Encryption, Security & Privacy

Uploaded on 2023-05-05 in TECHNOLOGY--Resilience, GOVERNMENT-Law Enforcement, FREE TO VIEW

The notion that the state’s number one priority is to protect the wellbeing of the people it serves has been around for a long time. In exchange for taxation and compliance with the law, citizens will be protected by the resources held by governing authorities. 

Over time, the nature of this power relationship has evolved, not least because the means through which security is provided, as well as the scope of what security actually means, is ever changing.

Indeed, it has fuelled a debate around just how much interference and intrusion into privacy people are willing to accept in return for being kept safe. 

Realigning The Security Versus Privacy Debate 

Today, this conundrum is best encapsulated by varying public attitudes around the extent to which the police and security services should be leaning into information sources such as CCTV, phone records and other components of our digital footprints. 

Take London. With around 73 CCTV cameras per 1,000 inhabitants, it is by far the most surveilled city in the western world. And although Brits generally back its use, there are ongoing tensions around how CCTV is leveraged and whether privacy is being invaded too much in the name of protecting the public. There are also GDPR considerations, making it desirable that police should only get the information they need for a very specific, timebound purpose rather than an entire feed or database.

With many forms of digital and cybersecurity practices relying on the exchange of data to function, it begs the question - what if there was a way to enable cooperation between authorities and data holders without sacrificing individual privacy?

Fully Homomorphic Encryption (FHE) Offers A Solution

In simple terms, it is a technique that enables data to be processed blindly without having to decrypt it at any stage. Developers use a secret key to send encrypted data to a server where blind processing occurs - the result is encrypted and sent back, which developers then decrypt using their secret key. This enables the company or organisation providing the service to work with encrypted data on an end-to-end basis

Improving Privacy In Lawful Interception

Let’s come back to the security scenario and outline a couple of examples. There is a police investigation that involves looking for a suspect on a CCTV feed from a shopping centre. To locate them, the feed from the time period in question needs to be downloaded and put through a facial recognition programme. This presents problems in relation to privacy due to the amount of data that is being extracted to find one individual, which could be far greater than what a judge may grant the right to access. On the flipside, the police cannot simply tell the shopping centre CCTV operator who they are looking for, as this could result in the leakage of sensitive and secret information. 

Instead, using an FHE-enabled solution, the police could send the face of the suspect they need to locate in an encrypted manner. This would allow the operator to search and locate them without knowing who they are searching for, enabling what is commonly referred to as lawful interception. 

In the same manner, security forces may need to comb through the phone calls of a suspect and will need to work with telco companies storing the metadata. Again, this presents the challenge of only allowing access to what is needed, when it is needed and preserving the integrity of the database as a whole - as well as a citizen’s right to privacy! 

Of course, it’s not just police and security forces that have or need access to sensitive data. Businesses and corporations also hold vast amounts of sensitive data from competitive research, to commercial formulae to personnel records. In some cases, they may need to share information with a third-party service provider who has been instructed to carry out some form of cybersecurity audit or check. 

Part of this might involve a colleague wanting to know if their password has been hacked. This again presents a problem, because the only way to find out is to send the password to the third party, who now has this information at their disposal. 

Similarly, when it comes to a broader security audit, auditors need to examine their clients IT architecture and the list of all their network devices, applications and security tools in place to determine where vulnerabilities lie. Now that the third party knows about the company’s security vulnerabilities, there are two potential problems. First, the third party may not be trustworthy and use that information against the customer to hack them. Second, the third party itself could be hacked, leaving the information in the hands of cybercriminals.  

Once again, FHE can alleviate these concerns. In this case, an encrypted list of a company’s data can be sent to the third-party service provider to assess, without them knowing what those applications are.

FHE also makes the service provider a less attractive target for hackers, simply because they do not hold the sensitive information they are seeking. 

These are just two ways in which FHE has the potential to realign the security versus privacy debate. By offering the best of both worlds, individuals and organisations can have their security maintained without having to divulge key parts of their digital footprints. 

Ghazi Ben Amor is VP of Corporate Development at Zama

You Might Also Read: 

Hong Kongers Erase Their Digital Footprints:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Cyber Security And Ransomware Attacks - Problems & Solutions
Challenges For CTOs In 2023 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Tanium

Tanium

Tanium is an endpoint security and systems management company.

Dataguise

Dataguise

Dataguise provides a data-centric security solution to detect, protect, and monitor sensitive data in real time across all data repositories, both on premises and in the cloud.

Veridify Security

Veridify Security

Veridify Security (formerly SecureRF), develops and licenses quantum-resistant, public-key security tools for the low-resource processors powering the Internet of Things.

CLUSIF

CLUSIF

Clusif is the reference association for digital security in France. Its mission is to promote the exchange of ideas and feedback through working groups, conferences and publications.

OIC-CERT

OIC-CERT

OIC-CERT is the Computer Emergency Response Team for Organisation of Islamic Cooperation (OIC) member countries.

CyberGhost

CyberGhost

CyberGhost is a Virtual Private Network services provider offering secure encrypted access to the internet.

New Enterprise Associates (NEA)

New Enterprise Associates (NEA)

As one of the world’s largest and most active venture capital firms, NEA has developed deep domain expertise and insight into our industries of focus - technology and healthcare.

BluBracket

BluBracket

BluBracket is the first comprehensive security solution that makes code safe—so developers can innovate and collaborate, and security teams can sleep at night.

NetApp Excellerator

NetApp Excellerator

NetApp Excellerator is NetApp’s global start-up program that aims to fuel innovation by partnering with deep-tech start-ups.

Secure Technology Integration Group (STIGroup)

Secure Technology Integration Group (STIGroup)

Secure Technology Integration Group, Ltd. (STIGroup) is an innovative firm that provides CyberSecurity consulting, secure IT engineering, managed security services, and human capital solutions.

Cyber Security Forum Initiative (CSFI)

Cyber Security Forum Initiative (CSFI)

CSFI is a non-profit organization with a mission to provide Cyber Warfare awareness, guidance, and security solutions through collaboration, education, volunteer work, and training.

CYRISMA

CYRISMA

CYRISMA is a revolutionary cybersecurity platform that helps organizations manage risk without the usual headaches associated with enterprise cybersecurity tools.

FoxTech

FoxTech

FoxTech is an independent, friendly and deeply specialised cyber security company in the UK, with expertise spanning decades of Public Sector and Government services.

AutoSec

AutoSec

AutoSec supports the FFI program Electronics, Software and Communication by dissemination and exploitation of the results of projects related to automotive cybersecurity.

Mission Critical Partners (MCP)

Mission Critical Partners (MCP)

Mission Critical Partners is committed to delivering innovative solutions that help our clients enhance and evolve their critical-communications systems and operations.

NexusTek

NexusTek

NexusTek is a managed IT services provider with a comprehensive portfolio comprised of end-user services, cloud, infrastructure, cyber security, and IT consulting.