Do you have anything to hide?
- 13 June, 2017
- Zeki Erkin
by Zeki Erkin, Cyber Security Group, Delft University of Technology. As of May 2018, there will be severe penalties for companies when privacy-sensitive data are leaked. Are you aware of your data?
“I do not have anything to hide” is a typical answer I receive from my students when I give my first lecture on privacy enhancing technologies. Is that really true? Do we have nothing to hide? Is privacy all about “hiding” something? It is a common misunderstanding that privacy is about the web sites we visit or videos we watch. The truth is that privacy is far more complicated than trying to keep your web history secret.
Controlling your data
Privacy is about controlling your own data: who can see what, and when they see it. It is easy to explain: Do you have the same content, language and jokes while you are having a conversation with your parents or with your colleagues? Or with your friends? No! You are the same person but the content, the style and the amount of information you share are different. In other words, you have different faces for different people. Then why do we have one online face, containing every piece of information about ourselves? And it is either open to everybody on the Internet or to the service providers. The problem gets more challenging since the service providers also share the data they have about you with their business partners, with or without your consent.
People either believe in privacy protection or not, but many people do not really understand it. It is true that many online service providers are able to present better and customized services, tailored for us thanks to the data they are collecting about us. For example, when you buy a book online, there are other suggestions for your taste. However, many services relying on data about us are not very transparent at first. I don’t know about you but I was really terrified when I clicked on a map of a city I was planning to visit for a conference and saw that the location of the hotel in which I had booked my room was marked, with my check-in and check-out dates! Clearly, the confirmation e-mail I received from the booking site was analyzed and presented on that map for my convenience. Nice service! But isn’t this a bit disturbing? At least I should have been informed about it.
Privacy is a human right. Privacy is about controlling your own data. I also believe everyone should be able to control their own data. Whether they actually will (use that right) or not is irrelevant. Therefore, I focus on privacy enhancing technologies, particularly computational privacy, also known as privacy engineering, where you can design protocols based on mathematical constructions and where you can control the amount of information that is disclosed about you. The idea is very simple: I would like to get the same quality of service but without revealing my data to the service providers. And if they want to use my data for some other purpose, not only do they need my consent but also my collaboration. So, power to me, because the data is about me!
This approach is effective and applicable to many domains: travelling, dating, shopping and more. It is possible to design a privacy-preserving version of speech control (e.g., Siri) where the service provider does not know the content of your speech but can show you the closest restaurant to your place, without knowing your exact location. We have the mathematical tools, namely cryptographic primitives, to build such systems. The challenge is to make such privacy-preserving systems as efficient as possible in terms of speed. The privacy-preserving version of a service will take longer than the version without privacy protection, as we are deploying many layers of security and privacy protection on the sensitive data, and this takes time. But we have those solutions!
EU regulations on privacy
If this idea is feasible and as great as I claim, why don’t we see it being used in practice? This approach is indeed very effective to protect data. However, there are serious challenges. Efficiency is one of them. Therefore, we need more research. Great for me! But real-life deployment has not happened yet because privacy is not seen as a societal problem but more of a personal one. And many companies do not see privacy as a problem they need to address. On top of that, there is very little demand from society. Look what the young generation says, “I do not have anything to hide!” Fortunately, the European Union is a step ahead, introducing data protection regulations that consider the privacy of EU citizens and stop possible discrimination based on available data about them. As of May 2018, there will be severe penalties for companies when privacy-sensitive data are leaked. Hopefully, many in business will realize that they need more than anonymization for their business to thrive.
The golden age of Privacy Engineering is yet to come, but we are ready for the challenges here at Delft University of Technology!