Advanced data linking without breaching privacy

8 April 2021

The idea of parties working in partnership to obtain valuable information from data without concessions to privacy sounds like a contradiction. However, thanks to the emergence of cryptographic technologies like Secure Multi-Party Computation (MPC), it can be done. TNO has created secure solutions for the financial, healthcare, and traffic sectors, among others. And the end is not yet in sight.

Data analysis and data sharing are becoming increasingly important. But although parties are able to generate much value from bringing data together, it does make breaching the privacy of individuals much more likely. These two aspects would appear to be mutually incompatible.

New technologies lead to new possibilities

“New cryptographic and other technologies make it possible to crack that incompatibility,” says TNO’s Thomas Attema. “American and Chinese organisations like Google, Facebook, and Alibaba currently collect huge amounts of data and are building up a gigantic monopoly position. That is not a desirable state of affairs. We are showing that you can create value without one single party possessing all the data – and power – while at the same time guaranteeing privacy. That offers a fresh perspective.”

Data security with Secure Multi-Party Computation

One of the technologies for tackling the dilemma is MPC. Attema explains, “Traditionally, there has been one party that collects all the data, carries out analyses, and creates value. MPC replaces that one party with a cryptographic protocol, with all the data remaining encrypted. In other words, the various parties cannot see each other’s data, but they are able to use the encrypted data to make calculations. It is only the results of the analyses that are revealed. Data linking – but done in a secure manner.”

Solution still requires cryptographic engineering

What makes the solution complex is that the data has to be both protected and used at the same time. Scientists discovered how this could be done as long ago as the late 1980s, but the protocols from that time were not efficient. Because the protocols have been made more usable in practice during the past ten years, start-ups are appearing, and the number of specific application possibilities has increased as well.

“But cryptographic engineering is still required for solving certain problems,” warns Attema. “There is no single MPC protocol that we can apply universally. For each specific problem, we have to work out exactly which techniques we should link up and how to do so in an efficient manner. We do this on the basis of the domain knowledge from the years we have spent working in partnership with the private sector, together with unique cryptographic expertise.”

Promising applications are there for the taking

Promising applications – such as detecting money laundering flows – are there for the taking. The government has laid down rules for the major banks in the Netherlands, but each individual bank sees only its own transactions and not the transaction network as a whole. This means that criminal organisations are able to circumvent detection mechanisms by dividing their operations across several banks. The solution is therefore to combine the data from the various banks.
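The bank scenario above can be sketched with additive secret sharing, one common MPC building block. This is an added example, not TNO's code, and the article does not say which protocol TNO uses. The bank names, account labels, amounts, threshold and modulus are all constructed, and the set of account identifiers is assumed to be agreed between the banks beforehand.

```python
import secrets

PRIME = 2**61 - 1  # assumed field modulus; all share arithmetic is mod PRIME

# Constructed sample: transfers into each account as seen by each bank alone.
SAMPLE = {
    "bank_a": {"ACC-1": 4000, "ACC-2": 2000},
    "bank_b": {"ACC-1": 3500},
    "bank_c": {"ACC-1": 3000, "ACC-3": 9000},
}

def share(value, n_parties):
    """Split value into n random-looking shares that sum to value mod PRIME."""
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares

def local_flags(private_inputs, threshold):
    """What the banks can detect without cooperating: per-bank totals only."""
    return sorted({a for seen in private_inputs.values()
                   for a, amount in seen.items() if amount >= threshold})

def joint_totals(private_inputs):
    """Simulate the protocol; returns the jointly computed total per account."""
    banks = sorted(private_inputs)
    accounts = sorted({a for seen in private_inputs.values() for a in seen})
    # Round 1: every bank shares its amount (0 if none) and sends one share
    # to each participant. A single share reveals nothing about the amount.
    inbox = {b: {a: [] for a in accounts} for b in banks}
    for sender in banks:
        for a in accounts:
            amount = private_inputs[sender].get(a, 0)
            for receiver, s in zip(banks, share(amount, len(banks))):
                inbox[receiver][a].append(s)
    # Round 2: each bank publishes only the sum of the shares it received.
    partial = {b: {a: sum(inbox[b][a]) % PRIME for a in accounts} for b in banks}
    # Combining the published partial sums reveals the total and nothing else.
    return {a: sum(partial[b][a] for b in banks) % PRIME for a in accounts}

def joint_flags(private_inputs, threshold):
    """Accounts whose combined inflow across all banks reaches the threshold."""
    totals = joint_totals(private_inputs)
    return sorted(a for a, total in totals.items() if total >= threshold)

if __name__ == "__main__":
    print("flagged by a single bank:", local_flags(SAMPLE, 10_000))
    print("flagged jointly:         ", joint_flags(SAMPLE, 10_000))
```

In this sketch the combined total per account is the revealed result; a production protocol could go further and reveal only whether the threshold was crossed.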

Big data solution in the healthcare and mobility sectors

In the healthcare sector, too, the new technologies can be put to good use. For example, there are countless mutations of the HIV virus. Because the effectiveness of a treatment depends very much on the particular mutation, prescribing the right treatment regime is a complicated process. Attema continues, “Ideally, treatments could be optimised by using patient data. Together with the CWI and the University of Amsterdam, we have shown how that can be done without sacrificing the privacy of patients and doctors.”

A third practical example concerns the mobility sector. “Take Mobility as a Service, the movement that is optimising the entire transport network in the Netherlands by linking various forms of transport with each other – from bikes and trains to electric rental cars. Transport service providers benefit from working in partnership with each other, but at the same time, they are competitors. With MPC, they can protect their modus operandi even though they are working together.”

Gaining traction

Just as a fair amount of engineering work still needs to be done for the technologies to be applied, TNO is developing more and more modules. These are comparable to pieces of Lego and ensure that the roll-out takes place more efficiently and that parties who lack much cryptographic knowledge are able to use the technologies. “The realisation that data does not always have to be shared is increasingly gaining traction; even distributed data can be analysed in a way that is privacy-friendly.”

“Using more and more proofs of concept, we have demonstrated that the technology is ripe for bringing to market,” concludes Attema. “In doing so, we are not just looking at the technology. Together with experts, we are also examining legal, ethical, and organisational aspects. After all, you can create functionalities while maintaining privacy, but it is still important to give careful consideration as to whether it is justifiable.”

Would you like to know more about MPC and other cryptographic technologies? Or perhaps you are curious to learn how your organisation can analyse data with other parties in a privacy-friendly manner – from optimising healthcare to the prevention of financial crime. If so, please get in touch with TNO’s Thomas Attema.