Learning from the successes and failures of doctors and pharmaceutical companies is a good way to improve the individual treatment of HIV patients, but privacy considerations mean that individual patient data cannot simply be shared. But it looks like TNO, working with research groups at the University of Amsterdam (UvA) and the national research institute for mathematics and computer science, Centrum Wiskunde & Informatica (CWI), may have solved the problem: Secure Multi-Party Computation (MPC) guarantees privacy.
Two years ago, chatting around the coffee machine at Nanyang Technical University in Singapore, two Dutch professors started working up an idea. “Ronald Cramer told me there about his cryptological research into Secure Multi-Party Computation, and its possible practical applications,” explains Peter Sloot, Professor of Complex Adaptive Systems at UvA. “I saw its usefulness right away. I’ve been doing HIV research for fifteen years, and I’m increasingly coming up against problems involving the use of privacy-sensitive patient data. MPC technology could be a solution.”
“MPC lets you determine the ideal treatment for an individual HIV patient; that means fewer side effects and a better quality of life”
Sloot researches complex systems such as illnesses, and the use of computer simulations to make these systems more understandable. “MPC lets you determine the ideal treatment for an individual HIV patient,” Sloot adds. “That means fewer side effects and a better quality of life. And in the future it might also mean cheaper medicines.” Sloot believes that MPC could also be used to decide the best treatment for type-2 diabetes patients.
“Secure Multi-Party Computation is a kind of ‘trusted party’ for other parties, that takes the form of an algorithm,” explains mathematician Ronald Cramer. He is Professor of Cryptology at the Mathematics Institute of the University of Leiden and head of the Cryptology Group at CWI in Amsterdam. “In a conflict of interest, or where there is mutual mistrust, or when privacy considerations or legislation plays a role, parties can ‘employ’ MPC to jointly compute a function on the participating parties’ data files while keeping the data files private.”
“In MPC, there is no sharing or exchange of data: only the results of the desired computations are exchanged, and nothing else”
Confidentiality is key: inputs are transformed into one large encrypted database on which calculations can be performed in order to reveal the required information. The resulting conclusions can be valuable to all participating parties. In MPC there is no sharing or exchange of the underlying data: only the results of the desired computations are exchanged, and nothing else.
TNO was a logical partner in the HIV/MPC project because of its knowledge of MPC application areas. The mathematician Thomas Attema is involved in the project through TNO’s Cyber Security and Robustness department, and he plans to complete a PhD on this subject. “Using a database of 20,000 HIV patients we succeeded in calculating the effectiveness of a hundred different treatments for a specific patient, within 24 minutes. And we’ve since brought that computing time down even further.” There are, in fact, about 20,000 registered HIV patients in the Netherlands.
Besides the HIV/MPC project, TNO is working with a number of banks to research fraud detection. Attema: “To do so, we need to look at the transaction details of all the banks. Individual banks, after all, see only their own transactions, and not the overall picture. Criminals, however, use different accounts at different banks, shifting money from one to another. We succeeded in securely linking bank networks and running fraud detection algorithms on the data.”
“We succeeded in securely linking bank networks and running fraud detection algorithms on the data”
In Cramer’s opinion, MPC could also play an important role in benchmarking competitors in a given commercial field. “Finding out how well your company is doing compared to others, without sharing commercially sensitive information.”
GDPR: European privacy law
On 25 May 2018 a European privacy law came into force: the European General Data Protection Regulation (GDPR). Cramer sees this law as a huge opportunity and a stimulus for cryptographic techniques like MPC. Attema agrees, but adds “I don’t know whether MPC technology itself meets the legal requirements of European privacy law in full. That’s a good bone for TNO’s legal people to chew on.”
Could MPC bridge, or even close the gap between privacy on the one hand, and data science on the other? Attema: “It can certainly make that gap a lot smaller!” Cramer adds: “Yes, because MPC is a whole spectrum of methods and techniques, each with its own pros and cons.” Sloot: “I certainly believe that this HIV/MPC research is a game changer, one that lets us show everybody what the possibilities are.” Attema grins: “And the same applies to the bank fraud detection project, of course!”
Would you like to know more?
Do you want to know more about how MPC could reduce the gap between privacy and big data in your own organization? Get in touch with Thomas Attema.