Privacy is now a key regulatory and consumer demand, but it presents a challenge for businesses – how do they balance their responsibilities with making the most of customer data?
Enter privacy-enhancing technologies (PETs), the tech industry’s answer to protecting customer data while still extracting the information businesses need.
PETs help protect personal information while ensuring it can also be utilised for analytics or advertising. Examples include homomorphic encryption, which allows firms to analyse or manipulate the data through complex mathematical operations, without decrypting it. Secure multiparty computation, meanwhile, lets multiple entities collaborate without viewing each other’s data. And finally, a trusted execution environment isolates the data from the computer’s main processor to ensure it remains protected.
It’s still early days for these technologies, but big tech firms such as Apple, Meta and Google are recognising their potential. For example, at the height of the pandemic, Google and Apple demonstrated how PETs could be used for privacy-preserving Covid-19 contact tracing. Facebook, meanwhile, uses a combination of PETs to measure advertising metrics without compromising user privacy.
Weighing the benefits
So why are these tech giants so keen on PETs? Among their benefits, these technologies help businesses avoid falling foul of data protection regulations such as the EU’s GDPR by proving that the firms “protect personal data by design and default”, says Camilla Winlo, head of data privacy at professional services consultancy Gemserv.
With privacy increasingly at the heart of most business operations, there are also commercial reasons to consider PETs. “If a business is seen as being unable to protect data in line with modern standards, there is a very real risk it will lose sales,” Winlo says.
PETs can help to minimise the huge volume of data an organisation processes. This can have “other positive knock-on effects”, says Luke Dixon, a partner, IT and data specialist at law firm Freeths. “They help businesses balance the need to share and analyse personal data with the data privacy rights of individuals. They can also make it possible for them to give access to data sets that might otherwise be too sensitive to disclose.”
PETs are now used across a range of industries. They’re starting to gain traction in the financial services industry, where firms use them fir anti-money laundering checks, says Dixon. They are also finding favour in public healthcare, where organisations are sharing patient data privately between departments.
But PETs are not yet mainstream. The technologies are currently being adopted by larger organisations and niche specialists with a strong privacy focus, says Winlo. She cites the example of the privacy-focused Brave browser, which uses PETs to prevent individuals being tracked online.
Another company using PETs is Flo, a period tracker app. The firm has recently launched an “Anonymous Mode” based on PETs to protect its users’ reproductive health data following the Roe v Wade ruling in the US. Anonymous Mode was rolled out as an option to the app’s 48 million active monthly users in September.
Flo’s PET-based system decouples health data from personal information. The Anonymous Mode account contains no unique user identifiers such as email addresses and Google or Apple account IDs. The data transferred from the initial account is limited to health data, reminders and the user’s reason for using Flo.
How to implement PETs
The advantages are clear. However, PETs are new and need to be implemented with care, Winlow says. “Organisations need to make sure they understand the risk the PET is designed to address, the outcome they want to achieve, and the likely consequences of using the PET. It is really important to test PETs thoroughly.”
Using a PET can result in changes that may come as a surprise, Winlow warns. “Some users may lose access to data, or they may become aware that statistical techniques have been applied and lose confidence in it,” Winlow says. It’s therefore a good idea to explain what the PET does, why it’s important, and to involve users in development conversations so any affected processes can be updated.
If an organisation wants to implement a PET, it should first perform a data-protection impact assessment, Dixon advises. As part of this, firms need to consider and document the nature, scope and purpose of the data-processing activity where they intend to implement the PET. “Your organisation should also check that the PET is mature enough for its purposes,” he says. “You don’t need to use the latest technology out there, but you should still consider the PET in the context of what is state of the art.”
A lack of standardisation makes PETs prone to design flaws, says Cezary Cerekwicki, head of product security at browser maker Opera. However, with tech companies like Google working to make existing theoretical solutions available on the market, the future looks “very promising”, he adds.
As the technology develops, Winlow expects PETs to become better known over time, with some becoming standard tools for certain processes. But she concedes that “we are some way off that point at the moment.”
For now, it’s important to realise that PETs aren’t a perfect solution – at least not yet. The technologies have the potential to help businesses balance their use of data with protecting privacy, but it’s unclear how popular they will really become, says Dixon.
“PETs’ success partly relies on the development of industry-led governance,” he explains. “This will help inform organisations how to use them responsibly and let developers know how to build them in a way that best supports users’ needs.”