Federal Trade Commission: COPPA Applies to Connected Toys

This week, the Federal Trade Commission (FTC) updated its guidance on COPPA, the Children’s Online Privacy Protection Act, to clarify that the 1998 statute applies not just to websites and online service providers that collect data from children, but also to Internet of Things devices, including children’s toys. The updated guidance has been applauded by advocates, and is a welcome clarification that COPPA’s strong protections apply to toys like Hello Barbie, Dino, and Fisher-Price’s Smart Toy. The guidance acknowledges the potential harm to children of deceptive data practices, writing “when companies surreptitiously collect and share children’s information, the risk of harm is very real, and not merely speculative.”

In December 2016, Future of Privacy Forum and Family Online Safety Institute published “Kids & The Connected Home: Privacy in the Age of Connected Dolls, Talking Dinosaurs, and Battling Robots,” an early analysis of the privacy and security implications of connected children’s toys. At the time, some advocates were calling for a legal update to cover the unique issues of screen-less dolls and teddy bears that might collect information from children. In our white paper, we were one of the first to analyze COPPA in the context of children’s toys and concluded that it almost certainly already applied to the wide range of Internet-connected toys on the market:

“Although COPPA was written long before a mainstream market for connected toys existed, there is a growing consensus that the federal statute applies to the wide range of modern toys that connect to the Internet. Most connected toys available today connect to the Internet through a mobile app or other mechanism … and it is well-established that COPPA applies to Internet-connected devices and platforms, including smartphones, tablets, and apps. The FTC is vested with the legal authority to interpret COPPA, and it has promulgated more detailed requirements in the COPPA Rule. COPPA applies to any provider (“operator”) of “a Website or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child . . .”. Although the FTC has not yet taken an enforcement action against a connected toy operator, the Commission has stated that the term “online service” broadly covers any service available over the Internet or that connects to the Internet or a wide-area network.”

Although COPPA’s protections are strong, we recommend that providers of connected toys go even farther in protecting sensitive information collected from children, and discuss suggested best practices. Privacy-conscious steps include:

Children’s personal information, and parents’ ability to make informed, meaningful choices, should be given the highest level of legal protection. The FTC’s updated guidance represents an important step towards this goal, as well as towards protecting privacy in the growing Internet of Things.

The Top 10: Student Privacy News (May – June 2017)

The Future of Privacy Forum tracks student privacy news very closely, and shares relevant news stories with our newsletter subscribers.* Approximately every month, we post “The Top 10,” a blog with our top student privacy stories.

The Top 10

  1. FPF has relaunched FERPA|Sherpa! The site now includes:
  2. The House Subcommittee on Early Childhood, Elementary, and Secondary Education is holding the hearing “Exploring Opportunities to Strengthen Education Research While Protecting Student Privacy” on June 28th. If this sounds familiar, that’s because a very similar hearing was held on March 22nd last year. Check out my op-ed on this topic. Could the scheduling of this hearing foreshadow a FERPA re-write (re-)introduction?
  3. As reported in the previous newsletter, both the House and Senate have introduced the College Transparency Act, which would overturn the current federal ban on having a student-level data system at the U.S. Department of Education. There was a hearing on the CTA in the House, and many people continue to weigh in on whether the CTA is a good or bad idea.
  4. Following in the footsteps of the ACLU of Massachusetts, the ACLU of Rhode Island released their research on a lack of privacy protections in 1-1 programs in Rhode Island schools. It will be interesting to see the reverberations from the report. Already, Rhode Island schools are changing their policies and the ACLU is pushing its model bill to fix this problem. EdSurge reports on the Rhode Island report and other student privacy issues: “From High School to Harvard, Students Urge for Clarity on Privacy Rights.” While not specifically about privacy, this article, “California law spurs reforms after heartbreaking student suicide cluster,” has implications for the discussions many advocates and schools are having about when schools should be accessing student devices (either 1:1 devices or BYOD). In related news, too much district filtering can actually undermine student willingness to use a 1:1 device, as one district in Texas discovered.
  5. There have been a couple big breaches in higher ed in the past month, including a major breach at the University of Oklahoma where a student journalist discovered that she was able to access sensitive information like student financial aid records and grades through the school’s use of Microsoft Delve. Following the discovery of the breach, the U.S. Department of Education contacted the school to “further assess the institution’s compliance with its data security safeguard requirements according to the Gramm-Leach-Bliley Act.” Don’t know much about that law? Check out the FSA’s letter (and second letter) to institutions.
  6. The U.S. Department of Education’s Privacy Technical Assistance Center has a fantastic newly designed website and a new data breach response training toolkit. There is also another important federal update this month: the FTC has updated the COPPA compliance plan for businesses.
  7. The Consortium for School Networking has released an updated version of their incredibly useful privacy toolkit – I highly recommend that everyone reading this newsletter check it out!
  8. There was a fair amount of focus this month on philanthropic tech funders in education. Natasha Singer from the New York Times wrote about “The Silicon Valley Billionaires Remaking America’s Schools,” Inside Philanthropy asked “Can Technology Turbo-Charge K-12 Learning? Chan Zuckerberg Is Betting On It,” and EdWeek reported “Gates, Zuckerberg Philanthropies Team Up on Personalized Learning.” The Economic Times also reported “Mark Zuckerberg, Bill Gates try opposite paths to education tech in India.”
  9. “Schools are watching students’ social media, raising questions about free speech” and privacy, via a feature on PBS NewsHour on June 20. This relates to privacy and surveillance questions I discussed in my report on that topic.
  10. IEEE has formed a working group to develop a “Standard for Child and Student Data Governance.” You can contact them at this website if you are interested in joining.

*Want more news stories? Email Amelia Vance at avance AT fpf.org to subscribe to our student privacy newsletter.

Image: “20111105-student2-2” by Devon Christopher Adams is licensed under CC BY 2.0.

Honoring Jessica Rich

During the 2017 Annual Advisory Board Meeting, FPF issued its first-ever award to Jessica Rich, the former Director of the Bureau of Consumer Protection at the Federal Trade Commission (FTC), for her leadership in responsible data use and consumer privacy.

“We are thrilled to honor Jessica with our inaugural award celebrating leadership in responsible data use and consumer privacy,” said Jules Polonetsky, CEO, Future of Privacy Forum. “She is widely credited with building the FTC’s privacy program from a small team in the 1990s to the signature program that it is today.”

In her role as Director, Jessica managed over 450 attorneys, investigators, and support staff charged with stopping consumer fraud and false advertising, and protecting consumers’ privacy.  Under her tenure, the Bureau brought a series of major law enforcement actions to halt ongoing law violations. The Bureau also issued groundbreaking reports on data brokers, the Internet of Things, Cross Device Tracking, Big Data, mobile security, and kids’ apps.

Prior to being named Director, Jessica served in a number of senior roles at the FTC, including Deputy Director of the Bureau, Associate Director of the Division of Financial Practices, and Acting Associate Director of the Division of Privacy and Identity Protection.

On May 8, 2017, Jessica joined Consumer Reports as its new Vice President of Consumer Policy and Mobilization.

FPF salutes Jessica for her leadership in responsible data use and consumer privacy!

Future of Privacy Forum and the Data Quality Campaign Relaunch the FERPA|Sherpa Education Privacy Resource Center

FOR IMMEDIATE RELEASE

June 6, 2017

Contact: Melanie Bates, Director of Communications, [email protected]

Future of Privacy Forum and the Data Quality Campaign Relaunch the FERPA|Sherpa Education Privacy Resource Center

Washington, DC – Today, the Future of Privacy Forum (FPF) and the Data Quality Campaign (DQC) relaunched FERPA|Sherpa, the leading resource for information about education privacy issues. Named after the core federal law that governs education privacy, FERPA|Sherpa provides students, parents, schools, ed tech companies, and policymakers with easy access to the resources, best practices, and guidelines that are essential to understanding the complex privacy issues arising at the intersection of kids, schools, and technology.

The newly improved website includes:

“FERPA|Sherpa is the best place to easily find the most current, relevant, and authoritative resources regarding student privacy,” said Amelia Vance, Education Policy Counsel for FPF, who runs and creates content for the website. “Stakeholders have created so many great resources and models – some quite recently – and FERPA|Sherpa is the trusted one-stop shop for anyone who wants to access the latest best practices and guidance.”

“Data should be used to open doors, never to close them,” said Aimee Rogstad Guidera, President and CEO of DQC. “Parents want and deserve assurances that their child’s information is used to help them, never to hurt them and that this data is safeguarded and used responsibly and ethically. That’s why we are pleased to partner with the Future of Privacy Forum on the FERPA|Sherpa website to ensure the education sector is prioritizing the effective and responsible use of data in the service of student learning. FERPA|Sherpa provides information, messages, tools, and emerging best practices around safeguarding data to parents, educators, and policymakers so they can be informed actors and advocates for the ethical use of data in education.”

More than at any other time in the evolution of education, data-driven innovations and emerging technologies – such as online textbooks, apps, tablets and mobile devices, and internet-based learning – are bringing advances and critical improvements in teaching and learning, with profound implications.

At the same time, the increased use of vendors and data in schools is matched by the need for heightened responsibility to manage and safeguard student data and implement policies that benefit education and minimize risk. Concerns have been raised about how student data is collected and used in a next-stage learning ecosystem buzzing with social media, mobile devices, central databases, student records, Big Data, and an array of vendors and software. Since 2013, over 100 new student privacy laws have passed in 40 states.

“The Future of Privacy Forum is committed to creating a better landscape for education privacy,” said Jules Polonetsky, CEO of FPF. “The relaunch of FERPA|Sherpa will enable more effective collaboration between stakeholders and better education privacy practices from schools and companies.”

“Technology and the internet are powerful tools for teaching, learning and family-school communication. At the same time, it is imperative that students’ academic and personal information is protected,” said Laura Bay, president of National PTA. “It is a top priority of National PTA to safeguard children’s data and make certain that parents have appropriate notification and consent as to what and how data is collected and used. National PTA is pleased to collaborate with the Future of Privacy Forum and the Data Quality Campaign to bring the FERPA|Sherpa online resource center to families nationwide to ensure they are knowledgeable about the laws that protect student data as well as students’ and parents’ rights under the laws.”

The new FERPA|Sherpa website builds on FPF’s work to ensure the responsible use of student data and education technology in K-12 and higher education, helping educators with resources and information, and seeking inputs from all stakeholders to ensure privacy while allowing for effective data and technology use in education. FERPA|Sherpa initially launched in spring 2014.

FPF and the Data Quality Campaign are proud to support responsible education technologies in order to promote successful student outcomes. If you have questions or resources that you think should be part of FERPA|Sherpa, please contact Amelia Vance at [email protected].

June 22nd Event: Ensuring Individual Privacy in a Data Driven World

Criteo and Future of Privacy Forum are pleased to invite you to an exceptional conference gathering a very high-level selection of regulators, lawyers, advertisers, and publishers to discuss individual privacy in a data driven world.

Save the date for Thursday, June 22, 2017 from 8:30 am to 8:00 pm.

REGISTER HERE

FPF Capital-Area Academic Network Speaker Series

Future of Privacy Forum, Washington & Lee University School of Law, and the International Association of Privacy Professionals recently collaborated in a Call for Papers focused on the privacy impact of current and projected technological advancements, focusing on the transparency, sharing, and algorithmic implications of data collection and use – topics identified in the National Privacy Research Strategy.

The accepted papers from this call introduce new thinking by taking a closer look at how data flow maps can be leveraged to increase data processing transparency and privacy compliance in the enterprise, how the market has either created or failed to create privacy enhancing standards, and rethinks the traditional notice and consent model in the context of real time M2M communication. These papers have been published in the latest issue of the Washington & Lee Law Review, Online Roundtables. The winning papers are:

The authors of these papers will be sharing their work at a series co-hosted by the FPF Capital-Area Academic Network and IAPP’s Washington D.C. KnowledgeNet Chapter. The first event in the series will be held on Tuesday, June 6th, featuring Chetan Gupta, CIPP/US, UC Berkeley School of Law, who will discuss conclusions from his research on how individuals can have an impact on the market’s adoption of privacy standards and security technologies for the tools we use every day. Following Mr. Gupta, we will be joined by Carrie A. Goldberg, Esq. for a question and answer session about her work focused on justice for individuals who are under attack. Carrie is the founder of C.A. Goldberg, PLLC, a law firm operating out of Brooklyn, New York, that focuses on internet privacy and abuse, domestic violence, and sexual consent.

REGISTER HERE

WannaCry About Backdoors

There are many lessons to learn from the spread of the WannaCry ransomware attacks across the globe.  One lesson that needs more attention is the danger that exists when a government attempts to create mandatory backdoors into computer software and systems.

The ransomware attacks began May 12 and soon spread to over 150 countries and over 10,000 organizations, encrypting files and demanding payment in the online currency Bitcoin for the hackers to unlock those files.  The attacks contained relatively unsophisticated ransomware.  By contrast, the software that spread the ransomware from system to system was very sophisticated, based on the EternalBlue exploit that was stolen from the National Security Agency and leaked in April by a group called the Shadow Brokers.

An initial lesson is to remind us that leaks can and do happen from intelligence agencies, from Edward Snowden, through the publication of CIA hacker code, to the Shadow Brokers release of NSA hacker tools. In an era where leaks happen at scale and get disseminated globally, agencies face a “declining half life of secrets,” and must anticipate that their actions and techniques will be made public far sooner than historically was true.

An important lesson picked up by tech policy experts has been the need to improve what is called the “vulnerabilities equities process” (VEP).  The NSA has long had this process to weigh the benefits of a spying tool (such as breaking into an adversary’s computer system) with the costs (such as leaving civilian computers open to the same attack).  In 2013, I was part of President Obama’s NSA Review Group, and that administration accepted our recommendation to shift the VEP to the White House and involve more agencies and perspectives, especially to highlight the risk to the economy and our own infrastructure from vulnerabilities that are not patched.

Experience with WannaCry shows, however, that improving the VEP is not enough to create good security.  After the government learned about the Shadow Brokers theft, it alerted Microsoft to the vulnerability exploited by the ransomware. Microsoft released a patch in March, before the Shadow Brokers published the key attack mechanism.  Nonetheless, Britain’s National Health Service and the other victims world-wide did not update their systems in time.  These failures show the need to update quickly and systematically, an issue whose importance will only increase as myriad devices connect online as part of the Internet of Things, where many devices have no mechanism for updates.

Along with these lessons, however, WannaCry should inform us about the egregious risks that come from mandatory vulnerabilities in software, what are often called “backdoors.”  The greatest public attention to backdoors arose when the FBI sought to require Apple to write software that would gain access to an encrypted iPhone in the San Bernardino terrorism case.  Apple CEO Tim Cook refused, saying “There have been people that suggest that we should have a back door. But the reality is if you put a back door in, that back door’s for everybody, for good guys and bad guys.”  Strong encryption is permitted even under the 1994 U.S. law that requires phone companies to build their networks to respond to court orders.  As the ACLU’s Chris Soghoian has emphasized, that law “explicitly protected the rights of companies that wanted to build encryption into their products – encryption with no backdoors, encryption with no keys that are held by the company.”

The risk of government-mandated backdoors goes far beyond the U.S., however.  Late last year, the United Kingdom passed the Investigatory Powers Act, which allows the government to compel communications providers to remove “electronic protection applied … to any communications or data.”  The Electronic Frontier Foundation reports that they don’t believe the U.K. government has taken advantage of this requirement to break encryption yet, but the law is now on the books and companies could face severe consequences for non-compliance.

Even more broadly, China’s new cybersecurity law can be read to require encryption backdoors, Brazil temporarily blocked the encrypted app WhatsApp when seeking access to user data, the European Union Justice Minister is considering measures to force companies to cooperate with law-enforcement requests, and India has proposed sweeping encryption legislation that would require backdoor access as well.

The difficulty with these mandated backdoors, however, is that a computer vulnerability that exists in China, Brazil, or India typically will exist in the United States as well. In all of these countries, users rely on largely the same hardware and software – the same phones, laptops, operating systems, and applications.

The WannaCry attack thus teaches us lessons about the likelihood of leaks, the need for a better vulnerabilities process, and the importance of better software updating.

Most importantly, however, it teaches us that a backdoor required in one nation opens up the data and devices of users everywhere in the world.  Over 150 countries suffered the effects of the WannaCry ransomware.  Over 150 countries will also have their systems exposed if any one country succeeds in mandating a backdoor in the devices and software upon which we all rely.

Peter Swire teaches cybersecurity at the Georgia Tech Scheller College of Business, and is a Senior Fellow at the Future of Privacy Forum.

In Memory of Elise Berkower

We learned yesterday of the passing of Elise Berkower, a dear friend and one of the unsung heroes in the world of digital privacy.

Elise was Chief Privacy Counsel at The Nielsen Company and was a valued member of the Future of Privacy Forum Advisory Board. If you didn’t know Elise, it is because she was incredibly modest and humble, despite being one of the most knowledgeable people working at the intersection of data and online ads, mobile ads, traditional TV and the emerging smart TV and smart home.

I first met Elise when I was Commissioner of Consumer Affairs for New York City in 1998 and she was the Deputy Chief Administrative Law Judge at the agency. Her commitment to consumer protection was deep and her ability to manage the agency court system to ensure it served the city and consumers was remarkable. When the opportunity arose, I appointed her as Chief Judge and saw her continue to work to resolve agency bottlenecks, while ensuring we did justice to the businesses and the individual consumers we served.

When I became Chief Privacy Officer at DoubleClick, Elise was my first hire. While Nuala O’Connor and I rushed around the world, putting out fires and negotiating with regulators, Elise built and ran the first comprehensive online advertising privacy compliance program in the industry. This involved not only ensuring DoubleClick’s policies and practices were proper, but working with thousands of advertisers and publishers who were clients. In those days, web sites were first beginning to adopt privacy policies and few had language or choices that reflected the uses of ad technology. Elise corrected and edited thousands of policies, helping companies large and small learn about and comply with emerging ad tech best practices – many of which we were working with others in the sector to develop as new uses of data emerged.

Elise did her work with a deep commitment to ensuring fair practices for individuals and carried that same devotion to Chappell & Associates and then to Nielsen. When she reached out to fill me in on a new product, the briefing was never about the compromises made to balance privacy and data use and the hope that the end solution was good enough – it was always a review of all the protections she had worked with the business to put in place and was there anything else we could think of that would help do more.

At each company, Elise was devoted to her peers and staff as if they were her family – and indeed we were. My only complaint is that she was so selfless that it was hard to learn about the challenges she was facing over the years. She was severely impacted by 9/11, as she lived in an apartment very close to the World Trade Center, and she struggled with health issues, including a recent stroke. When I called to check up on her recently, she was more interested in finding out how my family was doing than sharing her own challenges.

Elise seemed to be doing better recently and was even at the FPF annual meeting last week, sharing her views and input. We will be coordinating an effort to honor her friendship and service.

Our condolences to our friends at Nielsen and to peers at ESOMAR and NAI, where she for many years was a leader in advancing industry self-regulation and was a respected and beloved partner.

The funeral will take place on June 4th in Manhattan.

May her memory be a blessing.

Consumer Genetic Testing: Beginning to Assess Privacy Practices

Genetic testing is becoming more widely available to consumers; such testing can be an exciting new opportunity to help individuals flesh out family histories, discover cultural connections, and learn about their personal backgrounds.  The availability of low-cost genetic sequencing and analysis has led to numerous businesses offering a variety of services, including some that provide detailed health and wellness reports that explain how genetics can influence risks for certain diseases.  The enthusiastic public response demonstrates that there is great demand for this knowledge.

But, as with so many new technologies, this new data analysis also raises privacy questions.  DNA can be immensely revealing. And by its nature, DNA includes information about an individual’s close relatives – not just data about the person tested.  The broad US law protecting health privacy, HIPAA, only protects health information when handled by specific types of entities, such as health care providers or health insurers.  If your doctor orders a genetic test, all the providers involved are bound by HIPAA requirements.  But if you order a consumer genetic test on your own, those restrictions are not applicable.

To ensure that genetic information isn’t misused, Congress acted, providing protections in some areas.  The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits the use of genetic information to make health insurance and employment decisions.  GINA was a landmark when it passed, but it does not provide comprehensive protections.  For example, GINA does not apply to decisions about schools, mortgage lending, or housing. And it excludes other forms of insurance like life insurance, long-term care, and disability insurance, although some states do provide some additional protections in these areas.

Given the gaps in legal protection, it is particularly important that companies offering genetic testing to consumers provide rock solid, legally enforceable commitments to consumers that ensure their data won’t be used to harm them.  And consumers need to look for commitments by companies not to share genetic information without explicit permission, the ability to delete their information, and promises to only use the data for the expected purposes.  FPF has begun discussions with a number of consumer genetics companies and hopes to share best practices guidance in the upcoming months.

But before we begin, there are some useful lessons that FPF can share from our work in other sectors. It’s useful to understand some of the language that is common to the legal construction of policies and terms of service, as well as the underlying protections provided by federal and state consumer protection laws.

  1. Companies do not own your data when they claim a perpetual license to use your information. When you provide a company with data – whether that data is DNA, user comments, profile pictures, or other content that the company needs to hold and use to provide services – the company will often declare that it has a perpetual, royalty-free, worldwide license to use your information. Corporate intellectual property lawyers insist on this language to give themselves the rights to use the data on an ongoing basis, subject to the restrictions they place on themselves – such restrictions can include commitments to only use data for the services described in a company’s policies, and users’ right to demand deletion of the data. Search the phrase “perpetual license,” and you will find it in the policies of almost every online service that allows the submission of user content. This does not mean the company owns your data and can use it for any purpose it pleases – companies typically cannot make a book out of your private photos or publish your DNA. But several times a year, someone reads “perpetual license” and sounds an alarm that is picked up by the media. The fact that reporters’ own publications have the same language in their online policies is typically not considered. Often, a company will respond by making a cosmetic amendment to its terms, explaining that indeed it does not own consumers’ data. This story is the Groundhog Day story of privacy. In 2008, Google’s terms were debated. In 2011, Dropbox was critiqued. In 2012, Twitter and Facebook came under scrutiny. In 2015, it was Microsoft. Last week, AncestryDNA was the latest company to encounter this flap and accordingly updated its terms to explain that it had never asserted legal ownership of consumers’ data. Companies can get ahead of this issue by using clear terms from the outset. Smart consumers and critics should recognize this legal language by now and appreciate that it does not grant a company “ownership rights to user data.” Look for the limitations on what a company can actually do or not do with the data and your rights to opt in or out.
  2. All bets are not off when a company is sold. The Federal Trade Commission (FTC) has repeatedly made clear that it will hold a successor company responsible to use data only in ways compatible with the original privacy policy. Back in the Toysmart case, where sensitive children’s data was involved, the FTC required that Toysmart’s buyer abide by the terms of the Toysmart privacy statement. If the buyer wanted to make changes to that policy, it could not change how the information previously collected by Toysmart was used, unless it provided notice to consumers and obtained their affirmative consent (“opt-in”) to the new uses. The FTC will surely hold companies that collect and process DNA to this standard.
  3. Policies cannot be changed at any time. The FTC has been clear that material changes to consumer privacy policies can’t be made without first providing prominent notice to consumers and providing them with choices before data is used in any manner inconsistent with terms they were initially provided. So if a company holds sensitive data, it should not claim that it may change its policy at any time and immediately apply the new terms to data it previously collected.  If the change is material, a company may not apply it retroactively without consumers’ express, affirmative consent.

These are just some of the baseline issues that are worth understanding before beginning to think through the important commitments genetics companies can make to promote trust and responsible data use in this emerging industry.  Stay tuned for that effort!

Homomorphic Encryption Signals the Future for Socially Valuable Research on Private Data

Encryption has become a cornerstone of the technologies that support communication, commerce, banking, and myriad other essential activities in today’s digital world. In an announcement this week, Google revealed a new marketing measurement tool that relies on a particular type of advanced encryption to allow advertisers to understand whether their online ads have resulted in in-store purchases. The announcement created controversy because of the types of data and analysis involved, with the theme of media coverage being that “Google knows your credit card purchases.” Although the details were lost in much of the coverage, we were far more intrigued by the apparent advances in homomorphic encryption that Google seems to have achieved in order to apply this double-blind method at scale.

The Importance of Encryption

If well encrypted, even data that is made public—intentionally or due to a data breach—remains totally unintelligible to those who may try to access it. However, data that is well encrypted also loses its utility, as it can no longer be analyzed or used in ways that we might want and need. For example, if cloud-based data is fully encrypted and only the owner holds the key, the data is unreadable by the cloud provider, safe from attackers, and unavailable to law enforcement authorities that might approach the cloud provider. If the key is lost, the data may be lost forever. This level of protection is often sought out for purposes of data security and privacy—but it also means that the cloud provider cannot perform useful computing on the data that we may want performed, such as to easily provide a “search” function. If the data cannot be read, it cannot be searched or analyzed. Similarly, research cannot be conducted on encrypted data.

But what if there were methods of encryption that ensured data was converted into ciphertext, protecting the privacy of individuals, while still enabling research to be conducted on the data? The most advanced technique being developed to allow some basic operations on data that remains encrypted – adding, matching, sorting – is known as homomorphic encryption. This method, recently reviewed in Forbes, has made great strides in recent years, but has required substantial computing resources and has thus been quite limited in use. Some recent successes have started to make these processes more efficient, exciting researchers who consider fully homomorphic encryption to be a “holy grail.”

In the words of security expert Bruce Schneier when IBM researcher Craig Gentry first discovered a fully homomorphic cryptosystem: “Visions of a fully homomorphic cryptosystem have been dancing in cryptographers’ heads for thirty years. I never expected to see one. It will be years before a sufficient number of cryptographers examine the algorithm that we can have any confidence that the scheme is secure, but — practicality be damned — this is an amazing piece of work.”

Comparing Datasets through Homomorphic Encryption Methods

One of the reasons researchers are enthused is that very often the data sets they wish to study belong to separate organizations, each of which has promised to protect the privacy and personal information of the data subjects. Fully homomorphic encryption provides the ability to generate aggregated reports about the comparisons between separate, fully encrypted datasets without revealing the underlying raw data. This could prove revolutionary for fields such as medicine, scientific research, and public policy. For example, datasets can be compared to analyze whether people provided with homeless services end up in housing or holding jobs; whether student aid helps students succeed; or whether certain kinds of support can prevent people from being re-admitted to hospitals. These uses all depend on comparing sensitive data held by different parties and subject to strict sharing protections. Homomorphic encryption would allow the datasets to be encrypted, thereby protecting personal information from scrutiny, yet still compared and analyzed to gain insights from aggregate-level summary reports.

Similarly, homomorphic encryption can be used in the fields of advertising and marketing. Google announced that it was using a new double-blind encryption system to enable a de-identified analysis of encrypted data about who has clicked on an advertisement in combination with de-identified data held by companies that maintain credit card purchase records. Google can provide a report to an advertiser that summarizes the relationship between the two databases to conclude, for example, that “5% of the people who clicked on your ad ended up purchasing in your store.”
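As an added illustration of the aggregate-only comparison described in this and the previous paragraph (not Google’s system and not code from the original post), here is a toy additively homomorphic scheme (Paillier) in which a merchant’s encrypted purchase flags are summed over an ad platform’s clickers and only the total is ever decrypted. The primes, user ids and flags are constructed, and the ids are matched in the clear, a step a real deployment would also hide.

```python
import math
import secrets

def paillier_keygen(p, q):
    """Toy Paillier key pair from two caller-supplied primes (insecurely small here)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                             # standard simple generator
    # L(x) = (x - 1) // n ;  mu = L(g^lam mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)

def encrypt(pub, m):
    n, g = pub
    r = secrets.randbelow(n - 1) + 1      # fresh blinding factor, so Enc(m) is randomized
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    return ((pow(c, lam, n * n) - 1) // n * mu) % n

def add_encrypted(pub, c1, c2):
    """Multiplying Paillier ciphertexts adds the plaintexts: Enc(a)*Enc(b) = Enc(a+b)."""
    n, _ = pub
    return (c1 * c2) % (n * n)

def encrypted_conversion_count(pub, clickers, enc_flags):
    """Ad-platform side: sum the merchant's encrypted 0/1 purchase flags over the users
    who clicked, without being able to read any individual flag."""
    total = encrypt(pub, 0)               # Enc(0) is the identity for homomorphic addition
    for user_id in clickers:
        total = add_encrypted(pub, total, enc_flags[user_id])
    return total

# Constructed sample data. The analyst holds the private key; the merchant encrypts a
# 0/1 purchase flag per user id under the public key; the ad platform knows who clicked.
# Ids are matched in the clear here; a real deployment hides them too (private set
# intersection), which this example does not show.
PUB, PRIV = paillier_keygen(10007, 10009)          # toy primes, far too small for real use
MERCHANT_FLAGS = {"u1": 1, "u2": 0, "u3": 1, "u4": 1, "u5": 0}
MERCHANT_ENCRYPTED = {u: encrypt(PUB, f) for u, f in MERCHANT_FLAGS.items()}
AD_CLICKERS = ["u1", "u2", "u3", "u5"]

def conversion_report():
    """Analyst side: decrypt only the aggregate, never a per-user record."""
    enc_total = encrypted_conversion_count(PUB, AD_CLICKERS, MERCHANT_ENCRYPTED)
    purchased = decrypt(PUB, PRIV, enc_total)
    return purchased, len(AD_CLICKERS), purchased / len(AD_CLICKERS)   # (2, 4, 0.5)
```

Note that the scheme hides individual flags but not the aggregate itself, so a report over very few clickers can still reveal a single person’s purchase; deployments cap or noise small counts for that reason.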

If the encryption is sound and the combined data is truly unintelligible to both Google and its partners, yet the mathematics still enables useful comparisons, this methodology could be an important advance for privacy-protective research and data sharing. It means that when different researchers hold datasets that include private or sensitive information, this methodology could enable valuable insights while respecting individual privacy.

Google seems to have put years of top-level research into advancing these privacy-protective encryption methods. We expect that after the initial controversy over its application to analyzing the effectiveness of advertising, researchers will take a hard look at how these methods can be used for a wide range of socially valuable research. And with respect to advertising itself, it’s certainly good to see genuinely sophisticated privacy-enhancing technologies being used when sensitive data is analyzed. Although we appreciate the importance of providing users with choices and notices, at the end of the day there is nothing better than scientific, technically advanced protections to ensure personal information is protected.