Welcome back to Mind the Gap 👋.
Time to pick up where we left off before we took a summer siesta. Our team just got back from Basel, where we talked privacy in intelligent health applications (spoiler: it starts with data!).
Privacy over summer was just as hot as the temperatures, so let's dive right in:
- Privacy-Enhancing Technologies are now officially helpful for data privacy compliance;
- We can dust off our favourite analogy of your data as a droplet of ink in a huge lake, now that Facebook has admitted it has no clue where user data goes.
- This week's light snack is a fun background look at a fundamental principle of improving privacy, with a seventies vibe: (true) randomness as achieved with lava lamps.
PS We have some leftover chocolate bars from the conference. We'll send the first 3 readers that hit firstname.lastname@example.org with a "🍫" some overstock. Shipping worldwide!
ICO's guide on privacy enhancing technologies
[to] help organisations unlock the potential of data by putting a data protection by design approach into practice.
And we're off to a good start at Minding (or bridging!) the Gap: an excellent fusion of legal and engineering perspectives on data privacy comes from Britain's Information Commissioner, of Real-Time Bidding and AdTech-slashing fame.
The ICO released a new report (they say it's a draft) on Privacy Enhancing Technologies, and how PETs can help drive data protection and privacy for organisations.
There are a few interesting things about this:
- The report is both comprehensible and comprehensive, AND framed through the lens of applicability to the real-world challenges organisations face (e.g. loss of data utility).
- It's concrete guidance from a regulatory body.
- It's a connection of legal perspectives to actual data transformations.
- It's right up our alley 😇
The summary is simple: PETs can help achieve a better balance between data regulations and applications, through privacy-by-design and data-minimisation principles that meet the security requirements data laws impose. The BUT: they're not a silver bullet, nor a replacement for the fundamental principles of lawful grounds and requirements for collection and processing.
It's a good overview and a worthwhile read if you want to understand more of the space and its applications; grab your free copy here:
Facebook doesn't know where our data goes
Garrie was attempting to [uncover] where personal data might be stored in some 55 Facebook subsystems. “I don’t believe there’s a single person that exists who could answer that question,” replied Eugene Zarashaw, a Facebook engineering director.
We wrote before about how legal pressure and consumer demand for privacy might require you to rebuild all your pipelines. Exhibit C in building that case surfaced from a recent hearing in the Cambridge Analytica case (yes, that's still ongoing): Facebook has no clue where our data goes inside its own systems.
Now, tracing the origin of data to every single point, copy or derivative is simply a fantasy if you want to use data in the real world. There's just too much copying and aggregating going on. But if something's complicated, flip the challenge: make sure you don't have to worry about how it's copied and aggregated, because it's either unusable beyond its purpose or, when talking about personal data, anonymised.
I wonder who could help with implementing that approach...
Head over to The Intercept for the full background and context on the hearing:
Security 101: How Lava Lamps (can) help to improve privacy
Pre-S: engineers click here. https://blog.cloudflare.com/lavarand-in-production-the-nitty-gritty-technical-details/
When I was a little Pim, I had a lava lamp. It had green wax inside a blue liquid and a lamp that warmed the wax (this was pre-LED, kids). I loved it, and I recall trying to predict where the next sphere would divide or be gobbled up, and how large it would be.
I couldn't. It was agonizing. The currents created by the heat source underneath would always flow and cool differently, creating ever-changing configurations. It was as if I had to predict exactly how a crystal glass would shatter on the kitchen floor. Little did I know back then that I was learning about a principle that would later underpin my career: randomness.
Now, the essential principle of "privacy" is that you can't trace a piece of information back to an individual. You can achieve this by taking that piece of information and mashing an unpredictable element into it. If you then want to revert to the original, you need to know what element was added. But that element was unpredictable in the first place. Ergo: you can't know.
So much for a little 101 intro to the core of many security and cryptographic methods. These are the same methods that underpin privacy-enhancing technologies, used to create unpredictable (and so private) derivatives of personal data.
But... the problem with these methods is that they run on computers. And computers are very good at following instructions. So when generating these necessary "unpredictable" elements, we have to instruct them how to be unpredictable. Which makes the result... just a little too predictable: anyone who knows the instructions and the starting point can reproduce it.
Now, for applications where you need unpredictability guarantees, that's a challenge. Ergo: you need to look for a truly random source of information.
It turns out the agony I felt trying to understand my lava lamp is exactly what makes them so suitable for creating true randomness in data flows. Hence they are used in an application every one of us comes across daily: protecting the internet (e.g. making sure no one can eavesdrop on your browsing behaviour).
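The chain above, squeezed into a small Python illustration added here (this is not code from the newsletter or from Cloudflare's LavaRand): a noisy "camera frame" is conditioned into a seed and mixed with the OS entropy pool, that seed is mashed into a record so that reverting needs the secret, and a PRNG seeded from a guessable value shows why "follow these instructions to be unpredictable" falls short. The frame is a constructed byte string and the HMAC-based keystream is an illustrative choice, not the production design.

```python
import hashlib
import hmac
import os
import random

# Constructed stand-in for one frame from a lava-lamp camera (assumption: a real
# frame is raw pixel bytes from a real camera; this is a fixed sample).
SAMPLE_FRAME = bytes((i * 37 + 11) % 256 for i in range(4096))


def frame_to_seed(frame: bytes, system_entropy: bytes) -> bytes:
    """Condition a noisy frame into a 32-byte seed.

    Hashing squeezes the frame's unpredictability into a fixed-size value;
    mixing in the OS entropy pool keeps the seed unpredictable as long as at
    least one of the two sources is.
    """
    conditioned = hashlib.sha256(frame).digest()
    return hashlib.sha256(conditioned + system_entropy).digest()


def mask(data: bytes, seed: bytes, label: bytes = b"mind-the-gap") -> bytes:
    """Mash an unpredictable element into the data.

    Expands the seed into a keystream (HMAC-SHA256 in counter mode, an
    illustrative choice) and XORs it over the data. Masking again with the
    same seed reverts it; without the seed the output is just noise.
    """
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(seed, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def predictable_seed(known_value: int) -> bytes:
    """The 'computers follow instructions' problem: a general-purpose PRNG
    seeded from a guessable value (a timestamp, say) hands the exact same
    "unpredictable" element to anyone who knows that value."""
    rng = random.Random(known_value)
    return rng.getrandbits(256).to_bytes(32, "big")


if __name__ == "__main__":
    seed = frame_to_seed(SAMPLE_FRAME, os.urandom(32))
    hidden = mask(b"patient-id:4711", seed)
    print(hidden.hex(), mask(hidden, seed))  # noise, then the original record
    print(predictable_seed(1660000000) == predictable_seed(1660000000))  # True
```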
Sit back for an interesting and accessible primer on cryptographic basics through the lens of CloudFlare's lava lamp farms:
And... that's it for this week! Spread the word, and make sure to earn that chocolate! 🍫