Privacy-enhancing tools may offer a way out of a difficult digital dilemma
By Yogesh Hirdaramani
Conventional wisdom holds that data privacy is incompatible with the levels of convenience people have come to expect in their app-assisted lives. Initiatives in Singapore and Estonia are attempting to turn that notion on its head.
Privacy-enhancing technologies can allow the transfer of insights without disclosing data. Image: Envato Elements
Tech giant Apple last year updated the operating system iOS 14 to allow users to opt out of sharing their data with advertisers on third-party platforms such as Facebook. The effect was immediate. According to Forbes, the move was related to a potential loss of US$10 billion of ad sales by Facebook owner Meta – nearly 8% of the company’s annual revenue.
The Apple case demonstrates that as data privacy practices and regulations shift, companies and agencies will also have to shift their strategies. They will need to gain insights from data without sharing the actual data involved. One means by which they can do so is through the adoption of privacy-enhancing technologies (PETs) – cryptographic tools that allow data providers to share data for analysis in a modified form, and to pull insights from multiple data sources without disclosing private data.
As GovInsider has reported, inter-agency data sharing can support healthcare efforts and other whole-of-government projects.
In Estonia as long ago as 2015, the country’s education and tax authorities used a PET known as secure multi-party computing to compare datasets in order to determine whether college students’ take-up of apprenticeships was linked to dropout rates. No actual data was disclosed to either authority.
The governments of Singapore and Estonia have recently taken steps to drive the adoption of such technologies in both the public and the private sectors. Both countries are looking to tap the promise of data transfers to drive growth and greater convenience while maintaining high standards of data security in line with regulations, initiatives that necessarily involve PETs.
Singapore’s media and communications regulator, the Infocomm Media Development Authority (IMDA), and its data regulator, the Personal Data Protection Commission (PDPC), launched the country’s first PET sandbox in July.
The sandbox is an experimental environment in which companies can work with PET suppliers on pilot projects. It aims to reduce the risks of traditional data sharing, open up opportunities for data collaboration between businesses, and unlock more data for use in training artificial intelligence platforms.
PDPC Deputy Commissioner Yeong Zee Kin told GovInsider: “PETs can support the essential elements of a digital economy – namely, the seamless transfer of data and the use of data to support innovation.”
In implementing their pilot schemes, which will be supported by grants, companies can improve their understanding of which PETs to use to achieve their goals, understand their technical constraints, and get a better grip on regulatory compliance requirements.
A travel agency and a telecommunications company, for instance, could use secure multi-party computing to understand customers’ travel preferences without disclosing any sensitive data, according to the IMDA.
Yeong said the PDPC, alongside the IMDA, will partner with sandbox participants throughout the programme’s life “to identify the real-world regulatory and technical bounds of PETs and provide greater assurance to businesses to innovate with PETs while protecting consumer data”. He said this would help the PDPC better understand what regulatory guidance might be helpful to map a path forward.
When it comes to the future of cross-border data collaboration, Yeong said PETs will be no panacea, as some cases might still require that data, rather than just insights, be shared. However, he said PETs will remain “an additional tool in the toolbox for regulators and compliance officers to make use of”.
As part of an initiative known as the Global Partnership on Artificial Intelligence, the IMDA and the International Centre of Expertise of Montreal for the Advancement of Artificial Intelligence are collaborating on a project to demonstrate how PETs can enable AI systems across multiple jurisdictions relating to such issues as climate action and health. PETs may be a key means of overcoming data barriers between commercial and government entities.
Singapore has also launched a Digital Trust Centre at Nanyang Technological University to deepen research on PETs and other trust technologies.
In the same week as IMDA's announcement, authorities in Estonia issued a procurement call for data professionals, both local and international, to develop and extend the use of PETs in the nation’s “Siri of digital public services” – a system named Bürokratt, which aims to provide people with voice-activated public services.
Ott Velsberg, Estonia’s Chief Digital Officer, told GovInsider that the country is planning to put together a government action plan on using PETs so that agencies can securely provide other agencies with access to sensitive datasets on the basis of consent.
Velsberg said Estonia’s government information systems are decentralised, with each agency maintaining its own datasets. Estonian data regulations stipulate that data can be transferred between registries only for reasons stipulated in the law, and that any new uses would require changes in those rules.
He said that by using PETs such as homomorphic encryption – a form of data encryption which still allows for analysis – agencies can transfer insights and collaborate on projects without handling people’s information at all. He also said PETs such as federated learning – a machine learning technique that trains algorithms across multiple decentralised repositories of data samples without exchanging them – can support agencies in processing data in their own systems and feeding those insights to develop centralised AI models.
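To make "encryption which still allows for analysis" concrete, here is an added example that is not from the article or from any Estonian system: a toy additively homomorphic scheme (Paillier, chosen here as an assumption, since the article names no specific scheme) in which an aggregator sums encrypted counts and only the key holder can read the total. The agency names and counts are constructed, and the key size is far too small for real use.

```python
import secrets
from math import gcd

# Toy Paillier key material. Fixed Mersenne primes keep the example short;
# a ~150-bit modulus offers no real security (production keys are >= 2048 bits).
P, Q = 2**61 - 1, 2**89 - 1

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                           # valid because generator g = n + 1
    return n, (lam, mu)                            # public modulus, private key

def encrypt(n, m):
    """Randomised encryption: the same plaintext yields different ciphertexts."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return (1 + m * n) % n2 * pow(r, n, n2) % n2

def add_encrypted(n, c1, c2):
    """Multiplying ciphertexts adds the hidden plaintexts (mod n)."""
    return c1 * c2 % (n * n)

def decrypt(n, priv, c):
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def aggregate_demo():
    n, priv = keygen()                              # key holder publishes n only
    # Constructed sample data: each agency encrypts its own local count.
    local_counts = {"agency_a": 412, "agency_b": 97, "agency_c": 1530}
    ciphertexts = [encrypt(n, v) for v in local_counts.values()]
    # The aggregator sees ciphertexts only and never holds the private key.
    total_ct = ciphertexts[0]
    for ct in ciphertexts[1:]:
        total_ct = add_encrypted(n, total_ct, ct)
    # Only the combined insight is decrypted, not any individual input.
    return decrypt(n, priv, total_ct), sum(local_counts.values())

if __name__ == "__main__":
    print(aggregate_demo())
```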
Velsberg said that last December, Estonia had carried out pilot projects that generated synthetic data based on actual data. Synthetic data retains the overall characteristics of a dataset, but doesn’t include any specific information on individuals. This could pave another way for making full use of government-held data.
Consent-based data sharing
Estonia’s pilot schemes are taking place alongside efforts to provide individuals with more control over their data and give them rapid access to third-party services. Those efforts were informed by the understanding that for the government to offer people additional services, robust consent services were required.
“We need to respect different spheres of privacy, but at the same time we want to make maximum use of data,” Velsberg told GovInsider.
At the beginning of last year, Estonia’s Information System Authority rolled out a digital consent service that allowed people to give permission to the state to share personal data with an external service provider. The service currently provides people with a choice to share solvency data from the country’s Tax and Customs Board with digital lender Inbank. The bank can use the data to decide quickly whether a person can repay a loan in instalments, helping people avoid having to fill in numerous forms to apply for loans.
Velsberg said the service gives people the option of obtaining comparative offers, allowing them more choice, and even drives down loan interest rates. He said people also have access to a data tracker that gives them an overview of the data collected on them, who is using that data, and for what purpose.
He said more than 15,000 people had already used the service for loans, and that in the future, it might be expanded to facilitate the consent-based sharing of health data so that private sector entities could offer more personalised healthcare.
Velsberg said that PETs could in future help Estonia drive government-business data-sharing by enabling businesses to access only encrypted data or even synthetic data.
At the beginning of the year, a report in the Harvard Business Review said the data economy may soon be organised around gaining insights from consented data, and that sharing such insights would drive innovation, creating a secure data regime that simultaneously offers increased levels of convenience. As demonstrated by the trial schemes undertaken by Singapore and Estonia, government agencies and regulatory bodies are taking steps with PETs to shape the future of just such a data regime.