
Privacy-enhancing technologies (PET) are technologies that embody fundamental data protection principles by minimizing personal data use, maximizing data security, and empowering individuals. PETs allow online users to protect the privacy of their personally identifiable information (PII), which is often provided to and handled by services or applications. PETs use techniques to minimize an information system's possession of personal data without losing functionality. Generally speaking, PETs can be categorized as hard and soft privacy technologies.


Goals of PETs

The objective of PETs is to protect personal data and assure technology users of two key privacy points: their own information is kept confidential, and management of data protection is a priority to the organizations who hold responsibility for any PII. PETs allow users to take one or more of the following actions related to personal data that is sent to and used by online service providers, merchants or other users (this control is known as self-determination). PETs aim to minimize personal data collected and used by service providers and merchants, use pseudonyms or anonymous data credentials to provide anonymity, and strive to achieve informed consent about giving personal data to online service providers and merchants.

In Privacy Negotiations, consumers and service providers establish, maintain, and refine privacy policies as individualized agreements through the ongoing choice among service alternatives, therefore providing the possibility to negotiate the terms and conditions of giving personal data to online service providers and merchants (data handling/privacy policy negotiation). Within private negotiations, the transaction partners may additionally bundle the personal information collection and processing schemes with monetary or non-monetary rewards. PETs provide the possibility to remotely audit the enforcement of these terms and conditions at the online service providers and merchants (assurance), allow users to log, archive and look up past transfers of their personal data, including what data has been transferred, when, to whom and under what conditions, and facilitate the use of their legal rights of data inspection, correction and deletion.

PETs also provide the opportunity for consumers or people who want privacy-protection to hide their personal identities. The process involves masking one's personal information and replacing that information with pseudo-data or an anonymous identity.


Families of PETs

Privacy-enhancing Technologies can be distinguished based on their assumptions.


Soft privacy technologies

Soft privacy technologies are used where it can be assumed that a third-party can be trusted for the processing of data. This model is based on compliance, consent, control and auditing. Example technologies are access control, differential privacy, and tunnel encryption (SSL/TLS).


Hard privacy technologies

With hard privacy technologies, no single entity can violate the privacy of the user. The assumption here is that third-parties cannot be trusted. Data protection goals include data minimization and the reduction of trust in third-parties. Examples of such technologies include onion routing, the secret ballot, and VPNs used for democratic elections.


Existing PETs

PETs have evolved since their first appearance in the 1980s. At intervals, review articles have been published on the state of privacy technology:

* A principal, though fundamentally theoretical, overview of terminology and principal anonymization technology is found in Pfitzmann & Hansen's terminology of anonymity.
* In 1997, a report by Goldberg, Wagner and Brewer at the University of California in Berkeley summarized PETs.
* In 2003, Borking, Blarkom and Olk reviewed the technologies from a data protection perspective in their Handbook of privacy enhancing technologies.
* In 2007, Fritsch published an historic, taxonomic and practical overview of contemporary privacy-enhancing technology for the Internet for the research project PETWeb.
* In 2008, Fritsch and Abie documented the gap between implemented PETs and their successful deployment in a research roadmap for PETs.
* In 2015, Heurix et al. published a taxonomy of privacy enhancing technologies.
* A specialization of PET research that looks into increasing the transparency of data processing is called Transparency Enhancing Technologies (TETs). A review article by Janic et al. summarizes developments in TETs. Murmann and Fischer-Hübner published a review of transparency tools in 2017.
* In 2019, the World Economic Forum published a white paper exploring PET use cases in financial technology and infrastructure.
* The Boston Women's Workforce Council published reports in 2017 and 2019 exploring the gender pay gap in a number of Boston-based companies. The data was compared using PETs, to ensure that sensitive employee information remained private throughout.
* In 2020, Identiq published an ebook discussing PETs that are actively being used in identity validation.
* In 2021, the European Data Protection Board, which oversees the enforcement of GDPR, and the European Union Agency for Cybersecurity published technical guidance supporting Secure Multi-Party Computation as a valid privacy-preserving safeguard, applying to both healthcare and cybersecurity use cases.
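The secure multi-party computation behind the Boston pay-gap reports and the EDPB/ENISA guidance above can be illustrated with additive secret sharing: each employer splits every figure into random shares handed to separate computation servers, and only the aggregate is ever reconstructed. The following Python is an added example written for this page, not code from any of those projects; the employer figures, field names, and the assumption of three non-colluding (honest-but-curious) servers are constructed.

```python
import secrets

# All shares live in a prime field so that "secret minus the other shares" wraps
# around and every individual share is a uniformly random field element.
MODULUS = 2 ** 61 - 1


def share(secret, n_parties):
    """Split an integer into n_parties additive shares summing to secret mod MODULUS.
    Any n_parties - 1 of the shares are independent uniform values and carry no
    information about the secret; only the complete set reconstructs it."""
    if not 0 <= secret < MODULUS:
        raise ValueError("secret must be a non-negative integer below MODULUS")
    shares = [secrets.randbelow(MODULUS) for _ in range(n_parties - 1)]
    shares.append((secret - sum(shares)) % MODULUS)
    return shares


def reconstruct(shares):
    return sum(shares) % MODULUS


def private_sum(values, n_servers=3):
    """Sum the values without any single server learning an individual value.

    Each owner splits its value among n_servers computation servers. Server j
    adds up the share it received from every owner (each one looks random to it),
    and the servers' partial sums are combined at the end. Privacy holds as long
    as the servers do not pool their shares (assumed here: at least one is honest).
    """
    columns = [[] for _ in range(n_servers)]
    for value in values:
        for j, s in enumerate(share(value, n_servers)):
            columns[j].append(s)
    partial_sums = [sum(col) % MODULUS for col in columns]
    return reconstruct(partial_sums)


def private_pay_gap(reports, n_servers=3):
    """Aggregate total pay and headcount per gender across employers and return
    population averages, without revealing any employer's own figures.

    reports: list of dicts with the constructed keys women_pay, women_count,
    men_pay, men_count (whole currency units and head counts)."""
    totals = {}
    for key in ("women_pay", "women_count", "men_pay", "men_count"):
        totals[key] = private_sum([r[key] for r in reports], n_servers)
    return {
        "women_total_pay": totals["women_pay"],
        "women_headcount": totals["women_count"],
        "men_total_pay": totals["men_pay"],
        "men_headcount": totals["men_count"],
        "women_average_pay": totals["women_pay"] / totals["women_count"],
        "men_average_pay": totals["men_pay"] / totals["men_count"],
    }


# Constructed sample: two employers' annual payroll figures.
EMPLOYER_REPORTS = [
    {"women_pay": 3_200_000, "women_count": 40, "men_pay": 4_500_000, "men_count": 50},
    {"women_pay": 1_800_000, "women_count": 20, "men_pay": 2_100_000, "men_count": 20},
]

if __name__ == "__main__":
    print(private_pay_gap(EMPLOYER_REPORTS))
```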


Example PETs

Examples of existing privacy enhancing technologies are:

* Communication anonymizers hiding a user's real online identity (email address, IP address, etc.) and replacing it with a non-traceable identity (disposable / one-time email address, random IP address of hosts participating in an anonymising network, pseudonym, etc.). They can be applied to everyday applications like email, Web browsing, P2P networking, VoIP, Chat, instant messaging, etc.
* Shared bogus online accounts. This technology de-links an online account from a specific user's habits by allowing many users to share the account, and setting up fake personal information in the account settings. To accomplish this, one person creates an account for a website like MSN, providing bogus data for their name, address, phone number, preferences, life situation etc. They then publish their user-IDs and passwords on the internet. Everybody can now use this account comfortably. Thereby the user is sure that there is no personal data about him or her in the account profile. (Moreover, he is freed from the hassle of having to register at the site himself.)
* Obfuscation refers to the many practices of adding distracting or misleading data to a log or profile, which may be especially useful for frustrating precision analytics after data has already been lost or disclosed. Its effectiveness against humans is questioned, but it has greater promise against shallow algorithms. Obfuscation also hides personal information or sensitive data through computer algorithms and masking techniques, and can involve adding misleading or distracting data so that it is harder for an attacker to obtain the needed data.
* Access to personal data: Here, a user gains control over the privacy of their data within a service because the service provider's infrastructure allows users to inspect, correct or delete all their data that is stored at the service provider.
* Enhanced privacy ID (EPID) is a digital signature algorithm supporting anonymity. Unlike traditional digital signature algorithms (e.g., PKI), in which each entity has a unique public verification key and a unique private signature key, EPID provides a common group public verification key associated with many unique private signature keys. EPID was created so that a device could prove to an external party what kind of device it is (and optionally what software is running on the device) without needing to also reveal its exact identity, i.e., to prove you are an authentic member of a group without revealing ''which'' member. It has been in use since 2008.
* Homomorphic encryption is a form of encryption that allows computation on ciphertexts.
* Zero-knowledge proof is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x.
* Secure multi-party computation is a method for parties to jointly compute a function over their inputs while keeping those inputs private.
* Ring signature is a type of digital signature that can be performed by any member of a set of users that each have a pair of cryptographic keys.
* Non-interactive zero-knowledge proofs (NIZKs) are zero-knowledge proofs that require no interaction between the prover and verifier.
* Format-preserving encryption (FPE) refers to encrypting in such a way that the output (the ciphertext) is in the same format as the input (the plaintext).
* Blinding is a cryptography technique by which an agent can provide a service to a client in an encoded form without knowing either the real input or the real output.
* Differential privacy: An algorithm is constrained so that the results or outputs of a data analysis can't tell if a certain individual's information is being used to analyze and form the results. This technique focuses on large databases and hides the identity of individual "inputs" who might have private data and privacy concerns.
* Pseudonymization is a data management technique that replaces an individual's identity or personal information with artificial identifiers known as pseudonyms. This de-identification method enables contents and fields of information to be covered up so as to deter attacks and hackers from obtaining important information. These pseudonyms can be either placed in groups or assigned to individual pieces of information. Overall, they serve to discourage information stealing while also maintaining data integrity and data analysis.
* Federated learning is a machine learning technique that trains models across multiple distributed nodes. Each node houses a local, private dataset.
* Adversarial stylometry methods may allow authors writing anonymously or pseudonymously to resist having their texts linked to their other identities due to linguistic clues.
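
To make the differential privacy entry concrete, here is an added example (not from the original article) of the Laplace mechanism on a counting query. It releases a noisy count and then checks the guarantee directly: no released value shifts an observer's belief about whether one record (a constructed person, "Alice") was in the database by more than a factor of exp(epsilon). The toy database and epsilon are constructed values.

```python
import math
import random

# Constructed toy database: 1 = the person has the sensitive attribute being counted.
DB_WITH_ALICE = [1, 0, 1, 1, 0, 1]
DB_WITHOUT_ALICE = DB_WITH_ALICE[1:]   # neighbouring database: Alice's record removed


def count_query(records):
    """The exact, non-private count. Releasing it lets an observer who already
    knows everyone else's record infer Alice's by simple subtraction."""
    return sum(records)


def laplace_mechanism(true_value, sensitivity, epsilon, rng=random):
    """Release true_value plus Laplace(0, sensitivity / epsilon) noise.

    For a counting query the sensitivity is 1: adding or removing one person
    changes the true count by at most 1. A smaller epsilon adds more noise and
    gives stronger privacy."""
    scale = sensitivity / epsilon
    # The difference of two independent Exp(1) variables is Laplace(0, 1).
    noise = scale * (rng.expovariate(1.0) - rng.expovariate(1.0))
    return true_value + noise


def laplace_pdf(x, loc, scale):
    return math.exp(-abs(x - loc) / scale) / (2 * scale)


def max_likelihood_ratio(true_a, true_b, sensitivity, epsilon, outputs):
    """Largest ratio Pr[output | database A] / Pr[output | database B] over the
    candidate outputs. epsilon-differential privacy guarantees this never exceeds
    exp(epsilon) when A and B differ in one record, so no released value lets an
    observer confidently decide whether Alice was included."""
    scale = sensitivity / epsilon
    return max(laplace_pdf(o, true_a, scale) / laplace_pdf(o, true_b, scale)
               for o in outputs)


if __name__ == "__main__":
    eps = 0.5
    true_count = count_query(DB_WITH_ALICE)
    print("noisy count:", round(laplace_mechanism(true_count, 1, eps), 2))
    grid = [i / 10 for i in range(-100, 150)]   # outputs to examine
    print("max likelihood ratio:", max_likelihood_ratio(
        true_count, count_query(DB_WITHOUT_ALICE), 1, eps, grid))
    print("exp(epsilon):        ", math.exp(eps))
```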

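As an added illustration of computation on ciphertexts (not part of the original article), the following implements the Paillier cryptosystem, a well-known additively homomorphic scheme: parties encrypt their values under a shared public key, anyone can add the ciphertexts together, and only the private-key holder can decrypt the total. The key uses two well-known primes, 10^9+7 and 10^9+9, chosen here for readability rather than for security.

```python
import math
import secrets

# Constructed toy key built from two well-known primes (10**9 + 7 and 10**9 + 9).
# They are far too small for real use, where primes of 1024 bits or more are needed.
P, Q = 1000000007, 1000000009


def _L(u, n):
    """Paillier's L function: (u - 1) / n, exact whenever u = 1 (mod n)."""
    return (u - 1) // n


def keygen(p, q):
    """Return ((n, g), (lambda, mu)) for the Paillier cryptosystem."""
    n = p * q
    n_sq = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    g = n + 1                                           # standard generator choice
    mu = pow(_L(pow(g, lam, n_sq), n), -1, n)           # modular inverse (Python 3.8+)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Randomised encryption: encrypting the same m twice gives different
    ciphertexts, so an observer cannot tell equal contributions apart."""
    n, g = pub
    n_sq = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq


def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    return (_L(pow(c, lam, n * n), n) * mu) % n


def add_encrypted(pub, c1, c2):
    """Homomorphic addition: the product of two ciphertexts decrypts to the sum
    of their plaintexts (mod n). Only the public key is needed for this step."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def encrypted_total(pub, ciphertexts):
    """Sum ciphertexts contributed by different parties without decrypting any
    of them; only the holder of priv can read the resulting total."""
    total = encrypt(pub, 0)          # an encryption of zero is the neutral element
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


if __name__ == "__main__":
    pub, priv = keygen(P, Q)
    contributions = [encrypt(pub, v) for v in (5, 7, 9)]
    print("sum of private contributions:",
          decrypt(pub, priv, encrypted_total(pub, contributions)))
```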

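An added example (not from the original article) for the pseudonymization entry: it contrasts an unkeyed hash, which anyone holding a list of candidate identifiers can map back to people, with a keyed HMAC pseudonym that keeps one person's records linkable for analysis while the mapping back stays with whoever holds the key. The records, identifiers and field names are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample records as a data controller might hold them.
RECORDS = [
    {"email": "alice@example.com", "dept": "engineering", "salary": 91000},
    {"email": "bob@example.com", "dept": "sales", "salary": 64000},
    {"email": "alice@example.com", "dept": "engineering", "salary": 95000},
]

# Constructed candidate list that an analyst might already hold (e.g. a staff
# directory). Unkeyed hashes of such identifiers are trivially re-linked to it.
KNOWN_IDENTIFIERS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_pseudonym(identifier):
    """Unkeyed hash: deterministic and public, so it is not a real pseudonym;
    anyone with a candidate list can rebuild the mapping."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def keyed_pseudonym(identifier, key):
    """HMAC-SHA256 under a secret key held only by the controller. Records of the
    same person still share a pseudonym (analysis keeps working), but the mapping
    back to the identifier cannot be rebuilt without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Replace the direct identifier with a keyed pseudonym, keeping other fields."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k != "email"}
        row["pid"] = keyed_pseudonym(r["email"], key)
        out.append(row)
    return out


def linkability_check(pseudonyms, candidates, pseudonym_fn):
    """Controller-side test: how many pseudonyms can be mapped back to an
    identifier by someone who knows the candidate identifiers and the pseudonym
    function but not the key? Returns {pseudonym: identifier} for each match."""
    table = {pseudonym_fn(c): c for c in candidates}
    return {p: table[p] for p in set(pseudonyms) if p in table}


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated once, stored apart from the data
    naive = [naive_pseudonym(r["email"]) for r in RECORDS]
    print("unkeyed: re-linked", len(linkability_check(naive, KNOWN_IDENTIFIERS, naive_pseudonym)),
          "of", len(set(naive)))
    keyed = [row["pid"] for row in pseudonymize(RECORDS, key)]
    print("keyed:   re-linked", len(linkability_check(keyed, KNOWN_IDENTIFIERS, naive_pseudonym)),
          "of", len(set(keyed)))
```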
Future PETs

Examples of privacy enhancing technologies that are being researched or developed include limited disclosure technology, anonymous credentials, negotiation and enforcement of data handling conditions, and data transaction logs.

Limited disclosure technology provides a way of protecting individuals' privacy by allowing them to share only enough personal information with service providers to complete an interaction or transaction. This technology is also designed to limit tracking and correlation of users' interactions with these third parties. Limited disclosure uses cryptographic techniques and allows users to retrieve data that is vetted by a provider, to transmit that data to a relying party, and have these relying parties trust the authenticity and integrity of the data.

Anonymous credentials are asserted properties or rights of the credential holder that don't reveal the true identity of the holder; the only information revealed is what the holder of the credential is willing to disclose. The assertion can be issued by the user himself/herself, by the provider of the online service or by a third party (another service provider, a government agency, etc.). For example: online car rental. The car rental agency doesn't need to know the true identity of the customer. It only needs to make sure that the customer is over 23 (as an example), that the customer has a driver's license, health insurance (i.e. for accidents, etc.), and that the customer is paying. Thus there is no real need to know the customer's name, address or any other personal information. Anonymous credentials allow both parties to be comfortable: they allow the customer to reveal only as much data as the car rental agency needs for providing its service (data minimization), and they allow the car rental agency to verify their requirements and get their money. When ordering a car online, the user, instead of providing the classical name, address and credit card number, provides the following credentials, all issued to pseudonyms (i.e. not to the real name of the customer):

* An assertion of minimal age, issued by the state, proving that the holder is older than 23 (note: the actual age is not provided)
* A driving licence, i.e. an assertion, issued by the motor vehicle control agency, that the holder is entitled to drive cars
* A proof of insurance, issued by the health insurance
* Digital cash

Negotiation and enforcement of data handling conditions. Before ordering a product or service online, the user and the online service provider or merchant negotiate the type of personal data that is to be transferred to the service provider. This includes the conditions that shall apply to the handling of the personal data, such as whether or not it may be sent to third parties (profile selling) and under what conditions (e.g. only while informing the user), or at what time in the future it shall be deleted (if at all). After the transfer of personal data has taken place, the agreed-upon data handling conditions are technically enforced by the infrastructure of the service provider, which is capable of managing and processing data handling obligations. Moreover, this enforcement can be remotely audited by the user, for example by verifying chains of certification based on Trusted computing modules or by verifying privacy seals/labels that were issued by third party auditing organizations (e.g. data protection agencies). Thus instead of the user having to rely on the mere promises of service providers not to abuse personal data, users will be more confident about the service provider adhering to the negotiated data handling conditions.

Lastly, the data transaction log allows users to log the personal data they send to service provider(s), the time at which they do it, and under what conditions. These logs are stored and allow users to determine what data they have sent to whom, or to establish the type of data that is in the possession of a specific service provider. This leads to more transparency, which is a pre-requisite of being in control.


See also

* Crypto-shredding
* Cypherpunk
* Digital credentials
* Digital self-determination
* Enhanced privacy ID (EPID)
* Identity management
* Information privacy
* Information processing
* Information security
* Privacy
* Privacy by design
* Privacy Engineering
* Privacy-enhanced Electronic Mail
* Privacy software
* Privacy policy
* Self-sovereign identity



External links

PETs in general:
* The EU PRIME research project (2004 to 2008) aiming at studying and developing novel PETs
* About PETs from the Center for Democracy and Technology
* Annual symposium on PETs
* Report about PETs from the META Group, published by the Danish ministry of science (broken link)

Anonymous credentials:
* IBM Zürich Research Lab's idemix
* Stefan Brands' U-Prove digital credentials ('credentica'), which is now owned by Microsoft: U-Prove

Privacy policy negotiation:
* The W3C's P3P
* IBM's EPAL
* Sören Preibusch, Implementing Privacy Negotiations in E-Commerce, ''Discussion Papers of DIW Berlin'' 526, 2005