An awakened awareness of personal data, how it can be manipulated, and the control individuals have over their own information continues to frame regulatory and commercial interests for the coming year.
The freewheeling days when data collection and usage might be conducted with little scrutiny from individuals or government entities are winding down. Now organizations must sort out plans to comply with emerging laws on data privacy as well as allay their customers' concerns. Experts from Opaque Systems and Immuta shared their perspectives on data privacy trends that will take shape in 2023.
On the international stage, the EU General Data Protection Regulation (GDPR) has already been in effect for more than four years. US domestic policy and legislation on data privacy surfaced at state and national levels in more recent times and even more regulation is expected as additional jurisdictions enter the fray.
While personal data continues to be used for such purposes as recommending marketing and advertising spots, it can also tailor news and political content as well as be used for nefarious intent. Growing mountains of personal data can also be attractive targets for hackers who might ransom the data or otherwise control such information for illicit gains.
Some states have already put laws on data collection and usage into effect, such as the California Consumer Privacy Act, which netted a $1.2 million settlement in August from Sephora. The settlement stemmed from accusations that Sephora did not tell consumers their personal information was sold to other parties -- while also allegedly stating personal information would not be sold.
Other states such as Colorado, Connecticut, Utah, and Virginia also have data privacy laws in place. While a clear federal policy on data privacy has yet to emerge, regulatory gears seem to be turning. The Federal Trade Commission said in August it intended to consider rules on data collection, analysis, and commercial profit gained from the public.
There are also questions about what government agencies might do with data they seek or collect about the populace. For example, the overturning of Roe v. Wade set the stage for states that made abortion illegal to potentially pursue personal information that might be used to enforce their laws.
Data Privacy Challenges
Navigating the data privacy space may become more of a challenge for public and private entities alike.
“The landscape of privacy regulation is becoming more and more stringent,” says Raluca Ada Popa, associate professor of computer science at the University of California, Berkeley, and co-founder/president of Opaque Systems, which is developing a confidential AI platform. The company is built on the MC2 open-source platform, developed at UC Berkeley’s RISE Lab, which lets multiple parties run analytics and machine learning on encrypted collective data without revealing their individual data to each other.
Popa says GDPR was just the beginning, with cookies falling under scrutiny, changing how companies capture and use personal data. “The advertising space is not going to have super-sensitive information about users, but they still want to conduct business,” she says.
It can be hard to comply with newly introduced regulations, Popa says, using data collection techniques that had been the norm until recently. She expects more give and take to meet the new rules. Still, there may be ways for businesses that rely on data collection to have their cake and eat it too in the current environment. “If one adopts modern PETs, privacy enhancing technologies, then there’s less give and take -- less compromise,” Popa says.
Confidential computing, one example of a PET, lets users encrypt their data, she says. “Advertisers don’t have to see all my private emails and phone calls and everything I do online,” Popa says. “That all stays encrypted.” Yet advertisers can still run algorithms on that encrypted data via confidential computing to suggest relevant ads without seeing personal information, she says.
Prior efforts in data privacy put homomorphic encryption and secure multi-party computation to work, though there were tradeoffs with their implementation. Homomorphic encryption, Popa says, allows data to be computed on while it remains encrypted, while secure multi-party computation splits a computation among parties so that no individual party can see the others’ data. “The problem with them is they are very, very, very slow,” she says. “They’re not practical.”
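The secure multi-party computation Popa describes can be illustrated with additive secret sharing, one common building block: each party splits its private value into random shares, so only the aggregate is ever reconstructed. Below is a minimal sketch in Python; the three-hospital scenario and the choice of modulus are illustrative assumptions, not details from the article.

```python
import random

PRIME = 2**61 - 1  # field modulus for share arithmetic (illustrative choice)

def make_shares(value, n_parties):
    """Split a value into n additive shares that sum to it mod PRIME."""
    shares = [random.randrange(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares

# Three hypothetical hospitals each hold a private patient count.
private_values = [120, 45, 230]

# Each party splits its value and sends one share to every party.
distributed = [make_shares(v, 3) for v in private_values]

# Party i sums the shares it received; a single share is just a
# random number, so no party learns another's input.
partial_sums = [sum(distributed[src][dst] for src in range(3)) % PRIME
                for dst in range(3)]

# Combining the partial sums reveals only the aggregate.
total = sum(partial_sums) % PRIME
print(total)  # 395
```

Each individual share is uniformly random, so intercepting fewer than all of a party's shares reveals nothing; only the final combination exposes the sum.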
More recent years brought technology based on hardware enclaves, Popa says, which build memory encryption and security instructions directly into CPUs. “It uses cryptography for extra protection but the fact that it’s hardware-enforced, hardware computes much faster so now it’s practical,” she says.
There might be some friction, however, as organizations may feel the need to buy special hardware for such a layer of data security. “In the past two years or so, major cloud providers have offered confidential computing as a service,” Popa says. “There’s enclaves in those clouds as a service.” That means client customers do not have to procure hardware, making this option more practical.
Confidential Computing Arena
More providers are getting into the confidential computing arena, she says, to meet the growing demand for regulatory compliance. “Gartner has a report where they predict that by 2025, at least 50% of organizations will adopt privacy enhancing technology of the kind that you compute sensitive data, and you do multiparty analytics on sensitive data,” Popa says.
Nowadays, a data breach can compromise vast numbers of records in one go, making control of such data essential to organizations. “The consequences of an attack have become much more dire,” she says.
It is highly unlikely that the flow of data will slow in response to privacy concerns and regulations, especially with many businesses built around leveraging data. “Organizations want to get data in more people’s hands than ever before,” says Steve Touw, CTO of Immuta, which offers a data security platform. The data usage and control he sees within organizations includes people writing their own queries and doing their own analysis, which may create exposure risks.
“When you layer humans on top of raw data it removes that application tier from the equation,” he says. “The application tier used to be where all that security logic lives.” Such vulnerability has organizations looking at ways to protect data more directly. “People joke about Facebook listening to their conversations -- they are, but they are watching your every move to predict what to feed you advertising-wise,” Touw says.
The escalating awareness of that type of data usage has put pressure on organizations to control data better internally. Anonymizing data is nothing new, but more approaches to data security are being put into play. The goal is to furnish data for operations while also allowing people to control what is shared about them. “There’s techniques where you can still derive some insight from data without giving away everything,” Touw says.
Data masking methods available through privacy-enhancing technologies can offer different degrees of privacy, he says. “I think of these like a dimmer switch instead of a light switch,” Touw says, the latter being either fully on or fully off. Legacy methods of controlling data may have been all or nothing, but with PETs the data can be “fuzzed” so it remains usable while still meeting privacy demands. “As GDPR states, if the data is fully anonymized, then you’re not breaking anyone’s privacy by deriving some sort of aggregate metrics from it,” he says. “As soon as you start getting down to targeting individuals, obviously you’re breaking privacy.” PETs allow big-picture questions to be asked of data without targeting individuals, Touw says.
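The “dimmer switch” idea can be sketched as a masking function with progressively coarser output levels, plus a noise-fuzzed aggregate. This is a minimal illustration in Python; the age data, five-year bands, and noise scale are invented for the example and are not taken from Immuta's product.

```python
import random

def mask_age(age, level):
    """'Dimmer switch' masking: progressively coarser views of one value.
    level 0: raw value; level 1: five-year band; level 2: fully suppressed.
    """
    if level == 0:
        return age
    if level == 1:
        low = (age // 5) * 5
        return f"{low}-{low + 4}"
    return "*"

ages = [23, 27, 41, 44, 58]
print([mask_age(a, 1) for a in ages])
# ['20-24', '25-29', '40-44', '40-44', '55-59']

# Aggregate metrics can also be "fuzzed" with random noise so the
# result stays useful without being exact -- the intuition behind
# differential privacy.
noisy_mean = sum(ages) / len(ages) + random.gauss(0, 1.0)
```

Sliding the level up trades analytical precision for privacy, rather than forcing an all-or-nothing choice about exposing the column.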
There may be ways to get close to a happy medium where most parties are content with privacy and the ability to collect and use data. “If you have a legitimate purpose for targeting an individual, you can do contextual controls mixed with data controls,” Touw says, which could include documents required to outline the limits of how data would be used. “Amazon needs to know your address so they can send you your box. That’s a legitimate purpose.”
Non-obvious risks can still be tied to data that organizations believe is being held securely. “Even if I’ve masked your name, address, and credit card number, I can still find you in that row of data if there’s very unique things about you in that row,” he says. “Like, if you’re the only person that owns a 1978 Volvo in whatever zip code you are, and that data exists in that row, I can easily pinpoint you.”
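The Volvo example describes a classic quasi-identifier problem: even with direct identifiers masked, a rare combination of remaining attributes can single a person out. A rough sketch of flagging such unique combinations (the sample rows and column names are invented for illustration):

```python
from collections import Counter

# Direct identifiers (name, card number) are assumed already masked;
# the remaining "quasi-identifier" columns can still single someone out.
rows = [
    {"zip": "02134", "car": "2019 Toyota Corolla"},
    {"zip": "02134", "car": "2019 Toyota Corolla"},
    {"zip": "02134", "car": "1978 Volvo"},  # unique combination
    {"zip": "90210", "car": "2021 Honda Civic"},
    {"zip": "90210", "car": "2021 Honda Civic"},
]

def reidentifiable(rows, keys):
    """Return rows whose quasi-identifier combination appears only once."""
    counts = Counter(tuple(r[k] for k in keys) for r in rows)
    return [r for r in rows if counts[tuple(r[k] for k in keys)] == 1]

risky = reidentifiable(rows, ["zip", "car"])
print(risky)  # [{'zip': '02134', 'car': '1978 Volvo'}]
```

This is the intuition behind k-anonymity: rows whose quasi-identifier combination appears fewer than k times are candidates for further generalization or suppression before the data is shared.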
Touw believes organizations should look at such indirect identifiers and possibly adopt PETs in response, though very few organizations are mature enough to do so on their own. They will have to learn fast or seek out expertise as he sees more regulatory fines putting pressure on organizations to comply with guidance on handling data. “Everyone just needs to agree that privacy is a right of everybody,” Touw says.
What to Read Next:
What the FTC’s Scrutiny of Data Collection and Security May Mean
Can Data Collection Persist Amid Post-Roe Privacy Questions?