Data governance is in desperate need of innovation
Jeremy Bradley-Silverio Donato is Chief of Staff at Zama, an open source framework for securing AI applications in the cloud. Lorrayne Porciuncula is the Executive Director of the Datasphere Initiative. They discuss how the data governance policy landscape is evolving and examples of the new technologies that can offer innovative ways of transferring and securing data.
How has the thinking on data governance evolved over the past decade?
Lorrayne Porciuncula, Datasphere Initiative
From a policy perspective, historically, from about the late seventies, the topic of data governance has been framed with a focus on concerns around privacy and data protection. It became a trade issue at the end of the nineties and since then there has been very little progress in multilateral fora in terms of finding a common vocabulary to discuss data governance more systemically, and to measure the value of data, both from an economic and social perspective.
Jeremy Bradley, Chief of Staff, Zama
If we look at the private sector, many companies have to deal with the problem of data governance. In the past years, the amount of data collected has grown, and very often this data is sensitive. Many laws and international regulations (such as the European Union’s General Data Protection Regulation) act to protect this data. But companies might be victims of attacks and data theft even with these regulations in place. Many examples have happened recently. This has a strong judiciary and economic cost for companies. Better solutions are required: crypto can help.
Why can data governance be challenging?
Jeremy Bradley, Chief of Staff, Zama
With the advent of the internet, the amount of private data we generate has increased exponentially — and with it a massive rise in data breaches and mass surveillance.
These sorts of risks can be mitigated with end-to-end encryption in our everyday apps such as WhatsApp, however, techniques such as ‘Encryption’ can sometimes be used as a buzzword these days which can be unhelpful for data governance.
Many websites and online services claim to be encrypted and most of us rest assured that our data is protected as we navigate around the internet. However, when a service provider claims that your data is being encrypted on the internet, it often just means that the data is transformed into an insignificant form that no one can make use of, except if they hold a private key that allows decryption. The reverse operation, encryption, transforms useful data into random data, and decryption can transform it back to its original form. However, there is a point where the data needs to be decrypted, and that point comes just before it is necessary to compute the data. At this point, the data is left unencrypted and ripe for interference. If the data is sensitive, we should not allow online services to access them. Something more than just encryption/decryption is necessary.
Lorrayne Porciuncula, Datasphere Initiative
What Jeremy points to here is an interesting example of how buzz words around data governance can lead to confusion on how data is managed and secured.
If we look at policy debates, data governance is increasingly challenging because the world of data is growing. Data is different from traditional goods and services, very diverse, and prone to overlapping models of classification. This complexity is exasperated by the many different actors connected by non-linear value chains in the data economy.
The issue of data governance, therefore, becomes very complex, and innovative frameworks are needed for us to address competing policy objectives and also clarify how different techniques such as encryption and others can be used.
How can we shift the perspective on data governance and consider more innovative models for transferring as well as securing data?
Lorrayne Porciuncula, Datasphere Initiative
Approaching the environment in which all digital data exists as a global Datasphere could provide the fundamental perspective shift needed for the holistic multi-disciplinary approach that governing data for the public interest requires.
For example, discussion on data governance often focuses on the location of data. Like the atmosphere or the stratosphere, the concept of the Datasphere can de-territorialize data and frame it as an ecosystem and a common resource.
This encourages us to take a step back and question whether we should be concerned with only the location of storage and processing of data, or rather who is collecting and accessing the data and for what purposes.
At the Datasphere Initiative, our intention is to use the concept of the Datasphere, defining it as — the ecosystem encompassing all types of data and the complex dynamics between data, human groups, and norms — to help overcome some of the current tensions and polarization around data and encourage a new, holistic and positive approach.
Jeremy Bradley, Chief of Staff, Zama
A first step in shifting perspective on data governance is recognizing that we need mechanisms to secure data end to end, from the time we send it, to the time we receive it, and on any result inferred from it. Until recently, this wasn’t part of the cryptography toolkit.
Fortunately, there are innovative models for transferring as well as securing data and true end to end encryption can now be provided for by what we call Fully Homomorphic Encryption (FHE for short).
FHE is a technology that enables processing data without decrypting it. This means companies can offer their services without ever seeing their users’ data — and users will never notice a difference in functionality. With data encrypted both in transit and during processing, everything we do online could now be encrypted end to end, not just sending messages. This also means no data theft and, importantly, the location of the server is kept private.
How is homomorphic encryption different from other tools and do you have any real-life examples and applications?
Jeremy Bradley, Chief of Staff, Zama
Homomorphic encryption is an extension of public-key cryptography, but it has an additional evaluation capability for computing over encrypted data without access to the secret key. The result of such computation thus remains encrypted.
Other privacy-preserving solutions are possible, but FHE is the easiest to deploy and offers functionalities that other technologies cannot offer. It was not usable until a few years ago, but the advancement has been impressive, and we can now see some real-world applications with FHE.
For sensitive data, such as healthcare information or contact tracing, FHE can be used to enable new services by removing privacy barriers inhibiting data sharing or by increasing security to existing services. Predictive analytics is another strong use case. Predictive analytics are typically hard to apply via a third-party service provider due to data privacy concerns. FHE would allow a predictive analytics service provider to operate on encrypted data instead, meaning these privacy concerns would be diminished. Moreover, even if the service provider’s system is compromised, the data would remain secure, because it is encrypted all the time.
At Zama, we believe that all online services should offer full end-to-end encryption. You should be able to rely on the knowledge that any service using private data is transferring and manipulating only encrypted data. This way, you can make sure your sensitive information is never leaked by the service provider.
How can we catalyze these sorts of innovations for data governance?
Lorrayne Porciuncula, Datasphere Initiative
We need a platform to discuss data that is truly global and cross-sectoral. We need the participation of the global south of companies of all sizes from sectors such as health, agriculture, and transport to name a few. We need better institutions that are agile to advance not only normative measures but also tech-enabled ones that foster trust, prosperity, sustainability, and well-being for all.
The work of actors like Zama is exemplary of the type of innovations that can emerge when we privacy is not seen as opposed to the usability of data. We need to take stock of these innovative solutions and business models, such as those offered also by data fiduciaries and data collectives and imagine their use and applicability in a variety of contexts, including to advance the global debate around data governance. At the Datasphere Initiative, we plan to provide a space for that type of exchange with the goal to catalyze human-centric technical, policy, and institutional innovations.
Learn more about end to end encryption with this 6-minute introduction from the Zama team here: 6min.zama.ai
Many thanks to Ilaria Chillotti, Director of Research at Zama, who contributed to this article.
If you’re interested in getting the latest news about homomorphic encryption and what we do at Zama, you can subscribe to our newsletter.
We are hiring! Join Zama and help us safeguard privacy by making the internet encrypted end-to-end. All the info here: jobs.zama.ai
We’re open source — follow Zama’s CONCRETE library on Github here: github.com/zama-ai