Privacy Enhancing Technologies 10 Years Later

For my first post, I’d like to discuss privacy enhancing technologies.

When I was fresh out of graduate school, I joined a start-up called “Zero-Knowledge Systems”. This being in the middle of the dot-com boom, they had 300+ employees, great parties and essentially no revenues!

Beyond the hype and fluff, we created truly innovative solutions to protect online privacy. Their main product was essentially a “mix-net”, somewhat like “Tor”, that masked the users’ IP addresses. I was in what they called the “evil genius” team, working on future products. I was fortunate to work on privacy enhancing credentials based on the work of Stefan Brands.

This technology is awesome (and now belongs to Microsoft): it allowed one to show certificate properties without divulging anything else (even with collusion of the verifier and the certificate issuer). This is highly counter-intuitive. Using these mathematical tricks, we could develop electronic cash that had properties that were almost identical to physical cash: it was impossible to determine who had owned the cash before the current transaction.

This was very exciting stuff at the time.

Despite their amazing potential, these technologies have not really hit the mainstream. Privacy seems to be the realm of lawyers and regulators nowadays. Back in 2000, we did not think things would evolve this way. The internet has changed since then with Google, Facebook, etc. However, I persist in believing that privacy enhancing technologies can more easily solve many of the privacy issues we are dealing with today.

Perhaps, just like mobile payments that are just now starting to take off after being feasible for 10+ years, privacy enhancing technologies should be revisited… The business cases did not fly back then, perhaps they would today.

Also read another related post about the privacy framework:

Public available of ISO/IEC 29100:2011 Privacy framework

Looking forward to hearing your views. I also understand that there are huge variations in how people perceive privacy in different cultures. Perhaps a more fundamental question is whether, in the age of Facebook, we even care strongly about privacy?

JF

Warning: my career has taken many twists and turns, and I have not worked on this for several years and may not have the most up-to-date information.

2 thoughts on “Privacy Enhancing Technologies 10 Years Later”

  1. JF, you bring out a point that very few people discuss in Asia, maybe due to the fact that most Asian regions are just starting on privacy regulation and research. Privacy enhancing technology (PET) applications are very specific, and not many people have experience in such projects in the real world. Your sharing and insight will be invaluable.

    The current development of mobile payment security is towards authenticated transactions. However, when we come to integrating NFC with a GPS-enabled mobile, the issue of privacy invasion emerges. Each transaction record could reveal not only the time and amount but also the user location. There is a risk of the merchant or the banks storing too much information when they process each payment. I believe people will start looking for PET soon when they find out that such a large amount of privacy data could be captured in each transaction.

    One unique feature of cash transactions is anonymity. Will PET bring anonymity to mobile payment platforms?

  2. Particularly in mainland China, privacy is something of a luxury, partly because of the historical Cultural Revolution, which disowned privacy altogether. So far there is still a long way to go to the legislation of a “Privacy Law”. Without legal enforcement, it’s illusory to expect that the website operators, e-commerce companies, and all other cyber entities that collect, process, and do business on PII (Personally Identifiable Information) would spend money to improve their protection around PII. Personally, I am somewhat pessimistic on this.

    Technology can help a little, but only a little.
