OPINION: The recent revelations that Yahoo scanned customer emails for US intelligence raised a fundamental question: “Do users have control over their data on the internet?” Technically, the short answer is “no”. And that raises the next question: “Can users have control over their data on the internet?”
To have full control over our data, we need to be able to track where it goes, keep it private, and be alerted to, attribute and stop a data breach. In other words, think of full data control as a “remote kill switch”.
A remote kill switch for our online data would have helped Jennifer Lawrence and Pippa Middleton prevent the leaks of their iCloud photos. It reduces the need to trust the IT administrators who run the service.
The recent Yahoo incident rekindles memories of a 2010 incident in which a Google engineer abused his position to repeatedly access user accounts and violated the privacy of at least four minors, stalking them on the now-defunct GTalk chat system.
In both the Yahoo and Google cases, users had no visibility into the provenance of their data (‘what goes on behind the scenes’) because no tools exist to give them that control. Once we upload something to Facebook or Dropbox, we lose control over the fate of our data.
From another perspective, a common security recommendation is to “encrypt all your data”. This is useful for preserving privacy but trades away utility. For a computer to do anything meaningful with your data (eg add two numbers), it conventionally has to see the data in the clear.
Even with technology such as end-to-end encryption (think WhatsApp messenger) protecting data in transit, there is usually a point at which a person or a machine must process the data in unencrypted form on a server “somewhere in the cloud”. That is why an anonymous survey is only as anonymous as the server that processes the responses.
To combine data privacy and utility, several groups of computer scientists are now working on making ‘fully homomorphic encryption’ (FHE) practical. With FHE, a server can compute on encrypted data without decrypting it at any point. This opens up several uses: your bank teller would not need to see the contents of your account to process your transactions on the bank’s systems, and you could vote in an eVoting system without fearing for the privacy of your vote. The important caveat is that whoever holds the decryption key can still read the result, so the benefit comes from separating the party that processes the data from the party that is allowed to decrypt it.
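The following is an added example, not code from this column or from the STRATUS project, showing the idea behind computing on encrypted data. It uses the Paillier cryptosystem, which is only *additively* homomorphic (you can add two ciphertexts, or multiply a ciphertext by a public constant); FHE extends this to multiplying two ciphertexts as well, which is what makes arbitrary computation possible. The voting and bank scenarios above are sketched as a tally server that holds only the public key and never sees a single ballot. The primes `TOY_P` and `TOY_Q` are constructed toy parameters chosen so the example runs instantly; they are an assumption of this example and are not secure.

```python
# Added example (not from the article or the STRATUS project): additively
# homomorphic encryption (Paillier) used to add numbers and tally votes
# without the processing party ever decrypting them.
#
# Assumption: TOY_P/TOY_Q are small constructed primes so the example runs
# instantly. A real deployment needs a 2048-bit or larger modulus and a
# vetted library, not this code.
import secrets
from math import gcd

TOY_P, TOY_Q = 104729, 104723  # constructed toy parameters, NOT secure


def lcm(a, b):
    return a * b // gcd(a, b)


class PublicKey:
    """What the untrusted server holds: it can encrypt and compute, not decrypt."""

    def __init__(self, n):
        self.n, self.n2, self.g = n, n * n, n + 1

    def encrypt(self, m):
        if not 0 <= m < self.n:
            raise ValueError("plaintext out of range")
        while True:  # fresh randomness per ciphertext: same m gives different c
            r = secrets.randbelow(self.n)
            if r > 0 and gcd(r, self.n) == 1:
                break
        return pow(self.g, m, self.n2) * pow(r, self.n, self.n2) % self.n2

    def add(self, c1, c2):
        """Enc(a) * Enc(b) mod n^2 == Enc(a + b): addition on ciphertexts."""
        return c1 * c2 % self.n2

    def scale(self, c, k):
        """Enc(a)^k mod n^2 == Enc(k * a): multiply by a public constant."""
        return pow(c, k, self.n2)


class PrivateKey:
    """Held only by the party allowed to see results (e.g. an election authority)."""

    def __init__(self, p, q):
        if p == q or gcd(p * q, (p - 1) * (q - 1)) != 1:
            raise ValueError("bad primes")
        self.n = p * q
        self.n2 = self.n * self.n
        self.lam = lcm(p - 1, q - 1)
        # mu = L(g^lambda mod n^2)^-1 mod n, with g = n + 1
        self.mu = pow(self._L(pow(self.n + 1, self.lam, self.n2)), -1, self.n)

    def _L(self, x):
        return (x - 1) // self.n

    def decrypt(self, c):
        return self._L(pow(c, self.lam, self.n2)) * self.mu % self.n


def keygen(p=TOY_P, q=TOY_Q):
    sk = PrivateKey(p, q)
    return PublicKey(sk.n), sk


def add_blind(a, b):
    """Server adds two numbers it never sees in the clear."""
    pk, sk = keygen()
    total = pk.add(pk.encrypt(a), pk.encrypt(b))
    return sk.decrypt(total)


def linear_blind(a, b, k):
    """Server computes k*a + b on ciphertexts (k is public, a and b are not)."""
    pk, sk = keygen()
    c = pk.add(pk.scale(pk.encrypt(a), k), pk.encrypt(b))
    return sk.decrypt(c)


def tally_blind(votes):
    """eVoting sketch: each voter encrypts 1 (yes) or 0 (no). The tally server
    multiplies the ciphertexts and learns nothing about individual ballots;
    only the private-key holder learns the final count."""
    pk, sk = keygen()
    ballots = [pk.encrypt(v) for v in votes]   # done on the voters' devices
    running = pk.encrypt(0)                    # tally server: public key only
    for b in ballots:
        running = pk.add(running, b)
    return sk.decrypt(running)                 # authority holding the private key


def ciphertexts_differ(m):
    """Same plaintext encrypted twice: the server cannot even tell two votes
    for the same candidate apart."""
    pk, _ = keygen()
    return pk.encrypt(m) != pk.encrypt(m)


if __name__ == "__main__":
    print(add_blind(12345, 54321))          # 66666
    print(linear_blind(7, 5, 3))            # 26
    print(tally_blind([1, 0, 1, 1, 0, 1]))  # 4
    print(ciphertexts_differ(1))            # True
```

The point to take from the example is the split of roles: the server that does the arithmetic has only `PublicKey`, and the final count is readable only by whoever holds `PrivateKey`. That separation, not the encryption by itself, is what keeps an insider at the processing site from reading individual records.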
Closer to home, I am leading a team of computer scientists and Kiwi tech companies working on MBIE-invested research into creating “remote kill switch”-like solutions with the STRATUS (https://stratus.org.nz) project. Working on data provenance, FHE and situation awareness research, the STRATUS project aims to create a new Kiwi IT sector which exports products and services returning control of data to users. The project is now in its second year, and the team is making progress on scientific breakthroughs and commercialisation. A public engagement forum will take place on December 5, 2016 at the MBIE building in Wellington, and it will be great for my team to hear from you about your ideas and frustrations around the lack of control over our online assets.
If everyone can control their own data online, we will be a step closer towards an internet that protects the privacy and data sovereignty of its users.