Post on 08-Feb-2022
Secure Private Computing-as-a-service Proposal for a technical public consultation
by the UNECE HLG-MOS Project on Input Privacy Preservation (IPP)
Fabio Ricciato Eurostat - Unit A5 ‘Methodology; Innovation in Official Statistics’
2021 Workshop on the Modernisation of Official Statistics - IPP Project Webminar
16 November 2021
Privacy Enhancing Technologies (PET)
Output privacy solutions: how to sanitize the output after computing, before releasing it, so that individual input records cannot be re-identified
• Differential Privacy
• Statistical Disclosure Control
Input privacy solutions: how to let somebody compute the output without letting them see the input
• Secure Multi-Party Computation (SMPC)
• Trusted Execution Environment (TEE)
• Homomorphic Encryption (HE)
• other ad hoc protocols …
Input privacy solutions are referred to here as Secure Private Computing (SPC), also known as Privacy-Preserving Computation (PPC)
Context: inter-organization data processing
• Increasing appetite for producing information (e.g., statistics, analyses) from the combination of data held by different organizations (private companies, public institutions)
• Statistical authority/ies acting as output party, input party or both
• Increasing pressure to strengthen safeguards, "technical and organisational measures" for protecting the data
• legal requirements by Data Protection Authorities
• necessary condition to build public trust and public acceptance
[Diagram: More data, Higher risks, Stronger safeguards, More trust; SPC]
Options
Consider two or more public organizations that have a need (or at least an interest) to produce information from the joint processing of their confidential datasets. What options do they have?
1. Abstain from the project → loss of public benefit
2. Execute the project via traditional data sharing, i.e. move the data → increase of risks (data misuse, but also reputational)
3. Build an ad-hoc SPC infrastructure dedicated to the project → often impractical due to high costs (time, staff resources, budget) and lack of appropriate skills
4. SPC-as-a-service: execute the project by using the SPC services made available on demand by a trusted SPC infrastructure that is designed/specified/procured/deployed/certified/etc. by a public institution (or consortium thereof) acting as SPC provider and made available on demand to SPC users
Note: the marginal cost (per project) for SPC users is not zero, but should anyway be considerably lower than setting up (by internal development or procurement) an ad-hoc infrastructure dedicated to a single use-case
Secure Private Computing-as-a-service
[Diagram: Secure Private Computation platform; roles: Platform Maintainer, Controllers & Auditors, Input parties, Output parties. Computation Instance #1: Institution A, Institution B. Computation Instance #2: Institutions A, B, C, D and E.]
Key aspects
• What is an SPC infrastructure? The term infrastructure is meant here to refer to a combination of technological and non-technological components, including e.g. organisational measures, business processes, legal and contractual aspects, liabilities, etc.
• hardware + software + … humanware (*)
• What is the role of the SPC-as-a-service provider? Build the infrastructure & build trust in the infrastructure. NB: I'm not sure these two items are really distinct from each other, but it's anyway useful to spell them out distinctly
(*) see https://doi.org/10.1017/dap.2020.7
Key design features of the SPC-as-a-service model
• No single point of trust: no single party should hold full control over the process and/or access to the data (not the SPC provider, not the technology provider, …)
• distribute control across multiple selected actors; select actors that are semi-trusted individually and can be trusted collectively → part of the trust engineering task
• balance complexity (not too many) vs trustworthiness (not too few); ensure credibility and mutual independence among the selected actors
• Close the data, open everything else: for each computation instance, ensure full transparency as to (i) the purpose of the processing; (ii) the participating organisations; (iii) what input data are (re)used; (iv) a detailed description of methods and desired output, including the kind of output privacy protections (if applicable)
Ok, let's build it … but first let's specify it!
Before building a (first version of) an SPC infrastructure, we need to formulate a list of specifications, i.e. answer questions like …
• What SPC services to offer? Initial focus on Private Set Operations with analytics. Scenario: two or more input parties have lists of structured records (micro-data) and need to execute some simple analytic primitive (e.g. counting) on the intersection or union of their sets
• To which users? Any combination of public/private organizations, with the constraint that at least one input or output party is a statistical authority.
• …
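The private set operation with analytics sketched above, as an added worked example that is not code from the UNECE IPP project or from any SPC platform: two input parties hold lists of pseudonymised record keys, a Diffie-Hellman-style commutative-exponentiation PSI-cardinality protocol (Meadows 1986; Huberman, Franklin and Hogg 1999) lets the output party count the intersection, and derive the union count, without either party seeing the other's records (the input-privacy side of the PET taxonomy slide), and the count is then released with Laplace noise as an output-privacy step. Everything beyond the slides is an assumption made here: the group (RFC 3526 group 14, re-verified at import time), the hash-to-group construction, the semi-honest adversary model, the choice of the Laplace mechanism and of epsilon, and the sample record keys, which are constructed.

```python
import hashlib
import math
import secrets

# RFC 3526 group 14, the 2048-bit MODP safe prime p = 2q + 1 (transcribed from
# the RFC; check_group() re-verifies it with Miller-Rabin before first use).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2  # prime order of the quadratic-residue subgroup

def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases; enough to sanity-check a fixed constant."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_group():
    """True iff p and q = (p-1)/2 are (probable) primes, i.e. p is a safe prime."""
    return is_probable_prime(P) and is_probable_prime(Q)

def hash_to_group(record_key):
    """Map a record key into the order-q subgroup by squaring SHA-256(key) mod p."""
    h = int.from_bytes(hashlib.sha256(record_key.encode()).digest(), "big") % P
    return pow(h, 2, P)

class Party:
    """An input party: a list of record keys plus a secret exponent k in [1, q-1]."""

    def __init__(self, records):
        self.records = list(records)
        self.key = 1 + secrets.randbelow(Q - 1)

    def blind_own(self):
        """Sent to the peer: H(x)^k for each own record, in shuffled order."""
        out = [pow(hash_to_group(r), self.key, P) for r in self.records]
        secrets.SystemRandom().shuffle(out)
        return out

    def blind_peer(self, blinded):
        """Raise the peer's blinded values to own key; the shuffle stops the
        peer from mapping matches back to the items it sent."""
        out = [pow(v, self.key, P) for v in blinded]
        secrets.SystemRandom().shuffle(out)
        return out

def intersection_cardinality(alice, bob):
    """Alice (output party) learns |A ∩ B| and nothing about Bob's records
    beyond |B|; Bob learns only |A|. Both set sizes leak by design."""
    a_ka = alice.blind_own()            # A -> B : H(a)^ka
    a_ka_kb = bob.blind_peer(a_ka)      # B -> A : H(a)^(ka*kb)
    b_kb = bob.blind_own()              # B -> A : H(b)^kb
    b_kb_ka = alice.blind_peer(b_kb)    # A local: H(b)^(kb*ka)
    # Exponentiation commutes and k is invertible mod q, so two values collide
    # exactly when the underlying records are equal.
    return len(set(a_ka_kb) & set(b_kb_ka))

def union_cardinality(alice, bob):
    """|A ∪ B| from the two (leaked) set sizes and the private intersection count."""
    sizes = len(set(alice.records)) + len(set(bob.records))
    return sizes - intersection_cardinality(alice, bob)

def laplace_sample(scale, uniform):
    """Inverse-CDF Laplace(0, scale) from uniform in [0, 1). Floating-point
    Laplace leaks through the mantissa (Mironov 2012); a real release should
    use a snapped or discrete mechanism instead."""
    u = uniform - 0.5
    tail = max(1.0 - 2.0 * abs(u), 2.0 ** -53)  # keep log() away from 0
    return -scale * math.copysign(1.0, u) * math.log(tail)

def dp_count(count, epsilon, rng=None):
    """epsilon-DP release of a count: sensitivity 1, so Laplace scale 1/epsilon."""
    rng = rng or secrets.SystemRandom()
    return count + laplace_sample(1.0 / epsilon, rng.random())
```

Usage: `Party([...])` for each institution, then `intersection_cardinality(alice, bob)` run by the output party, followed by `dp_count(exact, epsilon)` before publication. What the example does not give you is exactly what the rest of the deck is about: it is secure only against parties that follow the protocol, it leaks both set sizes, it covers only two input parties, and whoever runs it holds both keys' outputs in one place, so the "no single point of trust" requirement still has to come from the platform's shared-control design, not from the cryptography alone.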
How to build trust into the infrastructure?
• This is the main challenge: Trust Engineering (https://doi.org/10.1017/dap.2020.7). Complex answer, as it intermingles technological and non-technological aspects.
• Idea: ask the question to those that will eventually be concerned, via a public consultation (informal, technical)
• Public consultation as a way to pull expert knowledge: to identify possible solutions to known challenges but also to identify additional challenges and critical points
• Side benefit: probe general interest for the SPC-as-a-service model
Scope and targets of the public consultation
• Which "experts" to address? A wide and diverse range of expertise is relevant, including:
• Technology experts (computer science, cryptography, IT security …) and legal experts
• Privacy advocates, civil rights activists
• Researchers and scholars in relevant disciplines, e.g. Critical Data Studies, politics, e-government …
• Potential SPC users: statistical authorities, other public bodies, private data holders
• Mind that technology is a means, not the goal! Ask primarily "what should be achieved [by the technology]"; the question "what technology can [help to] achieve that" comes later
Examples of (initial) questions 1/2
1. Certifications and technical standards: what kinds of certifications, and by which certification bodies, do you think should be required? Which technical standards should the envisioned SPC infrastructure comply with?
2. Independent audits, penetration tests: should independent audits, penetration tests or other similar actions be required? If so, how should they be organised and by whom?
3. Open-source: considering the current stage of technological maturity for SPC technologies, do you think there should be an explicit requirement that the SPC infrastructure be based purely on open-source software and hardware components? What could be the benefits and the potential risks of imposing a stringent requirement in this sense?
4. Inter-operability: in which ways may the SPC provider ensure interoperability of the SPC infrastructure and prevent vendor lock-in effects, considering that the most mature SPC solutions tend to be proprietary nowadays?
Examples of (initial) questions 2/2
6. Distributed (shared) control: how important (or not important) is it to ensure that control over the computation process is shared among multiple actors, so as to avoid any single point of trust? If this requirement is important, how should these actors be selected (e.g. based on what criteria, whether governmental or non-governmental organizations, etc.)? And what would be the role, duty and commitment of the selected actors?
7. Infrastructure governance model: what are the key elements that a governance model for the SPC infrastructure should incorporate in order to strengthen public trustworthiness in the infrastructure? What entities should be called to "share control"?
8. Procedures: what are the key ingredients of the procedures that should be put in place in order to ensure trustworthiness of each individual SPC transaction and of the SPC infrastructure as a whole? (e.g. preventive authorisation, ex-post controls, regular audits, …)
9. …
Proposed roadmap (tentative)
• Finalize formulation of questions and launch of the consultation via EU Survey – December '21
• Closing date for replies – end of March '22
• Analyse responses and draft a summary report – end of April '22
Thanks for your attention
Fabio.Ricciato@ec.europa.eu