Privacy-enhancing technologies — also known as PETs — are a facet of cybersecurity you’re most likely using in your personal or professional life, but you may not recognize the term.
“PETs is just a buzzword for any technological tool or step that you take to protect privacy and to ensure the confidentiality, integrity and availability of the data,” said F. Paul Greene, a partner with Harter Secrest & Emery and chair of the firm’s privacy and data security practice group.
Greene likes to think of PETs as being in two primary buckets: traditional privacy-enhancing technologies and more cutting-edge privacy-enhancing technologies.
“Most organizations are applying some form of PET right now,” he said. “Encryption is a PET. Locking your data, using an algorithm to scramble your data so it has to be unlocked to use it; that’s encryption and it is a very traditional and long-standing PET.”
Another common PET is de-identification, Greene says, which can be in the form of removing, redacting or suppressing identifiers.
Higher-level PETs include secure multi-party computation, which involves splitting up a computation across multiple parties where no individual party can see the other parties’ data.
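One common construction for this kind of computation is additive secret sharing. The sketch below is an added example, not taken from the article: three parties learn the sum of their private numbers without any party seeing another's input. The modulus, function names and sample salaries are assumptions, and the scheme assumes parties that follow the protocol and do not collude.

```python
import secrets

MODULUS = 2**61 - 1  # public modulus (assumed); inputs must be smaller than this


def share(value, n_parties):
    """Split value into n random-looking shares that add up to it mod MODULUS."""
    shares = [secrets.randbelow(MODULUS) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % MODULUS)
    return shares


def reconstruct(shares):
    """Only the full set of shares reveals the value; any subset is uniform noise."""
    return sum(shares) % MODULUS


def secure_sum(private_inputs):
    """Return (total, partial_sums); no party ever handles another's raw input."""
    n = len(private_inputs)
    # Step 1: party i splits its input and sends share j to party j.
    sent = [share(v, n) for v in private_inputs]
    # Step 2: party j adds the shares it received, one from each sender.
    partials = [sum(sent[i][j] for i in range(n)) % MODULUS for j in range(n)]
    # Step 3: only the partial sums are published; together they give the total.
    return reconstruct(partials), partials


if __name__ == "__main__":
    salaries = [52000, 61000, 48500]  # constructed sample inputs
    total, partials = secure_sum(salaries)
    print("published partial sums:", partials)
    print("joint total:", total)
```

Each published partial sum is masked by fresh random shares, so it reveals nothing about a single input on its own.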
Another is differential privacy, which utilizes a cryptographic algorithm to add statistical noise to a dataset to make it less likely an individual in that dataset can be identified.
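To make the noise-adding idea concrete, here is an added example (not from the article) that answers a counting query with the Laplace mechanism, one standard way to achieve differential privacy. The article does not name a mechanism, so that choice, the function names, the epsilon value and the sample ages are all assumptions.

```python
import random


def laplace_noise(scale, rng):
    """Laplace(0, scale) sample, built as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_count(records, predicate, epsilon, rng):
    """Noisy count of matching records.

    Adding or removing one person changes a count by at most 1 (sensitivity 1),
    so noise with scale 1/epsilon gives epsilon-differential privacy.
    """
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


def over_65(age):
    return age > 65


# Constructed sample data: ages of people in a small dataset.
AGES = [34, 71, 45, 68, 29, 80, 52, 66, 41, 77]
# The same dataset with one person (age 80) removed.
AGES_WITHOUT_ONE = [a for a in AGES if a != 80]

if __name__ == "__main__":
    # random.Random is used for a repeatable demo only; a real deployment needs
    # a cryptographically secure source and a vetted DP library.
    rng = random.Random(7)
    print("true count:", sum(1 for a in AGES if over_65(a)))
    for eps in (0.1, 1.0, 10.0):
        with_person = dp_count(AGES, over_65, eps, rng)
        without_person = dp_count(AGES_WITHOUT_ONE, over_65, eps, rng)
        # Smaller epsilon means more noise, so the two answers are harder to
        # tell apart and the removed person is better hidden.
        print(f"eps={eps}: with={with_person:.2f} without={without_person:.2f}")
```

A smaller epsilon gives stronger privacy and a less accurate answer; the released value is the noisy count, never the true one.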
“Emerging PETs have gotten a lot of focus because regulators in Europe and elsewhere have been saying, ‘PETs are a good way to lower your privacy risk,’” Greene said. “Companies look at that and say, ‘I want to lower my privacy risk. I’m going to look at PETs.’”
When it comes to risks involved with using PETs, Greene says the primary risk is an organization incorrectly assuming their data is anonymized when they apply a PET.
“Anonymization is a legal term of art under these privacy regimes, and it’s usually a very high bar to meet,” he said.
For example, Greene says that under certain jurisdictions in Europe, something is only anonymized if you destroy the original identifying information and there’s no way to link it back up, even conceptually.
“When you apply PETs, quite often what you’re left with is pseudonymized information,” Greene said. “And that’s great. It’s a way to reduce your overall risk, but under most regulatory regimes, pseudonymized information is not anonymized information, and it’s still considered personal information.”
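The gap between pseudonymized and anonymized data can be checked directly. The following added example (not from the article) replaces an email address with a keyed hash, then shows two ways the records stay linkable: the key holder can rebuild the mapping, and the remaining fields can single out individuals. The field names, key and records are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

KEY = b"constructed-demo-key"  # constructed; a real key would live in a KMS

RECORDS = [  # constructed sample records
    {"email": "ana@example.com", "zip": "14604", "birth_year": 1984, "dx": "asthma"},
    {"email": "ben@example.com", "zip": "14604", "birth_year": 1984, "dx": "flu"},
    {"email": "cai@example.com", "zip": "14620", "birth_year": 1959, "dx": "diabetes"},
    {"email": "dee@example.com", "zip": "14607", "birth_year": 1991, "dx": "asthma"},
]


def pseudonym(identifier, key=KEY):
    """Keyed hash of the direct identifier (HMAC-SHA256, truncated)."""
    digest = hmac.new(key, identifier.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymize(records, key=KEY):
    """Drop the email and replace it with a stable pseudonym."""
    return [
        {"pid": pseudonym(r["email"], key),
         **{k: v for k, v in r.items() if k != "email"}}
        for r in records
    ]


def relink(pseudo_records, known_emails, key=KEY):
    """Whoever holds the key and a list of identifiers can rebuild the mapping."""
    lookup = {pseudonym(e, key): e for e in known_emails}
    return {r["pid"]: lookup.get(r["pid"]) for r in pseudo_records}


def singled_out(pseudo_records, fields=("zip", "birth_year")):
    """Pseudonyms whose remaining fields are unique in the dataset."""
    combos = Counter(tuple(r[f] for f in fields) for r in pseudo_records)
    return [r["pid"] for r in pseudo_records
            if combos[tuple(r[f] for f in fields)] == 1]


if __name__ == "__main__":
    released = pseudonymize(RECORDS)
    print("re-linked by key holder:", relink(released, [r["email"] for r in RECORDS]))
    print("unique on zip + birth_year:", singled_out(released))
```

Running a check like `singled_out` before release shows how many records remain unique on indirect identifiers even after the direct identifier is gone.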
Matthew Wright, Ph.D., endowed professor and department chair of the Department of Cybersecurity at the Golisano College of Computing and Information Sciences at the Rochester Institute of Technology, explains that PETs are any technology that can be used to help protect people’s privacy.
One example of PET technology Wright has worked on is Tor, an open-source, encrypted privacy network that offers the Tor Browser, which hides a user’s IP address and web activity by redirecting web traffic through a network of volunteer-run servers across the world.
“Tor protects your communications, who it is that you’re talking to and what it is that you’re communicating,” he said. “It’s essentially preventing someone like your internet service provider from eavesdropping on what it is that you’re doing.”
Wright points to cryptography, which the National Institute of Standards and Technology defines as “mathematical techniques to transform data and prevent it from being read or tampered with by unauthorized parties,” as the starting point for PETs.
“In the early days of the Internet, there were battles about cryptology,” said Wright, who explained that some people and organizations were worried — from a national security standpoint — about the technology falling into the wrong people’s hands. “It was a real debate at the time.”
An outgrowth of that debate was more discussions and more thinking about privacy and its role in a more online, connected and computerized society, said Wright, who notes that PETs have continued to expand over the past few decades.
“It’s definitely a field that is growing and will continue to grow and I think that a big driver for that is compliance,” said Wright, noting the European Union’s General Data Protection Regulation (GDPR) law and California privacy regulations. “It’s more likely that there’ll be more privacy regulations and not less in the coming years.”
Wright, who is also a board member of the international Privacy Enhancing Technology Symposium, predicts there will also be a broader expectation that one’s privacy is protected by businesses of all sizes.
“As it becomes more normal across industries everywhere, then it starts to become expected practice and best practice,” Wright said. “So, the work on technology that’s been going on in research and development for the last couple of decades is starting to come into fruition as real products and products that a lot of companies are seeing the value in adopting.”
David Wolf, vice president of Just Solutions, Inc., a provider of managed IT services, says that many of the enhanced PET technologies are currently expensive, but he also anticipates them becoming more accessible to small and mid-size businesses down the road.
“I think more businesses and more business software will probably come along and add this as a functionality and feature of how they separate the data and make it more,” Wolf said. “As it becomes more mainstream, there will be lots of options that will be pretty affordable.”
In the meantime, some PETs he suggests businesses and individuals consider using are password managers, which store all passwords in an encrypted format; VPNs (virtual private networks), which are encrypted connections over the Internet; and search engines that do not save IP addresses or keep records of search histories.