This story is part of The Privacy Divide, a series that explores the fault lines and disparities–economic, cultural, philosophical–that have developed around digital privacy and its impact on society.
In 1984, Shafi Goldwasser, then a young professor at MIT, proposed a radical new idea in cryptography: that you could prove something was true without disclosing anything about it. The idea that would lay the framework for much of the cryptography we use today and eventually earn her the prestigious Nobel Prize of encryption, the Turing Award. More than 30 years later, she’s now a startup founder, with the aim of bringing a long-awaited approach to encryption out of the closet. “At some point it became clear that this theory, the mathematics, was efficient enough,” she says of the technique.
Part of the idea behind homomorphic encryption, as the approach is called, is to bring encryption to the places where it’s increasingly needed most. That’s a lot of places. In the last few years, data privacy has become a hot-button issue globally, with high profile scandals and data leaks surrounding prominent companies like Facebook and Equifax resulting in greater privacy awareness among both consumers and businesses. New privacy laws in the EU, California, and Vermont have begun to give citizens more rights around their data. But companies aren’t going to stop collecting data–if anything, data collection is only increasing.
On top of that, companies often share this data with third parties that can analyze it or use it to improve customer experiences, requiring them to give up control over the data that they own. But a growing desire to maintain a hold over data, combined with fear over regulation and public frustration, is leading companies to look for more ways to ensure that private data really does stay private.
The primary reason that companies are collecting so much data is that they can use it to look for patterns. These patterns power the algorithms that provide personalized experiences, from those annoying ads that follow you around the internet to insurance premiums that are calculated using exercise data.
It’s the insights from analysis that are the real value of data–many businesses don’t care about any single individual’s data, but the insights they can glean from the aggregate. That’s why so many businesses claim to protect user privacy by anonymizing large datasets–they can still look for patterns, while appeasing privacy concerns (though we know that most anonymized data is so distinct that it can easily be identified).
But Goldwasser’s startup Duality has an even greater promise: to analyze encrypted data without ever decrypting it. Based on breakthroughs from Goldwasser and several of her cofounders, who are also encryption researchers, the company’s technology could provide an actual solution to the data privacy problem by allowing companies to keep their data fully encrypted and still find patterns in it.
The math behind homomorphic encryption is complex, but CEO and cofounder Alon Kaufman uses a simple metaphor to explain how it works. Imagine that you’ve put your data inside a box to protect it, he explains. You’re the only one who has the key. With homomorphic encryption, you can then give the box to someone else, and they can put their hands in with their eyes closed. That person can shuffle around the numbers inside without ever seeing them.
“It means the entity doing the math doesn’t ever see the data, doesn’t see the answers but can employ the computations,” Kaufman says. “That’s what companies want. They don’t want the raw data, they want to know the insights. They want to know if they should offer you this deal.”
While the ideas behind homomorphic encryption have been around for decades in academia, where it’s been considered one of the holy grails of cryptography, it’s only recently that the technique has gotten good enough—and fast enough—to make it practical and scalable in a business context. (Compared with computation on unencrypted data, the earliest homomorphic encryption systems were a trillion times slower.) Funding for open-source encryption research from agencies like DARPA, IARPA, and the NSA has also helped.
“The applications were out there because there’s more and more data being collected, and it’s clear you can get more by combining [data] rather than working in isolation,” says Goldwasser.
That’s what convinced her to team up with her cofounders and try to bring the cryptographic technique she pioneered in academia to the private sector.
Duality’s first products will be just for businesses, enabling them to share data with third parties that can work with the raw data in the cloud without actually having access to it. Citing privacy reasons, naturally, the company declined to name its clients, but Kaufman says its data scientists are developing algorithms for use in healthcare, insurance, and banking.
For instance, Duality’s technology could also help companies like 23andMe and Ancestry, which have gotten into hot water with regulators over its data privacy practices. These companies would be able to process the data in the cloud or share their analysis with third parties–already a widespread practice–while keeping the raw data completely private.
However, Duality’s consumer possibilities are the most intriguing. For example, let’s say there’s an app that gives you diet recommendations based on your genomic data. You might want the app’s insights but you don’t really want to share your data with the company behind it–after all, who knows who at the company might be able to access it, or what third parties the company will share it with? With homomorphic encryption, you could feasibly encrypt your genetic data, locking it in that proverbial box, Kaufman explains.
“You ship this box to the analytics provider, but you don’t ever give them your key. They [analyze] the data in the box, then give you the answer. The result that comes out is still encrypted, and you take out your key, open the box, and find the answer.”
There are several other companies that are offering business security solutions based on homomorphic encryption, and tech giants like Microsoft and IBM are also working on it, but Duality’s cofounders are the ones who pioneered the technique. Their solution is also one of the most advanced. The company’s algorithms won a computation challenge in November 2018 focused on analyzing a genomic dataset using homomorphic encryption, completing the task faster and with less memory use than any other industry group. Investors have taken note: the company said that month it raised $4 million from venture capital fund Team8, which is backed by companies including Microsoft, Softbank, Wal-Mart, Airbus, and AT&T.
Studying genomics with privacy
Last year, Duality also got a boost from the National Institutes of Health, which gave it grant to apply its privacy-protecting approach to genomics research. Duality’s tech could be a boon for the field, says Sasha Gusev, an assistant professor at Harvard Medical School’s Dana-Farber Cancer Institute who focuses on genome-wide association studies (GWAS), which use large amounts of genetic data to look for variants that are correlated with different diseases. Gusev says that data privacy is becoming an increasingly important challenge in academia, where researchers are aware of the kinds of breaches that have happened in the corporate world and want to ensure that doesn’t happen to their subjects. As a result, many researchers are reluctant to share sensitive health data, even with other academics, because of these security and privacy concerns.
“What we need from GWAS is a fairly simple statistical computation but it relies on very sensitive data,” Gusev says. “Being able to bypass that data sensitivity and report the simple number which ends up being very meaningful was very appealing.”
While he began working with the company as a consultant, Gusev then started working with Duality scientists to create an algorithm that could analyze encrypted genetic data, helping the company’s in-house data scientists understand what elements of the algorithms that he uses in his GWAS research are the most crucial for the analysis. He has co-authored an upcoming study showing that Duality’s encrypted analysis method produces the same quality of results that a non-encrypted dataset does.
Duality has been working with a host of other experts in a similar capacity to Gusev to develop algorithms tailor-made for specific analyses in healthcare, insurance, and banking–industries that usually rely on third-parties to do their data analysis. According to Rina Shainski, Duality’s cofounder and chairwoman, the startup’s next step is to make all of these algorithms available for companies to integrate into their systems. “We would like to be more of a platform that makes it possible to run analytics on encrypted data,” she says. This platform, which she calls a “library of tools,” is slated to launch later this year.
Ultimately, Duality’s technology can’t fix everything about the rampant data violations that occur on a daily basis. Even if every company were using homomorphic encryption, they could still use your data to target you with pesky ads, score you as “risky,” or influence your vote. To address those concerns, we’ll still need regulation to step in to ensure that companies’ practices are secure and good for consumers. But as Kaufman says, technology is the thing that created the data security problem–and technology can also help offer a chance to fix it.