Banks Begin Exploring Homomorphic Encryption Use Cases (Part 2)

Josephine Gallagher explores some of the real-life applications of homomorphic encryption in development and the main roadblocks to its adoption.

This is Part 2 of a two-part series that looks at homomorphic encryption. Part 1, which can be found here, looked at what this technology is and whether these solutions can be commercially viable.

Imagine the ability to perform computations on data that, until now, had been unobtainable due to global regulatory regimes. Data privacy and protection laws—most notably the General Data Protection Regulation (GDPR) in Europe, implemented in May 2018—enforce strict rules around data sharing and ensure that those who access personal information are authorized to do so. But what if there was a way to unlock the value of data without actually viewing it or falling afoul of the law? Enter homomorphic encryption (HE).

According to a recent report by the World Economic Forum, homomorphic encryption sits within a family of emerging privacy-enhancing techniques (PETs) that also includes differential privacy, federated analysis, zero-knowledge proofs and secure multi-party computation.

HE is garnering increased attention because it is a cryptographic primitive—or, to put it simply, a building block—allowing firms to share encrypted data with one another and perform computations on the data, without having to decrypt it. As a simple example, firm A sends its encrypted data to firm B, and similarly, firm B sends its encrypted data to firm A.

Both parties then merge their own encrypted data and perform homomorphic computations on the combined dataset through a common set of instructions built into each firm’s analytics tools, to make sense of the encrypted data and derive value from it. Once completed, each party can decrypt the insights from the process using their dedicated encryption keys.  (For a detailed explanation of homomorphic encryption and its origins, click here.)

Although this technique is very much in the early stages of being applied to commercial applications, it could tackle some of the industry’s most pressing problems and unlock the doors to an unlimited supply of data.

“It addresses one of the biggest paradoxes, which is the ‘need to share’ versus the ‘need to know,’” says Flavio Bergamaschi, a senior research scientist at IBM Research Laboratory and the leader of the group developing IBM’s Fully Homomorphic Encryption (FHE) technology.

As homomorphic techniques start to mature, many projects will look to move from development stages into production over the next 12 months, according to sources at both Microsoft and IBM. Today, some of the most significant use cases are still being worked on with banks in meeting rooms and behind closed doors. For this piece, WatersTechnology spoke to specialists in homomorphic encryption, legal experts, and research teams at some of the biggest tech companies in the space to see where the privacy technique is being applied.

Inpher

According to Jordan Brandt, CEO and founder of Inpher, the types of use cases for homomorphic encryption can be categorized into intra- and inter-organizational constructs, and consortia applications. Intra is when a firm seeks to leverage all of its internal data located within various business lines, but has been prohibited from doing so due to restrictions on data sharing.

Inter-organizational is when two or more companies want to pull their data together to build more sophisticated analytics or technologies for, say, tackling financial crime, by applying artificial intelligence (AI) to combined, massive datasets to detect patterns. Cooperation between counterparty firms has also opened up the possibility for firms to build more refined algorithms and AI models by training them with large shared datasets.

“We are finding that there is a very high value in machine-learning applications because they are so hungry for more data,” Brandt says. “The more data that you can feed into these algos, generally the smarter that they get and these [homomorphic encryption] technologies create an ability to provide more data without having the privacy or security concerns of exposing any individual personally identifiable information.”

There have been ongoing discussions about the need to combine resources and intelligence to combat terrorist financing. A major barrier to this has been the reluctance to share sensitive data with other entities. Now the hope is that large consortia, including private companies, industry bodies, governments and regulators, can use homomorphic encryption to prevent unlawful financial activity and defend against the growing number of sophisticated cyber-attacks.

Currently, Inpher is using HE to explore trade-surveillance applications for regulatory authorities, where they can run analytics on trades in order to identify anomalies, such as insider trading, without having to view any of the trader or investor’s personal information.

“Privacy computing or encryption can enable [users] to run forensics and pattern matching on encrypted datasets to identify if there is suspicious trade behavior without actually exposing any of this individual investor information,” Brandt says. “And then if they do identify within a certain probability [that an illegal act had occurred]—for example, there was a bad actor involved—then they could subpoena the specific data that they need to identify with that organization or organizations.”

The firm is working with several clients, including JP Morgan, which led a $10 million Series A funding round for Inpher in November 2018, to leverage internal and external shared datasets that fit into the intra- and inter-organization categories.

Microsoft

While Inpher is a startup gaining traction, some of the biggest tech companies in the world are also very active in this space.

Microsoft is in the middle of developing a platform to allow clients to perform secure computations on the cloud, often referred to as edge-based inferencing. Clients can use its software development kit and Microsoft SEAL, an open-sourced homomorphic encryption library, to encrypt their data and transfer it to the cloud where they can leverage machine-learning analytics tools. Once completed, the client can return the encrypted data to its on-premise systems to decrypt the information.

According to Kim Laine, a senior researcher at Microsoft Research, the tech giant is close to releasing a private preview of the platform. The idea is to initially make the platform available to clients working on proofs of concept to see how it can be deployed in real-life scenarios. It will also be available free of charge to clients with a subscription to Microsoft Azure.

As one example, Marcello Benati, a senior business innovation and strategy leader at Microsoft Research, says this solution could be used by hedge funds for portfolio analysis. In this scenario, the hedge fund could encrypt an aggregate of its client data and send it to the cloud to derive insights on portfolio performance, allowing clients to view the insights that apply to them and compare them with the average performance of portfolios in the hedge fund.

Today, Microsoft offers some homomorphic capabilities via its Microsoft 365 E5 platform. Firms can run basic analysis on data in Excel spreadsheets without employees having to view it.

“So, in E5 you can do things like bring your own key, things like attribute-based access control, role-based access control, and those sort of analytical homomorphic capabilities,” says Lee Bressler, US capital markets lead at Microsoft.

IBM

Another major mover that is actively working with a broad net of multi-industry firms using homomorphic encryption is IBM. The enterprise technology company is currently developing a range of data privacy and security solutions to protect against the misuse of data. As part of these plans, IBM is piloting projects with banks to secure the process in which they can share AI models without having to share the underlying data within the models. This would mean that institutions could combine, trade, or outsource models to third-party firms to enhance their functionality. 

“Banks have all of this data about you and they want to use that to build these AI models,” says Wendy Belluomini, director of AI and cognitive software at IBM. “They want to be able to use that data in a way that is legitimate, they want to market to you in a way that is based on how you are behaving and what your needs may be, but they don’t want to expose that data to someone that doesn’t need to see it.”

Another potential use being explored is the ability to analyze sensitive market data or potentially pull data from multiple exchanges and providers on to a single cloud repository and enable clients to run analysis on the combined resource.

Still, while this type of encryption could transform how firms share and leverage data, it is not without its challenges. Not only is there need for the encryption technology to mature to allow for viable commercial solutions to appear on the market, but a long-term regulatory framework has yet to be determined.

The Roadblocks

Cost and speed are two of the biggest challenges holding homomorphic encryption back. However, some firms such as IBM believe that the technology has reached an inflection point on performance, and others still think there is a tradeoff to be had at this early stage as third parties look to take on the computation of the data for clients.

“With homomorphic encryption, the pure idea is that I can outsource workloads to a third party,” Inpher’s Brandt says. “So, I can encrypt my data and put it in [for example] Amazon Web Services to process it for me, and they can give me the results back. The challenge from the commercial point of view is that the increased computation time and increased cost to compute the data while it is encrypted often counters any economic advantage that I have of using a third-party cheaper service to do the computing.”

He adds that other types of privacy techniques such as multi-party computation (MPC) can operate much faster, but that each use case and application is distinct. Secure MPC is a cryptographic protocol that divides and distributes the data of each party participating in the computation, which means that no individual can see a complete version of the data inputted.

With all privacy-enhancing technologies, the main question is how secure they are. Homomorphic encryption is designed to guarantee the security and privacy of the inputted data, so that third parties cannot decrypt it or access the underlying data. However, for simple computations it does have security flaws: if the calculation is too simple, one party could potentially deduce the value entered by another party.

“That is something that is known as calculating the privacy budget that is independent of the encryption method, where it doesn’t guarantee that the output is not revealing anything about the input data,” Brandt says. “You can think of the encryption method as securing the process and guaranteeing that an adversary or some party cannot decrypt the data or access it, but the output itself can reveal something about the input data.”
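The leak Brandt describes can be reproduced with a few lines of additively homomorphic (Paillier) arithmetic. The block below is an added illustration, not code from Inpher, IBM or Microsoft. It assumes a single toy key pair shared by the participants and constructed sample values, and all function names are hypothetical.

```python
import math
import secrets

# Toy Paillier key from two known Mersenne primes (constructed for this
# example; production systems use 2048-bit or larger moduli and a vetted library).
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # private key
MU = pow(LAM, -1, N)                                # valid for g = N + 1

def encrypt(m: int) -> int:
    """Public-key encryption; fresh randomness makes ciphertexts differ."""
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (pow(N + 1, m, N2) * pow(r, N, N2)) % N2

def decrypt(c: int) -> int:
    """Private-key decryption."""
    return ((pow(c, LAM, N2) - 1) // N * MU) % N

def encrypted_total(ciphertexts):
    """Run by the compute party: multiplying ciphertexts adds plaintexts."""
    total = encrypt(0)
    for c in ciphertexts:
        total = (total * c) % N2
    return total

def learned_by(own_input: int, decrypted_total: int) -> int:
    """What a participant can deduce from the result and its own input."""
    return decrypted_total - own_input

def demo():
    a, b, c = 1_250_000, 830_000, 410_000   # constructed sample exposures
    two = decrypt(encrypted_total([encrypt(a), encrypt(b)]))
    three = decrypt(encrypted_total([encrypt(a), encrypt(b), encrypt(c)]))
    # Two parties: firm A recovers firm B's input exactly.
    # Three parties: firm A learns only b + c, not b alone.
    return two, learned_by(a, two), three, learned_by(a, three)

if __name__ == "__main__":
    print(demo())
```

The compute party never sees a plaintext, yet in the two-party sum the decrypted result alone hands firm A the other firm's figure. This is why the output needs its own privacy analysis, separate from the strength of the encryption.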

On the other hand, as AI and algorithms become more complex and harder to explain, applying them to encrypted technologies could create a whole new paradox. Today, homomorphic encryption effectively operates like a black box to some extent where algos process the encrypted data and churn out a result. How exactly that result comes about is not apparent and it is not possible to validate, as there is no access to the full dataset.

Combining that with AI subsets such as deep neural networks and machine learning could create a whole new range of challenges that firms will have to overcome.

It’s fair to say that there are still many question marks to address in order for homomorphic encryption to gain a footing in the capital markets, one of which is regulation.

Gray Area

When it comes to data-sharing regulations, the transferring of encrypted data is something of a gray area. Rules in the space vary widely from jurisdiction to jurisdiction, with GDPR being one of the most progressive cross-border rules to date. Today, GDPR restricts the transfer of personal data to countries outside of the European Economic Area (EEA). This rule applies to all firms, entities, and business lines that process personal data from within the EEA. The question is, are you GDPR compliant when transferring encrypted data?

In one example, IBM’s Belluomini poses this question: “Let’s suppose I share an encrypted file with you across a border that you didn’t have the key for. Have I really given you anything?”

As encrypted data can only be accessed through a permitted key, there are remaining uncertainties as to how regulators will react to sharing encrypted data across international borders, particularly as other global data protection laws follow in the footsteps of GDPR, such as new proposals in Australia, as well as in the US in California and New York.

“Since the technology is just getting to a proof-of-concept stage to do that, I don’t think the regulators have looked at it all that much, but there are definitely going to be discussions about it,” Belluomini adds.

Currently, GDPR recognizes some privacy methods for transferring data. For example, truly anonymized data is still regarded as GDPR-compliant. However, recent studies—such as a paper published by Imperial College London in July 2019—reveal that even encrypted data could be reverse-engineered by using large datasets to re-identify the personal characteristics removed.

Although GDPR is written as technology-neutral, it seems that more clarification and guidance is required to understand whether homomorphic encryption is a fully valid and compliant method of sharing data.

Others are convinced that the regulators are looking for industry firms to lead on the topic. According to Jake Jacobson, partner for financial services at consultancy EY, global lawmakers are promoting innovative breakthroughs and new ways to secure data.

“One thing that we are seeing in the past 24 months is that regulators are now pushing rather than tapping the brakes,” Jacobson adds. “So, they are sponsoring fintech and regtech events. They are putting innovation out front as a key agenda item, which then kind of gives the banks the permission to go explore and come up with new innovative ideas and come back to seek comment and guidance from the regulators.”

But bringing in the regulatory conversation might be putting the cart before the horse. Homomorphic encryption still has a long way to go before it sees wide-scale adoption in the capital markets. While breakthroughs are happening, especially when it comes to latency, as it pertains to finance, the technology is still in the PoC stage. It will likely take a year or two before more tangible rollouts will be seen, and that’s by the most progressive estimates.

Still, there’s a reason why so many in the field of data science are excited about the possibility of homomorphic encryption—and that excitement is shown in the research and development spend by the likes of IBM and Microsoft, as well as upstarts like Inpher—and that is because it could open up whole new avenues of data exploration by combining datasets. In actuality, it could potentially revolutionize how regulators actually surveil the market—so maybe they won’t be quite such a roadblock, after all.

The future possibilities are limitless, even if right now there is a limit.
