CROSSING BORDERS OF ORGANIZATIONAL SILOS - USE CASES OF MPC IN DECISION MAKING

@HEILIGE GEESTTAFEL, COSIC, KU LEUVEN, 2018.11.30

BALDUR KUBO

ACCOUNT MANAGER

E-MAIL: baldur.kubo@cyber.ee

WEB: sharemind.cyber.ee



DATA-DRIVEN SERVICES ON CONFIDENTIAL DATA

ABOUT CYBERNETICA

• Estonian ICT company, founded in 1997

• Successor of the Institute of Cybernetics of Estonian Academy of Sciences

• Mission-critical e-government, information security, radio communications and surveillance products and systems

• We inspire new areas of advancement with research and development

• Team of 140 people, 10% PhD-s

• 50% exports (Main markets: Indonesia, USA, EU).


CYBERNETICA’S OPERATIONS

• Software:

  • Sharemind® Platform for Confidential Data Analysis

  • SplitKey Authentication and Digital Signature Platform

  • UXP® for Interorganisational Data Exchange

  • TIVI® Internet Voting (subsidiary with Smartmatic)

• Systems:

  • Coastal Maritime Communication

  • Border Surveillance

• Secure Software Development: energy (smart-grid), tax and customs, homeland security, defence, cybersecurity, authentication and digital signatures

• R&D: information security (cryptography), consulting


DEPARTMENT OF PRIVACY TECHNOLOGIES


HIGHLIGHTS

• Privacy Analytics/IQVIA, Canada – healthcare data/pharmaceutical research, Sharemind MPC (2018)

• Police and Borderguard - Processing of biometric data. Process and risk analysis, design (2018)

• Positium LBS – R&D of a Privacy-preserving tourism statistics system on mobile Big Data, Sharemind HI (2016+)

• Smart City government – employee satisfaction and dedication survey. Thank you, Alexandra Institute and Partisia for the shared efforts leading to success, Sharemind MPC (2016).

• CentAR (ITL, Ministry of Education and Science) - Privacy-preserving linkage and statistical analysis using administrative data, Sharemind MPC (2015, 2016)


SERVICES

Differentiation

Risk

Compliance

• Privacy by Design - consulting and training - process design

• Selection of Privacy-enhancing technologies

• Qual.-/Quant assessment

• Mapping of attack vectors

• Cryptographic security analysis

• Analysis of privacy leakage

• Support of compliance assessment

Deployment of Privacy-Enhancing Technologies

https://pleak.io


HOW TO GET/SHARE THE BEST DATA?

Today’s data analysis tools are not designed for processing confidential data in an accountable way.

This is hurting owners and data-driven service providers. They find it hard to launch new offerings.


USE CASE: TAX FRAUD DETECTION

CUSTOMER: ESTONIAN TAX AND CUSTOMS BOARD


VAT AVOIDANCE WAS A 100M€+ PROBLEM

[Chart: amounts in MEUR by tax type: VAT, social tax, income tax, alcohol excise, tobacco excise, fuel excise, packaging excise. Annotations: "Data about taxes paid"; "Missing data on taxes not paid".]


PRESIDENTIAL VETO FOR THE FIRST SOLUTION


MPC WOULD PROTECT THE HONEST TAXPAYER

[Diagram labels: Companies; VAT declaration (encrypted); Tax and Customs Board; Risk analysis queries; Risk scores]

Sharemind-based risk analysis system matches encrypted declarations without decrypting them and finds companies with a risk of VAT fraud

• Confidentiality of honest taxpayers is guaranteed from both internal leaks and external attacks.

• There is no single party who can decrypt data and, thus, break privacy. Control is distributed among parties.
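
An added sketch, not from the slides and not Sharemind code, of how declarations can be matched while no single party holds readable data. It assumes additive secret sharing among three computing parties as the mechanism behind the slide's "encrypted", uses constructed sample amounts, and opens only the seller/buyer difference, which is a simplification of a full risk-score computation.

```python
import secrets

MOD = 2**64      # shares live in the ring Z_{2^64} (assumption of this sketch)
N_SERVERS = 3    # assumed number of independent computing parties


def share(value, n=N_SERVERS):
    """Split value into n additive shares; any n-1 of them look uniformly random."""
    parts = [secrets.randbelow(MOD) for _ in range(n - 1)]
    parts.append((value - sum(parts)) % MOD)
    return parts


def reconstruct(parts):
    """Recombine shares; requires one share from every server."""
    return sum(parts) % MOD


def signed(x):
    """Map a ring element back to a signed integer."""
    return x - MOD if x >= MOD // 2 else x


def mismatches(declarations):
    """declarations: {(seller, buyer): (seller_amount, buyer_amount)}.
    Each server subtracts its own two shares locally. Only the difference
    is opened, so a matching (honest) pair reveals nothing except 0."""
    flagged = {}
    for pair, (sold, bought) in declarations.items():
        s_shares, b_shares = share(sold), share(bought)
        # Local step per server: no communication, no plaintext amounts.
        diff_shares = [(s - b) % MOD for s, b in zip(s_shares, b_shares)]
        diff = signed(reconstruct(diff_shares))
        if diff != 0:
            flagged[pair] = diff
    return flagged


# Constructed sample data (EUR), not taken from the talk.
SAMPLE = {
    ("A", "B"): (12_000, 12_000),  # both sides declare the same transaction value
    ("C", "D"): (5_000, 9_500),    # buyer's figure exceeds the seller's
    ("E", "F"): (700, 700),
}

if __name__ == "__main__":
    print(mismatches(SAMPLE))
```
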

USE CASE: WELFARE FRAUD DETECTION

CUSTOMER: A EUROPEAN COUNTRY

Drawings by Alisa Pankova at Cybernetica

USE CASE: GOVERNMENT DATA LINKAGE

CUSTOMER: CENTER FOR APPLIED RESEARCH


EXAMPLE: LINKING TAX AND EDUCATION DATA


REGULATORY BARRIERS ON DATA LINKING


EXAMPLE: LOCATION DATA ANALYTICS

LOCATION DATA TELLS US

• How many people live in an area?

• How many people attend an event?

• How do people travel?

• How to plan better public transport?

• How long do tourists stay?

• What places are visited by tourists?


SHAREMIND LOCATION ANALYTICS PARTNER


UNSOLVED PROBLEMS

Lack of information

• Who are my customers? KYC

• Where to invest to improve employee engagement?

• How should I improve my business?

• How can the USA exit its position as the world's top imprisoner of women?

• How to increase graduation of IT students from current 60%?

• How to reduce sexual assault on university campuses?

• How to get better credit? Companies/individuals.

Heilige Geesttafel

Industry, fintech, telco, gov.

UNSOLVED PROBLEMS

Ongoing Fraud

• How to ease reporting of cheating in university?

• How to reduce

  • 150b€ annual VAT tax gap?

  • Informal economy?

[Chart: Informal economy, EU/EFTA, % of GDP (2015)]

https://ec.europa.eu/home-affairs/sites/homeaffairs/files/00_eu_illegal_employment_synthesis_report_final_en_0.pdf


REGULATORY PRECEDENTS IN EUROPE

• The Estonian Data Protection Agency stated that the combination of technology and processes ensured that private data was not processed and the requirements of the Data Protection Act need not apply.

  • Assumption: no identifiable records are published.

• The Internal Oversight of the Tax and Customs Board agreed to provide unmodified tax records after a code and process review.

• A German legal research team extended the precedent to work under the GDPR.


CASE STUDIES OF DESCRIBED APPLICATIONS

• Students, taxes, GDPR validation (outdated performance numbers)

  • Dan Bogdanov, Liina Kamm, Baldur Kubo, Reimo Rebane, Ville Sokk, Riivo Talviste. Students and Taxes: a Privacy-Preserving Social Study Using Secure Computation. In Proceedings on Privacy Enhancing Technologies, PoPETs, 2016 (3), pp 117–135, 2016. http://dx.doi.org/10.1515/popets-2016-0019

• Tax fraud detection

  • Dan Bogdanov, Marko Jõemets, Sander Siim, Meril Vaht. How the Estonian Tax and Customs Board Evaluated a Tax Fraud Detection System Based on Secure Multi-party Computation. Financial Cryptography and Data Security - 19th International Conference. 2015.

  • http://fc15.ifca.ai/preproceedings/paper_47.pdf (case study)

  • https://cyber.ee/uploads/2013/05/T-4-24-Privacy-preserving-tax-fraud-detection-in-the-cloud-with-realistic-data-volumes-1.pdf (performance numbers)


USEFUL LINKS

• Sharemind blog (legal analyses, case studies etc)

  • https://sharemind.cyber.ee/

• Sharemind SDK (both source code and download)

  • https://sharemind-sdk.github.io

• Sharemind-related publications

  • https://sharemind.cyber.ee/research/


CONSCIOUS APPLICATION OF PRIVACY ENHANCING TECHNOLOGIES RAISES ORGANIZATIONAL MATURITY

§ Compliance   ☠ Risks   ✰ Differentiation   ❤ Values