understanding the importance and impact of anonymity and authentication in a networked society
Stefan Brands 
Stefan Brands
Adjunct Professor, McGill University, School of Computer Science

e-mail: sbrands(at)videotron.ca

ANON interviews Dr. Stefan Brands
April, 2004

ANON: “What is the nature of the involvement of cryptographers in the area of privacy?”

STEFAN BRANDS: “Individuals are increasingly confronted with requests to identify themselves when conducting ordinary everyday activities. New electronic communication and transaction mechanisms automatically capture and record identities without individuals being aware of it. As more and more personal information is collected and recorded on computer systems, policies and traditional security safeguards to prevent against leakage and abuse are rapidly becoming ineffective. To counter this dangerous trend, it is paramount that societies encourage and adopt communication and transaction mechanisms that have been built to not only provide security, but also to respect privacy. As cryptographers, we know perfectly well how to build secure privacy-protecting systems, at least in theory. Over the course of the past two decades, the cryptographic research community has developed a wide range of core techniques for minimizing the disclosure of personal information at different stages in its life-cycle, such as zero-knowledge proofs, privacy-preserving data-mining, private information retrieval, privacy-preserving digital credentials, homomorphic encryption, and so on.”

ANON: “Why are so few privacy-preserving technologies in use today?”

STEFAN BRANDS: “There are many legitimate reasons why industry is virtually inactive in the field of privacy-preserving technologies. Notably, there is a lack of demand from customers, primarily due to a lack of awareness and understanding. As well, data protection legislation is proving to be much less effective than legislators had hoped. As a result, it is virtually impossible for industry to quantify their return on investment for privacy-preserving technologies, let alone to make a sound business case for them, even if they would like to. In my opinion, it is up to government to introduce direct measures to encourage industry to be more active in the design and implementation of privacy-preserving technologies. We are seeing early indications that this is starting to happen.”

ANON: “Do you think governments recognize the risks of adopting large-scale privacy-invasive communication and transaction infrastructures?”

STEFAN BRANDS: “I notice an increasing awareness in several countries, notably in Canada and in parts of Europe. The European Commission, for example, has recently been hosting a series of workshops involving experts from different disciplines to discuss the matter and to propose ways to address the problem. I think this will become a high-priority issue for many governments within the next several years.”

ANON: “What about the population as a whole?”

STEFAN BRANDS: “You cannot expect the general population to be knowledgeable about the privacy implications of new technologies and data processing practices. In fact, since the collection, processing, and secondary use of personal information is more and more surreptitious, it is very hard for the general public to have a sense of the privacy-invasiveness that is going on underneath the hood of all these new systems that are being introduced. As a result, the general public will only be concerned when they learn in the news about highly visible privacy violations, such as the recent threat by a records transcriber in Pakistan who threatened to publish on the Internet the health records of thousands of Americans; of course, nobody but a few insiders had a clue in the first place that the companies that individuals entrusted with their sensitive health information were shipping that same information overseas for cheap transcription services. This illustrates precisely why the role of government is so important.”

ANON: “What are the main privacy concerns in e-health?”

STEFAN BRANDS: “There are two basic privacy concerns at stake here. The first is from the perspective of patients. Patients worry about who has access to their health records, especially in electronic form. For example, the knowledge of sensitive health data on you can be used against you by prospective employers and such. The other basic privacy concern is from the perspective of healthcare professionals themselves. Most healthcare professionals prefer to preserve what they refer to as patient-doctor autonomy, and dislike the idea of central parties being able to track and trace in real time which patients they are treating for what purpose. This is a real concern in both private-sector healthcare settings and government-run healthcare.”

ANON: “Where do you see electronic health records as being most suitable for improving patient care?”

STEFAN BRANDS: “I believe the most interesting patient care targets for electronic health records at this stage are the elderly and the chronically sick. The quality of service delivery, notably diagnosis, for these patient groups could be improved dramatically if their health records could be electronically made available at the point of patient care in such a manner that the medical professionals who take care of them can make fully informed diagnostic decisions. Currently, a significant fraction of the elderly and the chronically sick are receiving conflicting drug prescriptions that could lead to cardiac arrests and such, since their medical professionals often do not have access to all the medical data of their patients to make a proper diagnosis. There are, however, serious privacy implications associated with the move towards electronic health records. Would you want your entire health record, which is currently physically fragmented across many disparate systems in formats that are often not electronic, let alone interoperable, to be stored in one location on the Internet where potentially anyone can have access? Would you feel comfortable if the only technological protections surrounding such an electronic health record would be firewalls, passwords, and a few other basic access controls? As a security expert, I certainly would not. It is not merely hackers and other outsiders that are a threat to the confidentiality of your personal data, but also all manner of insiders who may have authorized access to your information for specific purposes and abuse that authority. E-health architectures, in particular those for the automated management of your medical data in electronic form, have to be designed with great consideration for privacy in mind in order to adequately protect the privacy of health information.”

ANON: “What are the different architectural approaches to electronic health records?”

STEFAN BRANDS: “There are basically three different approaches. The first approach involves carrying around your own medical data on a chipcard or some other portable device. The second approach is to compile all your fragmented health information and to then securely store it on the Internet with access control provisions built around it so that only authorized parties can access your data. The third approach, which I refer to as Federated Health Record Management, is to keep all your fragmented health records where they currently reside, and to open up access by way of access-controlled communication channels. The idea here is to make the experience for authorized parties that access your fragmented electronic records much the same as if they would be accessing a single medical record. The third approach is the most challenging to design and implement.”

ANON: “What do you believe to be the preferred architectural approach?”

STEFAN BRANDS: “I have spent a great deal of time in the past several years thinking about this problem. I have come to the belief that by far the best approach, both from a security and a privacy perspective, is a thoughtful combination of the first and third approaches. Your fragmented health records would physically remain at the point-of-care organizations that collect them, but they would be in electronic form in a manner that has unambiguous meaning across all healthcare providers. You would carry a portable device with you, such as a chipcard, which at the end of each visit to a point-of-care organization would make a synchronized copy of at least the most relevant parts of your medical record. The entries in your local record would be cryptographically authenticated by the healthcare providers responsible for entering them in the first place, so as to allow relying parties to verify the authenticity of medical data that your device would provide to them on an as-needed basis. Through special cryptographic techniques, like the ones I mentioned before, as a patient you will have control over who is able to learn what about your medical data. As well, the scope for unauthorized secondary use of your medical data will be greatly reduced. At the same time, the autonomy of healthcare providers can be protected.”

ANON: “When designing cryptographic technologies to protect privacy, how do you balance the need for secure authentication with the desire to provide privacy?”

STEFAN BRANDS: “It is actually a widespread misbelief that privacy and security are opposite interests that need to be balanced. The reality is that security and privacy are not opposites, but that they are mutually reinforcing if implemented properly. In fact, I view privacy as a more holistic approach towards security. One can argue that security is simply a subset of privacy. Let me elaborate on that. In traditional intra-organizational contexts, there is no need to protect against insiders, since they are the very people who are trying to protect the information. This is no longer true when you start hooking up multiple organizations. In contrast, when you deal with access control in a multi-organizational setting, where information flows across organizational boundaries, your traditional outsiders now all of a sudden include insiders at other organizations. In this context, security is only one of several safeguards that have to be provided in order to adequately protect sensitive information. As cryptographers, when we design privacy-protecting systems, we in essence are trying to build systems that provide security towards both outsider and insider attacks.”

ANON: “But what about the need for secure identification in order to gain access to services?”

STEFAN BRANDS: “Note that in the paper-based world, there are many cases where I can gain access to services without disclosing my identity. Instead, I simply show that I have the right privileges or entitlements. Alternatively, I provide the service provider with what can be referred to as a context-based identifier, such as an employee number or a health insurance number. While these numbers are identifiers in a sense, they are far from globally unique identifiers; organizations cannot readily use them to cross-profile me. What we try to accomplish with privacy-preserving technologies is to preserve the privacy that we used to have in the legacy systems that we are automating. Once all data is in fully electronic format, however, the privacy risks go up dramatically, since nothing is easier to capture and transfer than a bunch of bits and bytes. That explains why, as cryptographers working on privacy-preserving techniques, we need to rely on methods where it simply is impossible to link together different context-based identifiers, which leads to such notions as digital pseudonyms.”
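The two design points above, provider-authenticated record entries that the patient's device discloses selectively (the architecture answer earlier in the interview) and context-based identifiers that cannot be linked across organizations (this answer), as an added worked example that is not Brands' own construction or code from the page. It assumes salted hash commitments as a stand-in for the "special cryptographic techniques" he refers to, and assumes the provider's signature over the entry digest is produced and checked out of band; the clinic, insurer and prescription values are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets


def pseudonym(master_secret: bytes, context: str) -> str:
    """Context-based identifier: HMAC of the context under the patient's master secret.
    Without the secret, identifiers issued in two contexts cannot be linked."""
    return hmac.new(master_secret, context.encode(), hashlib.sha256).hexdigest()[:16]


def commit_field(salt: bytes, name: str, value: str) -> str:
    # Hiding commitment to one field; the random salt stops dictionary guessing.
    return hashlib.sha256(salt + name.encode() + b"\x00" + value.encode()).hexdigest()


def entry_digest(commitments: dict) -> str:
    # Digest over all field commitments; this is the value the provider would sign.
    return hashlib.sha256(json.dumps(commitments, sort_keys=True).encode()).hexdigest()


def issue_entry(fields: dict) -> dict:
    """Provider side: commit to each field under a fresh salt at the point of care."""
    salts = {k: secrets.token_bytes(16) for k in fields}
    commitments = {k: commit_field(salts[k], k, v) for k, v in fields.items()}
    return {"fields": fields, "salts": salts, "commitments": commitments,
            "digest": entry_digest(commitments)}


def disclose(entry: dict, reveal: set) -> dict:
    """Patient's device: reveal only chosen fields (with salts); the rest stay hidden."""
    return {"commitments": entry["commitments"],
            "revealed": {k: (entry["fields"][k], entry["salts"][k]) for k in reveal}}


def verify(presentation: dict, trusted_digest: str) -> bool:
    """Relying party: the commitments must match the provider-authenticated digest,
    and every revealed value must open its commitment."""
    if entry_digest(presentation["commitments"]) != trusted_digest:
        return False
    return all(commit_field(salt, k, v) == presentation["commitments"].get(k)
               for k, (v, salt) in presentation["revealed"].items())


# Constructed sample entry recorded at a point-of-care clinic (hypothetical values).
SAMPLE_ENTRY = {"medication": "warfarin", "dose_mg": "5",
                "prescriber": "clinic-A/prescriber-17", "diagnosis": "atrial fibrillation"}
```

A pharmacist checking for conflicting prescriptions can be shown only medication and dose, while the diagnosis stays hidden yet the entry still verifies against the provider's digest.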

ANON: “You refer to privacy-preserving technologies what most people in the privacy field refer to as privacy-enhancing technologies. Why is that?”

STEFAN BRANDS: “In my opinion, the term “privacy-enhancing technologies” is an unfortunate misnomer. Instead, what many cryptographers including myself have been working on for many years are better called “privacy-preserving technologies” or, for that matter, “privacy-friendly technologies”. After all, we are trying to preserve the privacy that people used to have in the paper-based world, as opposed to taking it away as in the currently prevailing trend towards automation of communication and transaction systems. If we keep referring to privacy-preserving technologies as privacy-enhancing technologies, we are suggesting that these technologies are designed to give you something that you currently don’t have. This does not help the debate in the favour of privacy activists. The opposite is the case: the currently prevailing approach to designing and implementing new electronic systems for communication and transactions is privacy-invasive, in that they take away from individuals what used to be present.”

This is a SSHRC funded project:
Social Sciences and Humanities Research Council of Canada

© 2008 On the Identity Trail