What are privacy-enhancing technologies (PETs)?

A graphic of a padlock in a digital blue colour, with effects

As companies struggle to get the most out of their data while adhering to strict regulations, privacy-enhancing technologies (PETs) have started to gain traction. Among the benefits, this set of technologies allows firms to extract data without compromising individuals’ privacy.

PETs are particularly useful for performing analytics on customer data – something that Facebook owner Meta has been doing to boost the success of its digital advertising business in an increasingly privacy-conscious consumer market.

Other big tech firms are also taking advantage, with Google and Apple among those creating, championing and using PETs. The pair used privacy-friendly technologies when rolling out contact tracing schemes during COVID-19.

PETs are gaining so much attention that the US and UK governments announced a joint initiative last year to boost adoption. Businesses will now rightfully consider how PETs can be integrated into their core processes.

What are privacy-enhancing technologies?

PETs are a set of technologies that offer the ability to analyse or manipulate data without compromising privacy. “PETs provide a way of analysing data in a privacy-friendly way to continue reaping the benefits, while at the same time minimising the risks associated with maintaining and safeguarding it,” says Michael Markevich, senior director of risk and security at browser company Opera.

One of the core pillars of PETs is homomorphic encryption, which allows complex computations to be performed without decrypting the data. Another type of PET is a trusted execution environment, which allows processing by a secure part of the computer isolated from the main operating system.

Secure multiparty computation, meanwhile, allows different parties to jointly process a dataset without sharing information with each other.

The power of PETs lies in their ability to protect data while it’s being used or processed. This allows searches, analytics and machine learning models to extract value securely and privately from multiple data sources, says Dr Ellison Anne Williams, founder and CEO at Enveil.

The use of PETs can therefore boost consumer trust, as well as offer a basis to adhere to regulations such as GDPR and the UK Data Protection Act (DPA) 2018.

'Soft' PETs vs 'hard' PETs

There are already multiple types of PETs, which all fall into ‘soft’ and ‘hard’ categories. A soft PET assumes you can trust a third party to process personal data. Luke Dixon, partner, IT and data specialist at law company Freeths cites the example of an organisation using controls to authorise certain parties to have access to data.

Transport Layer Security (TLS) used in email, instant messaging, and the HTTPS protocol are examples of soft PETs. “TLS relies on a number of third-party certificate authorities that are trusted to verify the authenticity of digital certificates,” Markevich explains.

In contrast, a hard PET works on the basis that third parties cannot be trusted in relation to the data. Examples include virtual private networks (VPNs).

What do PETs look like in a real-world setting?

PETs are only just starting to be used in real-world settings. The most common uses for businesses are encryption and pseudonymisation, adds Simon Walsh, partner at Oury Clark Solicitors. “Businesses tend to use these types of software as a way to collect data and assess the behaviours of individuals without the need to process large amounts of personal information.”

RELATED RESOURCE

An EDR buyer's guide

How to pick the best endpoint detection and response solution for your business

FREE DOWNLOAD

PETs can benefit multiple vertical industries, including financial services, where they can help with anti-fraud and money laundering initiatives. “Data silos and privacy boundaries continue to cripple financial organisations’ ability to fight criminal activity such as fraud and money laundering,” says Williams.

PETs allow banks to perform encrypted searches on data containing sensitive customer information. “This allows them to gain insights in near real-time while ensuring personal information is never exposed outside of its original jurisdiction,” she explains.

In healthcare, PETs are being used to analyse patient data and drive insights into drug interactions, clinical trials and research to improve health outcomes,” says Michael Hughes, chief business officer at Duality Technologies.

For example, genomic data, clinical data, patient disease registries and electronic health registries exist separately and are distributed across thousands of hospitals and research firms. “PETs are being used to allow healthcare researchers and firms to combine these disparate data sources together to fuel discovery, identify patterns and develop more effective interventions and treatments.”

How to integrate PETs into business processes

The advantages of PETs are clear, so how can businesses start to integrate PETs into their tools and services? Firstly, it's important not to rush into PETs and to determine relevant use cases for the technology. Businesses need to “think long and hard” about how best to implement PET systems into their workflows, says Markevich.

He says the primary challenges are technical. “For example, having a distributed trust system would be a prerequisite for most forms of PETs, and those are very difficult to implement at the moment.”

Taking this into account, firms should also ensure they have the right skills in place – or make sure they can access these through partners.

PETs are hailed as a tool to help firms comply with regulations, but official guidance around this is still at an early stage. In the UK, the Information Commissioner’s Office (ICO) issued draft guidance on the use of PETs in September 2022. As part of this, the organisation recommends businesses conduct data protection impact assessments (DPIAs) to assess their use of PETs.

“The ICO recognises that PETs can ‘unlock safe and lawful data sharing where people can enjoy better services and products without trading their privacy rights’,” says Lauren Wills-Dixon, a solicitor at Gordons. Yet, she warns organisations to exercise caution in their implementation. PETs should be utilised to augment existing frameworks “rather than as a panacea to satisfy all their data protection compliance needs”, says Wills-Dixon.

They are new technologies but in an era where both data and consumer trust are key to doing business, the future for PETs looks bright. “Data is arguably the biggest commodity in the world, and this creates a need for technology that protects the privacy of individuals and helps to demonstrate compliance with strict data protection laws,” Wills-Dixon continues. “PETs are very much here to stay and hopefully, we will see more regulatory guidance and codes of conduct to help organisations implement these technologies safely.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.