By Alfred Monterie (Computable magazine) 

Translated by Toon Segers, CPO at Roseman Labs

This is a translation of an article that appeared in the IT magazine Computable on February 18, 2021. We thank the original author, Alfred Monterie, and Computable for the permission to post it in English.  

Link to the original article

Analyze sensitive data securely

"Roseman Labs is emerging as a promising privacy tech startup"

Anyone who comes into contact with data will soon grapple with a privacy problem, especially if you want to analyze data from different sources. This prospect makes collaborations within sectors more difficult. Companies and institutions do not dare to hand over data because it can sometimes end up in the wrong hands.

Not only rogue outsiders pose a danger, but insiders with wrong intentions can also cause a lot of damage. Data leaks such as at the one that recently happened to the Dutch Municipal Health Service (GGD) are an example of this.

No wonder then that technology that increases privacy and enables data-driven collaboration is currently attracting a lot of attention. One of the most promising startups in the field of privacy tech is Roseman Labs from Breda. Building on the work of Berry Schoenmakers of Eindhoven University of Technology, cryptographers Toon Segers and Niek Bouman have started to develop software based on secure multiparty computation (MPC). A technology that enables decentralized data analysis in a secure manner. Roderick Rodenburg, who has a lot of experience with the exchange of sensitive data between companies, joined this duo. Their technology enables organizations to analyze data that is stored in different silos and stays there. This data is encrypted in order to subsequently run a calculation over it.

Rodenburg cites as an example three hospitals that want to know the average age of corona patients who end up on the ICU. Previously, that data was collected at a central point for analysis. You had to hope that no one would get off with that data.

With the Roseman Labs method, data remains in place. The algorithm travels across the various databases, as it were. Also, the concept of data sovereignty is given concrete substance. Everyone remains in charge of their own data. Although the data is completely protected, there is still complete transparency. It is possible to check how the calculations were made. According to Rodenburg, abstract concepts in the GDPR such as purpose limitation and data minimization are given concrete meaning.

"The new engine makes applications run fast
and perform powerfully"

Building block

Roseman Labs offers an engine for secure MPC, a cryptographic building block that software developers can build on. This tool increases the productivity of the employees involved. They can implement faster. In addition, Roseman solved performance problems. Until recently, MPC was characterized by a low performance compared to regular data analytics. If applications need a lot of time to run a particular analysis, this is not interesting for AI and machine learning applications. The new engine makes applications run fast and perform powerfully. That makes MPC suitable for big data and AI.

However, developers still need to have cryptographic knowledge to be able to create these types of applications. For that reason, Roseman focuses on 'sensitive' use cases where high privacy requirements are set. That is where the benefits are greatest. An obstacle to this is the limited number of cryptographic experts. There is a lack of this worldwide.

But the Breda company is working on a tool that will allow developers to assemble 'privacy-by-design' applications in the future even without this specialist know-how. Rodenburg thinks it will take two to four years for this. 'If experts are no longer needed, privacy technology will become scalable. Then these kinds of solutions will really take off, 'he predicts.

"The MPC technique can also be applied within one organization
when there are Chinese walls"

Threats and incidents

Roseman Labs was founded in March 2020. Launching customer of the Breda company was the Dutch National Cyber ​​Security Center (NCSC). The assignment was to offer more options to securely share information about cyber risks, with the aim of increasing the digital resilience of the Netherlands. With this solution, the NCSC is able to improve its visibility of threats and incidents without knowing which participant in their network provided the information. With this solution, the NCSC offers the highest possible privacy guarantee to its participants.

In December, Roseman teamed up with Technolution to commission a privacy project with a national grid operator. The project enables the operator to aggregate data from smart meters across multiple households while safeguarding the privacy of individual households. Roseman also sees applications for its software in medical care systems, the detection of human trafficking and the fight against money laundering.

Another use case is "privacy-preserving device telemetry". Manufacturers of, for example, computer tomography (CT) scanners or wafersteppers (machines for making chips) can read back specific usage information without learning sensitive customer information. Preventive maintenance can thus be optimized. Rodenburg sees the use of privacy tech eventually becoming mainstream and expanding to applications that are less sensitive.

Last January, Roseman Labs participated in the virtual tech fair CES. This brought the technology to the attention of a broader target group.

Male-female ratio

MPC enables multiple parties to perform calculations efficiently on their combined dates. Each party does not learn anything beyond its own input and, if allowed, the output of these calculations. In the aforementioned example of hospitals, data cannot be used improperly. For example, other employees cannot calculate the male-female ratio in addition to calculating the average age without the prior approval of the data owners.

The MPC technique can also be used within one organization when there Chinese walls are present, as is the case with insurers. For example, the commercial arm of an insurance company is not allowed to gain insight into sensitive operational customer data. During or after data collection, the data can be stored in encrypted form. Then several internal servers perform the secure calculation on the encrypted data. In addition, the data that is "at rest" and the data "in use" are fully protected from prying eyes.

The first theoretical ideas for MPC date back to the 1980s. Due to advances in fundamental research, and due to the enormous increase in computing power and advancements in computer network technology, this technology has become practically applicable.

Contact us