Toward regulation for security and privacy
Introduction
A massive amount of data is being collected every day. The exploitation of these data is a central question of the digital strategy in any major company. The effects of these strategies can already be seen: big data is one of the key factors that enabled the rise of machine learning over the last fifteen years. This is one of the reasons why, over the same period, the value of data has been soaring.
Collecting data also implies responsibilities. Companies in areas such as banking or payments are collecting and storing a lot of personal data. They are thus responsible for putting sufficient measures to ensure their security. To some extent, the trust relationship established between these industries and their clients also stands on their responsibility on the data they collect.
Security regulation and data value
Banking and payment are heavily regulated industries. One aspect of this regulation is the duration of data’s security. The value of data obviously evolves over time. The images of a football game have a very high value for a short time, whereas the value of personal, healthcare or classified data remains high for at least thirty years. For banking data, ten or twenty years of security is standard, and in some cases, it tends to evolve toward thirty years.
Considering the value of data over time has very different consequences in the classical and quantum case. In classical cryptography, the mathematical security follows from the conjectured hardness of some computational problem. For example, the security of RSA encryption follows from the hardness of factoring large numbers. Therefore, in order to set the size of encryption keys (a large number in the case of RSA), it is necessary not only to consider current computational power, but also anticipate its increase during all the lifetime of the data. These previsions are usually done by governments through either IT security Agencies (BSI in Germany, ANSSI in France) or standardization institutions (NIST in the US). These previsions are obviously more relevant for the short term than the long term, which makes the question of long-term security very complex in the case of classical cryptography.
As we mentioned already, quantum cryptography can make data as secure in the future as they are at the moment they are encrypted. This could completely change the way we approach security over time. In particular, the question of the long-term security of data should be reconsidered in this setting. Quantum key distribution and its applications to secure storage is opening new doors for the regulation of the security of the most sensitive data.
The general framework for data privacy in Europe is GDPR. This regulation lays down the people’s right regarding the processing and movement of their personal data. This puts stringent limitations on how collected data can be used. Data aggregation, introduced earlier, is a case in which cryptography can be used to enforce trust between mistrustful parties. Similar approaches can be developed for regulated data.
Reinforcing rulings with cryptography
Using cryptography to design GDPR-compliant applications is already being considered in the classical case. Quantum cryptography can offer more tools for such designs. Anonymous transmission and secure delegated quantum computation can be used to hide some selected information to the recipients of quantum communication. These tools seem relevant in even more complex contexts such as the protection of free speech or whistleblowers.
Beyond the economic consequences that we have already reviewed, cryptography can be used to enforce the application of human rights. Quantum networks will offer more options for regulating security in the long term, personal data protection, and more.