The Center for Data Innovation spoke with Kurt Rohloff, CTO of Duality, a New Jersey-based startup that uses emerging techniques in privacy and encryption to enable companies to share sensitive data securely. Rohloff spoke about some of Duality’s uses, including tracking financial crimes and enhancing public health efforts.
Gillian Diebold: What is secure data collaboration?
Kurt Rohloff: There’s been a big growth in the use of data and the use of very sensitive data, anything from obviously sensitive things like our personal medical records to things like our financial transactions that we want to keep fairly private. However, this data that we have is extremely valuable knowledge, even apart from the monetary value. For example, its real value would come from a situation like groups getting together to share medical records. From there, we can potentially start to develop more effective treatments for things like rare diseases and other kinds of things that are effectively untreated and untreatable right now. There’s a growing need and growing recognition of a need to share sensitive data for the broader benefit of society.
There are also other broader examples of sharing data about financial transactions, not necessarily to get insights about any one individual, but for example, to build better models of what normal financial transactions look like in order to better identify things like fraud or money laundering, or various kinds of financial crimes associated with drugs and human trafficking, etc. Secure data collaboration is focused on how organizations and how individuals can share their data in a way where the sensitive information isn’t actually revealed but still collaboratively get insights into the data.
Diebold: Can you explain some of Duality’s use cases?
Rohloff: One use case that we do focus on quite closely is financial crime investigations, a use case that we call secure query. It’s fairly rare. We recognize that in order for criminals to benefit from crime, typically, there has to be some sort of financial component, like getting money out of a country or transacting financially with their victims and their accomplices. We know the current mechanisms that police and law enforcement have to investigate crimes but also know that these crimes have financial components that typically require going to a compliance officer or going in front of a judge involving lawyers to generate a production order or a warrant. And when this happens, it takes days, weeks, or months to get a warrant or production order.
Sometimes organized crime insiders inside banks will get tipped off about the meaning of the subject of investigation. An organized crime ring will then be able to exfiltrate all the money out of their accounts much more quickly than investigators can really move. One of our products offers the ability to take queries from financial crime investigators and use encryption so that the bank doesn’t have to share their customer data with law enforcement. Law enforcement can move much more quickly on generating warrants and production orders, and the organized crime insiders don’t necessarily know who’s being investigated, so they can’t necessarily exfiltrate all their money before law enforcement comes back. It’s a way of running private queries on banks’ data while also protecting the information.
Diebold: Your background is in defense, national security, and the DARPA ecosystem. How does Duality support national security applications?
Rohloff: While working in the national security space about 15 years ago, my team and I at the time got into a set of projects supporting DARPA to prove that this new technology called homomorphic encryption was possible. And DARPA has the art of the possible as its main organizational focus in some senses. At the time, homomorphic encryption was shown to be mathematically theoretically possible, but DARPA wasn’t quite sure if it could be practically possible. My team was funded to build some of the early implementations of the technology to show what could actually be done. And so we did that. And we showed dramatic improvements in the performance of the technology to the point where we were supporting several real-world applications.
Eventually, I resigned from my position to go and build this company that we now call Duality with my co-founders to show that this technology could be commercially viable. So we’ve been pushing forward on supporting secure investigations as a set of commercial capabilities for banks or insurance companies for things like this. We would also be deploying this tech to help support the modeling of sensitive data. For example, how research centers could combine genetic data to build better models of how cancers occur in different populations or build models of what cyber attacks look like using multiple organizations’ sensitive data.
The nature of DARPA is that DARPA makes very heavy investments early in a technology’s lifecycle. Typically one has to go off and show commercial proof of concept or commercial viability. Eventually, the Department of Defense will pull a commercial application back into the national security space. A lot of what we’re doing is helping fight financial crime, which is, of course, a major aspect of national security. And we still get very involved with federal law enforcement, with folks that want to support privacy-protected investigations, and even helping to support some of the Centers for Disease Control/National Institutes of Health initiatives associated with rare disease modeling, COVID-19 pandemic modeling, and the public health aspect of national security more broadly.
Diebold: What considerations are needed when organizations are choosing between privacy-enhancing technologies (PETs)?
Rohloff: No one privacy technology is a panacea. Nothing solves everything. They all have their benefits, trade-offs, and quirks associated with them. Overall, there are a set of technologies called TEEs, or Trusted Execution Environments, which are basically hardware enclaves inside a computer chip where one can complete data and then process that data securely. It’s nice in general, but one has to buy and install hardware, which is often cost-prohibitive. At Duality, we focus on software solutions. There are other kinds of trade-offs associated with them.
For example, differential privacy is nice because it’s time efficient and it solves problems quickly. But organizations are typically given what’s called a privacy budget, which means sometimes there’s too much noise to get the clinical significance needed for medical applications and things like that.
There are other types of techniques called secure multi-party computing, in which parties communicate with one another. But there are a lot of resource requirements in terms of communication.
Homomorphic encryption is a technique that we use at Duality, where one can get arbitrary precision and computation, like for applications in the medical space. The trade-off associated with homomorphic encryption is that it has a very different compute model. So someone basically has to rebuild a lot of the core data science, AI and machine learning, and modeling algorithms to get performance out of it. And so this is where Duality exists. We’ve proven out the underlying encryption, and we’re building out the data science on top of the encryption as a company.
Diebold: What are the biggest challenges of working with PETs and encrypted data?
Rohloff: This area is so interesting because it touches on some really deep technology, things pretty far out for what they are. But at the same time, it has rather profound implications for regulation and legal aspects. It’s regulation associated with data management, regulation associated with privacy, regulation associated with data locality, which is how data moves across boundaries, and geographies, and things like that. So not only do we need to talk with organizational leaders such as chief data officers and CISOs, who are very technology oriented inside organizations, whether it’s government or commercial, but we also need to talk with privacy officers with expertise in legal compliance. This is all in addition to talking with standards bodies like NIST and ISO. So, privacy technologies really sit at the nexus of a lot of fairly important organizations, and we need to be able to communicate with all sides. But because they’re interesting and hard, thorny problems in a practical sense, there are a lot of constituencies that need to be on board with using this technology as well.