Tech giants implement homomorphic encryption. A new era of user security or just smoke and mirrors again?
Alphabet, Facebook, Microsoft, and IBM are all testing a new encryption technology. Encryption equals privacy, right? Ironically, this technology will give companies even more access to user data and more options for analyzing it for ad targeting purposes.
What is homomorphic encryption?
It is a type of encryption that permits performing computations on encrypted data without decrypting it first. The computation results match those performed on non-encrypted data. For example, we can add up two encrypted numbers and then decrypt the sum without ever knowing what these numbers were.
One prospective application of this type of encryption is the processing of sensitive information in cloud services: the processed data is not disclosed to the owner of the cloud.
Several classical encryption methods had long supported partial homomorphism, allowing some operations to be performed on encrypted data. A lot changed back in 2009 when Craig Gentry introduced the first fully homomorphic encryption scheme. A year later its first implementations emerged, but they required too many computing resources and too much time, and therefore could not be widely used at the time.
By now, technology has evolved enough to provide the required resources, and research into homomorphic encryption has become a very popular field.
This technology is utilized in cloud data processing when information leaves the protected perimeter (i.e. your computer or smartphone) and is sent to cloud services for processing. For example, you can send requests to the Google search engine, and it will search the Web without understanding what exactly the request meant. Or it could be an email provider that detects spam messages without "reading" the emails. Today, in most cases the information is decrypted on the server before processing, and the result of processing is encrypted again and then sent to the user.
Does this mean that homomorphic encryption safely protects data from being accessed by a cloud service operator? It would be great, but we've got bad news.
What could be wrong?
Facebook is deeply interested in homomorphic encryption and researches the potential of recognizing the nature of a text encrypted this way without decrypting it. Whether you are exchanging private messages, sending financial documents, discussing some goods and services — Facebook wants to analyze all that without decrypting data and getting full access to its contents.
It was suggested that WhatsApp would implement this technology later on, but this plan provoked great resentment among users. WhatsApp's CEO had to backpedal promptly and deny the interest in homomorphic encryption. This disclaimer sounded quite funny considering that Facebook (which owns WhatsApp, by the way) had by that time officially confirmed its interest in the technology. Moreover, several job openings had been found: Facebook is building a team of AI researchers to work on homomorphic encryption. One of the key employees has already been headhunted from Microsoft.
A number of other big tech companies are currently researching the applications of homomorphic encryption. The implementation of this technology will bring a new era of ad-tech and let the market leaders gain ground, covering more sources of data about users and penetrating still deeper into their communications.
How exactly is homomorphic encryption to be used in ad-tech?
Encrypted data is supposed to be analyzed in order to detect users' interests and preferences and to serve them more relevant ads, of course.
But the promise of useful ads disguises the actual problem. Instead of messages being protected by end-to-end encryption that WhatsApp cannot analyze, we will have homomorphic encryption. Artificial intelligence gets the ability to understand what people are talking about. Simultaneously, corporations employing this method would be able to claim that now they have no access to user content whatsoever. This paradox is easily explained: corporations do not need to read your messages to find out what they are about.
We at AdGuard see the claims that Facebook and WhatsApp can't read your messages with the implementation of homomorphic encryption as an attempt to distract users' attention from the fact that they become even more transparent for advertising platforms.
And we find it a little funny when even the CEO of WhatsApp tweets his doubts about the technology and is skeptical about its use solely for users' benefit.
So, the bottom line is that homomorphic encryption is just another technology, an instrument like any other, and could be used for purposes both malignant and benign. Companies can make any claims about the correct and ethical use of data. But tech giants like Facebook, who have repeatedly been caught abusing user data, have had their reputation undermined and now need to be extremely cautious, as are we when dealing with their privacy-related initiatives.
Yes, the technology has its advantages, especially for cloud data processing, but WhatsApp messages are not processed in the cloud! They are visible only to the sending and the receiving sides. So it all looks like an attempt by the media giants to have their cake and eat it too. Users rest assured that the companies have no access to their data, and the companies can do what they want without technically getting this access: safely collect data and either sell it or use it for ad targeting. The day is not far off when, having discussed your desire to buy new headphones or sneakers in an encrypted messenger, you will be attacked by a scattering of relevant offers on every website and mobile app.
This is why big tech pours huge money into the new encryption type research. Even companies that currently have no need to process user data in the cloud. Even companies that thus risk their reputation yet again (or what's left of it).
So that's our job here: to state loud and clear that we do not want such an implementation of homomorphic encryption. People's voices have an impact. A recent case with Apple giving up a controversial technology of photo scanning illustrates this well.
We at AdGuard are convinced that the key to the commercial success for a technological company should not be the desire to feed a user as many ads as possible, but rather it should be dictated by such things as technological superiority, revolutionary products, user convenience, and the security of confidential data.