Report by FPF: Implications of Secure Processing for Privacy Due to Trusted Execution Environments

Today, our platform, FPF, released a report exploring confidential computing, a novel privacy-enhancing technology. This technology substantially improves the trustworthiness and verifiability of data processing for the applications it serves, such as AI model training and use.

In the realm of technology, confidential computing is making waves as a secure solution for data processing in public cloud and collaborative infrastructures. This innovative approach, which leverages trusted execution environments (TEEs) and attestation services, has significant implications for data protection across key sectors such as financial services, healthcare, and advertising.

The Future of Privacy Forum (FPF), a leading organisation in privacy and data protection, has published a comprehensive paper on the subject, titled "Confidential Computing And Privacy: Policy Implications Of Trusted Execution Environments." The paper delves into the sectoral applications, categories, and policy considerations of confidential computing.

## Financial Services

Confidential computing presents a promising solution for financial institutions, enabling them to process sensitive client data in the cloud without the risk of unauthorised access. This strengthens regulatory compliance and facilitates adherence to data residency and privacy laws such as GDPR and GLBA.

Moreover, by securing data in use, confidential computing minimises the risk of internal and external data breaches, a critical concern in finance where data tampering or leakage can have severe consequences.

Financial firms can also safely collaborate with third-party vendors or regulatory bodies for analytics, risk modelling, or fraud detection without sharing raw data, using TEEs to ensure data confidentiality and integrity.

## Healthcare

In the healthcare sector, confidential computing allows medical data to be processed and analysed in a secure, isolated environment, reducing the possibility of unauthorised access to sensitive health information. This is particularly important given the highly sensitive and regulated nature of patient records, such as under HIPAA and GDPR.

Secure research and analytics can be facilitated through confidential computing, enabling collaborations on medical data without exposing raw patient data. This supports advances in personalised medicine and public health while adhering to privacy standards.

## Advertising

The advertising sector stands to benefit from confidential computing as it protects user data. By securely processing user data within TEEs, confidential computing limits access and reduces the risk of misuse or exposure.

Advertisers must also comply with privacy laws that restrict data processing and require explicit user consent. Confidential computing supports these requirements by ensuring that sensitive data is processed securely and transparently, and that data usage can be audited and verified through mechanisms like remote attestation.

Furthermore, confidential computing enables the use of advanced privacy-preserving techniques for analytics, allowing advertisers to derive insights without aggregating or exposing raw user data.

## Cross-Sector Policy Considerations

As confidential computing becomes more widespread, policymakers must ensure that standards and best practices are harmonised across sectors to avoid fragmentation. Transparency and accountability are crucial, with policies mandating transparency in how confidential computing environments are used, including requirements for remote attestation and auditability to build trust among stakeholders.

Policymakers also need to clarify the interaction between confidential computing and international data protection laws, such as the CLOUD Act and GDPR, to resolve conflicts and ensure lawful data processing.

The FPF, under the direction of the Biden-Harris Administration's Executive Order on AI, has launched the PETs Research Coordination Network (RCN), aiming to analyse and promote the trustworthy adoption of privacy-enhancing technologies (PETs) in AI and other technologies.

The FPF will participate in the PETs Summit during the Personal Data Protection Commission's Personal Data Protection Week, with FPF Vice President for Artificial Intelligence, Anne J. Flanagan, speaking on the panel "Architecting real world new products and solutions with PETs." Additionally, Managing Director for FPF Asia-Pacific, Josh Lee Kok Thong, will chair the roundtable "Unleashing The Data Economy: Identifying Challenges, Building Use Cases & How PETs Help Address Generative AI Concerns."

In conclusion, confidential computing offers robust technical solutions to data protection, but its policy implications require attention to regulatory alignment, transparency, and international legal harmonization to fully realize its benefits. The FPF paper provides an in-depth analysis of these considerations, expanding upon the categories of what confidential computing is, emerging sector applications, and policy considerations. For a more detailed discussion, the paper can be downloaded from the FPF website.

  1. Financial institutions can process sensitive client data securely in public cloud and collaborative infrastructures with the help of confidential computing, enhancing compliance with laws like GDPR and GLBA.
  2. Confidential computing reduces the risk of internal and external data breaches in financial services, due to its ability to secure data in use.
  3. Financial firms can collaborate safely with third parties or regulatory bodies for analytics, risk modelling, or fraud detection, using TEEs to ensure data confidentiality and integrity.
  4. In health care, confidential computing provides a secure environment for processing and analyzing sensitive medical data, reducing the risk of unauthorized access.
  5. Secure research and analytics can be facilitated through confidential computing in healthcare, supporting advances in personalized medicine and public health, while adhering to privacy standards.
  6. The advertising sector stands to benefit from confidential computing as it protects user data by limiting access and reducing the risk of misuse or exposure.
  7. Confidential computing in advertising helps advertisers comply with privacy laws by ensuring secure and transparent processing of sensitive data, and by enabling the use of advanced privacy-preserving techniques for analytics.
  8. Policymakers must ensure harmonization of standards and best practices across sectors, promote transparency, and clarify the interaction between confidential computing and international data protection laws to fully realize its benefits. The FPF has launched the PETs Research Coordination Network (RCN) under the direction of the Biden-Harris Administration's Executive Order on AI.
