Privacy-Enhancing Technologies: Protecting Human and Non-Human Identities
I want to talk about PETs. No, not about my cats (though they are awesome), but about Privacy-Enhancing Technologies.
Not a day goes by without learning about another data breach that is exposing critical details about people and things online. Enter Privacy-Enhancing Technologies (PETs)—a critical component in digital security. These tools, like zero-knowledge proofs and advanced biometrics, are designed to safeguard digital identities while allowing people and things to get work done.
The rise of privacy-enhancing technologies (PETs) like zero-knowledge proofs and advanced biometrics is reshaping how we think about and manage digital identity. But what’s driving this change, and why should it matter to you, whether you’re managing user access or overseeing countless processes and APIs in the cloud?
All Identities Need PETs
Digital identity isn’t just about people anymore. Sure, your personal online identity—how you log in, interact, and transact—remains essential. But increasingly, digital identity also includes non-human entities like software processes, APIs, and entire cloud workloads. These non-human identities need the same attention to security and privacy as human ones, especially as they become more central to how businesses operate.
When I first started thinking about digital identity, it was all about ensuring the right people had access to the right resources. Today, though, we’re dealing with identities that aren’t people at all—identities that exist in the cloud, managing everything from payroll to AI model training, often without any direct human oversight or even a human-like credential. And these identities need to be just as secure, if not more so, given the scale and complexity they operate within.
Human and Non-Human Considerations
Biometrics like facial recognition and fingerprint scanning have long been used to verify human identities. There’s a lot of work in the field of biometrics, especially with concerns about deepfakes making Ye Olde Fashioned liveness detection hardly a thing. But what about non-human identities? While biometrics might not apply directly, the principles of unique identification and secure access certainly do. For instance, in a cloud environment, processes and APIs need to be uniquely identified and authorized—much like a person—but with a focus on speed, scalability, and automation.
So, two challenges: ensuring that human identities are securely managed while also creating systems that can handle the massive scale of non-human identities. Whether it’s a government-issued digital credential or a cloud-based process, the goal is the same: secure, reliable, and privacy-respecting identity management.
Addressing Privacy Concerns with Digital Credentials
Governments are moving towards digital credentials to improve security and convenience. But this shift brings new privacy challenges. For humans, the way these credentials are issued and managed has significant implications for personal privacy. PETs like zero-knowledge proofs are becoming crucial to ensure that sensitive information remains private, even when it’s used to prove identity.
For non-human identities, the concerns are different but equally important. In cloud environments, digital credentials need to be robust enough to manage the complex interactions between countless processes and APIs, all while maintaining strict access controls and minimizing the risk of breaches.
Of course, if it was easy, I wouldn’t be writing about it. Standards organizations like the IETF are trying to define what a credential should look like in a scenario where it may or may not be for a person (that’s work in SPICE). They’re also trying to define the best way to move those credentials around from one cloud service to the next, given those cloud services don’t exactly speak the same languages (that’s work in WIMSE). And these days we can’t have those conversations without considering the privacy implications of all of it.
Zero-Knowledge Proofs: PETs for All Identities
Which takes us to an area I find fascinating: Zero-Knowledge Proofs (ZKPs). ZKPs are a game-changer for both human and non-human identities. They allow for the verification of information without revealing the underlying data, making them perfect for situations where privacy is paramount. To put it another way, a ZKP will tell you that the proof is true without actually exposing any of the data that is included in the proof. “Is this mobile driver’s license valid” becomes a question that can be answered without exposing any of the data in the mDL. It’s magic, I tell you, pure magic. (And math. Lots and lots of math.)
In the human world, this might mean you will be able to prove your identity without exposing personal details. In the non-human world, ZKPs can help secure interactions between cloud processes, ensuring that only authorized entities can access sensitive data or perform critical operations. This approach not only protects individual privacy but also bolsters the security of complex digital ecosystems.
Why aren’t ZKPs widely deployed? Because the math involved is incredible, and not all devices can actually handle the necessary computations in the time people expect their web pages to load or their APIs to run. But that’s today; tomorrow is going to be an entirely different story as hardware improves.
Visiting the PETs Shop
Technology is at the heart of these advances. From cryptography to AI, new tools are making it possible to protect digital identities against a range of threats. But with great power comes great responsibility. Whether it’s human users at risk from phishing attacks or non-human processes vulnerable to security breaches, there will never be a point where security and privacy are guaranteed. Innovation will always be necessary to get ahead of bad actors.
For human identities, this might mean adopting stronger authentication methods. For non-human identities, it could involve developing more sophisticated ways to manage and secure API interactions across multiple cloud environments. The challenge is ensuring that these technologies are both effective and adaptable, capable of protecting identities at scale.
PETs Need to be Everywhere
As digital identity continues to evolve, the line between human and non-human identities will blur further. In commerce, for example, digital identities—whether of customers or the processes serving them—are becoming central to every transaction. The transactions may trigger any number of APIs and services that go far beyond a single person’s digital identity. And since all problems have not been solved, businesses are going to have to support the innovation necessary to keep their data safe.
Wrap Up – Loving Your PETs
The future of digital identity is definitely not boring! PETs play a crucial role in shaping how we protect digital identities and are definitely worthy of some focused attention. It’s not the only piece of the puzzle in keeping our data safe, but it’s a biggy.
For tech leaders, I’m afraid you have another area of technology you need to keep on your radar. Your organization must engage in shaping privacy-enhancing digital identity solutions. Don’t just install them, think about how they meet tomorrow’s requirements. Better yet, be a part of defining tomorrow’s requirements in the standards being developed today.
For individual contributors like me, it’s crucial to stay informed. Keep up with the latest security practices, and be on the lookout for open calls for comments on the standards that impact this space. Your voice matters in shaping the standards and regulations in this space.
And if keeping track of all this sounds overwhelming, why not let someone else do the heavy lifting? Reach out to me; let’s chat about how I can help by providing regular updates and insights, tailored to your needs. You don’t have to do this alone.
