Differential privacy, regulatory frameworks, education and collaboration are key solutions to building privacy-preserving technologies
The "Solving the crisis:" series explores the pressing challenges of our time, including climate change, biodiversity collapse, housing affordability and more. Each article highlights how Waterloo, a hub of research, innovation and creative thinking, is uniquely positioned to address these issues. Through this series, we highlight the dedicated researchers who are tackling global crises and shaping a better future for all.
Recent events, such as the data theft attacks on Snowflake customers impacting companies including Neiman Marcus, Ticketmaster and Santander Bank, have underscored the urgent need for robust cybersecurity measures. The 2024 Summer Olympics have also been a major cybersecurity concern, with the 2021 summer games in Tokyo facing a staggering 450 million attempted security events. Cyber threats continue to evolve, becoming more sophisticated and pervasive, posing significant risks to people, organizations and governments alike.
Dr. Xi He is a professor in the Faculty of Math and the recipient of the 2024 Faculty of Mathematics Golden Jubilee Research Excellence Award for the early-career category
According to IBM, in 2024 cybersecurity breaches can lead to substantial economic costs, with the average data breach costing companies $4.88 million USD and causing significant disruptions to productivity. It is imperative to explore innovative solutions and frameworks that can help safeguard sensitive information while maintaining the utility of data.
Dr. Xi He is a professor at the Cheriton School of Computer Science at the University of Waterloo, and a member of Waterloo's Cybersecurity and Privacy Institute. Her research focus is on privacy as it relates to cybersecurity and provides valuable insights into potential solutions to the cybersecurity crisis.
One of the primary challenges in cybersecurity is the delicate balance between privacy and utility. Dr. He emphasizes the importance of this balance, particularly when dealing with sensitive data. She highlights differential privacy as a promising approach to achieving this balance. Differential privacy is a technique that adds controlled noise to data, allowing for the extraction of useful information while preserving the privacy of individuals.
“For instance, when we are trying to release population statistics, such as those collected by the U.S. Census, they need to provide useful demographic data while ensuring the privacy of individuals,” Dr. He explains.
“The state-of-the-art approach in privacy that we consider is differential privacy, which has been used by the U.S. Census Bureau. The idea is to inject randomness into the statistics being released. The more randomness you inject, the more privacy you offer, but this also affects the utility of the data,” Dr. He says.
Large corporations like Apple, Google and Microsoft have begun implementing differential privacy. For instance, when Apple decided to gather data on the most frequently used emojis among its users, they turned to differential privacy methods to collect and analyze emoji usage data by adding random noise to anonymize individual user information while still identifying overall trends.
Dr. He notes a significant gap in its adoption among small and medium-sized enterprises (SMEs). Her research aims to bridge this gap by designing tools and systems that enable SMEs to achieve optimal privacy-utility trade-offs in their data-driven analyses. This democratization of privacy-preserving technologies is essential for widespread implementation and enhanced cybersecurity across various sectors.
Regulations play a major role in shaping cybersecurity practices. Dr. He points out that regulations like the General Data Protection Regulation (GDPR) in Europe and Bill C-27 in Canada have driven companies to revisit their privacy practices. These regulations mandate that companies handle data responsibly and protect individuals' privacy.
“One of the main driving factors for companies to consider privacy within their organizations is regulation,” Dr. He notes. “After GDPR, there was a surge in privacy policies aimed at ensuring that companies do not breach sensitive information. However, there is still a gap between privacy policies and the actual implementation of privacy-preserving techniques.”
Dr. He’s work seeks to address this triangular relationship between regulation, privacy research and industry practice. By fostering collaboration among these sectors, it is possible to develop more effective privacy-preserving technologies that comply with regulatory standards and meet practical needs.
Dr. He’s highlights the need for better literacy in cybersecurity and privacy-preserving technologies among both industry professionals and the public. This increased awareness can drive more informed decision-making and the adoption of best practices in cybersecurity.
“One of the most important aspects of enhancing cybersecurity is educating people about the potential solutions and technologies available,” Dr. He says. “In my work we do this by organizing roundtable discussions and boot camps to help industry partners understand privacy-preserving technologies and their applications. It’s crucial for companies to be open-minded and willing to collaborate with researchers to develop long-term solutions.”
Dr. He also underscores the role of open-source communities in advancing cybersecurity. Projects like OpenDP, which collects and disseminates privacy-preserving algorithms and tools, are invaluable resources for organizations looking to implement these technologies. Furthermore, the involvement of big tech companies in open-sourcing their privacy-preserving tools demonstrates a collective effort to tackle cybersecurity challenges.
The cybersecurity landscape is complex, and no single solution can address all its challenges. Dr. He acknowledges that while techniques like differential privacy are crucial, they must be complemented by other privacy-enhancing technologies such as encryption, multi-party computation and synthetic data generation.
“Each of these technologies addresses different aspects of cybersecurity, from preventing data breaches to ensuring secure data storage and processing,” Dr. He says.
“Cybersecurity is not just about one technique or approach — it's about a combination of efforts from various parties,” Dr. He explains. “We need to work together, leveraging different technologies and fostering collaboration between researchers, industry and regulators to develop comprehensive solutions.”
Addressing the cybersecurity crisis requires a varied approach that balances privacy and utility, adheres to regulatory frameworks and fosters education and collaboration. By leveraging innovative technologies like differential privacy and promoting collective efforts, we can enhance our cybersecurity posture and protect sensitive information in an increasingly digital world — building a safer, more secure future for all.
Illustrations generated by Midjourney
