Dan Bogdanov, director of Cybernetica’s Information Security Institute, was invited to give a talk on December 10 about using privacy and security technologies for making data-driven policy decisions. The lecture was hosted by the Johan Skytte Institute of Political Studies at University of Tartu under its European Research Area Chair of e-governance and digital public services.
Bogdanov was selected for the series to highlight the “important and interesting work” that is being undertaken by the university’s partners in the private and public sectors in Estonia and worldwide, according to Elis Vollmer, communication manager for the ERA Chair at the university.
Vollmer said another goal was to “introduce the different aspects of digital governance on a wider scale, as there is so much more to it” than just artificial intelligence. “We believe that when society understands the aspects of digital transformation,” said Vollmer,” then it will be easier for them to ask for safe and secure public services and to trust digital governance.”
According to Vollmer, the institute’s research on digital governance is focused on three areas. One is life-event based and pro-active digital services based on proxy data sources, such as logs of e-public services. These data can be used to identify life-events that can proactively trigger public services without user interaction. Another research area of interest is cross-border governance and service impact assessment, as the ERA Chair helps to develop, pilot, and assess the impact of cross-border digital services. Thirdly, the Chair is interested in internet voting and open government co-creation, and in improving the use of such digital tools.
Bogdanov’s lecture for the institute specifically focused on how policy makers can combine and aggregate data from diverse sources to prepare for decision making, feeding multiple data streams into what is termed a government data warehouse or data lake. While they do this, policy makers have to ensure they abide by data privacy regulations, and assuage the concerns of citizens about security.
Bogdanov has extensive background in managing privacy challenges, and cut his teeth on the data collection systems of the Estonian Genome Centre, an undertaking that led him to start working with cryptographic solutions for privacy problems. Inspired by the technical and regulatory challenges he saw in healthcare data processing, Bogdanov led the development of Sharemind, a secure, multi-party computation system for collecting, sharing, and processing private data. Using this new kind of computer, one can analyze digital data but steer clear of values that can be traced to people. This allows users to sift through reams of tax, education, genomic, and financial information under the guard of state-of-the-art data protection.
“I believe privacy technologies will be critical for re-using public sector data without sacrificing the ground principles of security and privacy,” said Bogdanov. “If we do this right, we can reduce the cost of managing chronic diseases, strengthen precision medicine efforts, or improve the fight against money laundering or other crime,” he said. “There is lots of potential.”
As noted, Bogdanov has an extensive pedigree in his field. He is the co-author of the ISO/IEC 29101 standard on the architecture of privacy-preserving systems and the ISO/IEC 19592 standard on secret sharing, for instance, and also a board member of the MPC Alliance, an industry organization of companies developing secure multi-party computation technology.
Currently, Dan is the director of the Information Security Research Institute at Cybernetica, one of the oldest IT companies active in Estonia. Cybernetica was founded in 1997 as a successor to the Institute of Cybernetics, which was established in 1960. The firm is probably best known for helping to develop X-Road, a software solution that serves as the backbone of Estonia interlocking and overlapping digital services, the whole of which is dubbed “e-Estonia.”
While Cybernetica is a private company, it still functions in some way as an academic endeavour, noted Bogdanov, and his institute of 35 people continues to produce scientific research and act as a think tank on e-governance, digital identity, and data protection technologies, with an aim to make solutions developed for Estonia fit systems in other countries. “You can’t export the whole country,” commented Bogdanov, “but you can build up other e-governments using the components and experiences collected in Estonia and elsewhere. Each country is different, has its own past and ways of living, this has to be respected..”
During his talk, Bogdanov commented on trends in data privacy, noting that Estonia early on decided to decentralize its data as a way to reduce security risks. He noted that the current trend is to centralize data, as most AI and analytics prefer to have the data in the same place. “At the same time, the Estonian X-Road based system is often misunderstood abroad as a superdatabase. There is a perception that you can only build the kinds of services we have in Estonia if you have a big central database,” noted Bogdanov. “This is not the case here. Data-driven services have a good starting point in Estonia, but the data science methods need further development to maintain the level of security and privacy we have upheld for the last 20 years.”
As part of his lecture, Bogdanov also provided an overview of an early use case of Sharemind in Estonian e-government, showcasing how the tool could be used to analyze the labour market activity of students by linking their tax and education records, but without infringing on their fundamental right to privacy. “This is very valuable information but not possible to generate in a privacy preserving way without secure computing technologies,” he said.
Bogdanov also discussed the application of Sharemind and similar technologies in COVID-19 surveillance and also in location and mobility statistics. The latter has been a controversial topic in Estonia and Europe, as mobile phone location data contains many insights, but any system using it could also be used for unwarranted surveillance. Cybernetica has shown Sharemind to be a useful tool for privacy-preserving mobility and tourism statistics in projects with the Indonesian Ministry of Tourism and the European Statistics Office (EUROSTAT).
In the future, Bogdanov said, it might be possible to link X-Road, Cybernetica’s Unified eXchange Platform (UXP), and Sharemind to allow e-governments to build encrypted data lakes that can still be analyzed for insights or decision support, whether in governance, healthcare, taxation or security.
Robert Krimmer, the ERA Chair holder of e-governance within the Skytte Institute, said that Bogdanov’s talk showcased the practical links between the research and development done in the Skytte institute and Cyberenetica and fell in line with the institute’s research on data sharing within and across borders.
“Dan provided some insights into the experience with his invention Sharemind, which allows for data protection safe analysis of multiple data sources, such as knowing what the average salary of university graduates in their first year working is, and the development of the European Green Passport. This enables us to overcome critical gaps in secure data exchange across platforms and service providers,” said Krimmer. “All in all, it was a great experience report by Dan, which highlights the high level of expertise available in Estonia,” Krimmer said.
Vollmer noted that the institute’s lecture series will continue this spring, though new talks have not yet been announced. Those interested can find more information about the talks on the ERA Chair homepage.
Written by: Justin Petrone
This article was funded by the European Regional Development Fund through Estonian Research Council.