
Security chain cooperation without having to share data

Capgemini
2022-02-15

  • Privacy and classification pose many challenges for public security organizations
  • Data sharing can take place without providing protected information
  • There are no safety obligations or risks for data that is not there
  • Zero-Knowledge Proof cryptography is a gamechanger
  • Information-driven work increases efficiency and safety

Within the public security and safety domain, data sharing is important but also risky and difficult. New technology can make all the difference.

Old problems, new solutions

Since its introduction in 2018, the EU General Data Protection Regulation (GDPR) has governed the security and use of personal information by all organizations in Europe. For those organizations involved in public security and safety, there is another important body of information that must be protected in the interests of society as a whole: classified information.

It can be difficult or even impossible to exchange information within the public security domain. This information comes from the multiple sources of different organizations and/or security chain partners. Violating privacy rules or being unable to communicate due to unequal levels of classification poses a problem. One consequence of this is that, while too much information can harm the organization or an investigation, too little information has an inhibiting, if not destructive, effect.

Security chain interactions without revealing data

Today’s reality forces organizations to look further ahead. Because if data lasts forever, then data that is leaked or stolen lasts forever as well. Once data has been revealed, it cannot be hidden again. For those in the public security domain in particular, the damage done at every level — up to and including the strategic level — can be substantial, both to the organization and to individuals.

When it comes to data exchange, there are also obligations around guaranteeing integrity, security and, above all, reliability. Traditional integration technologies such as an Enterprise Service Bus (ESB) or a Service Oriented Architecture (SOA) play a crucial role here. The technology used to meet modern standards cannot provide the desired integration solution without making it very complex and time-consuming. Current architectures are mainly based on intensive customization in which security is guaranteed by authorizations for the users and security requirements for the data carriers.

Introducing a new innovative technology, such as the use of cryptography, can offer a solution. A special type of cryptography that is now maturing due to the rise of blockchain technology is Zero-Knowledge Proof cryptography. This form of cryptography is mainly used as a means to ensure privacy, while the correctness of the transaction can still be verified.

For example, core register surveys in security chains could (start to) interact with each other based on cryptographic evidence.

This technology has now made its appearance within the financial world[i] and could play a role within the security domain.

What is Zero-Knowledge Proof cryptography?

A Zero-Knowledge Proof, or Zero-Knowledge Proof Protocol, is a method by which one party can prove to another party that it knows a value x, without conveying any information apart from the fact that it knows the value x. It enables the parties to determine, through a number of interactions, whether certain data is known, without revealing any information about this data.

Underlying this cryptography are several mathematical principles that make it simple to generate and verify evidence that someone knows value x, but impossible to trace what value x is.

A Zero-Knowledge Proof should have the following three properties:

  1. Completeness: if the claim is true, an authentic verifier (i.e. one who follows the protocol correctly) will be convinced of this fact by an authentic evidence provider.
  2. Robustness: if the claim is false/incorrect, a cheating evidence provider will be unable to convince an authentic verifier.
  3. Zero-Knowledge: if the claim is true, a verifier will obtain no information other than the fact that the claim is true.
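
The three properties can be observed in a concrete protocol. The sketch below is an added example, not code from this article or from Capgemini's proof-of-concept: it uses the Schnorr identification protocol (a technique the article does not name) to prove knowledge of x where y = g^x mod p. The toy group parameters and all function names are constructed for illustration.

```python
import secrets

# Constructed toy group (far too small for real use): p = 2q + 1, g has prime order q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # secret value x, known only to the prover
    return x, pow(G, x, P)                # public value y = g^x mod p

def commit():
    r = secrets.randbelow(Q)              # fresh nonce per run; reusing it leaks x
    return r, pow(G, r, P)                # commitment t = g^r mod p

def respond(x, r, c):
    return (r + c * x) % Q                # response s = r + c*x mod q

def verify(y, t, c, s):
    # Accept iff g^s == t * y^c (mod p); reject values outside the expected ranges.
    if not (0 < t < P and 0 <= c < Q and 0 <= s < Q):
        return False
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def honest_run(x, y):
    # Completeness: a prover who knows x always convinces the verifier.
    r, t = commit()
    c = secrets.randbelow(Q)              # verifier's random challenge
    return verify(y, t, c, respond(x, r, c))

def cheater_accepted_challenges(y, guess):
    # Robustness (soundness): without x, the prover can only prepare a commitment
    # for one guessed challenge. Returns every challenge that would be accepted.
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -guess, P)) % P
    return [c for c in range(Q) if verify(y, t, c, s)]

def simulate_transcript(y):
    # Zero-knowledge (honest verifier): a valid transcript (t, c, s) can be built
    # from the public y alone, so seeing transcripts teaches nothing about x.
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return (pow(G, s, P) * pow(y, -c, P)) % P, c, s
```

With a group of realistic size, the single challenge a cheating prover can prepare for is hit with negligible probability, which is what makes the verifier's acceptance meaningful.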

Solving a complicated problem with ease

Technology with such simple basics could easily contribute to highly complex systems. In the current landscape, we have many forms of classification, from the national level to NATO and EU level, each with its own degree of classification. Access to data is based on the provision of authorizations. This is a time-consuming process, for which the procedure must ensure data security. In many cases, the transfer of classified information from one system to another is difficult (i.e. manual) or impossible. In addition, for classified information held in documents rather than in systems, there is always a danger that the processing will be unsecured (via open mail, by telephone, or on paper).

Zero-Knowledge Proof cryptography is viewed as one of the most important developments in the field of privacy-enhancing computation[ii]. Solutions based on Zero-Knowledge Proof cryptography can make the jungle of authorizations unnecessary and increase security at the same time. In many cases this is because the purpose of the transmission of privacy-sensitive or classified information is not to transfer the complete package of information, but only to indicate whether something is correct or not. Zero-Knowledge Proof cryptography can provide that evidence.

Where the technology stands now

Within its Applied Innovation Exchange (AIE), Capgemini has developed a solution in which provable interactions between parties are carried out based on data, without any sensitive data being shared and/or replicated. In a proof-of-concept, this has reduced the registration process for a rental property, which normally involves sharing personal data and financial information, to a minimal set of (cryptographic) interactions between the parties involved. Several specific APIs have been developed that generate and verify cryptographic evidence. Framed with a number of additional techniques, such as digital signature of evidence and a rule-management system to prevent abuse and exploitation, the solution provides secure and reliable data interaction with just a few simple ‘API interactions’ between source systems. This proof-of-concept shows that, with the right technology, it is possible to significantly reduce opportunities for fraud, privacy risks and security risks in security chain cooperation. At present, the AIE is working on use cases in the security domain.

Use cases reveal the potential

Within this domain, Zero-Knowledge Proof cryptography offers the potential both to support organizations at a security level and to relieve them of the management of sensitive data. This potential is already being realized, as the following use cases demonstrate.

The MIT (Multi-disciplinary Intervention Team) is a recent partnership between organizations in the Netherlands — the Police, the Royal Netherlands Military Constabulary, the Public Prosecutor’s Office, the Dutch Fiscal Intelligence and Investigation Service, and the Tax and Customs Administration. Here, the organizations involved are working together to build up a joint information position for the purpose of effective security intervention. The use of Zero-Knowledge Proof cryptography can enrich the information position of the MIT because it allows for data to be integrated that otherwise cannot and/or may not be used. This could have a direct impact on the efficiency and decisiveness of this partnership.

Also in the Netherlands, the collaboration agreement on counter terrorism — Counter-Terrorism Information (CTI) — involves the Ministry of Defense, the Tax and Customs Administration, the General Intelligence and Security Service, the Royal Netherlands Military Constabulary, the Dutch Fiscal Intelligence and Investigation Service and the Inspection Service of the Ministry of Social Affairs and Employment. In this type of exchange of information, the data is so secret that cooperation is seriously hampered. If one of the parties wants to look up data about someone, other parties must be prevented from finding out that an investigation into this person may be ongoing and taking their own steps (which could hinder the initial investigation). In this case, information is ‘leaked’ the moment the data is requested because it shows that there is an interest in that person in the context of counter terrorism. Zero-Knowledge Proof cryptography allows for these searches to be ‘packaged’ and obscured. In some cases, one of the parties might have certain data but is not legally allowed to act on it or inform other parties. Zero-Knowledge Proof cryptography can also play a role in facilitating secure notification of another body, without revealing data about a person or potential investigation.

In a broader context, security chain interactions already exist in the security domain where the unwanted release of information would have major consequences in the context of information security or privacy assurance. Consider, for example, the communication of medical data of military personnel to/from conflict areas where both the personal data and the medical condition of a soldier must not be revealed. Zero-Knowledge Proof cryptography offers new potential. It allows for the design of security chain interactions that are currently not possible or permitted at all. This is a new world for the security domain to discover.

Conclusion

Systems that communicate based on Zero-Knowledge Proof cryptography can ensure a high degree of security in the exchange of data and thus bring peace-of-mind both to public security organizations and to society. What is not known cannot just end up on the street or in the wrong hands. Systems connected to each other based on Zero-Knowledge Proof cryptography can solve the challenge of unequal classification levels without having to make a direct connection. In addition, setting up such processes in day-to-day operations can help to reduce the jungle of authorizations and relieve the pressure on the security services, while increasing overall security.

Find out more

This article has been adapted from a chapter in the Trends in Safety 2021-2022 report giving European leaders insight into the safety and security trends affecting citizens in the Netherlands.

  • The full report in Dutch can be found here.
  • An executive summary in English can be found here.

For information on Capgemini’s Public Security and Safety solutions, visit our website here

Authors

Joop Koster
Chief Architect
Daan Verwaaij
Business Analyst Daan specializes in recognizing, translating, and responding to the challenges in the field of IT and beyond faced by the public safety and security domain every day.
Email: daan.verwaaij@capgemini.com
Michael Kolenbrander
Domain Architect Michael specializes in the realization of systems for information provision in the public safety and security domain, in particular in the context of information as intelligence. He is creator and co-author of the Whiteflag Protocol and expert in emerging technologies, such as blockchain technology.
Email: michael.kolenbrander@capgemini.com

[i] ING launches Zero-Knowledge Range Proof solution, a major addition to blockchain technology

[ii] Gartner: Top Strategic Technology Trends 2021