European Data Protection Supervisor
European Data Protection Supervisor

Technologies

Technologies

As new technologies emerge and are integrated into our lives (internet of things, for instance) new uses of personal data evolve. Together with growth in computing and detection capabilities, in the field of biometrics for instance, these evolutions raise legitimate concerns about the protection of privacy and personal data.

Filters

Pages

07/08/2020
7
Aug
2020

TechDispatch #2/2020: Quantum Computing and Cryptography

Quantum computers can be highly beneficial to scientific developments due to the new, speedy way of performing computing. Once available, they however could break currently used cryptography and undermine the protection of (personal) data.

What is quantum computing?

The physical laws of quantum mechanics allow for an alternative method to how today’s computers process information. Whereas traditional computers use bits (0 or 1) as a building block, quantum computers employ quantum bits, or qubits, that can be at the same moment a combination of |0⟩ and |1⟩.

The possible spectrum of values one qubit can adopt is best depicted by the surface of the Bloch sphere in Figure 1. While bits allow for two discrete values, qubits can store a point in a two-dimensional continuum, a surface of a sphere. Quantum computing can take advantage of those more powerful qubits and carry out operations not only for a determined value |0⟩ or |1⟩, but also for all possible superpositions at the same time. Consequently, quantum computing attains an efficiency advantage over binary computing for selected tasks. Some tasks would be rendered only feasible due to this efficiency boost, if the appropriate quantum computer hardware were available.

Figure 1: The Bloch sphere is a geometrical representation of a qubit. Qubits can take as value each point on the surface described by the two angles φ and θ. The pole points are |0⟩ or |1⟩.

In sum, quantum computers have a speed advantage over classical computers for selected problems and could therefore perform types of computation not available to current classical computers.

Figure 2: Quantum Computer IBM Q. Source: Pierre Metivier (detail, licensed under cc-by-nc 2.0)

What are the data protection issues?

There are many reasons why quantum computing could have significant implications for data protection in terms of data security and confidentiality of communications. One reason is the ability to break cryptography. Quantum computing can break many of today’s classical cryptography and as such harm severely IT security. The risk extends to the core internet security protocols. Nearly all of today’s systems that demand security, privacy or trust, would be affected.

Impact on public-key cryptography

Public-key cryptography, also known as asymmetric encryption, is a method of encrypting data with the use of cryptographic protocols based on algorithms. It requires two separate keys, a private and a public key. The Rivest-Sharmir-Adleman (RSA) algorithm is a cryptographic system that is used for public-key cryptography, and is commonly used when sending sensitive data over the internet. The RSA algorithm allows for both public and private keys to encrypt messages so their confidentiality and authenticity remain intact.

Quantum computers would allow for public-key cryptography systems to be jeopardised by adversaries in possession of a sufficiently powerful quantum computer, that could carry out the decryption without prior knowledge of the private key. Effected could be for instance digital signatures, essential Internet protocols like HTTPS (TLS) required for secure browsing, online banking, online shopping, etc.

Impact on symmetric cryptography

Quantum computing can also bring negative consequences for security guarantees of symmetric cryptography systems such as the Advanced Encryption Standard (AES). Asymmetric (e.g. RSA) and symmetric (e.g. AES) cryptography are often used together such as with the use of HTTPS. Symmetric cryptography needs practical ways of exchanging private keys in a confidential manner. To guarantee data security, the private key exchange must remain secure. But the key exchange methods used in practice today are based on problems that quantum computing may put at risk. To guarantee data confidentiality, the whole key exchange must remain secure.

Retrospective decryption

The technological progress in binary computing hardware, meaning today’s widespread classic computers, is also a threat to IT security. With increasing computing power at decreasing costs, the retrospective decryption of data from the past becomes of use if the employed key lengths used at the time were sufficiently short. Security experts regularly call out for an increase of key lengths to keep data secure for a given period. Some governments’ secret services are reported to collect data purposefully for future retrospective decryption. Quantum computers though follow different laws and would allow retrospective decryption in many cases much earlier.

Practical quantum computers

To be able to execute quantum algorithms with practical impacts, quantum computers would need to have thousands or millions of qubits with low error rates. This is something which is beyond the reach of technology in the foreseeable future.

In 2019, Google claimed to have demonstrated quantum supremacy with its 54-qubit quantum computer (Oliver 2019). The claim was that it took their quantum computer hundreds of seconds to perform computation that would take thousands of years for a powerful non-quantum supercomputer. While the solved task has no practical significance, it served as a proof of concept. It is likely that more similar results may be announced in this decade, but in the foreseeable future they will unlikely have a practical impact.

According to current understanding, to execute useful algorithms of practical relevance there is a need to build a quantum computer with more qubits and smaller error rates than what is possible today. The creation of a large and usable quantum computer within the next ten years is highly unlikely, but difficult to predict. It is this unpredictability that eventually leads to risks for IT security today.

Post-quantum cryptography

Post-quantum cryptography or quantum-safe cryptography refers to cryptography whose security is believed to be unaffected by quantum computers. This is achieved by the use of very different mathematical building blocks, which incorporate mathematical operations that quantum computers cannot solve more efficiently than other computers.

Post-quantum cryptography however will likely come with performance drawbacks and require larger computing resources to e.g. encrypt and decrypt data or sign and verify signatures and more networking resources to exchange lengthier keys and certificates. Post-quantum cryptography is not yet standardised. Sufficient and convincing knowledge must be available to conclude in a so-called cryptanalysis that such a solution is safe for both quantum and binary computing. The US National Institute of Standards and Technology (NIST) is working towards a Post-quantum cryptography standard and estimates to publish a draft with a first algorithm in 2022 or 2024. Once standardised, algorithms will need to be integrated with standard internet protocols like HTTPS.

As of 2020, prototypes of (non-standardised) postquantum cryptography are available for testing in the form of source code, software libraries (e.g. for OpenSSL), cloud services (e.g. Amazon AWS and Cloudflare) and consumer software (e.g. Google Chrome). It is estimated that a full transition could even take as long as 15-20 years in practice.

Organisations should consider for how long they need to guarantee absolute confidentiality of data and protection from retrospective decryption. Based on what we know today there is no immediate threat posed by a quantum computer in the foreseeable future. It may likely take decades to build a usable quantum computer that can execute known algorithms. But for data that needs to remain safe for very long, this uncertainty poses an issue that may require an early transition to post-quantum cryptography.

For this reason, some organisations may be interested in preparing appropriate risk assessment as well as contingency and migration plans. Such plans should always prioritise guaranteeing data security with respect to today’s non-quantum security. When transitioning to post-quantum systems, organisations should consider existing risks and the usual considerations during migration of data that would guarantee data security (i.e. reliability, availability) as well as confidentiality (e.g. when the data is re-encrypted with post-quantum cryptography). The German Federal Office for Information Security (2020) has developed initial recommendations for the migration to post-quantum cryptography.

Recommended Reading

German Federal Office for Information Security. 2020. “Post-Quantum Cryptography.” 2020. https://www.bsi.bund.de/EN/Topics/Crypto/Cryptography/PostQuantumCryptography/post_quantum_cryptography_node.html.

Giles, Martin. 2019. “Explainer: What Is Post-Quantum Cryptography?” MIT Technology Review, July. https://www.technologyreview.com/2019/07/12/134211/explainer-what-is-post-quantum-cryptography.

Montanaro, Ashley. 2016. “Quantum Algorithms: An Overview.” Npj Quantum Information 2 (1). https://doi.org/10.1038/npjqi.2015.23.

National Academies of Sciences, Engineering, and Medicine. 2019. Quantum Computing: Progress and Prospects. The National Academies Press. https://doi.org/10.17226/25196.

Oliver, William D. 2019. “Quantum Computing Takes Flight.” Nature 574 (7779): 487–88. https://doi.org/10.1038/d41586-019-03173-4.

Preskill, John. 2018. “Quantum Computing in the NISQ Era and Beyond.” Quantum 2 (August): 79. https://doi.org/10.22331/q-2018-08-06-79.

Shankland, Stephen. 2019. “IBM’s New 53-Qubit Quantum Computer Is Its Biggest yet.” CNET, September. https://www.cnet.com/news/ibm-new-53-qubit-quantum-computer-is-its-biggest-yet/.

This publication is a brief report produced by the Technology and Privacy Unit of the European Data Protection Supervisor (EDPS). It aims to provide a factual description of an emerging technology and discuss its possible impacts on privacy and the protection of personal data. The contents of this publication do not imply a policy position of the EDPS.

Issue Author: Lukasz OLEJNIK, Robert RIEMANN
Editor:    Thomas ZERDICK
Contact:   techdispatch@edps.europa.eu

To subscribe or unsubscribe to TechDispatch publications, please send a mail to techdispatch@edps.europa.eu. The data protection notice is online on the EDPS website.

© European Union, 2020. Except otherwise noted, the reuse of this document is authorised under a Creative Commons Attribution 4.0 International License (CC BY 4.0). This means that reuse is allowed provided appropriate credit is given and any changes made are indicated. For any use or reproduction of photos or other material that is not owned by the European Union, permission must be sought directly from the copyright holders.

ISSN 2599-932X

HTML:    ISBN 978-92-9242-431-2

       QT-AD-20-002-EN-Q

https://data.europa.eu/doi/10.2804/603798

PDF:      ISBN 978-92-9242-432-9

      QT-AD-20-002-EN-N

https://data.europa.eu/doi/10.2804/3604

24/06/2020
24
Jun
2020

14 misunderstandings with regard to biometric identification and authentication

Joint paper of the Spanish data protection authority, Agencia Española de Protección de Datos (AEPD), and the European Data Protection Supervisor (EDPS) on 14 misunderstandings with regard to biometric identification and authentication.

The use of biometric data for identification and authentication purposes is not new but has greatly increased in recent years. Along with its growing popularity, unfortunately, some misconceptions about the technologies involved have become widespread. 
The objective of this document is to raise awareness about some misunderstandings about biometric technologies, and to motivate its readers to check assertions about the technology, rather than accepting them without verification. 

Tags:
Thursday, 28 May, 2020
28
May
2020

Newsletter (N°
80
)

In this edition of the EDPS Newsletter we cover the EDPS consultation on transfers of personal data, the virtual visit at the European Medicines Agency (EMA), the new TechDispatch on contact tracing and mobile apps, the 47th DPO virtual meeting among other topics.
07/05/2020
7
May
2020

TechDispatch #1/2020: Contact Tracing with Mobile Applications

In public health, contact tracing is the process to identify individuals who have been in contact with infected persons. Proximity tracing with smartphone applications and sensors could support contact tracing. It involves processing of sensitive personal data.
What is Contact Tracing?

During epidemics of infectious diseases, such as the Coronavirus disease (COVID-19), it is important to lower the number of new infection cases and to stop it eventually. Therefore the infection chain of onward transmissions must be interrupted. When those persons known to be infected reveal their recent contacts, other infected persons may be identified, informed and e.g. isolated already early on, even before they become aware of their infection. The process to identify contacts of known cases is called contact tracing.
A person becomes a contact of a primary case by e.g. face-to-face contact within a short distance over some time span, physical contact or spending time indoors together–all within the incubation period of e.g. up to 2 weeks for the coronavirus disease.

To establish the risk exposure in contact tracing, information about the distance between the persons and the duration of contact are important. Close contacts with high-risk exposure may then become subject to different rules or treatments.

21/01/2020
21
Jan
2020

EDPS-Civil Society Summit 2020

The EDPS-Civil society summit is an annual meeting between the EDPS and civil society organisations organized to discuss the state of data protection and privacy in the EU.

The 2020 edition will focus on a number of issues relating facial recognition, biometric surveillance technologies and its effects on activists
in the EU.

The Summit is part of Privacy Camp 2020.

Register here.

You can follow the event on our Twitter account and participate in the conversation using the hashtag #PrivacyCamp20.

Tags:
20/12/2019
20
Dec
2019

TechDispatch #3: Connected Cars

The modern car is a computer on four wheels. Today’s cars are constantly processing and transmitting data about themselves, their surroundings and the people in it – in most of the cases even without the knowledge of the driver. This data is used in navigation, to manage car systems like the engine or to deliver communication and infotainment services to passengers.

Increasingly today, the data generated by the car is shared over the internet with other vehicles, traffic infrastructure and private and public entities. These so-called connected cars belong to the evolving Internet of Things (IoT) - with manifold related risks attached. The growing amount of personal data generated by connected cars raises the interest of insurers, automakers, law enforcement authorities and other third parties.

To read the HTML edition, click the title above.
To read the PDF edition, click the EN button below.

03/12/2019
3
Dec
2019

Leading by Example: EDPS 2015-2019

This report provides an overview of the activities carried out by the EDPS from 2015-2019. In particular, it focuses on how the EDPS has worked towards implementing the objectives set out in the EDPS Strategy 2015-2019, which relate to digitisation, global partnerships and the modernisation of data protection. This involved not only contributing historical pieces of legislation, such as the General Data Protection Regulation and Regulation 2018/1725, but also bringing the concepts of ethics and accountability to the forefront of data protection discourse and application.

 

 

 

 

HTML:    DE   EN   FR 

HTML (Summary):    DE    EN    FR

Full text of Leading by Example: EDPS 2015-2019:PDF icon
Summary (PDF):PDF icon
22/10/2019
22
Oct
2019

EDPS software receives Global Privacy and Data Protection Award

The European Data Protection Supervisor (EDPS) has received the Global Privacy and Data Protection Award for innovation. The award recognises EDPS efforts to develop a Website Evidence Collector and was presented at the annual International Conference of Data Protection and Privacy Commissioners (ICDPPC), taking place this year in Tirana, Albania.

16/10/2019
16
Oct
2019

TechDispatch #2: Smart Meters in Smart Homes

To tackle climate change, the European Union has set itself a target to ensure that 80% of EU consumers are using smart meters by 2020. This should accelerate the move towards cleaner energy and reduce energy consumption. The European Commission issued a Recommendation on preparations for the roll-out of smart metering systems in 2012. Today, there are an increasing number of smart meters being used across the EU and integrated with other smart home appliances.

To read the HTML edition, click the title above.
To read the PDF edition, click the EN button below.

Friday, 4 October, 2019
4
Oct
2019

Newsletter (N°
72
)

In this edition of the EDPS Newsletter we cover Data Protection Impact Assessments (DPIAs), the first EDPS-EDPB Joint Opinion and the new EDPS website inspection software, among many other topics.
19/07/2019
19
Jul
2019

TechDispatch #1: Smart Speakers and Virtual Assistants

Ever since Alan Turing published his paper Computing Machinery and Intelligence in 1950, computer scientists have tried to get machines to mimic human behaviour and make them as intelligent or as smart as human beings, by having them play imitation games.

Turing raised the question: Can machines think? He suggested that something “resembling thinking” could be achieved if we provide the machine with the best sense organs that money can buy, and then teach it to understand and speak English. This is the main reason why we call modern machines with some imitation capacity smart devices.

Today, a new generation of speaking devices interact with us in human-like ways to execute simple tasks and answer questions, and not only in English. How is this possible?

To read the HTML edition, click the title above.
To read the PDF edition, click the EN button below.

18/01/2019
18
Jan
2019

Smart glasses and data protection

This technology report on smart glasses and data protection aims at clarifying the state of play of smart glasses in the market, official positions on related privacy and data protection issues and future developments.

10/08/2018
10
Aug
2018

Security of identity cards of Union citizens

EDPS Opinion on the Proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents

Tags:
31/05/2018
31
May
2018

Privacy by Design

EDPS Preliminary Opinion on Privacy by Design.

26/03/2018
26
Mar
2018

EDPS helping EU institutions to prepare for new chapter in EU data protection

Two months before the new data protection rules set out in the General Data Protection Regulation (GDPR) become applicable, the European Data Protection Supervisor (EDPS) has published two new sets of Guidelines. The Guidelines provide advice to the EU institutions on how to adapt to this new chapter in EU data protection, which is notable for the emphasis it places on the principle of accountability.

Tags:
21/03/2018
21
Mar
2018

"Data Processing for Social Media Monitoring" at the European Central Bank (ECB) - ECB

Priorcheck Opinion on "Data Processing for Social Media Monitoring" at the European Central Bank (ECB) (Case 2017-1052)

Tags:
19/03/2018
19
Mar
2018

2017 Annual Report - Data Protection and Privacy in 2018: going beyond the GDPR

The GDPR is an outstanding achievement for the EU, its legislators and stakeholders, but the EU's work to ensure that data protection goes digital is far from finished. The majority of the world population now has access to the internet, while tech giants now represent the six highest valued companies in the world. With this in mind, in 2017 the EDPS issued advice to the legislator on the new ePrivacy Regulation, as well as pursuing his own initiatives relating to the Digital Clearinghouse and Digital Ethics, the latter of which will be the main topic of discussion at the 2018 International Conference of Data Protection and Privacy Commissioners, co-hosted by the EDPS.

Finalising and implementing a revised version of the current legislation governing data protection in the EU institutions and bodies as soon as possible is also a priority, if the EU is to remain a credible and effective leader in the protection of individuals' rights. The EDPS intends to exercise the powers granted to him in the revised Regulation efficiently and responsibly, in order to ensure that the EU's institutions and bodies set an example for the rest of the EU to follow. For this reason, the EDPS has invested a lot of effort in preparing the EU institutions for the new rules and will continue to do so throughout 2018.  

In 2017, the EDPS also contributed to ongoing discussions on the Privacy Shield and on the free flow of data in trade agreements, which will remain on the EU and EDPS agenda throughout 2018. With the fight against terrorism still a pressing concern for the EU, the EDPS continues to advocate the need to find a balance between security and privacy in the processing of personal data by law enforcement authorities. As the new data protection supervisor for Europol, the EU’s police authority, he is determined to ensure that the EU sets an example in achieving this balance.

 

Full text of Annual Report:PDF icon
E-book (e-pub):File
16/03/2018
16
Mar
2018

Guidelines on the use of cloud computing services by the European institutions and bodies

The EU institutions, bodies and agencies (“the EU institutions”) have been considering the use of cloud computing services because of advantages such as costs savings and flexibility gains. They are nevertheless faced with the specific risks that the cloud computing paradigm involves and remain fully responsible regarding their data protection obligations. For cloud services, the EU institutions should ensure an equivalent level of protection of personal data as for any other type of IT infrastructure model.

Tags:
09/11/2017
9
Nov
2017

Lowering the minimum age for fingerprinting visa applicants

EDPS formal comments in response to the Commission public consultation on lowering the fingerprinting age for children in the visa procedure from 12 to 6 years old

Pages