Type of problem?
  The type of challenge to be tackled plays a big part in the choice of a PET, as different applications have aspects that affect the choice differently. This should become clear later on. A problem can sometimes be approached in different ways (for example as 'set intersection' or as 'statistical analysis'); in that case, please use the tree multiple times to explore the possibilities. Besides playing with the tree, we recommend reading the accompanying guide as soon as possible. In particular, if any of the data involved contains personal data, the GDPR legislation is important (see Section 4 in the Guide).
  §2.4: Type of problem
  §4: Legal considerations
Machine learning:
Type of machine learning?
  For the Machine Learning type of challenge, we consider problems where an actual model is involved, either for training or for evaluation. We do not consider other forms of statistical analysis, as they are examined separately. If the model is trained on synthetic data, the Synthetic Data path should also be traversed.
  §4.2: GDPR principles and PET (fairness)
Model evaluation:
Single party provides input data?
  It is necessary to clarify whether the model evaluation will be performed on data belonging to one party only.
No:
Are the various data sources independent of each other from an ML perspective (e.g. horizontally partitioned)?
  In the case of Machine Learning, the outcome of a model is a set of parameters, each of which roughly corresponds to a feature of the dataset. There are two distinct cases: a) each data owner holds the same features but for different subjects (horizontal partition), or b) each data owner holds different features for the same subjects (vertical partition). We refer to the first case as data source independence.
  §6.1: Data sources independence
No:
Is the model sensitive?
  By model sensitivity we mean that the model itself is to be protected. This can be the case either if there are serious concerns that the model can leak information about the data on which it was trained, or if the model owner wishes to keep the model private for organizational reasons, such as commercial confidentiality.
  §6.3: Data vs model and output sensitivity
  §4.2: GDPR principles and PET (integrity and confidentiality)
No:
Is the input data confidential?
  We know that the model is not sensitive, but the sensitivity of the data has to be considered as well. If the data is sensitive, one needs to consider whether the local computations are sensitive too and, if so, add a layer of privacy to protect them.
  §6.3: Data vs model and output sensitivity
  §4.2: GDPR principles and PET (integrity and confidentiality)
No:
Probably solvable without privacy-preserving technologies or trusted third parties
  If neither the data nor the model are sensitive, or the model is sensitive but the data is not, there is no need for privacy-preserving technologies to evaluate the model, given that the model is owned by one party.
Yes (to 'Is the input data confidential?'):
When parties evaluate the model with a lot of data, might this evaluation potentially lead to (partially) confidential results?
  At this point we conclude that the local model evaluations are possible, in one of three ways:
  a) the data is sensitive but the model is not: each party receives part of the model;
  b) the model is owned by multiple parties and is sensitive, but the input data is not: the data is sent to the corresponding model owners;
  c) each party owns matching features and model parameters: each party performs its local computations immediately.
  The question now is whether the local results can be combined in the clear. This might not be the case, because of what these local results may reveal about the model and/or the data, depending on which of the two is sensitive.
  §4.2: GDPR principles and PET (integrity and confidentiality)
No:
Federated Analytics
  Since the local computations themselves are not sensitive, federated analytics can be used to combine them without the need for centralization.
  §Appendix A: Federated Learning
Yes (to 'When parties evaluate the model with a lot of data ...?'):
Are all parties able and willing to trust a common third party for data processing and computation?
  Such a party is also known as a 'trusted third party' or TTP. Does such a party exist for this application, and if so, are the involved parties able and willing to trust it with data processing and computation?
  §Appendix A: TTP
No:
Could data be allowed to leave the premises if it is aggregated and/or encrypted?
  If there is no such third party, or sharing raw data is not allowed at all, the possibility of sharing aggregated and/or encrypted data should be explored. Please familiarise yourself with the legal considerations on sharing data in encrypted or unencrypted form in the guide before making a decision.
  §4: Legal considerations
  §4.2: GDPR principles and PET (lawfulness, international transfer)
No:
Is the use of a Trusted Execution Environment desirable from a legal and organizational perspective?
  If it is not possible to share even encrypted data, then MPC is not possible. Hence, one should consider emulating a TSE on the premises of one of the participating parties.
  §Appendix A: TSE
  §4.2: GDPR principles and PET (lawfulness, purpose limitation)
No:
Impossible
  If neither a TTP, nor encrypted data sharing, nor a TSE can be used, then the application cannot happen. One might want to consider loosening some restrictions or re-evaluating the application's feasibility.
Yes (to 'Is the use of a Trusted Execution Environment desirable ...?'):
Trusted Secure Environment at the premises of one of the parties
  If a TSE is possible, then one of the parties should emulate it at their own premises.
  §Appendix A: TSE
Yes (to 'Could data be allowed to leave the premises ...?'):
Are parties able to maintain a connection for high-throughput communication during the computation?
  Whether high-throughput communication between the parties can be maintained during the computation is important, as secret sharing protocols exchange many messages among the involved parties. Even for simple protocols, hundreds or thousands of messages are exchanged. If your infrastructure does not support connections that last for the entire protocol, the overhead of setting up a connection for every message may have a significant negative impact on the duration of the protocol. In that case, homomorphic encryption may be the better option, as it exchanges only a few messages (although the messages themselves are larger).
  §Appendix A: MPC
No:
Homomorphic Encryption
  Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high-throughput communication, or if there is a need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
  §Appendix A: MPC
Yes (to 'Are parties able to maintain a connection ...?'):
Multiple local multiplications and additions?
  Additively homomorphic encryption is most powerful if the required mathematical operations in the solution consist primarily of additions and of multiplications by a locally known value. If more involved operations are foreseen, then Secret Sharing is probably better suited to the challenge at hand.
  §Appendix A: MPC
  §4.2: GDPR principles and PET (integrity and confidentiality)
No:
Secret Sharing
  Secret Sharing is generally the easier-to-use and more flexible solution, and should be used unless there is a reason not to.
  §Appendix A: MPC
Yes (to 'Multiple local multiplications and additions?'):
Is there need for a flexible implementation (frequent updates of the architecture)?
  If the required mathematical operations in the solution consist primarily of additions and of multiplications by a locally known value, the need for flexibility is the deciding factor. If it is likely that new secure functionalities will have to be implemented over time, a flexible foundation is convenient. Solutions based on homomorphic encryption are often tailored very specifically to the problem at hand, whereas secret-sharing-based solutions are often more flexible and allow for potentially frequent updates of the functional requirements.
  §Appendix A: MPC
  §4.2: GDPR principles and PET (accuracy, storage limitation)
No:
Homomorphic Encryption
  Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high-throughput communication, or if there is a need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
  §Appendix A: MPC
Yes (to 'Is there need for a flexible implementation ...?'):
Secret Sharing
  Secret Sharing is generally the easier-to-use and more flexible solution, and should be used unless there is a reason not to.
  §Appendix A: MPC
Yes (to 'Are all parties able and willing to trust a common third party ...?'):
Is this trusted party legally allowed to have access to and process the raw data? And is it organizationally desirable?
  It is also important to establish whether this trusted party is legally allowed to have access to the data.
  §4: Legal considerations
  §4.2: GDPR principles and PET (lawfulness)
No:
(The tree continues here exactly as under 'Could data be allowed to leave the premises if it is aggregated and/or encrypted?' above, down to the Homomorphic Encryption and Secret Sharing leaves; that subtree is not repeated.)
Yes (to 'Is this trusted party legally allowed ...?'):
Trusted third party
  If there is a third party that the parties trust and are legally allowed to share information with, this party should be used for the computation.
  §Appendix A: TTP
Yes (to 'Is the model sensitive?'):
Is the input data sensitive?
  Sensitive data means that the data itself is under protection. This can be for various reasons, including privacy or other legislation, commercial reasons, or simply other policies of the organization owning the data.
  §6.3: Data vs model and output sensitivity
  §4.2: GDPR principles and PET (integrity and confidentiality)
No:
Is the model owned by a single party?
  We know that the model is sensitive but the input data is not. If the model is owned by one party, the solution can be for the data parties to send their data to the model party and receive the evaluation result back. If multiple parties own the model, it is not always possible to perform the evaluation in the clear.
  §6.3: Data vs model and output sensitivity
No:
(The tree continues here exactly as under 'When parties evaluate the model with a lot of data, might this evaluation potentially lead to (partially) confidential results?' above, down to the Trusted third party leaf; that subtree is not repeated.)
Yes (to 'Is the model owned by a single party?'):
Probably solvable without privacy-preserving technologies or trusted third parties
  If neither the data nor the model are sensitive, or the model is sensitive but the data is not, there is no need for privacy-preserving technologies to evaluate the model, given that the model is owned by one party.
Yes (to 'Is the input data sensitive?'):
Do the parties have insight (in the clear) into the part of the model that relates to their attributes?
  Do all parties have the information from the model that is required to perform the model evaluation locally?
No:
(The tree continues here exactly as under 'Are all parties able and willing to trust a common third party for data processing and computation?' above, down to the Trusted third party leaf; that subtree is not repeated.)
Yes
When parties evaluate the model with a lot of data, might this evaluation potentially lead to (partially) confidential results??At this point, we conclude that the local model evaluations are possible, either because: a) the data is sensitive but the model is not, so each party receives part of the model; b) the model is owned by multiple parties and is sensitive but the input data is not, so the data is sent to the corresponding parties; or c) each party owns equivalent features and model parameters, so each party immediately performs the local computations. The issue now is whether it is possible to combine the local computations in the clear. This might not be the case because of what these local results may reveal about the model and/or data, depending on which is sensitive.
§4.2: GDPR principles and PET (integrity and confidentiality)
No
Federated Analytics?Since the local computations themselves are not sensitive, federated analytics can be used to combine them without need for centralization.
§Appendix A: Federated Learning
Yes
Are all parties able and willing to trust a common third party for data processing and computation??Such a party is also known as a 'trusted third party' or TTP. Does such a party exist for this application, and if so, are the involved parties able and willing to trust such a common third party for data processing and computation?
§Appendix A: TTP
No
Could data be allowed to leave the premises if it is aggregated and/or encrypted??If there is no such third party or it is not allowed at all to share raw data, the possibility of sharing aggregated and/or encrypted data should be explored. Please get yourself familiar with the legal considerations concerning data sharing in encrypted or unencrypted form in the guide to make a decision.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness, international transfer)
No
Is the use of a Trusted Execution Environment desirable from a legal and organizational perspective??If it is not possible to share even encrypted data, then MPC is not possible. Hence, one should consider emulating a TSE on the premises of one of the participating parties.
§Appendix A: TSE
§4.2: GDPR principles and PET (lawfulness, purpose limitation)
No
Impossible??If neither a TTP, nor encrypted data sharing, nor a TSE can be used, then the application cannot happen. One might want to consider loosening some restrictions or re-evaluating the application's feasibility.
Yes
Trusted Secure Environment at the premises of one of the parties?If TSE is possible, then one of the parties should emulate it at their own premises.
§Appendix A: TSE
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high throughput communication between the parties during the computation is important, as secret sharing protocols send many messages among the involved parties. Even for simple protocols, hundreds or thousands of messages are exchanged. If your infrastructure does not support setting up connections that last for the entire protocol, the overhead of making a connection for every message may have significant negative impact on the duration of the protocol. In this case, homomorphic encryption may be a better option as it exchanges only few messages (although the messages themselves are larger).
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Multiple local multiplications and additions??Additively homomorphic encryption is most powerful if the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value. If more involved operations are foreseen, then Secret Sharing is probably better suited for the challenge at hand.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
No
Secret Sharing?Secret Sharing is generally an easier to use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often tailored closely to the specific problem, whereas secret-sharing-based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2 GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Secret Sharing?Secret Sharing is generally an easier to use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is this trusted party legally allowed to have access to and process the raw data? And is it organizationally desirable??It is also important to note whether this trusted party is legally allowed to have access to the data.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness)
No
Could data be allowed to leave the premises if it is aggregated and/or encrypted??If there is no such third party or it is not allowed at all to share raw data, the possibility of sharing aggregated and/or encrypted data should be explored. Please get yourself familiar with the legal considerations concerning data sharing in encrypted or unencrypted form in the guide to make a decision.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness, international transfer)
No
Is the use of a Trusted Execution Environment desirable from a legal and organizational perspective??If it is not possible to share even encrypted data, then MPC is not possible. Hence, one should consider emulating a TSE on the premises of one of the participating parties.
§Appendix A: TSE
§4.2: GDPR principles and PET (lawfulness, purpose limitation)
No
Impossible??If neither a TTP, nor encrypted data sharing, nor a TSE can be used, then the application cannot happen. One might want to consider loosening some restrictions or re-evaluating the application's feasibility.
Yes
Trusted Secure Environment at the premises of one of the parties?If TSE is possible, then one of the parties should emulate it at their own premises.
§Appendix A: TSE
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high throughput communication between the parties during the computation is important, as secret sharing protocols send many messages among the involved parties. Even for simple protocols, hundreds or thousands of messages are exchanged. If your infrastructure does not support setting up connections that last for the entire protocol, the overhead of making a connection for every message may have significant negative impact on the duration of the protocol. In this case, homomorphic encryption may be a better option as it exchanges only few messages (although the messages themselves are larger).
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Multiple local multiplications and additions??Additively homomorphic encryption is most powerful if the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value. If more involved operations are foreseen, then Secret Sharing is probably better suited for the challenge at hand.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
No
Secret Sharing?Secret Sharing is generally an easier to use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often tailored closely to the specific problem, whereas secret-sharing-based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2 GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Secret Sharing?Secret Sharing is generally an easier to use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Trusted third party?In case there is a third party that the parties trust and are legally allowed to share information with, this party should be used for the computation.
§Appendix A: TTP
Yes
Is it possible for the parties to exchange model or data??We know that the model is not sensitive, but it is relevant to consider the data's sensitivity as well. In case the data is sensitive, one will need to consider whether the local computations are sensitive and thus potentially add a layer of privacy to protect them.
§6.3: Data vs model and output sensitivity
No
Are all parties able and willing to trust a common third party for data processing and computation??Such a party is also known as a 'trusted third party' or TTP. Does such a party exist for this application, and if so, are the involved parties able and willing to trust such a common third party for data processing and computation?
§Appendix A: TTP
No
Could data be allowed to leave the premises if it is aggregated and/or encrypted??If there is no such third party or it is not allowed at all to share raw data, the possibility of sharing aggregated and/or encrypted data should be explored. Please get yourself familiar with the legal considerations concerning data sharing in encrypted or unencrypted form in the guide to make a decision.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness, international transfer)
No
Is the use of a Trusted Execution Environment desirable from a legal and organizational perspective??If it is not possible to share even encrypted data, then MPC is not possible. Hence, one should consider emulating a TSE on the premises of one of the participating parties.
§Appendix A: TSE
§4.2: GDPR principles and PET (lawfulness, purpose limitation)
No
Impossible??If neither a TTP, nor encrypted data sharing, nor a TSE can be used, then the application cannot happen. One might want to consider loosening some restrictions or re-evaluating the application's feasibility.
Yes
Trusted Secure Environment at the premises of one of the parties?If TSE is possible, then one of the parties should emulate it at their own premises.
§Appendix A: TSE
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high throughput communication between the parties during the computation is important, as secret sharing protocols send many messages among the involved parties. Even for simple protocols, hundreds or thousands of messages are exchanged. If your infrastructure does not support setting up connections that last for the entire protocol, the overhead of making a connection for every message may have significant negative impact on the duration of the protocol. In this case, homomorphic encryption may be a better option as it exchanges only few messages (although the messages themselves are larger).
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Multiple local multiplications and additions??Additively homomorphic encryption is most powerful if the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value. If more involved operations are foreseen, then Secret Sharing is probably better suited for the challenge at hand.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
No
Secret Sharing?Secret Sharing is generally an easier to use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often tailored closely to the specific problem, whereas secret-sharing-based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2 GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Secret Sharing?Secret Sharing is generally an easier to use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is this trusted party legally allowed to have access to and process the raw data? And is it organizationally desirable??It is also important to note whether this trusted party is legally allowed to have access to the data.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness)
No
Could data be allowed to leave the premises if it is aggregated and/or encrypted??If there is no such third party or it is not allowed at all to share raw data, the possibility of sharing aggregated and/or encrypted data should be explored. Please get yourself familiar with the legal considerations concerning data sharing in encrypted or unencrypted form in the guide to make a decision.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness, international transfer)
No
Is the use of a Trusted Execution Environment desirable from a legal and organizational perspective??If it is not possible to share even encrypted data, then MPC is not possible. Hence, one should consider emulating a TSE on the premises of one of the participating parties.
§Appendix A: TSE
§4.2: GDPR principles and PET (lawfulness, purpose limitation)
No
Impossible??If neither a TTP, nor encrypted data sharing, nor a TSE can be used, then the application cannot happen. One might want to consider loosening some restrictions or re-evaluating the application's feasibility.
Yes
Trusted Secure Environment at the premises of one of the parties?If TSE is possible, then one of the parties should emulate it at their own premises.
§Appendix A: TSE
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high throughput communication between the parties during the computation is important, as secret sharing protocols send many messages among the involved parties. Even for simple protocols, hundreds or thousands of messages are exchanged. If your infrastructure does not support setting up connections that last for the entire protocol, the overhead of making a connection for every message may have significant negative impact on the duration of the protocol. In this case, homomorphic encryption may be a better option as it exchanges only few messages (although the messages themselves are larger).
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Multiple local multiplications and additions??Additively homomorphic encryption is most powerful if the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value. If more involved operations are foreseen, then Secret Sharing is probably better suited for the challenge at hand.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
No
Secret Sharing?Secret Sharing is generally an easier to use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often tailored closely to the specific problem, whereas secret-sharing-based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2 GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Secret Sharing?Secret Sharing is generally an easier to use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Trusted third party?In case there is a third party that the parties trust and are legally allowed to share information with, this party should be used for the computation.
§Appendix A: TTP
Yes
Probably solvable without PETs or trusted third parties?We reached this decision because either: a) the model and data are owned by the same party; or b) there is one data party and one model party and it is possible to exchange model or data; or c) there is one model party, two or more data parties, each party's data is independent from the model's perspective, and it is possible to exchange model or data between the model party and each of the data parties. In all of these cases, solving the problem does not require privacy enhancing technologies or the involvement of a third party.
Yes
Does the data party own the model??In case one party owns the data where the model will be evaluated, then we should know whether that data party owns the model as well. This will help decide the level of privacy protection needed.
No
Is it possible for the parties to exchange model or data??We know that the model is not sensitive, but it is relevant to consider the data's sensitivity as well. In case the data is sensitive, one will need to consider whether the local computations are sensitive and thus potentially add a layer of privacy to protect them.
§6.3: Data vs model and output sensitivity
No
Are all parties able and willing to trust a common third party for data processing and computation??Such a party is also known as a 'trusted third party' or TTP. Does such a party exist for this application, and if so, are the involved parties able and willing to trust such a common third party for data processing and computation?
§Appendix A: TTP
No
Could data be allowed to leave the premises if it is aggregated and/or encrypted??If there is no such third party or it is not allowed at all to share raw data, the possibility of sharing aggregated and/or encrypted data should be explored. Please get yourself familiar with the legal considerations concerning data sharing in encrypted or unencrypted form in the guide to make a decision.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness, international transfer)
No
Is the use of a Trusted Execution Environment desirable from a legal and organizational perspective??If it is not possible to share even encrypted data, then MPC is not possible. Hence, one should consider emulating a TSE on the premises of one of the participating parties.
§Appendix A: TSE
§4.2: GDPR principles and PET (lawfulness, purpose limitation)
No
Impossible??If neither a TTP, nor encrypted data sharing, nor a TSE can be used, then the application cannot happen. One might want to consider loosening some restrictions or re-evaluating the application's feasibility.
Yes
Trusted Secure Environment at the premises of one of the parties?If TSE is possible, then one of the parties should emulate it at their own premises.
§Appendix A: TSE
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high throughput communication between the parties during the computation is important, as secret sharing protocols send many messages among the involved parties. Even for simple protocols, hundreds or thousands of messages are exchanged. If your infrastructure does not support setting up connections that last for the entire protocol, the overhead of making a connection for every message may have significant negative impact on the duration of the protocol. In this case, homomorphic encryption may be a better option as it exchanges only few messages (although the messages themselves are larger).
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Multiple local multiplications and additions??Additively homomorphic encryption is most powerful if the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value. If more involved operations are foreseen, then Secret Sharing is probably better suited for the challenge at hand.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
No
Secret Sharing?Secret Sharing is generally an easier to use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often tailored closely to the specific problem, whereas secret-sharing-based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2 GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Secret Sharing?Secret Sharing is generally an easier to use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is this trusted party legally allowed to have access to and process the raw data? And is it organizationally desirable??It is also important to note whether this trusted party is legally allowed to have access to the data.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness)
No
Could data be allowed to leave the premises if it is aggregated and/or encrypted??If there is no such third party or it is not allowed at all to share raw data, the possibility of sharing aggregated and/or encrypted data should be explored. Please get yourself familiar with the legal considerations concerning data sharing in encrypted or unencrypted form in the guide to make a decision.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness, international transfer)
No
Is the use of a Trusted Execution Environment desirable from a legal and organizational perspective??If it is not possible to share even encrypted data, then MPC is not possible. Hence, one should consider emulating a TSE on the premises of one of the participating parties.
§Appendix A: TSE
§4.2: GDPR principles and PET (lawfulness, purpose limitation)
No
Impossible??If neither a TTP, nor encrypted data sharing, nor a TSE can be used, then the application cannot happen. One might want to consider loosening some restrictions or re-evaluating the application's feasibility.
Yes
Trusted Secure Environment at the premises of one of the parties?If TSE is possible, then one of the parties should emulate it at their own premises.
§Appendix A: TSE
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high throughput communication between the parties during the computation is important, as secret sharing protocols send many messages among the involved parties. Even for simple protocols, hundreds or thousands of messages are exchanged. If your infrastructure does not support setting up connections that last for the entire protocol, the overhead of making a connection for every message may have significant negative impact on the duration of the protocol. In this case, homomorphic encryption may be a better option as it exchanges only few messages (although the messages themselves are larger).
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Multiple local multiplications and additions??Additively homomorphic encryption is most powerful if the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value. If more involved operations are foreseen, then Secret Sharing is probably better suited for the challenge at hand.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
No
Secret Sharing?Secret Sharing is generally an easier to use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often tailored closely to the specific problem, whereas secret-sharing-based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2 GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Secret Sharing?Secret Sharing is generally an easier to use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Trusted third party?In case there is a third party that the parties trust and are legally allowed to share information with, this party should be used for the computation.
§Appendix A: TTP
Yes
Probably solvable without PETs or trusted third parties?We reached this decision because either: a) the model and data are owned by the same party; or b) there is one data party and one model party and it is possible to exchange model or data; or c) there is one model party, two or more data parties, each party's data is independent from the model's perspective, and it is possible to exchange model or data between the model party and each of the data parties. In all of these cases, solving the problem does not require privacy enhancing technologies or the involvement of a third party.
Yes
Probably solvable without PETs or trusted third parties?We reached this decision because either: a) the model and data are owned by the same party; or b) there is one data party and one model party and it is possible to exchange model or data; or c) there is one model party, two or more data parties, each party's data is independent from the model's perspective, and it is possible to exchange model or data between the model party and each of the data parties. In all of these cases, solving the problem does not require privacy enhancing technologies or the involvement of a third party.
Model training
Single party provides input data??For Model Training, it is relevant to consider whether the training data is owned by one or more parties. This is because, in the case of a single data owner, the output of the model is the only aspect that may require privacy layers, and training can happen in the clear.
No
Are the various data sources independent of each other from a ML perspective? (e.g. horizontally partitioned)?When Model Training or Statistical Analysis is to be performed and the input data is split among parties, it is relevant to consider in what way it is split. There are 2 distinct cases: a) each data owner owns the same features but on different subjects (horizontal partition) or b) each data owner owns different features but on the same subjects (vertical partition). We refer to the first case as data source independence.
§6.1: Data sources independence
No
Is an MPC solution the result of the Set intersection route??In case the data sources are not independent, then the Set Intersection route applies as well. Hence, one should complete it before answering this question, and then observe whether the decided upon intersection method involves MPC or not.
No
Federated Analytics and/or MPC*?If a non-MPC method is used for the intersection, then either Federated Analytics/Learning, or MPC, or a combination of the two can be used for the subsequent model training.
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high-throughput communication between the parties during the computation is important, as secret sharing protocols send many messages among the involved parties. Even for simple protocols, hundreds or thousands of messages are exchanged. If your infrastructure does not support setting up connections that last for the entire protocol, the overhead of making a connection for every message may have a significant negative impact on the duration of the protocol. In this case, homomorphic encryption may be a better option as it exchanges only a few messages (although the messages themselves are larger).
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Multiple local multiplications and additions??Additively homomorphic encryption is most powerful if the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value. If more involved operations are foreseen, then Secret Sharing is probably better suited for the challenge at hand.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
No
Secret Sharing?Secret Sharing is generally easier to use and more flexible, and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often very tailored to the specific problem, whereas secret-sharing based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2 GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Secret Sharing?Secret Sharing is generally easier to use and more flexible, and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Federated Analytics/Learning?In case the data sources are independent, then Federated Analytics (for Statistical Analysis) or Federated Learning (for Model Training) should be performed. However, federation is not always sufficient to protect sensitive information, hence one should continue traversing the tree for additional measures.
§Appendix A: Federated Learning
Are the locally computed values to be exchanged sensitive??Federated solutions assume that some computations are performed locally by each data party and that the results are then centrally aggregated. Hence, examining whether the results of the local computations are sensitive is a deciding factor for additional privacy layers.
§6.5: Sensitivity of locally computed values
No
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or a model respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add calibrated noise and protect against information leakage.
§Appendix A: Differential privacy
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high throughput communication between the parties during the computation is important, as Secret Sharing requires it. In case it is not possible, Homomorphic Encryption is suggested.
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or a model respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add calibrated noise and protect against information leakage.
§Appendix A: Differential privacy
Yes
Multiple local multiplications and additions??Additively homomorphic encryption fits best when the required operations primarily consist of additions and multiplication by a locally known value. If the application is not mainly based on such operations, then Secret Sharing is the best solution.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
No
Secret Sharing?Secret Sharing is generally easier to use and more flexible, and should be used unless there is a reason not to.
§Appendix A: MPC
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or a model respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add calibrated noise and protect against information leakage.
§Appendix A: Differential privacy
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often very tailored to the specific problem, whereas secret-sharing based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2: GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or a model respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add calibrated noise and protect against information leakage.
§Appendix A: Differential privacy
Yes
Secret Sharing?Secret Sharing is generally easier to use and more flexible, and should be used unless there is a reason not to.
§Appendix A: MPC
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or a model respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add calibrated noise and protect against information leakage.
§Appendix A: Differential privacy
Yes
Is there an output party that did not provide data??If there is a single data party, the question is whether that party is the only one seeing the resulting model or not.
No
Probably solvable without privacy-preserving technologies or trusted third parties?If the resulting model is not revealed to anyone but the data party, or it is revealed but is not sensitive, then the whole process can happen in the clear.
Yes
Is the model sensitive??In case there is a different output party, model sensitivity is a relevant factor. A model being sensitive in this context means that it can reveal information about the underlying training data.
§4.2: GDPR principles and PET
No
Probably solvable without privacy-preserving technologies or trusted third parties?If the resulting model is not revealed to anyone but the data party, or it is revealed but is not sensitive, then the whole process can happen in the clear.
Yes
Differential privacy?If the model is sensitive, then differential privacy should be incorporated to the training in order to avoid leaking information to the output party.
§6.3: Data vs model and output sensitivity
§4.2: GDPR principles and PET
?The type of problem Set Intersection can be either a subproblem of any of the other problems, or a problem by itself. An example of the second scenario is when organizations wish to match their datasets without planning to perform a specific analysis per se. In this case, only the Set Intersection route shall be traversed. On the contrary, when additional analysis is intended, the tree shall be traversed twice: once for Set Intersection and once for said analysis (Machine Learning, Statistical Analysis or Synthetic Data Generation).
Set intersection
Can the identifiers be shared between the parties??The most straightforward way to match the databases would be to share common identifiers of some sort. However, it is not always possible to do so, as this would allow each party to learn which subjects the other parties hold, even if the identifiers themselves are pseudonymized.
§4.2: GDPR principles and PET (integrity and confidentiality)
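Added example for the node above; this is illustration code written for this page, not code from the guide. It shows two things: why exchanging hashed (pseudonymized) identifiers still reveals which subjects a party holds when the identifier space is small enough to enumerate, and how a Diffie-Hellman based private set intersection lets two parties learn only the identifiers they have in common. The identifier scheme, the two datasets and the demo group (the multiplicative group modulo the Mersenne prime 2^127 - 1) are constructed for the example; a real deployment would use a prime-order elliptic-curve group with a proper hash-to-curve and a vetted PSI library.

```python
import hashlib
import secrets

# Demo group: multiplicative group modulo the Mersenne prime 2^127 - 1.
# Used only so the example runs stand-alone; a production PSI uses a
# prime-order elliptic-curve group with a real hash-to-curve and a vetted library.
P = 2**127 - 1
ORDER = P - 1


def hash_to_group(identifier):
    """Map an identifier to a non-trivial group element. Squaring lands in
    the quadratic-residue subgroup, which avoids elements of tiny order."""
    h = int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big")
    return pow(h % (P - 2) + 2, 2, P)


def keygen():
    """Random private exponent; it never leaves the party that generated it."""
    return secrets.randbelow(ORDER - 2) + 2


def blind(elements, key):
    return [pow(e, key, P) for e in elements]


def naive_hashed_exchange(ids):
    """What 'just share hashed identifiers' amounts to: deterministic pseudonyms."""
    return {hashlib.sha256(i.encode()).hexdigest() for i in ids}


def dictionary_attack(received_hashes, candidate_space):
    """The receiving party enumerates a small identifier space (here a
    constructed 4-digit ID scheme) and recovers every identifier behind the
    pseudonyms: it now knows exactly which subjects the sender holds."""
    return sorted(c for c in candidate_space
                  if hashlib.sha256(c.encode()).hexdigest() in received_hashes)


def dh_psi(ids_a, ids_b):
    """Two-party DH-based PSI; returns what party A learns (the intersection).
    Message 1, A -> B: H(x)^a for each of A's items.
    Message 2, B -> A: (H(x)^a)^b in the same order, plus H(y)^b for B's items.
    A computes (H(y)^b)^a and matches, because (g^a)^b == (g^b)^a.
    Items outside the intersection stay hidden; each side learns the other's
    set size, and only A learns the result unless it chooses to share it."""
    a, b = keygen(), keygen()

    # Party A blinds its identifiers.
    xa = blind([hash_to_group(x) for x in ids_a], a)

    # Party B re-blinds A's values and blinds its own (shuffled so their
    # order reveals nothing about B's database layout).
    xab = blind(xa, b)
    yb = blind([hash_to_group(y) for y in ids_b], b)
    secrets.SystemRandom().shuffle(yb)

    # Party A finishes the commutative blinding and intersects.
    yba = set(blind(yb, a))
    return sorted(x for x, t in zip(ids_a, xab) if t in yba)


if __name__ == "__main__":
    hospital = ["ID-0042", "ID-0107", "ID-0999", "ID-1234"]   # constructed
    insurer = ["ID-0107", "ID-1234", "ID-5555"]               # constructed
    space = [f"ID-{i:04d}" for i in range(10000)]
    print("recovered from hashes:", dictionary_attack(naive_hashed_exchange(hospital), space))
    print("PSI result:", dh_psi(hospital, insurer))
```

Keyed hashing with a key shared between the parties does not change the picture, since the receiver also holds the key and can run the same enumeration; only a construction like the blinded exchange above keeps the non-matching identifiers hidden.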
No
Are all parties able and willing to trust a common third party for data processing and computation??Such a party is also known as a 'trusted third party' or TTP. Does such a party exist for this application, and if so, are the involved parties able and willing to trust such a common third party for data processing and computation?
§Appendix A: TTP
No
Could data be allowed to leave the premises if it is aggregated and/or encrypted??If there is no such third party or it is not allowed at all to share raw data, the possibility of sharing aggregated and/or encrypted data should be explored. Please get yourself familiar with the legal considerations concerning data sharing in encrypted or unencrypted form in the guide to make a decision.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness, international transfer)
No
Is the use of a Trusted Secure Environment (TSE) desirable from a legal and organizational perspective??If it is not possible to share even encrypted data, then MPC is not possible. Hence, one should consider emulating a TSE on the premises of one of the participating parties.
§Appendix A: TSE
§4.2: GDPR principles and PET (lawfulness, purpose limitation)
No
Impossible??If neither a TTP, nor encrypted data sharing, nor a TSE can be used, then the application cannot happen. One might want to consider loosening some restrictions or re-evaluating the application's feasibility.
Yes
Trusted Secure Environment at the premises of one of the parties?If TSE is possible, then one of the parties should emulate it at their own premises.
§Appendix A: TSE
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high-throughput communication between the parties during the computation is important, as secret sharing protocols send many messages among the involved parties. Even for simple protocols, hundreds or thousands of messages are exchanged. If your infrastructure does not support setting up connections that last for the entire protocol, the overhead of making a connection for every message may have a significant negative impact on the duration of the protocol. In this case, homomorphic encryption may be a better option as it exchanges only a few messages (although the messages themselves are larger).
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Multiple local multiplications and additions??Additively homomorphic encryption is most powerful if the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value. If more involved operations are foreseen, then Secret Sharing is probably better suited for the challenge at hand.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
No
Secret Sharing?Secret Sharing is generally easier to use and more flexible, and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often very tailored to the specific problem, whereas secret-sharing based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2 GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Secret Sharing?Secret Sharing is generally easier to use and more flexible, and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is this trusted party legally allowed to have access to and process the raw data? And is it organizationally desirable??It is also important to establish whether this trusted party is legally allowed to access and process the raw data, and whether relying on it is organizationally acceptable to all parties.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness)
No
Could data be allowed to leave the premises if it is aggregated and/or encrypted??If there is no such third party or it is not allowed at all to share raw data, the possibility of sharing aggregated and/or encrypted data should be explored. Please get yourself familiar with the legal considerations concerning data sharing in encrypted or unencrypted form in the guide to make a decision.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness, international transfer)
No
Is the use of a Trusted Secure Environment (TSE) desirable from a legal and organizational perspective??If it is not possible to share even encrypted data, then MPC is not possible. Hence, one should consider emulating a TSE on the premises of one of the participating parties.
§Appendix A: TSE
§4.2: GDPR principles and PET (lawfulness, purpose limitation)
No
Impossible??If neither a TTP, nor encrypted data sharing, nor a TSE can be used, then the application cannot happen. One might want to consider loosening some restrictions or re-evaluating the application's feasibility.
Yes
Trusted Secure Environment at the premises of one of the parties?If TSE is possible, then one of the parties should emulate it at their own premises.
§Appendix A: TSE
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high-throughput communication between the parties during the computation is important, as secret sharing protocols send many messages among the involved parties. Even for simple protocols, hundreds or thousands of messages are exchanged. If your infrastructure does not support setting up connections that last for the entire protocol, the overhead of making a connection for every message may have a significant negative impact on the duration of the protocol. In this case, homomorphic encryption may be a better option as it exchanges only a few messages (although the messages themselves are larger).
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Multiple local multiplications and additions??Additively homomorphic encryption is most powerful if the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value. If more involved operations are foreseen, then Secret Sharing is probably better suited for the challenge at hand.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
No
Secret Sharing?Secret Sharing is generally easier to use and more flexible, and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often very tailored to the specific problem, whereas secret-sharing based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2 GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Secret Sharing?Secret Sharing is generally easier to use and more flexible, and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Trusted third party?In case there is a third party that the parties trust and are legally allowed to share information with, this party should be used for the computation.
§Appendix A: TTP
Yes
Probably solvable without privacy-preserving technologies or trusted third parties?If the identifiers can be shared freely, there is no need for a PET or a TTP, as the intersection can be computed directly on the identifiers.
?By Statistical Analysis, we refer to cases where one or more parties wish to compute a set of statistical metrics (e.g. counts, averages, standard deviations, quantiles, histograms, frequency plots, ...) on their data and receive the results.
Statistical analysis
Single party provides input data??One or more parties may provide the data for the computation. It is important to clarify it as it may affect the privacy levels needed.
No
Are all parties able and willing to trust a common third party for data processing and computation??Such a party is also known as a 'trusted third party' or TTP. Does such a party exist for this application, and if so, are the involved parties able and willing to trust such a common third party for data processing and computation?
§Appendix A: TTP
No
Could data be allowed to leave the premises if it is aggregated and/or encrypted??If there is no such third party or it is not allowed at all to share raw data, the possibility of sharing aggregated and/or encrypted data should be explored. Please get yourself familiar with the legal considerations concerning data sharing in encrypted or unencrypted form in the guide to make a decision.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness, international transfer)
No
Is the use of a Trusted Secure Environment (TSE) desirable from a legal and organizational perspective??If it is not possible to share even encrypted data, then MPC is not possible. Hence, one should consider emulating a TSE on the premises of one of the participating parties.
§Appendix A: TSE
§4.2: GDPR principles and PET (lawfulness, purpose limitation)
No
Impossible??If neither a TTP, nor encrypted data sharing, nor a TSE can be used, then the application cannot happen. One might want to consider loosening some restrictions or re-evaluating the application's feasibility.
Yes
Trusted Secure Environment at the premises of one of the parties?If TSE is possible, then one of the parties should emulate it at their own premises.
§Appendix A: TSE
Yes
Are the various data sources independent of each other from a ML perspective? (e.g. horizontally partitioned)?When Model Training or Statistical Analysis is to be performed and the input data is split among parties, it is relevant to consider in what way it is split. There are 2 distinct cases: a) each data owner owns the same features but on different subjects (horizontal partition) or b) each data owner owns different features on the same subjects (vertical partition). We refer to the first case as data source independence.
§6.1: Data sources independence
No
Is an MPC solution the result of the Set intersection route??In case the data sources are not independent, then the Set Intersection route applies as well. Hence, one should complete it before answering this question, and then observe whether the decided upon intersection method involves MPC or not.
No
Federated Analytics and/or MPC*?If a non-MPC method is used for the intersection, then either Federated Analytics, or MPC, or a combination of the two can be used for the statistics computation.
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high-throughput communication between the parties during the computation is important, as secret sharing protocols send many messages among the involved parties. Even for simple protocols, hundreds or thousands of messages are exchanged. If your infrastructure does not support setting up connections that last for the entire protocol, the overhead of making a connection for every message may have a significant negative impact on the duration of the protocol. In this case, homomorphic encryption may be a better option as it exchanges only a few messages (although the messages themselves are larger).
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Multiple local multiplications and additions??Additively homomorphic encryption is most powerful if the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value. If more involved operations are foreseen, then Secret Sharing is probably better suited for the challenge at hand.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
No
Secret Sharing?Secret Sharing is generally easier to use and more flexible, and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often very tailored to the specific problem, whereas secret-sharing based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2 GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Secret Sharing?Secret Sharing is generally easier to use and more flexible, and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Federated Analytics/Learning?In case the data sources are independent, then Federated Analytics (for Statistical Analysis) or Federated Learning (for Model Training) should be performed. However, federation is not always sufficient to protect sensitive information, hence one should continue traversing the tree for additional measures.
§Appendix A: Federated Learning
Are the locally computed values to be exchanged sensitive??Federated solutions assume that some computations are performed locally by each data party and that the results are then centrally aggregated. Hence, examining whether the results of the local computations are sensitive is a deciding factor for additional privacy layers.
§6.5: Sensitivity of locally computed values
No
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or a model respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add calibrated noise and protect against information leakage.
§Appendix A: Differential privacy
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high throughput communication between the parties during the computation is important, as Secret Sharing requires it. In case it is not possible, Homomorphic Encryption is suggested.
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or a model respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add calibrated noise and protect against information leakage.
§Appendix A: Differential privacy
Yes
Multiple local multiplications and additions??Additively homomorphic encryption fits best when the required operations primarily consist of additions and multiplication by a locally known value. If the application is not mainly based on such operations, then Secret Sharing is the best solution.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
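Added example for the 'Multiple local multiplications and additions?' and 'Homomorphic Encryption?' nodes of this tree; this is illustration code written for this page, not code from the guide. It implements Paillier, an additively homomorphic scheme, and uses exactly the two operations such a scheme offers, adding two ciphertexts and multiplying a ciphertext by a value known in the clear, to evaluate a linear model on encrypted features in two messages: the data party sends its encrypted feature vector, the model party returns the encrypted score, and only the data party can decrypt. The primes (two Mersenne primes, far too small for real use), the feature vector and the weights are constructed for the demo.

```python
import math
import secrets

# Demo parameters: two well-known Mersenne primes so the example is
# self-contained. Production Paillier keys use random primes of at least
# 1536 bits each, generated by a vetted library; these are for illustration.
P = 2**127 - 1
Q = 2**107 - 1


def keygen(p=P, q=Q):
    """Paillier key pair using the standard simplification g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)                                # gcd(lam, n) == 1 for these primes
    return (n, n + 1), (n, lam, mu)


def encrypt(pub, m):
    """Enc(m) = g^m * r^n mod n^2 with a fresh random r; m may be negative."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r != 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, lam, mu = priv
    u = pow(c, lam, n * n)
    m = ((u - 1) // n * mu) % n
    return m - n if m > n // 2 else m      # map the upper half of Z_n back to negatives


def add_enc(pub, c1, c2):
    """Enc(a) * Enc(b) = Enc(a + b): adding two ciphertexts needs no interaction."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def mul_plain(pub, c, k):
    """Enc(a)^k = Enc(k * a): multiplication by a value known in the clear."""
    n, _ = pub
    return pow(c, k % n, n * n)


def encrypted_dot(pub, enc_x, weights):
    """Model party: Enc(<w, x>) from encrypted features and its own clear weights.
    Only additions and clear-value multiplications are needed, which is exactly
    what an additively homomorphic scheme offers. Enc(a) * Enc(b) gives Enc(a + b),
    not Enc(a * b); a product of two encrypted values would need another scheme."""
    acc = encrypt(pub, 0)
    for c, w in zip(enc_x, weights):
        acc = add_enc(pub, acc, mul_plain(pub, c, w))
    return acc


def demo():
    """Two-message evaluation: data party sends Enc(x); model party returns Enc(score)."""
    pub, priv = keygen()                      # the data party holds the private key
    x = [3, -7, 12, 5]                        # constructed sample feature vector
    w = [2, 4, -1, 6]                         # model party's weights, never disclosed
    enc_x = [encrypt(pub, v) for v in x]      # message 1: data party -> model party
    enc_score = encrypted_dot(pub, enc_x, w)  # message 2: model party -> data party
    return decrypt(priv, enc_score)


if __name__ == "__main__":
    print("decrypted score:", demo())
```

The model party never sees x and the data party never sees w, and the whole exchange is two messages regardless of vector length, which is the communication profile the tree contrasts with secret sharing. Anything beyond additions and clear-value multiplications (a comparison, a non-linear activation, a product of two encrypted values) is not available here and is where the tree points to secret sharing instead.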
No
Secret Sharing?Secret Sharing is generally easier to use and more flexible, and should be used unless there is a reason not to.
§Appendix A: MPC
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or a model respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add calibrated noise and protect against information leakage.
§Appendix A: Differential privacy
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often very tailored to the specific problem, whereas secret-sharing based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2: GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or a model respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add calibrated noise and protect against information leakage.
§Appendix A: Differential privacy
Yes
Secret Sharing?Secret Sharing is generally easier to use and more flexible, and should be used unless there is a reason not to.
§Appendix A: MPC
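Added example for the 'Secret Sharing?' node above and for the 'Are parties able to maintain a connection for high-throughput communication?' nodes of this tree; this is illustration code written for this page, not code from the guide. It simulates additive secret sharing among n parties with Beaver-triple multiplication and instruments the (simulated) network so that the number of share values put on the wire and the number of communication rounds can be read off for a concrete dot product. The party count, the vectors and the dealer that hands out triples are constructed for the demo; in a deployed protocol the triples come from an interactive preprocessing phase.

```python
import secrets

MOD = 2**64   # shares live in the ring Z_{2^64}; all arithmetic is reduced modulo MOD


class Network:
    """Simulated channel that counts what goes on the wire."""

    def __init__(self, n_parties):
        self.n = n_parties
        self.shares_sent = 0   # individual share values transmitted
        self.rounds = 0        # communication rounds, each needing a live connection

    def open(self, shared_values):
        """Open several secret-shared values in one round: every party sends
        its share of each value to every other party, then all reconstruct."""
        self.shares_sent += len(shared_values) * self.n * (self.n - 1)
        self.rounds += 1
        return [sum(shares) % MOD for shares in shared_values]


def share(value, n):
    """Additive sharing: n - 1 random shares, the last one makes the sum equal value."""
    parts = [secrets.randbelow(MOD) for _ in range(n - 1)]
    parts.append((value - sum(parts)) % MOD)
    return parts


def to_signed(v):
    """Interpret the upper half of the ring as negative numbers."""
    return v - MOD if v >= MOD // 2 else v


def add(xs, ys):
    """Addition is local: each party adds its own two shares, nothing is sent."""
    return [(x + y) % MOD for x, y in zip(xs, ys)]


def add_public(xs, k):
    """Adding a public constant: only party 0 adjusts its share."""
    return [(xs[0] + k) % MOD] + xs[1:]


def mul_public(xs, k):
    """Multiplying by a public constant is local as well."""
    return [(x * k) % MOD for x in xs]


def beaver_triple(n):
    """Shares of (a, b, a*b) from a simulated dealer (constructed for the demo)."""
    a, b = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return share(a, n), share(b, n), share(a * b, n)


def mul(xs, ys, net, triple):
    """Beaver multiplication: one round opens d = x - a and e = y - b, then
    z = c + d*b + e*a + d*e is assembled locally. Every product costs a round."""
    a_sh, b_sh, c_sh = triple
    d, e = net.open([[(x - a) % MOD for x, a in zip(xs, a_sh)],
                     [(y - b) % MOD for y, b in zip(ys, b_sh)]])
    z = add(c_sh, add(mul_public(b_sh, d), mul_public(a_sh, e)))
    return add_public(z, d * e)


def secure_dot(x_vec, y_vec, n_parties=3):
    """Dot product of two secret-shared vectors, multiplying term by term.
    Returns (result, shares sent, rounds). The per-term products are independent,
    so a real implementation would batch them into a single round; the number of
    share values that has to cross the network stays the same."""
    net = Network(n_parties)
    xs = [share(v, n_parties) for v in x_vec]
    ys = [share(v, n_parties) for v in y_vec]
    acc = share(0, n_parties)
    for x_sh, y_sh in zip(xs, ys):
        acc = add(acc, mul(x_sh, y_sh, net, beaver_triple(n_parties)))
    (result,) = net.open([acc])       # only the final output is ever opened
    return to_signed(result), net.shares_sent, net.rounds


if __name__ == "__main__":
    value, sent, rounds = secure_dot(list(range(100)), list(range(100)))
    print(f"dot={value} shares_sent={sent} rounds={rounds}")
```

With three parties and 100-element vectors the run above puts 1206 share values on the wire over 101 sequential rounds (2 per product plus the final opening, each sent to 2 peers), which is the 'hundreds or thousands of messages' the tree warns about. Additions and multiplications by public constants cost nothing, which is also why secret sharing adapts easily when the computation changes: a new function is a new sequence of the same local and opening steps, with no key or parameter set tailored to it.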
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or a model respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add noise and protect from information leakage.
§Appendix A: Differential privacy
Yes
Is this trusted party legally allowed to have access to and process the raw data? And is it organizationally desirable??It is also important to note whether this trusted party is legally allowed to have access to the data.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness)
No
Could data be allowed to leave the premises if it is aggregated and/or encrypted??If there is no such third party or it is not allowed at all to share raw data, the possibility of sharing aggregated and/or encrypted data should be explored. Please familiarize yourself with the legal considerations concerning data sharing in encrypted or unencrypted form in the guide before making a decision.
§4: Legal considerations
§4.2: GDPR principles and PET (lawfulness, international transfer)
No
Is the use of a Trusted Execution Environment desirable from a legal and organizational perspective??If it is not possible to share even encrypted data, then MPC is not possible. Hence, one should consider emulating a TSE on the premises of one of the participating parties.
§Appendix A: TSE
§4.2: GDPR principles and PET (lawfulness, purpose limitation)
No
Impossible??If neither TTP, nor encrypted data sharing, nor TSE can be used, then the application cannot happen. One might want to consider loosening some restrictions or reevaluating the application's feasibility.
Yes
Trusted Secure Environment at the premises of one of the parties?If TSE is possible, then one of the parties should emulate it at their own premises.
§Appendix A: TSE
Yes
Are the various data sources independent of each other from a ML perspective? (e.g. horizontally partitioned)?When Model Training or Statistical Analysis is to be performed and the input data is split among parties, it is relevant to consider in what way it is split. There are 2 distinct cases: a) each data owner owns the same features but on different subjects (horizontal partition) or b) each data owner owns different features but on the same subjects (vertical partition). We refer to the first case as data source independence.
§6.1: Data sources independence
No
Is an MPC solution the result of the Set intersection route??In case the data sources are not independent, then the Set Intersection route applies as well. Hence, one should complete it before answering this question, and then observe whether the decided-upon intersection method involves MPC or not.
No
Federated Analytics and/or MPC*?If a non-MPC method is used for the intersection, then either Federated Analytics, or MPC, or a combination of the two can be used for the statistics computation.
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high-throughput communication between the parties during the computation is important, as secret sharing protocols send many messages among the involved parties. Even for simple protocols, hundreds or thousands of messages are exchanged. If your infrastructure does not support setting up connections that last for the entire protocol, the overhead of making a connection for every message may have a significant negative impact on the duration of the protocol. In this case, homomorphic encryption may be a better option as it exchanges only a few messages (although the messages themselves are larger).
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Multiple local multiplications and additions??Additively homomorphic encryption is most powerful if the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value. If more involved operations are foreseen, then Secret Sharing is probably better suited for the challenge at hand.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
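The two decision points above (communication needs of secret sharing, and which operations stay local) can be seen concretely in additive secret sharing. The following is an added illustration, not code from the guide: a constructed three-party toy in which addition and multiplication by a public constant cost no messages, while multiplying two shared values forces every party to broadcast masked values. It assumes a trusted dealer hands out the Beaver triple (that setup traffic is not counted).

```python
import secrets

P = 2**61 - 1      # prime modulus for the shared arithmetic (assumed, a Mersenne prime)
N_PARTIES = 3      # constructed toy setting: three computing parties

def share(x, n=N_PARTIES):
    """Additively share x: n uniformly random values that sum to x mod P."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % P)
    return shares

def reconstruct(shares):
    return sum(shares) % P

def add_local(xs, ys):
    """Addition needs no messages: each party adds its own two shares."""
    return [(a + b) % P for a, b in zip(xs, ys)]

def scale_local(xs, c):
    """Multiplication by a locally known (public) constant is also local."""
    return [(c * a) % P for a in xs]

def mul_with_beaver(xs, ys, n=N_PARTIES):
    """Multiply two shared values x*y using a Beaver triple (a, b, a*b).
    Each party must broadcast two masked values, so this step needs
    communication. Returns the product shares and the message count."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    a_sh, b_sh, ab_sh = share(a, n), share(b, n), share(a * b % P, n)
    # party i computes d_i = x_i - a_i and e_i = y_i - b_i and broadcasts both
    d_sh = [(x - ai) % P for x, ai in zip(xs, a_sh)]
    e_sh = [(y - bi) % P for y, bi in zip(ys, b_sh)]
    messages = 2 * n * (n - 1)        # two values, each sent to every other party
    d, e = reconstruct(d_sh), reconstruct(e_sh)   # opened values leak nothing about x, y
    # x*y = (d + a)(e + b) = d*e + d*b + e*a + a*b; the last three terms are shared
    z_sh = [(ab + d * bi + e * ai) % P for ab, ai, bi in zip(ab_sh, a_sh, b_sh)]
    z_sh[0] = (z_sh[0] + d * e) % P   # the public term d*e is added by one party only
    return z_sh, messages

def demo(x=7, y=5, c=3):
    """Run the three operations on constructed inputs; returns (x+y, c*x, x*y, msgs)."""
    xs, ys = share(x), share(y)
    s = reconstruct(add_local(xs, ys))      # 0 messages exchanged
    t = reconstruct(scale_local(xs, c))     # 0 messages exchanged
    z_sh, msgs = mul_with_beaver(xs, ys)    # 12 messages for three parties
    return s, t, reconstruct(z_sh), msgs
```

Every additional secure multiplication repeats the broadcast round, which is why a protocol with many non-local operations quickly reaches the hundreds or thousands of messages mentioned above.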
No
Secret Sharing?Secret Sharing is generally an easier-to-use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often very tailored to the specific problem, whereas secret-sharing-based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2: GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Yes
Secret Sharing?Secret Sharing is generally an easier-to-use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Yes
Federated Analytics/Learning?In case the data sources are independent, then Federated Analytics (for Statistical Analysis) or Learning (for Model Training) should be performed. However, federation is not always sufficient to protect sensitivity, hence one should continue traversing the tree for additional measures.
§Appendix A: Federated Learning
Are the locally computed values to be exchanged sensitive??Federated solutions assume that some computations are performed locally by each data party and then centrally aggregated. Hence, examining whether the results of the local computations are sensitive is a deciding factor for additional privacy layers.
§6.5: Sensitivity of locally computed values
No
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or model, respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add noise and protect from information leakage.
§Appendix A: Differential privacy
Yes
Are parties able to maintain a connection for high-throughput communication during the computation??Whether it is possible to maintain high-throughput communication between the parties during the computation is important, as Secret Sharing requires it. In case it is not possible, Homomorphic Encryption is suggested.
§Appendix A: MPC
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or model, respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add noise and protect from information leakage.
§Appendix A: Differential privacy
Yes
Multiple local multiplications and additions??If the application is not mainly based on multiple local multiplications and additions, then Secret Sharing is the best solution.
§Appendix A: MPC
§4.2: GDPR principles and PET (integrity and confidentiality)
No
Secret Sharing?Secret Sharing is generally an easier-to-use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or model, respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add noise and protect from information leakage.
§Appendix A: Differential privacy
Yes
Is there need for a flexible implementation (frequent update of the architecture)??If the required mathematical operations in the solution primarily consist of additions and multiplication by a locally known value, the need for flexibility is the deciding factor. If it is likely that, in time, new secure functionalities are to be implemented, then it is convenient to have a flexible foundation. Solutions based on homomorphic encryption are often very tailored to the specific problem, whereas secret-sharing-based solutions are often more flexible and enable potentially frequent updates of functional requirements.
§Appendix A: MPC
§4.2: GDPR principles and PET (accuracy, storage limitation)
No
Homomorphic Encryption?Overall, Homomorphic Encryption should be chosen if it is not possible to maintain high throughput communication or there is need for multiple local multiplications and additions and no need for flexibility. In any other case, Secret Sharing should be used.
§Appendix A: MPC
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or model, respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add noise and protect from information leakage.
§Appendix A: Differential privacy
Yes
Secret Sharing?Secret Sharing is generally an easier-to-use, more flexible solution and should be used unless there is a reason not to.
§Appendix A: MPC
Is the output of the computation sensitive??The analytics or learning performed will result in a statistic or model, respectively. Thus, one should consider whether that result is in itself sensitive. Sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.3: Data vs model and output sensitivity
Yes
Differential Privacy (complementary to the solution already suggested)?In case the output of the computation is sensitive, Differential Privacy should be used during the computation to add noise and protect from information leakage.
§Appendix A: Differential privacy
Yes
Trusted third party?In case there is a third party that the parties trust and are legally allowed to share information with, this party should be used for the computation.
§Appendix A: TTP
Yes
Is there an output party that did not provide data??If there is a single data party, the question is whether that party is the only one seeing the resulting statistics or not.
No
Probably solvable without privacy-preserving technologies or trusted third parties?If the resulting statistics are not revealed to anyone but the data party, or they are but they are not sensitive, then the whole process can happen in the clear.
Yes
Is the output sensitive??In case there is a different output party, output sensitivity is a relevant factor. A statistic being sensitive in this context means that it can reveal information about the underlying data on which it was computed.
§6.5: Sensitivity of locally computed values
No
Probably solvable without privacy-preserving technologies or trusted third parties?If the resulting statistics are not revealed to anyone but the data party, or they are but they are not sensitive, then the whole process can happen in the clear.
Yes
Differential privacy?If the output is sensitive, then differential privacy should be incorporated into the computation in order to avoid leaking information to the output party.
?Synthetic data generation refers to cases where one wishes to generate new data based on some other data's distribution and characteristics, e.g. with the purpose of creating larger datasets for testing. We assume that the original data used to generate synthetic data is sensitive. Otherwise, it is immediately possible to synthesize data without employing a PET to protect the original data from potential reconstruction from the synthetic data.
Synthetic data
Single party provides input data??It is important to know whether a single party provides the original data from which synthetic data will be created.
No
Privacy-Preserving version of the technique used (see the start of the tree) & Differential Privacy?If there are multiple data-providing parties, the data synthesizing algorithm will be applied to their combined data, so there may be a need to apply it in a privacy-preserving way. Thus, the tree should be traversed depending on the type of data synthesizing algorithm used (e.g. if Neural Networks are used, one should traverse the /Machine Learning/Model Training subtree). Differential Privacy should also be used, as in 5.1.
Yes
Differential privacy?If there is one data-providing party, Differential Privacy can be used to ensure that there is enough noise on the synthesized data to protect the original data. The data synthesizing algorithm itself does not need to be applied in a privacy-preserving way.