1 of 56

Privacy Enhancing Technologies (PETs)

Legal Convening

March 12, 2024

1

Corinna Turbes, Center for Data Policy, Data Foundation

Jim Siegl, Future of Privacy Forum

Amy O’Hara, Georgetown University, Massive Data Institute

Stephanie Straus, Georgetown University, Massive Data Institute

2 of 56

Agenda

  • Welcome + Intros
  • Norming
  • FERPA Overview
  • PETs Overview
  • Data Sharing Use Cases
  • FERPA + PETs Key Issues


3 of 56

Welcome & Intros

  • Name
  • Affiliation
  • PETs or Policy (FERPA) side


4 of 56

Norms, Expectations, and Goals

  • Chatham House rule
  • No recording
  • For Zoom participants:
    • Please mute yourself when not speaking.
    • Please raise your hand.
  • For in-person participants:
    • Please raise your hand.
    • Use the table microphones provided.


5 of 56

Norms, Expectations, and Goals

  • Delineate the challenges in this PETs + laws space
    • What are your key questions?
    • Where are you getting stuck?


6 of 56

FERPA Overview

Jim Siegl

Senior Technologist

jsiegl@fpf.org

7 of 56

GUIDING QUESTION

“If a tree falls in the forest and no one is around to hear it, does it make a sound?…”

8 of 56

GUIDING FERPA AND PETs QUESTION

“If a tree falls in the forest and no one is around to see it…”

Did you have a logging permit?

9 of 56

Is Every PET a CAT?

Compliance

Avoidance

Technology

10 of 56

TERMS

  • COMPLIANCE: Adherence to legally binding rules established by government authorities or delegated bodies to control an industry, process, or sector
  • PRIVACY: The protection of sensitive information from unauthorized access, use, or disclosure.
  • SECURITY: The protection of important information against unauthorized access, disclosure, use, alteration, or disruption.
  • CONFIDENTIALITY: Ensuring that data is only accessible to authorized parties.

11 of 56

The Family Educational Rights and Privacy Act

WHAT DOES FERPA PROTECT?

  • Applies to educational agencies and institutions that receive funds under a program administered by the U.S. Department of Education

  • Education Records: Materials that are “maintained by an educational agency or institution or by a person acting for such an agency or institution,” and contain “information directly related to a student.”

  • Protects personally identifiable information (PII) from education records from unauthorized disclosure. PII includes direct identifiers (e.g. social security number), indirect identifiers (e.g. date of birth).

Direct identifiers (1:1 relationship to an individual): name, SSN, student ID number

Indirect identifiers (1:many relationship to an individual): birthdate, demographic information

12 of 56

How Does FERPA Define “Disclosure”?

Disclosure means to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records by any means, including oral, written, or electronic means, to any party except the party identified as the party that provided or created the record.

(34 CFR §99.3)

13 of 56

COMMON K12 FERPA Exceptions

...or with the Parent’s or Eligible Student’s Written Consent

  1. Other schools to which a student is transferring;
  2. Specified officials for audit or evaluation purposes;
  3. Appropriate parties in connection with financial aid to a student;
  4. Organizations conducting certain studies for or on behalf of the school;
  5. Accrediting organizations;
  6. To comply with a judicial order or lawfully issued subpoena;
  7. State and local authorities, within a juvenile justice system, pursuant to specific State law;
  8. Appropriate officials in cases of health and safety emergencies;
  9. School officials with legitimate educational interest;
  10. Directory Information.

14 of 56

FERPA “RESEARCH” EXCEPTION

THERE IS NO “RESEARCH EXCEPTION”….

16 of 56

CONSENT FOR DISCLOSURE OF STUDENT DATA

The written, signed and dated consent must:

(1) Specify the records that may be disclosed;

(2) State the purpose of the disclosure; and

(3) Identify the party or class of parties to whom the disclosure may be made.

17 of 56

FERPA: School Official Exception

Permits schools to outsource institutional services or functions that involve the disclosure of education records to contractors… or other third parties provided that the outside party:

  • Performs an institutional service for which the institution would otherwise use employees;
  • Is under the direct control of the institution with respect to the use and maintenance of education records;
  • Is subject to the requirements in § 99.33(a) that the…education records may be used only for the purposes for which the disclosure was made…and governing the redisclosure of PII from education records; and
  • Meets the criteria specified in the school or local educational agency’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records

18 of 56

FERPA: Studies Exception

PII from education records may be disclosed in connection with certain studies conducted “for or on behalf of” schools, school districts, or postsecondary institutions

Studies must be for the purpose of:

  • Developing, validating, or administering predictive tests;
  • Administering student aid programs; or
  • Improving instruction

There must be a written agreement with the individual/organization performing the study that meets certain requirements.

19 of 56

Written Agreements—Studies Exception

Written agreements must

  • Specify the purpose, scope, and duration of the study and the information to be disclosed, and
  • Require the organization to
    • use PII only to meet the purpose(s) of the study,
    • protect the PII by limiting access to those with legitimate interests,
    • conduct the study in a manner that doesn’t permit the identification of parents or students by anyone other than representatives of the organization with legitimate interests,
    • destroy PII upon completion of the study and specify the time period in which the information must be destroyed

20 of 56

FERPA: Audit / Evaluation Exception

Federal, State, and local officials listed under § 99.31(a)(3), or their authorized representatives, may have access to education records –

  • in connection with an audit or evaluation of Federal or State supported education programs, or
  • for the enforcement of, or compliance with, Federal legal requirements which relate to those programs.

The receiving entity must be a State or local educational authority or other FERPA-permitted entity or must be a designated authorized representative of a State or LEA or other FERPA-permitted entity.

Requires a “Written Agreement” with requirements specific to the Audit / Evaluation Exception.

21 of 56

How might the Audit/Evaluation exception be used?

Example:

An evaluation of college freshman who graduated from the same high school may reveal that all of those students needed postsecondary remediation in math, indicating that the high school needs to improve its math program.

An LEA could designate a university as an authorized representative, allowing the LEA to disclose, without consent, PII from education records on its former students to the university.

The university then may disclose, without consent, transcript data on these former students to the LEA to permit the LEA to evaluate how effectively the LEA prepared its students for success in postsecondary education.

22 of 56

DE-IDENTIFICATION

FERPA allows the disclosure of de-identified data without parental consent only after a reasonable determination that a student’s identity is not personally identifiable, taking into account other reasonably available information; data that could be used to re-identify a student do not qualify.

23 of 56

(1) De-identified records and information. An educational agency or institution, or a party that has received education records or information from education records under this part, may release the records or information without the consent required by §99.30 after the removal of all personally identifiable information provided that the educational agency or institution or other party has made a reasonable determination that a student's identity is not personally identifiable, whether through single or multiple releases, and taking into account other reasonably available information.

(2) An educational agency or institution, or a party that has received education records or information from education records under this part, may release de-identified student level data from education records for the purpose of education research by attaching a code to each record that may allow the recipient to match information received from the same source, provided that—

(i) An educational agency or institution or other party that releases de-identified data under paragraph (b)(2) of this section does not disclose any information about how it generates and assigns a record code, or that would allow a recipient to identify a student based on a record code;

(ii) The record code is used for no purpose other than identifying a de-identified record for purposes of education research and cannot be used to ascertain personally identifiable information about a student; and

(iii) The record code is not based on a student's social security number or other personal information.

(34 CFR §99.31(b))

24 of 56

Suppression

Suppression is a disclosure limitation method which involves removing data (e.g., from a cell or a row in a table) to prevent the identification of individuals in small groups or those with unique characteristics.

Source: https://studentprivacy.ed.gov/content/suppression
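The slide names suppression but does not show the part practitioners get wrong: removing one small cell is not enough when row and column totals are published, because the suppressed value is the total minus the visible cells. The example below is added here and is not from the convening slides or from studentprivacy.ed.gov; it implements primary suppression below an assumed minimum cell size of 10 and then complementary suppression until no row or column total can reveal a lone hidden cell. The threshold, the choice to publish zero cells, and the table of graduates by remediation status are constructed for illustration.

```python
"""Small-cell suppression with complementary suppression.

Added example (not from the convening slides). Primary suppression removes
any cell in a two-way count table that falls below a minimum cell size;
complementary suppression then removes further cells so that a suppressed
cell cannot be recovered by subtracting the published cells from a row or
column total. The threshold, zero-handling rule and table are constructed
for illustration; a real agency follows its own published rules.
"""

MIN_CELL = 10  # assumed minimum reporting size; zeros are published as-is here


def suppress(table, min_cell=MIN_CELL):
    """table: {row_label: {col_label: count}} with the same columns in every row.
    Returns (suppressed_table, withheld_totals): suppressed cells are None, and
    withheld_totals holds ("row"/"col", label) pairs whose total must not be
    published because no complementary cell was available."""
    rows = list(table)
    cols = list(table[rows[0]])
    out = {r: dict(table[r]) for r in rows}

    def hidden_in_row(r):
        return sum(out[r][c] is None for c in cols)

    def hidden_in_col(c):
        return sum(out[r][c] is None for r in rows)

    # Primary suppression: counts strictly between 0 and the threshold.
    for r in rows:
        for c in cols:
            if 0 < out[r][c] < min_cell:
                out[r][c] = None

    # Complementary suppression: a line (row or column) with exactly one
    # suppressed cell would reveal it through the published total.
    lines = [("row", r, [(r, c) for c in cols]) for r in rows] + \
            [("col", c, [(r, c) for r in rows]) for c in cols]
    withheld = set()
    changed = True
    while changed:
        changed = False
        for kind, label, cells in lines:
            if (kind, label) in withheld:
                continue
            hidden = [rc for rc in cells if out[rc[0]][rc[1]] is None]
            if len(hidden) != 1:
                continue
            candidates = [rc for rc in cells if out[rc[0]][rc[1]] not in (None, 0)]
            if not candidates:
                withheld.add((kind, label))  # nothing left to hide behind
                continue

            def cost(rc):
                # Prefer a cell whose perpendicular line already contains a
                # suppressed cell (it then needs no complement of its own),
                # then the smallest count, to limit the cascade of lost data.
                r, c = rc
                perpendicular = hidden_in_col(c) if kind == "row" else hidden_in_row(r)
                return (0 if perpendicular else 1, out[r][c])

            r, c = min(candidates, key=cost)
            out[r][c] = None
            changed = True
    return out, withheld


def residual_disclosures(out, withheld):
    """Lines whose published total would still reveal a lone suppressed cell.
    An empty list means the table is safe to publish with its marginals."""
    rows = list(out)
    cols = list(out[rows[0]])
    lines = [("row", r, [out[r][c] for c in cols]) for r in rows] + \
            [("col", c, [out[r][c] for r in rows]) for c in cols]
    return [(k, l) for k, l, vals in lines
            if (k, l) not in withheld and vals.count(None) == 1]


# Constructed counts: graduates of three high schools by remediation status.
SAMPLE = {
    "High School A": {"Remediated": 42, "Not remediated": 7, "Unknown": 23},
    "High School B": {"Remediated": 31, "Not remediated": 56, "Unknown": 12},
    "High School C": {"Remediated": 18, "Not remediated": 25, "Unknown": 14},
}

if __name__ == "__main__":
    published, withheld = suppress(SAMPLE)
    for school, cells in published.items():
        print(school, {k: ("*" if v is None else v) for k, v in cells.items()})
    print("withheld totals:", withheld,
          "residual disclosures:", residual_disclosures(published, withheld))
```

On the constructed table, the single cell of 7 forces three more cells to be hidden (one in its own row, one in its column, and one to balance that column's row), which is the cascade that makes suppression cost utility even before anyone tries to re-identify. Two hidden cells per line leave a reader with one equation per line and more unknowns than equations, so the hidden values are not recoverable from the totals; the check in residual_disclosures is the minimum an agency should run before releasing a table with marginals.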

25 of 56

Research Provisions in State Laws

26 of 56

Georgia Act 171 (2015)

Example of a fairly standard research provision in state laws passed after 2014.

20-2-666. (c) Notwithstanding paragraph (4) of subsection (a) of this Code section, an operator may disclose student data, so long as paragraphs (1) to (3), inclusive, of subsection (a) of this Code section are not violated, under the following circumstances:… (2) For legitimate research purposes: (A) As required by state or federal law and subject to the restrictions under applicable state and federal law; or (B) As allowed by state or federal law and under the direction of a school, a local board of education, or the department, subject to compliance with subsection (a) of this Code section.

27 of 56

Idaho SB 1372 (2014)

The State Board of Education shall… (iii) Develop criteria for the approval of research and data requests from state and local agencies, the state legislature, researchers and the public: (1) unless otherwise approved by the state board of education, student data maintained shall remain confidential; (2) unless otherwise approved by the state board of education, released student data in response to research and data requests may include only aggregate data; and (3) any approval of the board to release personally identifiable student data shall be subject to legislative approval prior to the release of such information.

28 of 56

Kan. Stat. Ann. § 72-6314 (2014)

(1) Except as otherwise provided in paragraph (2), student data may be disclosed to any governmental entity not specified in subsection (b) or (c), or to any public or private audit and evaluation or research organization, provided that only aggregate data is disclosed to such governmental entity or audit and evaluation or research organization. (2) Personally identifiable student data may be disclosed if the student, if an adult, or the parent or legal guardian of the student, if a minor, consents to such disclosure in writing.

29 of 56

Coffee Break

10:10-10:25 am


30 of 56

PETs Overview


Amy O’Hara

Research Professor

Massive Data Institute

Stephanie Straus

Policy Fellow

Massive Data Institute

31 of 56

Pulse Check: Knowledge of PETs

Rate yourself on a scale from 1 (“PET, who?”) to 4 (“I could do this presentation for you”).

32 of 56

Common Use Cases of SLDS (State Longitudinal Data System) Data Access/Sharing

  • Linking across agencies or institutions
  • Training data for development teams and new applications
  • Responding to microdata requests from researchers
  • Responding to data requests from legislators, media, public


33 of 56

Current Privacy Protection Methods

  • Lockdowns
  • Data use:
    • Rely on contracts (licenses, NDAs)
      • Share full copy of data with requestor
      • Trusted third parties
  • Data release:
    • Statistical disclosure controls
      • Rounding, swapping, suppression


34 of 56

Current Privacy Protection Methods → Not Enough!

  • Lockdowns → full privacy, but no utility!
  • Data use:
    • Rely on contracts (licenses, NDAs) → trusting parties to adhere to contract terms
      • Share full copy of data with requestor → additional pairs of eyes on raw data, plus additional copies of data in new locations
      • Trusted third parties → additional pairs of eyes on raw data, plus additional copies of data in new locations
  • Data release:
    • Statistical disclosure controls → full privacy, but questionable utility!
      • Rounding, swapping, suppression → computing power can possibly re-identify

35 of 56

What Are Privacy Enhancing Technologies (PETs)?

  • Cryptographic and statistical techniques that increase data protection while allowing for greater data utility
  • Also known as Privacy Preserving Technologies
  • Can enhance how data are analyzed and/or published

PETs are safer and more secure ways to analyze, link, and share data.

PETs complement, but don’t replace, DSAs (data sharing agreements) or good governance protocols.

PETs are not automatically compliant with a given law, and do not guarantee complete privacy.

36 of 56

How PETs Address Data Governance Issues

Input privacy (protecting the data while they are being used or linked):

  • Secure hashing
  • Secure enclaves
  • Intermediaries
  • Secure multiparty computation
  • Homomorphic encryption

Output privacy (protecting what is released from the analysis):

  • Traditional SDL (statistical disclosure limitation)
  • Differential privacy
  • Private query server
  • Synthetic data

37 of 56

Secure Multiparty Computation (SMC)


38 of 56

SMC Overview

Party One → SMC application ← Party Two → Result

  • Party 1 “encrypts” (secret-shares) its data and uploads the shares to the SMC application.
  • Party 2 does the same with its data.
  • The data are protected by splitting each value into shares (“slivers”) held on different servers; no single server holds a complete value.
  • The SMC code has been pre-programmed to add the shares together and then calculate the desired queries.
  • Only aggregate results are released in decrypted form.

39 of 56

Secure Multiparty Computation (SMC):

A Note on Encryption…

  • Encryption: a two-way function where data go in as plaintext and come out as ‘ciphertext.’
    • Only those with the decryption key(s) can undo it.

  • SMC: the “encryption” is often additive secret sharing; the shares play the role of the ‘ciphertext.’ No single share reveals anything about the input; all shares together reconstruct it.

whereas

  • Performing joint computations on disparate datasets while the data remain encrypted (ciphertext) → is homomorphic encryption.
    • HE: computations are performed directly on encrypted data without first decrypting.
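The two slides above describe SMC in words; the block below is an added example (not the convening's code and not any particular SMC product) of the additive secret sharing they refer to, for the simplest query: a sum across two parties. It assumes a prime modulus P, three non-colluding servers, and constructed input counts. It also exposes the trust assumption behind the “what would I see if I hacked it” question: any one server's view is a uniformly random share, while all servers together can reconstruct every input.

```python
"""Additive secret sharing for a two-party sum, as on the SMC slides.

Added example, not from the convening slides. Each party splits its
private value into three shares that individually look like uniformly
random numbers; three independent servers each hold one share from each
party and add the shares they hold. Only the combined aggregate is
reconstructed. The modulus, server count, values and party labels are
constructed for illustration.
"""
import secrets

P = (1 << 61) - 1  # prime modulus; every share and sum lives in [0, P)


def share(value, n_servers=3):
    """Split value into n_servers shares: all but the last are random, and
    the last is chosen so that the shares sum to value (mod P)."""
    shares = [secrets.randbelow(P) for _ in range(n_servers - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares):
    """Recover a value from all of its shares (fewer reveal nothing)."""
    return sum(shares) % P


def distribute(party_values, n_servers=3):
    """Upload step: server i receives share i of every party's value.
    Returns the list of share lists held by each server."""
    held = [[] for _ in range(n_servers)]
    for v in party_values:
        for i, s in enumerate(share(v, n_servers)):
            held[i].append(s)
    return held


def server_add(held_shares):
    """What one server computes: the sum of the shares it holds. This is a
    share of the total and, on its own, is independent of every input."""
    return sum(held_shares) % P


def aggregate(held):
    """Result step: combine the servers' partial sums into the decrypted
    aggregate; this is the only value that leaves the protocol."""
    return reconstruct([server_add(h) for h in held])


def to_signed(x):
    """Map a field element back to a signed integer (for negative sums)."""
    return x - P if x > P // 2 else x


def collusion_view(held, party_index):
    """What the servers learn if ALL of them pool their shares: the raw
    input of any party. Any smaller set of servers sees only random values."""
    return reconstruct([h[party_index] for h in held])


if __name__ == "__main__":
    # Constructed inputs: a district's count and a university's count.
    held = distribute([1234, 5678])
    print("one server's view of party 1:", held[0][0])  # random-looking
    print("aggregate:", aggregate(held))  # 6912
```

The protocol here is honest-but-curious: a server that follows the code learns nothing, but a server that adds a value to its share changes the result undetectably, which is the point taken up on the next slide. Addition is the easy case; joins, counts with conditions, and anything multiplicative need more machinery (Beaver triples or garbled circuits), which is why real SMC deployments use a vetted framework rather than this sketch.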

40 of 56

Secure Multiparty Computation (SMC) &

Homomorphic Encryption (HE)

  • Who can see the original data? Only the original data owners, before they upload their data to the SMC/HE application.

  • How do you know no one tampered with your data? Not from the encryption alone: additive shares and plain HE ciphertexts are malleable by design (that is what makes computing on them possible), so a modified input still decrypts to a plausible value. Tamper detection needs a separate mechanism, such as authenticating the uploaded shares or ciphertexts, or using an SMC protocol that is secure against malicious parties.

  • Who has the decryption key(s)? Usually the data owners, by design. In threshold or multi-key schemes, all keys (or a quorum of them) are needed to decrypt results.

  • What queries are being asked? Up to the data owners.

  • What would I see if I hacked SMC or HE? SMC: a single share of each value, which on its own is indistinguishable from random; the data are exposed only if enough servers are compromised to collect all the shares. HE: ciphertext (gibberish) without the private key.
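Because the slide's original claim that a tampered ciphertext “will not decrypt” does not hold for HE, the added example below (not from the convening, and not a library anyone should deploy) implements the additively homomorphic Paillier scheme on small constructed primes. It shows the legitimate operation, a computing party adding encrypted counts it cannot read, and the flip side: with only the public key, that same party can add 1000 to an encrypted count and the owner decrypts the altered value without any error. Real deployments use 2048-bit moduli and an audited library; the primes here are far too small to be secure.

```python
"""Additively homomorphic encryption (Paillier) with small parameters.

Added example, not from the convening slides. A data owner encrypts
counts; a computing party adds the ciphertexts without the private key and
never sees the counts. The same block shows that a plain HE ciphertext is
malleable (the computing party can change the encrypted value at will), so
tamper-detection is not a property of the encryption itself. The primes
are small constructed values; this code is for illustration only.
"""
import math
import secrets


def keygen(p, q):
    """Paillier key pair from two primes with gcd(pq, (p-1)(q-1)) == 1,
    using the simplified generator g = n + 1."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    # L(x) = (x - 1) // n;  mu = L(g^lam mod n^2)^-1 mod n
    mu = pow((pow(n + 1, lam, n2) - 1) // n, -1, n)
    return (n, n2), (lam, mu)


def encrypt(pub, m):
    """E(m) = g^m * r^n mod n^2 with fresh randomness r per ciphertext."""
    n, n2 = pub
    r = secrets.randbelow(n - 1) + 1
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    n, n2 = pub
    lam, mu = priv
    return (((pow(c, lam, n2) - 1) // n) * mu) % n


def add_encrypted(pub, c1, c2):
    """E(m1) * E(m2) mod n^2 == E(m1 + m2): the computation on ciphertexts."""
    return (c1 * c2) % pub[1]


def add_plaintext(pub, c, k):
    """E(m) * g^k mod n^2 == E(m + k). Anyone holding the public key can do
    this, which is exactly why a tampered ciphertext still decrypts cleanly."""
    n, n2 = pub
    return (c * pow(n + 1, k, n2)) % n2


def secure_total(pub, priv, counts):
    """Protocol sketch: owner encrypts, computing party adds, owner decrypts."""
    ciphertexts = [encrypt(pub, m) for m in counts]   # data owner
    total = ciphertexts[0]
    for c in ciphertexts[1:]:                          # computing party
        total = add_encrypted(pub, total, c)
    return decrypt(pub, priv, total)                   # data owner


# Constructed primes (nowhere near a secure size).
P_PRIME, Q_PRIME = 1000000007, 998244353

if __name__ == "__main__":
    pub, priv = keygen(P_PRIME, Q_PRIME)
    print("sum over ciphertexts:", secure_total(pub, priv, [42, 58, 11]))  # 111
    c = encrypt(pub, 42)
    tampered = add_plaintext(pub, c, 1000)
    print("tampered ciphertext decrypts to:", decrypt(pub, priv, tampered))  # 1042
```

The owner can detect substitution of its own inputs by signing or MACing each ciphertext it uploads, but it has no way to check the computing party's arithmetic from the result alone; that is why HE deployments pair the scheme with either a trusted computing party, an attested enclave, or verifiable-computation proofs, and why “the key will not work if tampered” should not appear in a compliance narrative.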

41 of 56

Secure Hashing


42 of 56

Secure Hashing

Overview

Party One: SSN: 123-45-6789 → hashed: spq1=v3?@plaa&&q72

Party Two: SSN: 123-45-6789 → hashed: spq1=v3?@plaa&&q72

Result: linkage on hashed inputs

  • Both parties have some overlapping individuals in their datasets.
  • The secure hashing algorithm ensures the same individual across their two datasets gets hashed in the same way (the hashed value shown is schematic).
  • The resulting linked data contains no PII, but does contain row-level data.

43 of 56

Secure Hashing

  • Who has access to the secure hashing algorithm (and its key or salt)? Only the data owners, or those doing the hashing.

  • What do you mean it’s not reversible? Encryption is two-way. Hashing is one-way: there is no ‘decryption key.’ Once the sensitive fields/PII variables are hashed, they remain that way in the data. Row-level data can be shared.
    • Caveat: one-way does not mean unguessable. An identifier drawn from a small space (an SSN has at most a billion possible values; a birthdate far fewer) can be recovered from an unkeyed hash by hashing every candidate and comparing. Tokens that must resist this need a secret key or salt that the recipient does not hold.

  • Why should we trust it? The underlying hash functions (e.g. SHA-256) are standardized by the National Institute of Standards and Technology (NIST). Many deployments add a salt or secret key (random additional data mixed into the hash), which prevents precomputed dictionary and rainbow-table attacks.
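The hashing slides describe linkage on hashed SSNs and assert irreversibility; the added example below (not the convening's code, and not any vendor's product) does both halves of that story on constructed records. Two parties tokenize SSNs with HMAC-SHA-256 under an assumed shared secret key and link on the tokens, so the joined rows carry no raw SSN. A dictionary attack then shows why the key matters: an unkeyed SHA-256 of an SSN falls to enumeration of a few thousand candidates once the attacker knows the hashing method, while the keyed token does not. The records, key and candidate range are all constructed.

```python
"""Record linkage on keyed-hash tokens, and why an unkeyed hash of an SSN
is not irreversible in practice.

Added example, not from the convening slides. Two parties replace the SSN
in each record with HMAC-SHA-256 of the normalized SSN under a secret key
they share, then link on the tokens; the linked rows carry no raw SSN. A
dictionary attack then shows that SHA-256 alone does not protect an SSN:
there are only a billion possible SSNs, so an attacker who knows the
hashing method hashes candidates until one matches. The records, key and
candidate range are constructed.
"""
import hashlib
import hmac
import re


def normalize_ssn(ssn):
    """Strip punctuation so '123-45-6789' and '123456789' hash identically;
    otherwise the same person never links across the two datasets."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return digits


def unkeyed_token(ssn):
    """Plain SHA-256: anyone who knows the method can recompute it."""
    return hashlib.sha256(normalize_ssn(ssn).encode()).hexdigest()


def keyed_token(key, ssn):
    """HMAC-SHA-256: cannot be recomputed without the secret key."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def tokenize(records, token_fn):
    """Replace each record's 'ssn' field with its token; other fields stay."""
    return [{**{k: v for k, v in r.items() if k != "ssn"},
             "token": token_fn(r["ssn"])} for r in records]


def link(tokenized_a, tokenized_b):
    """Row-level linkage on equal tokens (inner join)."""
    by_token = {}
    for r in tokenized_b:
        by_token.setdefault(r["token"], []).append(r)
    return [(a, b) for a in tokenized_a for b in by_token.get(a["token"], [])]


def dictionary_attack(target_token, token_fn, candidates):
    """Recover the SSN behind a token by hashing candidate SSNs with the
    attacker's guess of the hashing method. Returns None on failure."""
    for ssn in candidates:
        if hmac.compare_digest(token_fn(ssn), target_token):
            return ssn
    return None


# Constructed records held by a school district and a university.
DISTRICT = [{"id": "d1", "ssn": "123-45-6789", "grad_year": 2022},
            {"id": "d2", "ssn": "987-65-4321", "grad_year": 2022}]
UNIVERSITY = [{"id": "u1", "ssn": "123456789", "remedial_math": True},
              {"id": "u2", "ssn": "555-11-2222", "remedial_math": False}]
SHARED_KEY = b"constructed-demo-key-exchanged-out-of-band"  # assumed


def linked_rows(key=SHARED_KEY):
    """Both parties tokenize under the same key; the honest broker links."""
    fn = lambda s: keyed_token(key, s)
    return link(tokenize(DISTRICT, fn), tokenize(UNIVERSITY, fn))


def attack_unkeyed(ssn="123-45-6789"):
    """Attacker knows the area/group prefix and tries the 10,000 serials."""
    candidates = (f"{i:09d}" for i in range(123450000, 123460000))
    return dictionary_attack(unkeyed_token(ssn), unkeyed_token, candidates)


def attack_keyed(ssn="123-45-6789"):
    """Same attack against the keyed token, without the key: fails."""
    candidates = (f"{i:09d}" for i in range(123450000, 123460000))
    return dictionary_attack(keyed_token(SHARED_KEY, ssn), unkeyed_token, candidates)


if __name__ == "__main__":
    for a, b in linked_rows():
        print(a["id"], "<->", b["id"], "token:", a["token"][:12] + "...")
    print("unkeyed SHA-256 recovered:", attack_unkeyed())  # 123456789
    print("keyed HMAC recovered:", attack_keyed())         # None
```

Two design points follow from the code. First, whoever holds the key can run the same enumeration, so the key belongs with the party doing the hashing or with a trusted third party, not with the recipient of the linked rows; the “Institution - Trusted Third Party” use case later in the deck is where this usually sits. Second, the tokens are still one-to-one with the SSN, so the linked file is pseudonymous rather than anonymous; that is a technical fact, and whether it meets FERPA’s de-identification standard is the separate question the closing slides raise.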

44 of 56

Key Questions & Challenges on Use Cases


Corinna Turbes

Director, Center for Data Policy

Data Foundation

45 of 56

Key Questions & Challenges on Use Cases

  • How are you approaching these use cases in your organizations?
    • What data sharing or privacy protection tools are you using?
    • How have you interpreted the data privacy statutes?
  • What challenges are you encountering?
  • Are we missing any challenges or key questions?


46 of 56

Key Questions & Challenges on Use Cases

  1. Internally
  2. Institution - Researcher
  3. Institution - EdTech provider (or any contracted 3rd party)
  4. EdTech provider - Researcher
  5. Institution - Institution
  6. Institution - Trusted Third Party
  7. SEA - other state agencies
  8. SEA -> Researcher
  9. Many Institutions -> Many EdTech provider -> Many Researchers


47 of 56

After Lunch:

  • For each use case:

→ which PET might be able to be leveraged?

→ how might FERPA and other data privacy laws come into play?


48 of 56

Lunch

11:45 am - 12:45 pm


49 of 56

FERPA + PETs Key Issues/Questions:

Disclosure

  • Is access within a PET considered a disclosure under FERPA?
    • Purpose of disclosure / which FERPA exception, if any?
    • Who is touching the data?
    • Who is querying/Who has “direct control”?
    • Which direct identifier(s) are they querying on, and are direct identifiers exposed?
    • Who is seeing results?


  • Secure multiparty computation
  • Homomorphic encryption
  • Secure hashing

50 of 56

FERPA + PETs Key Issues/Questions:

Disclosure

Is access within a PET considered a disclosure under FERPA? One worked instance of the questions above:

    • Which, if any, FERPA exception? School official
    • Who is touching the data? (Use case) Agency
    • What PET? HE
    • Who is querying / who has “direct control”? Agency
    • Which direct identifier(s) are they querying on, and are direct identifiers exposed? None
    • Who is seeing results? Agency

51 of 56

FERPA + PETs Key Issues/Questions:

Consent and FERPA Exceptions

  • Is consent, or a valid FERPA exception, required for access to data via a PET?
    • Purpose of the use/access?
    • Are data encrypted, hashed, or neither?
    • Who is seeing or using it?
    • What are they doing with it?


52 of 56

FERPA + PETs Key Issues/Questions:

De-identification

  • Are PETs considered a form of de-identification, or do they provide ‘reasonable’ enough de-identification under FERPA?


53 of 56

FERPA + PETs Key Issues/Questions:

Other considerations

  • Should ‘access’ by code be treated differently than access by a person?
    • If so, what constraints/assumptions should apply?
  • Where in the infrastructure/cloud stack is this ‘disclosure’?
  • Which privacy laws apply to EdTech vendors?


54 of 56

Closing

2:45 - 3 pm


55 of 56

More Resources


56 of 56

Thank You
