This month, we welcome Dave Archer to our blog. Dave leads the secure computing effort at Galois, an R&D company hailing from Portland, Oregon. Over the years, we have jointly been educating people on secure computing, looking for applications that can't be done in any other way. Today, Dave tells us about Callisto, an undertaking using privacy technologies for social good.
Why has the search for high-impact secure computation (SC) apps been so hard? Everyone wants privacy, and that’s what SC provides, right? Zuck proclaimed, “[Facebook has] a responsibility to protect your data, and if we can't then we don't deserve to serve you.” Well, they likely don’t deserve to serve you, but I digress. The reason “killer” SC apps are hard to find is that our data is valuable to anyone who can get it. From 1999’s “Privacy is dead - get over it” - a rather self-serving statement - to 2018’s GDPR - 55,000 words full of loopholes that allow exploitation of personal data on an epic scale - it’s clear that industry hates privacy. “Please click here to acknowledge that you accept our piracy”…[pesky spell checker]… “privacy policy.”
Perhaps, though, there really are businesses that value privacy: businesses that deal in such intimate information with such stark consequences if revealed, that end-to-end privacy is sine qua non. Enter the #metoo movement.
On US college campuses, 20% of women, 7% of men, and 24% of transgender and gender nonconforming students are victims of sexual assault, but less than 10% of those assaults are reported. When survivors have the courage to report, they do so slowly - on average 11 months later - often too late to build a case. Survivors say that reporting isn’t worth the risk of retaliation, disbelief, and stigma.
The result? Without clear evidence, or an established pattern of behavior, authorities are hesitant to take action against suspects. Why? It’s far more common for colleges to be sued for expelling an accused sexual assailant than for neglecting the safety and rights of victims. The endgame? Only 6% of reported assaults, less than 1% of all assaults, end with the assailant spending a single day in prison.
Unwinding this cultural train wreck of under-reporting and non-accountability is not easy. While efforts to stop sexual assault and harassment would benefit from full disclosure and transparency, that idea works against victims whose identity, incident details, and suspect identities could be used to cause them further harm. Suspects could certainly leverage such transparency to intimidate or threaten victims. Society uses such information to damage victims’ or suspects’ reputations or wellbeing. Most importantly, full disclosure interferes with each victim’s right to choose paths to justice that respect privacy and personal security.
Where are the levers for enabling that justice in this sordid story? Most sexual assaults are committed by serial perpetrators. In addition, research shows that for most victims, learning that there are other victims of the same assailant dramatically increases willingness to report.
I bring your attention to Callisto, which takes a game-theoretic approach to the problem of under-reporting sexual assault. In game theory terms, there is a large first-mover disadvantage for a single victim disclosing a suspect. The disclosure move opens the victim up to consequences or countermoves of retaliation, as well as disbelief by authorities, reputation damage, or stigma. Callisto’s solution aims to eliminate that first-mover disadvantage by allowing multiple victims of a suspect to act together, discouraging retaliatory countermoves. Such combined action by victims also reduces disbelief by authorities and the likelihood of victim reputation damage.
Callisto protects each victim’s and suspect’s privacy through comprehensive use of encryption and user authentication technologies. Multi-factor authentication, hashed username storage, strong passwords, and encrypted e-mail between users and Callisto are used to protect user accounts. All personal information that users provide to Callisto, along with reports of incidents and identities of suspects, is protected by a panoply of broadcast, public key, and symmetric key encryption from before it leaves the user’s computer until it is decrypted on the highly protected workstation of a Callisto Options Counselor. Moreover, counselors can only see the fact of reporting, the reported incident, and suspect information such as phone numbers, social media URLs, or e-mail addresses once more than one user identifies the same suspect - through an application of linear secret sharing. Once those matches are identified, an Options Counselor reaches out personally to each victim to help find their desired pathway to justice.
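As an added illustration of the matching mechanism sketched above (example code written for this post, not Callisto's own implementation): a simplified 2-of-n linear secret sharing escrow in Python. Each submission is one random point on a line whose slope and intercept are derived from the suspect identifier, and the intercept, which encrypts the record, can only be recovered once a second point on the same line arrives. Two assumptions stand in for the real system: the suspect key is a plain hash here where Callisto uses a server-assisted OPRF, and the SHA-256 keystream stands in for a proper AEAD.

```python
import hashlib
import secrets

P = 2**127 - 1  # prime modulus; the line lives in GF(P)

def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % P

def _xor_stream(key: int, data: bytes) -> bytes:
    # Illustrative SHA-256 keystream; a real deployment would use an AEAD such as AES-GCM.
    out, i = b"", 0
    while len(out) < len(data):
        out += hashlib.sha256(key.to_bytes(16, "big") + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(a ^ b for a, b in zip(data, out))

def suspect_key(suspect_id: str) -> int:
    # Simplification: a plain hash of the identifier. Callisto derives this key with a
    # server-assisted OPRF so guessable identifiers cannot be brute-forced offline.
    return _h(b"suspect", suspect_id.encode())

def make_entry(suspect_id: str, record: bytes) -> dict:
    """User side: one random point on the suspect's line, plus the record encrypted under the intercept."""
    k = suspect_key(suspect_id).to_bytes(16, "big")
    slope, intercept = _h(b"slope", k), _h(b"intercept", k)
    x = secrets.randbelow(P - 1) + 1  # a single point reveals nothing about the intercept
    return {"x": x, "y": (slope * x + intercept) % P, "ct": _xor_stream(intercept, record)}

def recover_intercept(e1: dict, e2: dict) -> int:
    """Counselor side: two points fix the line; evaluating it at x = 0 yields the intercept."""
    x1, y1, x2, y2 = e1["x"], e1["y"], e2["x"], e2["y"]
    if x1 == x2:
        raise ValueError("degenerate pair: identical x coordinate")
    inv = pow((x1 - x2) % P, P - 2, P)  # Fermat inverse, valid because P is prime
    return ((y2 * x1 - y1 * x2) * inv) % P

def open_matches(entries: list) -> dict:
    """Try every pair; only pairs on the same line yield a key that decrypts to a tagged record.
    Returns {entry index: plaintext} for the entries that matched."""
    opened = {}
    for i in range(len(entries)):
        for j in range(i + 1, len(entries)):
            b = recover_intercept(entries[i], entries[j])
            for idx in (i, j):
                pt = _xor_stream(b, entries[idx]["ct"])
                if pt.startswith(b"REPORT:"):  # cheap tag check; an AEAD tag would do this properly
                    opened[idx] = pt
    return opened
```

A lone entry, or entries naming different suspects, never decrypt; the counselor only learns the contents once two entries name the same suspect.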
Move over, GDPR and Facebook. Secure computation should look for killer apps - and provide real value - in markets such as Callisto’s: where privacy really is job number one.