From a general point of view, we live immersed in what we call the “smart society,” an ecosystem where technological infrastructure is as ubiquitous as it is invisible. Concepts that once belonged to the academic realm, such as IoT, Edge Computing, or the Cloud, are today the fabric that sustains our daily lives. This hyperconnection generates an incessant flow of data; every interaction, every movement, and every service used feeds a massive knowledge engine. However, herein lies the great strategic paradox: the “intelligence” of the system depends on its ability to observe and share that data, but in that process, we often lose track of our information. The challenge is not only technical but existential: how can we extract value and collaborate across organizations without literally throwing our data out the window?

These are some comments following our participation in https://bioderecho.eu/eventos/xxxii-congreso-internacional-sobre-derecho-y-genoma-humano/, where we discussed the main technological challenges in the implementation of the European Data Health Space. As part of GiCP’s work in Safehorizon and in CIRMA, we have to deal with the difficulties that arise from the requirement to adequately balance security against privacy, and utility against privacy. This is of major relevance when building collaboration protocols to ease research in health.

The Myth of the Digital “Post-it”: Why Policy is Not Protection

We have spent a quarter of a century dragging around the fallacy that a legal label can contain a stream of bits. In the industry, we talk about the concept of Sticky Policy: the idea that we can “stick” usage rules to data so that the recipient respects them. But the technical reality is unforgiving. As rightly pointed out from a strategic perspective:

“Policy is like a post-it note that can be removed if there is no technology backing it up.”

If the recipient can “peel off” the privacy policy, privacy disappears. Therefore, modern governance demands enforcing technologies that operate at the technical level. Here we must distinguish two essential architectures: Data Wrapping and Sanitization. Wrapping, like encryption, is a reversible layer; it protects the data while it transits through foreign hands, allowing us to regain original visibility when the information returns to our control. In contrast, sanitization seeks to generate less sensitive versions irreversibly (such as anonymization), creating a different utility from the original data. Without a dynamic technical baseline of protection, any privacy policy is nothing more than a declaration of good intentions.

Invisible Baggage: When Data Talks Behind Our Backs

One of the most critical and least intuitive risks in collaborative environments is what we call “information baggage.” We often believe that by hiding certain sensitive attributes, we are protected, but security is frequently counterintuitive. The danger lies not only in what we show, but in what the computation process implicitly reveals.

Imagine cross-referencing data between a hospital and an insurance company. Even if the hospital hides the diagnoses, the simple act of performing a selection operation or a database join can leak critical information. If the insurer joins its client list with the list of patients treated for “stroke” and the system returns a result, the mere presence of an individual in that result set already “carries the baggage” of their medical condition. The leak occurs through the logic of the operation: the data does not need to be seen to be inferred.

“On-the-Fly” Cryptography and the Follow-the-Sun Strategy

Faced with the inefficiency of encrypting everything by default—a practice that hinders performance and skyrockets costs—the state-of-the-art strategy proposes an intelligent orchestration of keys. The question is no longer how to encrypt, but who should process the data.

The modern approach first decides which actor is the most suitable to perform the computation, based on criteria of economy and sustainability (Green Computing). We can choose providers that “follow the sun” to take advantage of data centers with a lower carbon footprint or reduced energy costs at that time of day. Once the provider is selected, we apply “on-the-fly” encryption solely to the attributes needed for that specific operation. This dynamic model ensures that security is not a burden, but an optimized layer that adapts to the workflow and to its CO2 footprint.

The School Field Trip Trick: Spotting the Lazy Server

Confidentiality is useless if the results we receive are incomplete or manipulated. In an outsourcing environment, we face the risk of the “lazy worker” (or lazy server). How can we know whether a provider has processed all the records or has simply skipped part of the work to save resources? A historical example is the use of Google’s Mechanical Turk to search for lost ships in the ocean: a worker could simply say “there is nothing” without really looking, given that 99% of the sea is just water.

To combat this, we employ probabilistic techniques based on redundancy:

  • Sentinels: We insert fake data for which we know the answer (like a fictional patient with a specific disease). If the result does not include them, the server has failed.
  • Twins: We duplicate real data so that the server cannot distinguish between them.

The school field trip analogy illustrates this perfectly: children walk in pairs; if the teacher sees a child walking alone (a twin without its partner), they immediately know someone is lost. However, this technique has a limit: faced with an extreme omission—where the entire block containing both twins disappears—the system fails to detect the error because there is no “lone child” left to raise the alarm. Integrity is, therefore, a constant risk assessment, not an absolute guarantee.
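As an added illustration (not code from the post or from GiCP), the following simulation plants sentinels and twins into an outsourced “patients treated for stroke” selection, checks the server’s answer on the client side, and measures the blind spot described above: a dropped block that swallows both twins of a pair and no sentinel passes undetected. Record ids, the diagnosis column and the server functions are constructed assumptions.

```python
import random

# Constructed sample of hospital records (id, diagnosis); the outsourced
# operation is "select patients treated for stroke". Names are assumptions.
REAL_RECORDS = [(1, "stroke"), (2, "flu"), (3, "stroke"), (4, "diabetes"),
                (5, "stroke"), (6, "flu"), (7, "stroke"), (8, "asthma")]

def prepare(real, n_sentinels, seed=7):
    """Plant sentinels (fictional stroke patients that must come back) and twins
    (a copy of each matching real row under a fresh id), then shuffle the rows."""
    rng, rows, sentinels, twins, next_id = random.Random(seed), [], set(), [], 1000
    for rid, dx in real:
        rows.append((rid, dx))
        if dx == "stroke":                       # twin every matching row
            rows.append((next_id, dx))
            twins.append((rid, next_id))
            next_id += 1
    for _ in range(n_sentinels):                 # fictional patients we planted
        rows.append((next_id, "stroke"))
        sentinels.add(next_id)
        next_id += 1
    rng.shuffle(rows)  # server cannot tell real, twin and sentinel rows apart
    return {"rows": rows, "sentinels": sentinels, "twins": twins}

def honest_server(rows):
    """Full processing: ids of every row matching the selection."""
    return {rid for rid, dx in rows if dx == "stroke"}

def lazy_server(rows, stop):
    """Lazy worker: processes rows[:stop] and silently skips the rest."""
    return honest_server(rows[:stop])

def verify(q, result):
    """Client-side check; (False, reason) means an omission was caught."""
    missing = q["sentinels"] - result
    if missing:
        return False, f"{len(missing)} sentinel(s) missing"
    lone = [p for p in q["twins"] if (p[0] in result) != (p[1] in result)]
    if lone:
        return False, f"{len(lone)} lone twin(s) (a child without its partner)"
    return True, "no omission detected"

def undetected_block_drops(q, k):
    """Count contiguous k-row blocks whose omission changes the result yet passes verify()."""
    full, rows, hits = honest_server(q["rows"]), q["rows"], 0
    for start in range(len(rows) - k + 1):
        partial = honest_server(rows[:start] + rows[start + k:])
        hits += int(partial != full and verify(q, partial)[0])
    return hits
```

Calling `undetected_block_drops(q, k)` for growing `k` gives the risk-assessment view the post ends on: single-row skips are always caught, while larger contiguous omissions may slip through.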

The Price of Noise: Why Differential Privacy Isn’t for Everyone

In recent years, Differential Privacy has been presented as the ultimate solution by adding statistical “noise” to protect identities. It is an extraordinary tool for consumer giants like Google or Meta, which handle massive statistics. But in critical sectors, noise can be catastrophic.

In medicine, precision is not a luxury; it is the utility itself. A hospital cannot afford to work with approximations when lives are at stake.

“If you tell a hospital to apply differential privacy tomorrow… half the patients will be dead because you cannot force noise when deciding a treatment.”

For individual clinical treatment, noise is the enemy. In these scenarios, the orchestration of cryptographic techniques that preserve the total integrity of the original values remains the only ethical and functional path.

Towards Privacy-Aware Utility

Absolute security is a technical mirage. True progress lies in the ability to meet specific requirements in dynamic and collaborative environments. It is not about blocking the flow of information, but orchestrating it so that utility is context-aware.

The future of our smart society depends on a fundamental question: Are we willing to sacrifice precision for automated, noise-based privacy, or will we advance toward technical control systems that enable exact and verifiable collaboration? The answer will define the level of trust we place in the infrastructures that, from today onwards, govern our lives.