Watch It, Facebook: Israeli Startups Devise Ways to Protect User Privacy

Once an offshoot of cybersecurity, privacy tech has come into its own in recent years as regulations get tougher and users demand protection

Send in e-mailSend in e-mail
D-ID startup.
D-ID startup.Credit: No credit

When Gil Perry, Sella Blondheim and Elira Kuta were serving in the Israeli army they had a problem: They were all a part of units that banned them from sharing pictures online. So they worked on developing a way to upload pictures without being identified.

From that early effort to stay in touch with friends and family arose a startup called D-ID, which employs image processing and artificial intelligence to create a “digital noise” that thwarts facial recognition tools.

As the company describes its technology, it is a kind of personal ID firewall.” D-ID-protected photos looks no different to the human eye, but they can’t be decrypted or reverse-engineered even by the most advanced facial recognition engines.

>> Read more: This Israeli face-recognition startup is secretly tracking Palestinians ■ By providing face-recognition software, Israeli high-tech is on the wrong side of justice | Analysis 

“The engines that learn how to identify picture on the internet look for biometric details like the color of your eyes, the thickness of your lips, the geometric structure of your face, your jaw and hairline,” said Yoel Knoll, D-ID’s head of marketing.

“We alter these details – a slight change to eye color, moving the bridge of the nose a few millimeters. The solution is designed to make it difficult for AI systems to learn and overcome it, even as algorithms continue to improve their capabilities.”

D-ID’s products are designed for organization that keep databases of sensitive pictures, enabling them to prevent the picture from being identified in the event of a hacker attack.

For example, it could be used by companies issuing employee ID tags with pictures, government biometric databases, organizations storing sensitive data, like banks or health care providers or organizations that have databases of children’s photos.

“A picture of your face is more sensitive than your fingerprint because its more widely available,” said Knoll. “Hackers try to steal from organizations with masses of such information that can be IDed in an automated way. But if a picture isn’t similar to anything, there’s nothing they can do with it.”

D-ID belongs to a growing group of startups in Israel dedicated to protecting people’s most sensitive personal information, including your face and your name, address and identity or social security number.

All told, there are about 80 Israeli startups in the segment offering different ways of helping organizations cope with an array of issues, such as mapping the information it has collected over the years on employees and customers, encryption technologies and tools for rendering data anonymous in case it’s stolen.

Elira Kuta, Gil Perry and Sella Blondheim. Credit: Avner Levi

Initially they regarded themselves as part of the broad category of cybersecurity, an area where Israel is a world leader. But more recently, as demand for solutions has grown, the sector has begun to distinguish itself as a separate category called privacy tech.

Israel represents a big chuck of the global privacy tech industry, which the market research firm Gartner estimates as numbering 600 companies. Gartner forecast the sector growing at an 8% rate to $143 billion in 2021, compared with $114 billion last year.

Demand for solutions has grown as privacy regulations have become tougher.

The European Union’s General Data Protection Regulation, which went into effect last year, imposes fines of up to 4% of annual turnover or 20 million euros ($22.3 million) on organizations that fail to ensure that personal data is gathered legally and under strict conditions, and is protected from misuse and exploitation.

California is due to out its California Consumer Privacy Act into effect in January, which will impose similar rules on companies whose business is based in databases of personal information or have annual turnover of $25 million or more. Violators will face penalties as high as $7,500.

“Technology for protecting privacy has been the fastest-growing segment of cybersecurity in recent years and it’s growing a lot faster than segments like the internet of things or automation,” said Nir Falevich, cybersecurity analyst at Startup Nation Central, a nonprofit that tracks and promotes Israeli high-tech.

“Over the years we’d gotten used to the idea that the data we provide to different applications, whether it’s an HMO, a search engine or a social media network belonging to them. Today people have started to realize that it belongs to us and that we should have the ability to see exactly what information has been collected and how it is used, and to take control of it ourselves.”

The EU rules are based on that principle – that the user should be able to see what data has been collected about them, have it removed or corrected if they want and have control over whether it is given to a third party.

When Mark Zuckerberg was Techcrunch’s startup of the year award in 2009 he declared that privacy is no longer “a social norm.” In the past decade, consumers have discovered what that meant as their personal data became the basis of the business model for Facebook and other online companies selling advertising tailored to their personal needs and interests.

Mark Zuckerberg testifies before Congress, July 23, 2019. Credit: Alex Brandon//AP

In one famous instance, the irate father of a high school girl in Minneapolis went into a Target store to complain to the manager that it was sending her coupons for baby clothes and cribs. “Are you trying to encourage to get pregnant?” he yelled.

As it turned out Target knew more about his daughter than the father. The girl was pregnant and Target knew it because she was looking at and buying products the big data analysis showed was being purchased by pregnant women, including less obvious ones such as unscented lotions. Target did the math and not only guessed she was expecting but was able to estimate the due date.

The story embarrassed Target and pointed up the need to safeguard user privacy not only to avoid regulatory penalties but to avoid reputational damage said Limor Shmerling Magazanik, managing director of the Israel Tech Policy Institute.

“Being a company that respects privacy isn’t impossible, and it will be reflected in business results. It’s simple math,” she said.

The institute recently launched a Privacy tech Alliance to encourage more innovation by linking Israeli startups with investors, researchers and companies looking for solutions, especially overseas governments.

“In the government sector the most sensitive information of all is held. Educational institutions, for example, not only keep data on students, including minors, but also medical and financial information, grades and family matters – and if any of its gets out it’s a serious violation of privacy,” she said.

BigID, another Israeli startup, offers a solution for companies faced with these new requirements. “Most companies don’t have the ability to map out the data they have,” said Nimrod Vax, the company’s chief product officer.

BigID connects all the information systems in an organization – databases and file servers, cloud and customer-relations management systems -- and tells them what kind of information the company holds, which of it is sensitive and to whom it belongs. It offers tools to protect it.

“We’ve consolidated everything into one system that allows the company to easily find each user and access all their information,” said Vax, who founded BigID in 2016 with CEO Dimitri Sirota. The two met when they were working for the U.S. company CA Technologies.

“While we were there are encountered quite of few cases of data theft and what they all had in common was that the thieves wanted personal information, not nuclear secrets,” Vax said. “We saw that hackers were moving into high gear in their efforts to steal data and that regulators were starting to relate to data protection seriously and enforces it with a strong hand. We saw an opportunity.”

BigID has raised $100 million in venture capital, half of it last July, in a round last led by the U.S. company Comcast’s venture capital unit and Boldstart Ventures, BigID employs 120 people.

In July the giant American credit rating company Equifax was fined $650 million after hackers stole personal data of 143 million people from the company’s database. The thieves got ahold of credit data on nearly half of all Americans in the incident. A subsequent investigation revealed huge shortfalls in Equifax’s data security. Not counting the penalties, the affair cost the company $1.35 billion.

To help solve the problems Equifax and other big organizations have with fake users, like hackers, the Israeli startup Identiq has developed a distributed network that enables them to validate new users and vouch for ones they already know, without sharing any user information

Most solutions validate identity information using large databases of private and personal user information, which by nature involve the risk of data being shared without user consent, or even stolen. Identiq’s Fully Anonymous Identity Resolution technology, in contrast, gets validation from other network members while preserving user privacy.

“If Airbnb today, for example, wants to validate that a user who registered on the site is using a real credit card and is now trying to defraud them, it can turn to a third party to check it, like a finance company,” explained Shmuli Goldberg, vice president for marketing at Identiq.

“Our system replaces these kinds of companies. It does this by hooking up with other servers the user has used ….The information that passes between the companies is encrypted on the system and anonymized. No company that participates in verification has any idea who the company has verified or who the customer is,” Goldberg said.

The companies buy the verified information from each other, enabling them to earn revenues from the data they hold. Identiq transfers the payments between companies anonymously, taking a fee along the way for its service.

Identiq was formed less than a year ago by CEO Itay Levy, who sold his previous startup Appoxee to Teradata 2015; Uri Arad; and Ido Shilon.