Secure Multi Party Computation
Can Secure Multi Party Computation be a solution to reduce the non-use of SVB schemes? This is the main question of this experiment. One scheme that is often not used is the supplementary income provision for the elderly, or AIO for short. Here you can read more about the Multi-Party Computation technique and the ambition we have to use it to reduce the non-use of AIO.
What is AIO?
If AOW beneficiaries are below the subsistence level (social assistance level), they are entitled to a supplement called the supplementary income provision for the elderly (AIO). However, this supplement must be requested by the person entitled to it. The challenge for the SVB is that many people do not know that this supplement exists. In addition, the SVB has no insight into the income of the citizen, which means that it cannot proactively direct information to the right citizens. A survey by the Court of Audit shows that between 48% and 56% of AIO entitled households did not receive AIO on 1 January 2017 (rounded percentages). Partly because of this, 34,000 (48%) to 50,000 (56%) households have an income below the subsistence level. In the House of Representatives (Tweede Kamer), this topic was discussed several times and calls were made for solutions to reduce the non-use of AIO.
How could we fix it?
The SVB could send a letter to everyone who receives AOW, stating that a supplement like this exists. However, sending more than 3 million letters to reach the target group of 50,000 people is not in proportion to the goal to be achieved. In 2018, therefore, a first step was taken to establish a collaboration with the UWV. The UWV is responsible for managing the policy administration. The policy administration is a register in which most Dutch income data is stored. This includes labor allowances from employers to employees, but also, for example, social benefits, annuities and pensions. The aim was to link the policy administration of the UWV to the AOW beneficiaries in order to gain insight into potential AIO beneficiaries. The SVB could inform these people about the AIO allowance and thus financially support citizens below the subsistence level.
What about privacy then?
To find out whether this is permitted by law and regulations, a privacy impact assessment (PIA) was written. This PIA revealed that processing millions of income records to reach 50,000 citizens is not proportional. That is why this way of reaching the right target group was also rejected.
Presentation by TNO about MPC
At the end of 2019, TNO gave a presentation at the SVB about the new cryptographic computing technology Secure Multi Party Computation (MPC). MPC is a technique with which a joint database can be generated and computed on without the parties having to reveal their data to each other. The participating parties determine who may view the outcome of the calculation. Soon there was an enthusiastic response within Novum to try to use this technique to reduce the non-use of AIO.
After an initial meeting between TNO, SVB and UWV, it was decided that a proof of concept (PoC) would be initiated by Novum. If this is successful, the SVB will continue it as a project divided into a pilot phase and a production phase.
The goal of the overall project is:
- Mapping potential AIO beneficiaries so that the SVB can contact them and thus reduce the non-use of AIO
- A secure data exchange with the UWV so that income data can be used with the smallest possible invasion of privacy
- Writing an approved PIA so that the exchange is legally possible
During the PoC phase, two parallel tracks run: the technical side (track 1) and the legal side (track 2) of MPC. During this phase, we only work with fake data. It may be that the technical side is successful but the legal side is not. Both tracks must be completed positively to get a go for the next phase. If that is the case, work will continue to a pilot phase. In this phase, the lessons from the PoC phase are incorporated into the MPC model in order to reach 1000 citizens who are potentially entitled to AIO in a first tranche.
Start of the PoC
During a first formal session with TNO, SVB and UWV, the first possible MPC solutions were proposed by TNO. The team has developed two variants for this. In order to paint a good picture of the solutions offered, it is good to compare them with the 0 variant, the exchange that was rejected in 2018 by means of a PIA.
The 0 variant
The SVB sends the BSN numbers of AOW beneficiaries, encrypted, to the UWV. The UWV decrypts them and sends the income data for these BSN numbers, encrypted, to the SVB. The SVB can use this to see which citizens can be contacted to inquire about the possible AIO allowance.
MPC: Homomorphic encryption
- The SVB creates a dataset of potential AIO beneficiaries and encrypts it with MPC
- The SVB sends the MPC-encrypted dataset to the UWV
- UWV makes a copy of the BSN & income data and encrypts it.
- Based on the encrypted dataset of the SVB, the encrypted dataset of the UWV is filtered so that only the BSN numbers requested by the SVB are included.
- This encrypted dataset is sent to the SVB
- Calculations are made on the encrypted dataset at the SVB (household income, gross net income, above / below threshold value)
- An encrypted dataset of potential AIO beneficiaries is created
- This set is sent to the UWV to filter for “yes” and then decrypt
- The BSN numbers with a “yes” are sent to the SVB
- SVB has insight into the potential AIO beneficiaries
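The steps above can be illustrated with an additively homomorphic scheme. The following is an added example, not code from the PoC: it assumes Paillier encryption (the page does not name a scheme), assumes the UWV holds the decryption key, and uses constructed placeholder BSNs, incomes and threshold. The function names are hypothetical.

```python
import secrets

# Toy key from two Mersenne primes: constructed for the demo, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)        # private key, held by the decrypting party (assumed: UWV)
MU = pow(PHI, -1, N)

def encrypt(m):
    """Paillier encryption with g = N + 1; negative m is stored modulo N."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def decrypt(c):
    m = (pow(c, PHI, N2) - 1) // N * MU % N
    return m - N if m > N // 2 else m      # decode back to a signed integer

def add(c1, c2):
    return c1 * c2 % N2                    # Enc(a) * Enc(b) = Enc(a + b)

def scale(c, k):
    return pow(c, k, N2)                   # Enc(a) ** k = Enc(k * a)

def svb_blinded_margin(enc_incomes, threshold):
    """SVB: add up a household's encrypted incomes, subtract the threshold, blind."""
    total = encrypt(0)
    for c in enc_incomes:
        total = add(total, c)
    margin = add(total, encrypt(-threshold))
    # Random positive factor keeps the sign but obscures the exact margin; a simple
    # stand-in for a proper secure-comparison protocol.
    return scale(margin, secrets.randbelow(2**32) + 1)

def uwv_flag(c):
    """UWV: decrypt the blinded margin and report only above/below."""
    return "yes" if decrypt(c) < 0 else "no"

def potential_beneficiaries(households, threshold):
    flagged = []
    for bsn, incomes in households.items():
        enc = [encrypt(x) for x in incomes]          # UWV encrypts its income records
        if uwv_flag(svb_blinded_margin(enc, threshold)) == "yes":
            flagged.append(bsn)                      # only "yes" BSNs go back to SVB
    return flagged

# Constructed sample data: placeholder BSNs, monthly incomes and threshold in euros.
SAMPLE = {"BSN-A": [900, 300], "BSN-B": [1500], "BSN-C": [700, 650]}
print(potential_beneficiaries(SAMPLE, 1400))
```

The SVB never sees an income in the clear, and the key holder sees only a blinded margin per household, not the household income itself.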
MPC: Secret Sharing
It is decided in advance where (SVB or UWV) the calculations will take place (gross / net, household, etc.). The BSN data is split into two separate datasets within the SVB by means of an algorithm. Half of the dataset remains with the SVB, the other half of the dataset is encrypted and sent to the UWV. At the UWV, the exact same thing happens with the policy administration datasets. Subsequently, encrypted exchange takes place, whereby matches are made simultaneously. This results in an overview of BSN numbers that can be decrypted at the SVB. The potential AIO beneficiaries can then be approached.
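What "splitting into two datasets" means can be shown with two-party additive secret sharing. This is an added example, not code from the PoC; the sharing scheme, the ring size, the function names and the sample values are assumptions made for illustration.

```python
import secrets

MOD = 2**64   # shares are numbers in the ring of integers modulo 2^64

def share(value):
    """Split a value into two shares; either share alone is a uniformly random number."""
    s0 = secrets.randbelow(MOD)
    return s0, (value - s0) % MOD

def reconstruct(s0, s1):
    v = (s0 + s1) % MOD
    return v - MOD if v >= MOD // 2 else v        # decode as a signed integer

def household_margin(incomes, threshold):
    """Simulates both parties: each one adds only the shares it holds."""
    # SVB shares the (negated) threshold and sends one share to UWV.
    svb_acc, uwv_acc = share(-threshold)
    for income in incomes:
        # UWV shares each income record and sends one share to SVB.
        to_svb, kept = share(income)
        svb_acc = (svb_acc + to_svb) % MOD        # local addition at SVB
        uwv_acc = (uwv_acc + kept) % MOD          # local addition at UWV
    return svb_acc, uwv_acc                       # shares of (household income - threshold)

# Constructed sample: two incomes in one household, threshold 1400.
svb_share, uwv_share = household_margin([900, 300], 1400)
print(reconstruct(svb_share, uwv_share))
```

Additions are local to each party; a threshold comparison on shares needs an interactive protocol between the two parties, which this sketch leaves out by opening the margin.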
It took a relatively long time before the project team decided on an MPC variant. The homomorphic encryption and secret sharing variants both have advantages and disadvantages, see overview below. Ultimately, the decisive factor was that most of the work should remain with the SVB, given that the SVB is also legally the implementing body for AIO and not the UWV. With Secret Sharing, the calculations would be divided between the two organizations, which would lead to extra work at the UWV. A second important reason for not choosing Secret Sharing is the new way of exchanging data. When data is exchanged between UWV and SVB, a safe is used, in which large files are sent in one go. Homomorphic encryption supports this method of exchange. With Secret Sharing, very small pieces of data are exchanged very often, millions of times. This requires a new infrastructure to be built on the UWV and SVB side.
Based on conversations with UWV & SVB architects / IT / AIO experts, Homomorphic Encryption seems to have the greatest chance of success with the least impact on current infrastructure.
Progressive insight is not weakness but wisdom
During the PoC phase, the project team delved deeper into the matter. It would have been very easy to create a PoC with fake data, provide proof that it works and write a PIA on it. However, this could lead to huge setbacks during the pilot phase. That is why the team had to do a lot of research during the process that actually belongs in the pilot phase. After all, what good to the SVB is a successful PoC tested on fake data that can ultimately never be connected to the infrastructure at UWV and SVB?
Important issues that were addressed were simplifying the pre-calculations and simplifying the income calculations by means of supervised machine learning. It took the team time to consult colleagues, carry out research and test the solutions with lawyers. At the same time, it was important to keep a tight grip on timelines and budget. The risk was that the project team would end up with half a PoC and half a pilot, and no budget to complete the project. The solution to this challenge was simple: as soon as something had to be sorted out, the team looked not for the answer itself but for an estimate of how likely it was to lead to a positive answer during the pilot phase. An example of this is simplifying the income calculation. For this, a supervised machine learning model must be made. However, this is not realistic within the current PoC budget. So the question asked was not to build a model, but how realistic it is that a usable model can be built in the pilot phase with the data that is now available. This provided sufficient information to make decisions, avoided surprises during the pilot phase and gave a clear overview of the resources to be expected in the pilot phase.
This has resulted in an adapted project design as the project continued:
Build the PoC
The construction of the PoC is planned for December and January. The PoC phase will be completed by means of a demo in mid-February. The second part of the article will be shared before the end of February. In that article we describe the steps taken in the construction of the PoC and show a demo of the delivered MPC technique for reducing the non-use of AIO.