Today, Meta engineers delivered a talk as part of the Systems@Scale virtual event detailing the organization’s approach to data minimization and elaborated on an internal solution it’s developed called the Anonymous Credentials Service (ACS). 

Meta’s ACS is designed to enable it to authenticate users in a “de-identified manner,” permitting access to services without gathering any data that could be used to identify the subject’s identity. 

Under the ACS, a client contacts the server through an authentication channel and sends a token, which the server signs and sends back. 

Then the client uses an anonymous channel to submit data to the server and authenticates it using a modified form of the token rather than the user’s ID. This allows servers to authenticate clients without knowing what client a token belongs to. 

The organization’s approach highlights a potential alternative for enterprises and technical decision makers who are looking at techniques for minimizing the amount of data they collect. 

The need to de-identify data

Meta’s ACS comes as data privacy regulations mount up across the globe, and as the organization has come under fire under the GDPR for transatlantic data sharing, with the company recently announcing that it would pull Facebook and Instagram from Europe if the GDPR prevented sharing user data from the US to the EU.

“We have absolutely no desire and no plans to withdraw from Europe, but the simple reality is that Meta, and many other businesses, organizations and services, rely on data transfers between the E.U. and the U.S. in order to operate global services,” a Meta spokesperson said. 

For all organizations doing business, there is a need to collect the minimum amount of data to prevent personally identifiable information from falling into the wrong hands. 

Meta’s development of the ACS provides a new technique that the organization can use to  authenticate users and ensure the security of key services while decoupling their identities from personally identifiable information.

“Collecting the minimum amount of data required to support our services – is one of our core principles at Meta as we continue developing new privacy enhancing technologies (PETs). We are constantly seeking ways to improve privacy and protect user data on our family of products,” said Meta Software Engineers Shiv Kushwah and Haozhi Xiong in the official blog post. 

The ACS provides a way to keep protected information private while ensuring that the organization has enough data to perform its critical tasks. 

“So, we leveraged the ‘anonymous credential’ collaboratively designed over the years between industry and academia, to create a core service called Anonymous Credentials Service (ACS). ACS is a highly available, multi-tenant service that allows clients to authenticate in a de-identified manner,” Kushwah and Xiong said. 

It enhances privacy and security while also being compute-conscious. ACS is one of the newest additions to our PETS portfolio and is currently in use across several high-volume use cases at Meta,” 

The trials and tribulations of data protection 

Meta’s engineering talk comes as the data protection market is in a state of growth, with the market anticipated to increase from $61 million in 2020 to reach $11 million by 2027 as the volume of data increases alongside government regulations implementing new data protection standards.

Among social media companies there’s certainly a need for innovation regarding data protection, with Twitter recently incurring a €450,000 ($502,440.75 USD) fine from The Irish Data Protection Commission, following GDPR violations after a 2019 data breach. 

Likewise, TikTok has made costly mistakes regarding data management, when in July last year, the Dutch Data Protection Authority (DPA) imposed a fine of €750,000 ($837,198.75 USD) for violating the privacy of children for failing to offer the privacy statement in Dutch. 

Currently Meta is aiming to differentiate itself from other social media providers by developing a new solution for sharing data that will ensure data can be leveraged without exposing any personal information to regulatory liabilities and threat actors.