Non-technical comment to consider the consequences of FHE. This is not to diminish the amazing work that has gone into FHE, and the theoretical use cases for FHE in a few fields I've worked in are significant. The challenge I found in working with people who want the data is that they really do just want the data.
Examples include: government agencies that used made-up in-house encryption schemes to get their data-sharing plans past their legal privacy and security gates, while a small cadre held a secret key that could unscramble the data after it was distributed across the sector; researchers rejecting synthesized data for uncontrolled test environments because "it was too hard," when really they just wanted the data sets outside the legal controls on them; researchers rejecting differential privacy queries because they didn't want to specify their queries up front based on metadata and, again, just wanted the data; institutions refusing to identify the individuals with access to millions of people's health information because they felt entitled to it; banks and payment firms rejecting zero-knowledge proofs of user attributes because they violated KYC. And these are just a few.
There has been a concerted effort to squeeze the data toothpaste out of the tube when it comes to health information and other types of data, and so I am ambivalent about FHE because its primary use case is sidestepping rules that protect the privacy of data subjects.
The question I would have is: if data synthesis, legal risk-based de-identification, differential privacy, and cryptographic tokenization protocols were insufficient, what technical improvement in actual accountability does FHE offer to data subjects? And given the size of the data sets it facilitates, what are the consequences of its failure modes?
Given that the entire history of cryptography is defined by one party convincing their targets that a given scheme provides security, the way FHE scales to giving data collectors impunity "because it's encrypted!" seems vulnerable to every criticism leveled at blockchains: just because it's encrypted doesn't mean it isn't laundering.
"The question I would have is, if data synthesis, legal risk-based de-identification, differential privacy, and cryptographic tokenization protocols were insufficient, what technical improvement in actual accountability does FHE offer to data subjects, and given the size of the data sets this facilitates, what are the consequences of its failure modes?"
It doesn't, because it's not aiming at solving those problems. Encryption in use aims to solve the problem of trusting hardware (and maybe code) you don't own. Privacy is a different (IMO more complex) problem.
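To make that framing concrete, here is a minimal, self-contained sketch of "computing on data you cannot read," using a toy additively homomorphic scheme in the style of Paillier with deliberately tiny, insecure parameters. It illustrates the trust model (the party doing the computation never holds the secret key), not FHE itself, which supports arbitrary circuits rather than just addition.

    # Toy additively homomorphic encryption (Paillier-style), illustration only.
    # Tiny, insecure parameters -- a sketch of the trust model, not production crypto.
    import math
    import secrets

    def keygen(p=101, q=113):                   # toy primes; real keys are 1024+ bits
        n = p * q
        lam = math.lcm(p - 1, q - 1)
        g = n + 1
        mu = pow(lam, -1, n)                    # modular inverse of lambda mod n
        return (n, g), (lam, mu, n)             # (public key, private key)

    def encrypt(pub, m):
        n, g = pub
        while True:
            r = secrets.randbelow(n - 1) + 1    # random blinding factor coprime to n
            if math.gcd(r, n) == 1:
                break
        return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)

    def decrypt(priv, c):
        lam, mu, n = priv
        x = pow(c, lam, n * n)
        return ((x - 1) // n) * mu % n

    def add_ciphertexts(pub, c1, c2):
        n, _ = pub
        return (c1 * c2) % (n * n)              # multiplying ciphertexts adds plaintexts

    pub, priv = keygen()
    c1, c2 = encrypt(pub, 20), encrypt(pub, 22)
    c_sum = add_ciphertexts(pub, c1, c2)        # the "server" never sees 20, 22, or 42
    assert decrypt(priv, c_sum) == 42

The point of the sketch is that add_ciphertexts needs only the public key and ciphertexts, which is exactly why it addresses "untrusted hardware you don't own" rather than whether the key holder respects anyone's privacy.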
The whole cloud-provider-using-FHE use case always seemed a bit utopian to me. As you say, most of the time they don't want to provide user privacy; they want your data. Maybe I could imagine some sort of B2B case with strong requirements working out, but I struggle to imagine it for consumer use cases.
Not to mention, if you are outsourcing data computation, presumably it's a lot of computation or you would do it yourself, so the overhead seems extra important in that case.
The most convincing case I've heard is blockchain stuff, where everything is distributed to untrusted parties. (Normally I hate bitcoin hype, but maybe FHE would let you do something interesting with it.)
Yeah, I don't think this will work at commercial scale, for exactly the same reasons blockchain is useless for anything outside the illegal niches where you need to avoid the legal banking system.
You may let people store homomorphically encrypted data on your servers and even run your algorithms on that data, but you have no way of handling customer complaints or fine-tuning and debugging your service, because you cannot understand ANY of the customer data you are storing.
I don't know what you are doing, but if you are using FHE explicitly for its post-quantum properties, you are doing something wrong: there are much better choices if you need post-quantum versions of traditional primitives.
Setting aside issues about knowing where the data originates, such encrypted data is really difficult to use if no one provides a way to link the calculations performed to observables. If all you have are encrypted inputs and outputs, it is unclear what is being modelled, for example.
I don't think FHE is primarily aimed at privacy use cases anyway; it's more about ways of cooperating where transparency could be detrimental to some or all parties.