In two blog posts (here and here), I have argued that in an era of widespread hacking, the credit bureau’s business model is unsustainable because it requires storing enormous amounts of confidential information on tens of millions of individuals who are not even its customers.
However, these bureaus serve a useful function of aggregating information about an individual from multiple sources and condensing all this information into a credit score that measures the credit worthiness of the individual, An individual has credit relationships with many banks and other agencies. He might have a credit card from one bank, a car loan from another bank and a home loan from a third; he may have overdue payments on one or more of these loans. He might also have an unpaid utility bill. When he applies for a new loan from a yet another bank, the new bank would like to have all this information before deciding on granting the loan, but it is obviously impractical to write to every bank in the country to seek this information. It is far easier for all banks to provide information about all their customers to a central credit bureau which consolidates all this information into a composite credit score which can be accessed by any bank while granting a new loan.
The problem is that though this model is very efficient, it creates a single point of failure – a single entity that knows too much information about too many individuals. What is worse, these individuals are not customers of the bureau and cannot stop doing business with it if they do not like the privacy and security practices of the bureau.
We need to find ways to let the bureaus perform their credit scoring function without receiving storing confidential information at all. The tool required to do this (homomorphic encryption) has been available for over a decade now, but has been under utilized in finance as I discussed in a blog post two years ago.
Suppose there is only one bank
To explain how a secure credit bureau can be built, I begin with a simple example where the bureau obtains information only from one bank (or other agency) which has the individual as a customer. I will then extend this to multiple banks.
 The credit score of an individual can be approximated by a linear function (weighted sum) of a bunch of attributes relating to the individual:
score = w_{1} x_{1} + w_{2} x_{2} + … + w_{n} x_{n}
where w_{i} is a weight (coefficient) and x_{i} is an attribute (for example, x_{i} could indicate whether the individual is delinquent on a car loan and x_{2} could represent the credit card debt outstanding as a percentage of the credit limit). Since x_{i} could be a non linear function (for example, the square or logarithm) of the underlying variable, the linear form is not really restrictive.
 The attributes x_{i} are known only to the bank. These are never revealed to the bureau which sees only the weighted sum above.

The weights w_{i} are proprietary information that needs to be known only to the credit bureau. The bureau encrypts the weights and sends the encrypted weights to the bank.

Homomorphic encryption allows the bank to compute the weighted sum
score = w_{1} x_{1} + w_{2} x_{2} + … + w_{n} x_{n}
without decrypting the weights. Actually, the bank does not see the weighted sum (the score). What it computes using homomorphic encryption is the encrypted weighted sum, but the credit bureau can decrpyt this and obtain the score. Since the x_{i} are known to the bank, the computation of this scalar product requires only Additive or Partial Homomorphic Encryption (AHE or PHE) which is much more efficient than Full Homomorphic Encryption (FHE). The GLLM method (Goethals et al. “On private scalar product computation for privacypreserving data mining.” ICISC. Vol. 3506. 2004.) based on the Paillier AHE can do the job.

At the end therefore:
 The credit bureau knows the credit score of the individual.

The credit bureau has not revealed either its scoring rule or the credit score of the individual.

The bank has not revealed any confidential information about the customer to the credit bureau other than the credit score. (Note for the geeks: The privacy guarantee here is at the highest possible level – it is information theoretical (Theorem 1 of Goethals et al.) and not merely cryptographic. Even in the implausible worst case scenario where the cryptography is somehow broken, that would leak information from the credit bureau to the banks but not in the other direction.)

The above procedure is repeated for each individual. The w_{i} would be the same for all individuals, but x_{i} would of course vary from individual to individual. To be precise, we should write the i’th attribute of the k’th individual as x^{k}_{i}.

If the credit bureau is hacked, confidential information belonging to the individuals is not exposed because the bureau does not have this at all. The credit scores and the scoring rule may be exposed, but this is a loss primarily to the credit bureau and there are no negative externalities involved.
Extension to Multiple Banks
In general, the credit bureau will need information from many (say m) banks (or other agencies).
 The credit score of an individual can be represented as a weighted sum of sub scores from various banks (the bureau may or may not use equal weights u_{i} = 1 or u_{i} = 1/m for this purpose):
Total Score = u_{1} subscore_{1} + u_{2} subscore_{2} + … + u_{m} subscore_{m}
where the u_{j} is the weight of bank j and subscore_{j} is the sub score computed using information only from bank j as follows:
subscore_{j} = w_{1} x^{j}_{1} + w_{2} x^{j}_{2} + … + w_{n} x^{j}_{n}
where x^{j}_{i} is the i’th attribute of the individual at bank j.

Bank j can use homomorphic encryption to compute u_{j} subscore_{j}. We first define a set of modified weights v^{j}_{i} for attribute i for bank j as:
v^{j}_{i} = u_{j} w_{i}
and then let the bank compute a weighted sum exactly as in the one bank case but using weights v^{j}_{i} instead of w_{i}:
u_{j} subscore_{j} = v^{j}_{1} x^{j}_{1} + v^{j}_{2} x^{j}_{2} + … + v^{j}_{n} x^{j}_{n}

The credit bureau adds up all the u_{j} subscore_{j} that it receives from various banks to find the credit score of the individual.

We can however get one further level of privacy in this case where the credit bureau is able to compute the total score of an individual without learning any of the subscore_{j}. If this extra privacy is desired, we modify the procedure as follows:
 Bank j computes
disguised_subscore_{j} = u_{j} subscore_{j} + r_{j}
where r_{j} is a random number chosen by bank j. The bank communicates the disguised_subscore to the credit bureau. (Note for the geeks: Actually since the bank computes and communicates an encrypted form of this quantity homomorphically, it needs to encrypt r_{j} also. This is possible since we are using public key cryptography – the public key of the credit bureau is publicly available and anybody can encrypt using this key; but only the bureau can perform decrpytion because only it has the private key).

All the banks collectively compute the sum of all the r_{j} using secure multi party computation based on secret sharing methods which ensure that no bank learns the r_{j} of any other bank. The sum of all the r_{j} (let us call it sum_r) is communicated to the credit bureau.

The credit bureau computes the sum of all the disguised_subscore_{j}. From this result, it subtracts sum_r to get the correct total credit score.
 Bank j computes

At the end therefore:
 The credit bureau knows the total credit score of the individual.

The credit bureau has not revealed either its scoring rule or the credit score of the individual.

The bank has not revealed any confidential information about the customer to the credit bureau: not even the sub score based on data in its possession.

The above procedure is repeated for each individual. The modified weights v^{j}_{i} would be the same for all individuals at the same bank, but x^{j}_{i} would of course vary from individual to individual. To be precise, we should write the i’th attribute of the k’th individual at the j’th bank as x^{jk}_{i}. The r_{j} (and therefore sum_r) should also ideally vary from individual to individual: strictly speaking, these are actually r^{k}_{j} and sum_r^{k} for individual k. Similarly, disguised_subscore_{j} should strictly speaking be disguised_subscore^{k}_{j}
Allowing the individual to verify all computations
How does an individual detect any errors in the credit score? How does an external auditor verify the computations for a sample of individuals?
The individual k would be entitled to receive a credit report from the credit bureau that includes (a) the unencrypted total credit score (total_score^{k}), (b) the encrypted disguised_subscore^{k}_{j} for all j, (c) the encrypted modified weights v^{j}_{i} for all i and j and (d) sum_r^{k}. Actually, (b), (c) and (d) should be publicly revealed by the credit bureau on its website because they do not leak any information.
The individual k would also be entitled to get two pieces of information from bank j: (a) the attributes x^{jk}_{i} for all i and (b) the random number r^{k}_{j}.
With this information, the individual k can verify the computation of the encrypted disguised_subscore^{k}_{j} for all j (using the same homomorphic encryption method used by the banks). The individual can also verify sum_r^{k} by adding up the r^{k}_{j}. Using the public key of the credit bureau, the individual can also encrypt total_score^{k} – sum_r^{k} and compare this with the encrypted sum obtained by adding up all the disguised_subscore^{k}_{j} homomorphically.
The same procedure would allow an auditor to verify the computation for any sample of individuals.
The careful reader might wonder how the individual can detect an attempt by a bank to falsify r^{k}_{j}. In that case, sum_r^{k} will not match the sum obtained by adding up the r^{k}_{j}, but how can the individual determine which bank is at fault? To alleviate this problem, each bank j would be required to construct a Merkle tree of the r^{k}_{j} (for all k) and publicly reveal the root hash of this Merkle tree. Individual k would then also be entitled to receive a path of hashes in the Merkle tree leading up to r^{k}_{j}. It is then impossible to falsify any of the r^{k}_{j} without falsifying the entire Merkle tree. Any reasonable audit procedure would detect a falsification of the entire Merkle tree. Depending on the setup, the auditor might also be able to audit (a sample of) the secure multi party computation of r^{k}_{j} directly by verifying a (sub) sample of the secret shares.
Conclusion
At the end, we would have built a secure credit bureau. A Equifax scale hacking of such a bureau would be of no concern to the public; it would be a loss only for the bureau itself. Mathematics gives us the tools required to do this. The question is whether we have the good sense and the will to use these tools. The principal obstacle might be that the credit bureau would have to earn its entire income by selling credit scores; it would not be able to sell personal information about the individual because it does not have that information. But this is a feature and not a bug.