August 27, 2002, 12:17 PM — Most people don't think twice about offering any information to their doctor or physician, and possible misuse of the data won't keep them up at night worrying. But when it comes to supplying the most mundane personal information for storage in a computer database, the reaction is different.
With headlines telling of purposeful and inadvertent data leaks and system intrusions, people are becoming increasingly aware of the amount of personal data held on them in a myriad of databases from government agencies to credit card companies, their employer or even the local dry cleaners. A researcher at IBM Corp. is hoping to change this air of mistrust by duplicating the very basis of our trust in our physicians.
"I had been doing work in data mining and people were starting to worry about data mining becoming too powerful a technology," said Rakesh Agrawal, an IBM fellow and lead scientist on a new database project at IBM's Almaden Research Center. "I was talking about this with my brother, Rajeev, who is a doctor and he said 'When we are studying to be a doctor, we take the Hippocratic oath and that is one of the biggest tenets in medicine.'"
The oath is a wide-ranging code of ethics for doctors that includes a strong commitment to privacy, in part: "Whatever in connection with my professional practice or not in connection with it I may see or hear in the lives of my patients ... I will not divulge, reckoning that all such should be kept secret."
"I started wondering why databases cannot be like that," said Agrawal, who then set off to build a database system that had at its foundation a responsibility for the data it holds.
The result is a blueprint for a Hippocratic database that not just specifies to users how and where the data collected will be used and where it will be shared, but crucially also includes a verification element to make sure the system is living up to its promises. Agrawal presented details of the system at the Very Large Databases 2002 conference in Hong Kong last week.
Here's how it works:
Before data is collected, the types of information to be obtained and basic rules about how the data will be used are decided. These rules include who should have access to the data and how long it will be retained. When it comes time for a user to enter information, an application at the user end will interact with the database to check that its data privacy policies are acceptable to the user, who has already programmed their preferences into the application. Once verified, data is transferred from the user to the database.
"Right now, if you look at a database, they just keep records but there is no instructions about what you can do with the data. (With a Hippocratic database) when you collect data, you attach a reason for why you are collecting the data."
For a real world example, consider an online book merchant. A customer's name, address and e-mail address might be required for the purpose of registration. Other information, such as a credit card number and details of books required will also be needed for the purpose of fulfilling the order. Some data sharing will also take place, the customer name and address with the shipping company, and the name and credit card number with the credit card company.
Agrawal isn't the only person working on such a system. The World Wide Web Consortium (W3C) endorsed its Platform for Privacy Preferences (P3P) earlier this year and has won the support of industry and government for the platform, which is intended to allow users to examine a site's privacy policy and ensure it matches their own preferences.
But where that system falls down is in the absence of enforcement of the privacy policy, he said. "Making a database forget something is an extremely hard thing to do. The way (the W3C) standard is written, it does the initial check but after that there is no enforcement. We have started thinking about how to add enforcement."
The Hippocratic database sets limits on the amount of time the data can be used for the stated purposes -- perhaps up to one month for issues directly related to the purchase, one year for recognizing customers when they return and three years for basic registration -- and then ensures the information is cleared from the database.
To date, Agrawal has succeeded in building the first part of the system into an IBM DB2 database and is now working on adding the enforcement support.
"We will start prototyping it, developing a concrete application and I would also like to get into a customer partnership and get some feedback," he said. "My guess is, we might have some parts ready in one and a half to two years."
