Tips for Corporations
Jonas had some good tips for corporations when it comes to forging a strategy for handling personal data, and I'm passing them on here:
- Do an inventory: know what data you are using and managing and where it is going.
- Get senior people to formulate a vision of what kind of company you are, how you want to market and how you want to be respected.
- Determine what laws you have to comply with.
- Keep your strategy to yourselves: don't tell customers or clients until you figure out whether you're in position to execute quickly to close the gap on your desired state and your current reality.
- When you have a good idea of what you need to do to get to where you want to be, you can share the vision with customers and clients.
- Work to close the gaps.
When it comes to privacy/security policy goals, anonymizing data is a good one to work toward. IBM has been working on new technologies that allow for deep correlation on data while it remains in an encrypted or anonymized form.
The new technique amounts to comparing data after it's been shredded. What it results in is the ability of two entities to compare two sets of records without the data ever being unencrypted. The product that's come out of this work, DB2 Anonymous Resolution, was released last May. It won't tell a government that John Smith is coming into port on the QEII, nor will it tell a cruise line that a suspected terrorist by the name of Billy the Kid is onboard. What it will do is point them to matches that each respective party will have to look up for themselves to find that Record 1, 2 and 3 correlate with the data sets to which they're comparing their own watch lists. It does so without exposing phone numbers, credit card numbers, names or anything beyond pointers to which records the given entities have in common. The product is in use now by one U.S. government entity and one foreign government entity.
It sounds like promising technology, and that's good, because in order to guard against horrific events such as 9/11, we need to get governments and corporations swapping information. Heck, we need to get government able to swap data with itself. As Jonas pointed out in our chat, most people would find it shocking that in one government building, you can walk out the corridor, head down three doors and find a system that isn't connected to the system where you started out.
"If one group is working on money laundering, and three doors down another group is working on anti-drug efforts, each system has its own set of secrets," he said. They don't know when they have three people in common. Of course, they're people. They talk to each other. They can pick up the phone and run down their lists. But it's kind of like go fish. It's highly unproductive to read a whole list to you.
In more quotidian terms, businesses need to compare data sets without exposing sensitive information, as well. Think of retailers who are plagued by shoplifting rings. Think of ChoicePoint and the data verification services it provides. Then think of the record-setting fines imposed on ChoicePoint for its breach of 163,000 consumers' personal financial data: $15 million in fines to the FTC, including the largest civil penalty in FTC history, along with 20 years of independent security audits every other year. Yes, with consequences like that, we definitely need some new ideas for end-to-end encryption, so kudos to IBM for going there.
Lisa Vaas is eWEEK's news editor in charge of operations. She is also the editor of the Database and Business Intelligence topic center. She has been with eWEEK since 1995, most recently covering enterprise applications and database technology.
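
One way to get the property this article describes, two parties learning only which of their records match, is to exchange keyed one-way hashes of normalized fields. The Python below is an added example, not IBM's or DB2 Anonymous Resolution's code: HMAC-SHA256 is an assumed technique the article does not name, and the key, record IDs and sample records are constructed.

```python
import hashlib
import hmac
import unicodedata

def normalize(value):
    """Canonicalize a field so formatting differences do not block a match."""
    text = unicodedata.normalize("NFKC", value).casefold()
    return "".join(ch for ch in text if ch.isalnum()).encode("utf-8")

def shred(records, key):
    """Return {token: record_id}; only tokens and pointers leave the owner."""
    out = {}
    for record_id, fields in records.items():
        for name, value in fields.items():
            # The field name is bound into the token so a phone number can
            # never match an identical-looking document number.
            msg = name.encode("utf-8") + b"\x00" + normalize(value)
            out[hmac.new(key, msg, hashlib.sha256).hexdigest()] = record_id
    return out

def resolve(shredded_a, shredded_b):
    """Compare token sets and return only pointer pairs, never field values."""
    common = shredded_a.keys() & shredded_b.keys()
    return sorted({(shredded_a[t], shredded_b[t]) for t in common})

# Constructed sample data (not from the article).
SHARED_KEY = b"constructed-demo-key-rotate-in-practice"
PASSENGERS = {
    "P-1": {"phone": "+1 (555) 010-0142", "doc": "X1234567"},
    "P-2": {"phone": "555 010 0177", "doc": "k-998 877"},
    "P-3": {"phone": "555-010-0163", "doc": "Z5550001"},
}
WATCH_LIST = {
    "W-7": {"doc": "K998877"},
    "W-8": {"phone": "15550100142"},
    "W-9": {"doc": "5550100163"},  # same digits as P-3's phone, different field
}

def demo():
    """Each side shreds its own list; the resolver sees tokens and pointers only."""
    return resolve(shred(PASSENGERS, SHARED_KEY), shred(WATCH_LIST, SHARED_KEY))

if __name__ == "__main__":
    print(demo())
```

The key is what protects low-entropy fields: phone and document numbers can be enumerated, so an unkeyed hash of them is reversible by guessing, and anyone who holds the key can still do so. Each party resolves the returned pointers against its own records, as the article describes.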