On May 24, IBM introduced new software technology designed to give organizations the ability to share and compare information without revealing the private personal details of the individuals represented.
The technology, called DB2 Anonymous Resolution, is targeted for use by the financial services, healthcare, and retail industries, which create large data warehouses of information but are prevented from collaborating with other institutions because of legal restrictions against revealing private, sensitive personal details of the data's subjects.
IBM says that this new technology will expand the analytics capabilities of organizations through the use of irreversible "digital signatures" and several advanced techniques for correlating data in an anonymous form. According to IBM, this technique enhances privacy by preventing data from being examined in its original form, reducing the risk of misuse or accidental exposure.
A Time for Privacy Concern
On May 15, executives from ChoicePoint and LexisNexis appeared before the Senate Commerce Committee to apologize for their companies' well-publicized data breaches, promising to strengthened security measures.
On May 24, the same day that IBM announced its new technology, the House of Representatives voted to establish new penalties for purveyors of Internet "spyware"--software that disables users' computers and secretly monitors their activities.
Privacy and Post-9/11 Security
Yet at the same time that Congress is trying to pass more-stringent laws to protect personal data in the commercial arena, the government itself is gaining greater powers to amass more information on individuals in the aftermath of 9/11.
The Real ID Act, which was approved by both houses of Congress earlier in the month, establishes a national driver's license and requires driver's license applicants to show a photo ID, a birth certificate, proof of their Social Security number, and a document showing their full name and address. All of these documents will then be checked against federal databases, which will consolidate the information to verify the identity of the individual. The Read ID Act also requires driver's licenses to include a "common machine-readable technology."
Identity Theft Concerns Deepen
Many analysts believe that the Real ID Act will actually make identity theft easier. These analysts point out that as businesses scan customers' licenses, they will then turn around and sell their demographic data to companies like ChoicePoint. In these analysts' minds, it doesn't matter how well the state and federal governments protect the data on driver's licenses because companies like ChoicePoint will establish parallel commercial databases with the same information.
Striking Balance with New Technology
IBM's DB2 Anonymous Resolution technology seems targeted to make such parallel commercial databases more immune to the problem of identity theft. According to IBM, DB2 Anonymous Resolution enables organizations to share data to create demographics and other analytics without revealing the underlying identities of the individuals who are represented by the data.
The IBM software uses a trademarked technology called Entity Resolution to resolve data and determine who is who across multiple disparate data sets. This software then is able to determine when identities are the same without relying on a master person key such as Social Security Number or other identity marker.
The process performs a one-way encryption of the identity of the user and then provides the ability to discover non-obvious relationships between data elements, such as shared phone numbers, addresses, or bank accounts. This enables the software to detect and recognize records based on who knows who, without exposing the underlying identity of the individuals represented.
DB2 Anonymous Resolution is a product from IBM's Entity Analytic Solutions (EAS) business, formerly known as SRD, which IBM acquired in January 2005. IBM Entity Analytics specializes in providing middleware products to enable organizations to increase business insight by delivering real-time business intelligence solutions associated with identity and relationship data resolution.
Privacy Rights and Unanswered Questions
For instance, if a person's identity is stolen due to negligence or accident by a business that has accumulated data, there is still no legally sanctioned means to undo the damage created by the theft. In fact, there is no national license issued to commercial organizations that accumulate identity information, so there's no means by which an individual or business can discover or rectify the fraudulent use of an identity.
Some privacy advocates contend that the best way to control the abuse of personal information hijacking is to establish a national license for the accumulation and the sale of analytics. In this way, at the very least, individuals whose identity has been compromised will have a central mechanism to prove and correct fraudulent information propagated in the commercial databases.
IBM's DB2 Anonymous Resolution technology may better help companies safely and anonymously exchange sensitive analytic information, but it does nothing to address the issues of the ownership rights of the underlying information itself.
Thomas M. Stockwell is Editor in Chief of MC Press Online, LP.