The pendulum that swings between community concern about privacy and concern about security is heading back in the privacy direction, according to an IBM executive.
Steve Adler heads IBM’s privacy management council, a two-year-old body among whose members is the Ministry of Health. Adler was in the country last week to address a privacy commissioner-organised seminar on IBM’s software-based approach to data privacy.
Two years after the September 11 attacks in the US gave much of the world security jitters — and sweeping new anti-terrorism laws — Adler says people are seeing the dangers of overreacting.
“Perhaps the pendulum is swinging back a little,” says Adler. Hints of that can be seen in the appointment of a privacy officer, Nuala O’Connor Kelly, at the US Department of Homeland Security, and similar new roles in other government agencies.
Adler says O’Connor Kelly’s appointment is not a sop to civil libertarians, but she is having a “tremendous impact” in protecting individuals’ interests.
He takes the view that security and privacy go hand-in-hand.
“You can’t have effective security if you’re not protecting privacy as well; they’re not mutually exclusive, they’re mutually inclusive.”
But those intent on protecting privacy are up against a growing array of data collection devices and systems.
“IBM has customers who are carrying out billions of transactions with millions of their own customers. That data persists — it doesn’t go away.”
Most companies that collect personal information in the course of doing business want to do the right thing with it, Adler believes.
“What’s lacking is not goodwill but systematic management solutions.”
EPAL can be used to build privacy-related rules and conditions, says Adler. For instance, privacy policies could be written and attached to each record in a customer database. The policies then travel wherever the data goes and can be used to control the manner in which the data is accessed and used.
EPAL builds on the World Wide Web Consortium’s Platform for Privacy Preferences Protocol (P3P), Adler says. P3P allows privacy preferences that are expressed in plain text to be turned into a digital or machine-readable code.
But P3P doesn’t allow developers to set conditions or give them a way to express negative rules — telling what a user can’t do, for instance, Adler says. In contrast, “EPAL provides this positive and negative language that allows you to articulate what people are allowed to do or not allowed to do with data”.
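The idea Adler describes, a policy of positive and negative rules with conditions that is stored with each record and goes wherever the record goes, can be sketched in a few lines. This is an added illustration, not IBM code and not EPAL syntax; the rule fields, the `decide` and `transfer` helpers, the deny-wins and default-deny semantics, and the sample records are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable

def always(_data: dict) -> bool:
    return True

@dataclass(frozen=True)
class Rule:
    effect: str                 # "allow" (positive rule) or "deny" (negative rule)
    role: str
    action: str
    purpose: str
    condition: Callable[[dict], bool] = always   # evaluated on the record's data

@dataclass(frozen=True)
class Record:
    data: dict
    policy: tuple               # the rules are stored with the record itself

def decide(record: Record, role: str, action: str, purpose: str) -> str:
    """Assumed semantics: a matching deny wins, and no matching rule means deny."""
    verdict = "deny"
    for rule in record.policy:
        if (rule.role, rule.action, rule.purpose) != (role, action, purpose):
            continue
        if not rule.condition(record.data):
            continue
        if rule.effect == "deny":
            return "deny"
        verdict = "allow"
    return verdict

def transfer(record: Record) -> Record:
    """Hand the record to another system: the data is copied, the policy goes along."""
    return Record(dict(record.data), record.policy)

# Constructed sample policy and records (hypothetical names and roles).
POLICY = (
    Rule("allow", "clinician", "read", "treatment"),
    Rule("allow", "marketer", "read", "marketing"),
    Rule("deny", "marketer", "read", "marketing", lambda d: d["opted_out"]),
)
alice = Record({"name": "Alice Example", "opted_out": True}, POLICY)
bob = Record({"name": "Bob Example", "opted_out": False}, POLICY)

if __name__ == "__main__":
    for rec in (alice, transfer(bob)):
        for who, why in (("clinician", "treatment"), ("marketer", "marketing")):
            print(rec.data["name"], who, why, decide(rec, who, "read", why))
```

The third rule is the kind of conditional negative rule the article says P3P cannot express: marketing access is allowed in general but refused for any record whose owner has opted out.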
Adler says that as a member of the IBM privacy council, the Ministry of Health gets opportunities to evaluate the company’s privacy software, including Privacy Manager, which stores policies and logs activity.