However, most of those gathered here have no intention of throwing in the towel. Harry Guess, a researcher at pharmaceutical company Merck, noted that both an individual's privacy and the ability to track overall data are essential to the medical profession. "If you cannot aggregate data, you could not track the SARS (Severe Acute Respiratory Syndrome) epidemic," Guess said. "You wouldn't know there was a SARS." At the same time, Guess said, the idea that one's conversations with a doctor should be private date back to Hippocrates. Aiming to follow those principles while still tapping today's technology, IBM demonstrated what it termed a "Hippocratic database" in which a sample health care database returned results based on the right to know of the individual making the query. A primary care physician might have total access to test results, while the billing department clerk could find out which tests a patient had, but not the results. A medical researcher might have access only to generalised information or to records from those patients that had opted to share their information to researchers. Another option would be to allow the researcher to see whether there was a pattern among people whose blood pressure was elevated, but not allow the researcher to see people's actual pressure levels. The principle underlying the database -- which is a lab project rather than a product IBM is marketing -- is to limit use of information based on the degree of consent a patient gives. But even technology's biggest proponents agree that technology is only part of the solution. Regulation, marketing, financial incentive and culture change are all part of preserving some measure of privacy. "Technology alone is not going to solve this problem," said IBM researcher Tom Rosamilla. Rosamilla points to the popularisation of seat belts as an example. It was the combination of seat belt laws, insurance industry mandates, advertising and a societal shift that finally led seat belt use to become ubiquitous -- years after the technology first emerged. Regulation, though seen as important, is also thorny in that it varies so much from one jurisdiction to another. While Europe has had strong privacy laws since the 1990s, the United States has taken largely a self-regulation approach, for example. Even where there are laws on how data can be used, they are often difficult to enforce. That has led some to focus on minimising the data that companies can collect as opposed to trying to regulate how the information can be used. "It's hard to enforce that it is only used by the 'right' people for the 'right' purposes," said Marit Hansen, a computer scientist who works for a state-funded independent center for privacy protection in Kiel, Germany. Another approach discussed was trying to reward companies that enact strong privacy protections. There seemed to be consensus that privacy will only take off in the marketplace if companies perceive it to be in their financial interest. "We want businesses to know there are tangible benefits to offering privacy," said Ann Cavoukian, who is the privacy commissioner for Ontario and also author of a book on the subject, "Privacy Payoff". But helping create those incentives can be problematic. In the German state of Schleswig-Holstein, where Hansen is based, a 2000 law created a privacy seal for companies that meet certain standards and also offered preference in government purchases for products that have the certification. So far, though, only three products have earned the seal, with another 15 or so seeking approval. A better approach, Hansen said, would have been a European or even an international standard, but Hansen said there was not enough will or cooperation for that to occur. "We couldn't wait any more, so we started," Hansen said.
Who's watching you? Get the latest on spy networks such as Echelon and Carnivore, as well as privacy issues for companies and individuals alike, at ZDNet UK's Privacy News Section.
Let the editors know what you think in the Mailroom.
