3 Hippocratic Database Technologies
In the sections that follow, we describe a number of technologies that advance the principles of a Hippocratic database. These technologies are at various stages of development, but demonstrate the potential for future information systems to comply with the HDB vision.
3.1 Active Enforcement
One enabling technology of a Hippocratic database is an active enforcement system that limits access to and disclosure of personal information in accordance with fine-grained privacy policies, applicable laws, and individual opt-in and opt-out choices [3]. HDB active enforcement stores enterprise privacy policies and individual choices in database tables. It intercepts user queries at the database level and transforms these queries to comply with privacy policies and choices, ensuring that only authorized individuals have access to permitted information for proper purposes. Therefore, active enforcement satisfies the HDB principles of purpose specification, consent, limited use, and limited disclosure. Because it operates at the database level, HDB active enforcement enables enterprises to comply with detailed policies without modifying their applications or otherwise negatively impacting existing systems. In the current implementation (Figure 1), HDB active enforcement is executed in three stages: (1) policy creation, (2) preference negotiation, and (3) application data retrieval [4].
In the policy creation stage, an enterprise that safeguards personal information specifies its privacy policies. These policies govern access and disclosure of information in accordance with user authorization privileges, the purpose of the query, and the intended recipient of the query results, if different from the user issuing the query. The policies may also provide individuals with an opportunity to opt-in or opt-out of certain disclosures of their information. For example, an individual may opt to share his medical records with universities for research purposes, but opt not to disclose these records to drug companies for marketing purposes. The enterprise expresses these policies in a privacy language through a policy specification interface. The active enforcement component then parses the policies and installs them in the database as metadata. Subsequently, the enterprise may update or replace its policies through this one-step process without recoding any of its applications. The database stores all policy versions to allow accurate compliance verification.
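The two preceding paragraphs describe the mechanism at the heart of active enforcement: policies and individual opt-in/opt-out choices live in ordinary database tables, and each incoming query is intercepted and rewritten so that it only returns what the policy permits for the stated purpose and recipient. The following toy is an added illustration of that idea, written for this page; it is not the HDB implementation described in [3] or [4]. The table layout (`patients`, `policy`, `choices`), the use of `id` as the record owner's key, and the rewriting rules (prohibited columns become `NULL`, rows without consent are filtered out, predicates on prohibited columns are refused) are assumptions made for the example.

```python
"""Toy model of Hippocratic-database active enforcement by query rewriting.

Constructed example (not the HDB implementation): the privacy policy and the
individuals' opt-in choices are stored as rows in the database, and a query
issued for a given (purpose, recipient) pair is transformed before execution:
  * columns the policy does not permit are projected as NULL,
  * rows whose owner has not opted in for this purpose/recipient are dropped,
  * a WHERE predicate on a non-permitted column is refused, because filtering
    on a value you may not see would still leak it through the row set.
Table and column names are assumptions made for illustration.
"""
import re
import sqlite3

SELECT_RE = re.compile(
    r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)


def build_db():
    """Create an in-memory database with constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
    CREATE TABLE patients(id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT, zip TEXT);
    -- policy metadata: which column of which table may be disclosed
    -- for which purpose and to which recipient
    CREATE TABLE policy(tbl TEXT, col TEXT, purpose TEXT, recipient TEXT);
    -- per-individual choices: 1 = opted in, 0 = opted out
    CREATE TABLE choices(patient_id INTEGER, purpose TEXT, recipient TEXT, opt_in INTEGER);
    INSERT INTO patients VALUES (1,'Alice','flu','10001'),(2,'Bob','asthma','10002'),(3,'Carol','flu','10003');
    INSERT INTO policy VALUES
      ('patients','diagnosis','research','university'),
      ('patients','zip','research','university'),
      ('patients','name','treatment','hospital'),
      ('patients','diagnosis','treatment','hospital'),
      ('patients','zip','treatment','hospital');
    INSERT INTO choices VALUES
      (1,'research','university',1),(2,'research','university',0),(3,'research','university',1),
      (1,'treatment','hospital',1),(2,'treatment','hospital',1),(3,'treatment','hospital',1),
      (1,'marketing','drug_company',0),(2,'marketing','drug_company',0),(3,'marketing','drug_company',0);
    """)
    return con


def table_columns(con, tbl):
    # tbl is constrained to \w+ by SELECT_RE, so it is safe to interpolate here
    return [row[1] for row in con.execute(f"PRAGMA table_info({tbl})")]


def permitted_columns(con, tbl, purpose, recipient):
    rows = con.execute(
        "SELECT col FROM policy WHERE tbl = ? AND purpose = ? AND recipient = ?",
        (tbl, purpose, recipient),
    )
    return {r[0] for r in rows}


def rewrite(con, sql, purpose, recipient):
    """Return (rewritten_sql, params) enforcing policy and consent for the query."""
    m = SELECT_RE.match(sql)
    if not m:
        raise ValueError("only SELECT <cols> FROM <table> [WHERE <pred>] is handled here")
    select_list, tbl, where = m.group(1), m.group(2), m.group(3)
    all_cols = table_columns(con, tbl)
    allowed = permitted_columns(con, tbl, purpose, recipient)

    requested = all_cols if select_list.strip() == "*" else [c.strip() for c in select_list.split(",")]
    for c in requested:
        if c not in all_cols:
            raise ValueError(f"unknown column {c!r}")
    # Limited disclosure at cell granularity: prohibited columns come back as NULL
    projection = ", ".join(c if c in allowed else f"NULL AS {c}" for c in requested)

    # A predicate on a prohibited column would reveal it via which rows match; refuse it.
    if where:
        for ident in set(re.findall(r"\b[A-Za-z_]\w*\b", where)):
            if ident in all_cols and ident not in allowed:
                raise PermissionError(f"predicate on undisclosable column {ident!r}")

    # Consent: keep only rows whose owner opted in for this purpose and recipient
    consent = ("id IN (SELECT patient_id FROM choices "
               "WHERE purpose = ? AND recipient = ? AND opt_in = 1)")
    predicate = f"({where}) AND {consent}" if where else consent
    return f"SELECT {projection} FROM {tbl} WHERE {predicate}", (purpose, recipient)


def run(con, sql, purpose, recipient):
    """Rewrite the query for the given purpose/recipient and execute it."""
    rewritten, params = rewrite(con, sql, purpose, recipient)
    return con.execute(rewritten, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(run(db, "SELECT name, diagnosis, zip FROM patients WHERE diagnosis = 'flu'",
              "research", "university"))
```

Running the query in the `__main__` block for the research/university purpose returns Alice's and Carol's rows with `name` nulled out (the policy permits only `diagnosis` and `zip`) and omits Bob, who opted out; the same query issued for marketing/drug_company returns nothing, since no policy row and no opt-in exists for that pair. The application never has to know any of this: the rewriting happens between the application's query and the table, which is the property the text credits active enforcement with.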
In the preference negotiation stage, the active enforcement component notifies the individual of the enterprise's privacy policies. The individual formulates his or her own privacy preferences and expresses them in a preference language through a dedicated plug-in on the client side [5]. Prior to disclosing any personal information, the system matches these preferences with the enterprise's policies and informs the individual of any conflicts. The parties may either resolve these conflicts or terminate the process. If they proceed,