IBM is tuning in to customer concerns about how businesses, the government, and other organizations collect and use personal information. The company is developing database technology to help implement and enforce data-management policies.

At the VLDB 2002 database conference in Hong Kong last week, Rakesh Agrawal, IBM's project lead scientist, spoke about database privacy technology under development in IBM's Almaden Research Center. "The kind of information systems we create are going to have a major impact on society," he says. "Database scientists have a responsibility to step up and address these issues," he says.

New database capabilities under development include privacy metadata tables that will control how data can be used and who has permission to access it. Such a database would grant a billing department employee access to a customer's financial records, for ex-ample, but a shipping department worker's access would be limited to the customer's address. Similar restrictions would apply to applications querying the database.

IBM is also developing capabilities to delete information that's no longer needed. Additionally, future databases should let people see what information about them is stored in a database without seeing other data, Agrawal says.

Some of the privacy-protection capabilities will appear in new versions of IBM's DB2 database within 18 months. But others will require such fundamental architectural changes that it could be years before they appear in new generations of database software.

Oracle, IBM's chief competitor in the database market, says it already offers the capabilities users want. The virtual private database capabilities in Oracle's database provide row-level data security and limit access according to an employee's role or title. "That's as granular as customers want," says Mary Ann Davidson, Oracle's chief security officer.

But Alexander Veletsos, information systems director at Florida Hospital, likes IBM's plans. Says Veletsos, "There's a plethora of capabilities there we can use for privacy protection."