The Defense Advanced Research Projects Agency has awarded a $3.5 million contract to Xerox Corp.'s Palo Alto Research Center to create a privacy-protection system as part of Darpa's controversial Total Information Awareness program. If successful, PARC researchers say, the system could potentially be used by businesses to ensure that their privacy policies are enforced even while opening corporate databases to new data-sharing arrangements.

Darpa's Total Information Awareness program has been a lightening rod for privacy advocates concerned about the agency's plan to collect transactional data from a wide variety of private-sector databases. PARC plans to develop a "privacy appliance" that would help blunt some of those concerns by making it harder for intelligence agencies and other government users to get personally identifiable information--names, addresses, or Social Security numbers, for example--from such databases, or even to narrow queries in such a way that only a handful of people meet certain criteria. Theoretically, intelligence officials would require the equivalent of a search warrant in order to gain access to that kind of information.

Teresa Lunt, the PARC researcher who will lead the 42-month project, says the privacy appliance is being designed for potential use in the business world, too.

"It certainly was in my mind from the beginning," Lunt says. For example, she says, medical institutions might use the appliance to allow access to their databases for research in surgical procedures, while protecting the identities of patients.

In the area of homeland security, the appliance would put control over private-sector database access in the hands of businesses, rather than government agencies. The appliance "is separate from the data source that's being queried," Lunt says. "You can take it out of the government's hands and put it in the hands of the data owners themselves to manage that box."