IBM to Provide Security w/o Sacrificing Privacy Using Hash Functions

Sean C. scc4fun at
Tue May 24 21:40:35 CEST 2005

See comment at bottom.

Business/Financial Desk; SECTCTECHNOLOGY
I.B.M. Software Aims to Provide Security Without Sacrificing Privacy
624 words
24 May 2005
The New York Times
Late Edition - Final
Copyright 2005 The New York Times Company. All Rights Reserved.

International Business Machines is introducing software today that is intended
to let companies share and compare information with other companies or
government agencies without identifying the people connected to it.

Security specialists familiar with the technology say that, if truly effective,
it could help tackle many security and privacy problems in handling personal
information in fields like health care, financial services and national

''There is real promise here,'' said Fred H. Cate, director of the Center for
Applied Cybersecurity Research at Indiana University. ''But we'll have to see
how well it works in all kinds of settings.''

The technology for anonymous data-matching has been under development by S.R.D.
(Systems Research and Development), a start-up company that I.B.M. acquired
this year.

Much of the company's early financial backing came from In-Q-Tel, a venture
capital firm financed by the Central Intelligence Agency that invests in
companies whose technologies have government security uses.

S.R.D., now I.B.M.'s Entity Analytics unit, has worked for years on specialized
software for quickly detecting relationships within vast storehouses of data.
Its early market was in Las Vegas, where casinos used the company's technology
to help prevent fraud or employee theft. The matching software might sift
through databases of known felons, for example, to find any links to casino

By the late 1990's, United States intelligence agencies had discovered S.R.D.
and the potential to use its technology for winnowing leads in pursuing
terrorists or spies. After 9/11, the government's interest increased, and today
most of the company's business comes from government contracts.

The new product goes beyond finding relationships in different sets of data. The
software, which I.B.M. calls DB2 Anonymous Resolution, enables companies or
government agencies to share personal information on customers or citizens
without identifying them.

For example, say the government were looking for suspected terrorists on cruise
ships. The government had a ''watch list,'' but it did not want to give that
list to a cruise line, fearing it might leak out. Similarly, the cruise lines
did not want to hand over their entire customer lists to the government, out of
privacy concerns.

The I.B.M. software would convert data on a person into a string of seemingly
random characters, using a technique known as a one-way hash function. No
names, addresses or Social Security numbers, for example, would be embedded
within the character string.

The strings would be fed through a program to detect a matching pattern of
characters. In the case of the cruise line and the government, an alert would
be sent to both sides that a match had been detected.

''But what you get is a message that there is a match on record Number 678 or
whatever, and then the government can ask the cruise line for that specific
record, not a whole passenger list,'' explained Jeff Jonas, the founder of
S.R.D. and now chief scientist of I.B.M.'s Entity Analytics unit. ''What you
get is discovery without disclosure.''

To date, the software for anonymously sharing and matching data has been tested
in a few projects, but I.B.M. is aiming for day-to-day use in several

In health care, for example, more secure and anonymous handling of patient
information could alleviate privacy concerns in the shift to electronic health
records, potentially increasing efficiency and reducing costs, analysts said.

The technology, specialists noted, could also reduce the risk of identity theft,
especially if personal data held by companies were made anonymous.

Document NYTF000020050524e15o001dj

© 2005 Dow Jones Reuters Business Interactive LLC (trading as Factiva). All
rights reserved.

I'm confused though.
I just read this article from the New York Times. As a newbie to encryption and
hash algorithms I thought the idea behind hashes was that you couldn't
reconstruct the data from the hash.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: PGP Digital Signature
Url : /pipermail/attachments/20050524/5732fa9d/attachment.pgp

More information about the Gnupg-users mailing list