Hippocratic Databases
Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu
IBM Almaden Research Center
650 Harry Road, San Jose, CA 95120
Abstract
The Hippocratic Oath has guided the conduct of physicians for centuries. Inspired by its tenet of preserving privacy, we argue that future database systems must include responsibility for the privacy of data they manage as a founding tenet. We enunciate the key privacy principles for such Hippocratic database systems. We propose a strawman design for Hippocratic databases, identify the technical challenges and problems in designing such databases, and suggest some approaches that may lead to solutions. Our hope is that this paper will serve to catalyze a fruitful and exciting direction for future database research.
1 Introduction
"And about whatever I may see or hear in treatment, or even without treatment, in the life of human beings - things that should not ever be blurted out outside - I will remain silent, holding such things to be unutterable" - Hippocratic Oath¹
The explosive progress in networking, storage, and processor technologies is resulting in an unprecedented amount of digitization of information. It is estimated that the amount of information in the world is doubling every 20 months, and the size and number of databases are increasing even faster [37]. In concert with this dramatic and escalating increase in digital data, concerns about the privacy of personal information have emerged globally [15] [17] [37] [51]. Privacy issues are further exacerbated now that the Internet makes it easy for new data to be automatically collected and added to databases [6] [10] [58] [59] [60].
¹ Translation by Heinrich Von Staden. In a Pure and Holy Way: Personal and Professional Conduct in the Hippocratic Oath. Journal of the History of Medicine and Applied Sciences 51 (1966) 406-408.
Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the VLDB copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Very Large Data Base Endowment. To copy otherwise, or to republish, requires a fee and/or special permission from the Endowment.
Proceedings of the 28th VLDB Conference, Hong Kong, China, 2002
Privacy is the right of individuals to determine for themselves when, how and to what extent information about them is communicated to others.² Privacy concerns are being fueled by an ever increasing list of privacy violations, ranging from privacy accidents to illegal actions. Of equal concern is the lax security for sensitive data. See Appendix A for some examples of recent privacy violations. Database systems, with their ubiquitous acceptance as the primary tool for information management, are in the middle of this gathering storm.
We suggest that the database community has an opportunity to play a central role in this crucial debate involving the most cherished of human freedoms³ by re-architecting our database systems to include responsibility for the privacy of data as a fundamental tenet. We have been inspired by the privacy tenet of the Hippocratic Oath, and propose that the databases that include privacy as a central concern be called Hippocratic databases. We enunciate the key principles for such Hippocratic database systems, distilled from the principles behind current privacy legislations and guidelines. We identify the technical challenges and problems in designing Hippocratic databases, and also outline some approaches that may lead to solutions. Our hope is that future database research will convert the Hippocratic database vision into reality.
We recognize that technology alone cannot address all of the concerns surrounding a complex issue like privacy. The total solution has to be a goulash of laws, societal norms, markets, and technology [32]. However, by advancing what is technically realizable, we can influence the proportion of the ingredients and the overall quality of the solution. We also recognize that all of the world's data does not live in database systems. We hope the Hippocratic databases will provide additional inducement for privacy-sensitive data to move to its right home. If nothing else,
² This definition is attributed to Alan Westin, Professor Emeritus of Public Law and Government, Columbia University.
³ Samuel Warren and Louis Brandeis. The right to privacy. Harvard Law Review 4 (1890) 193-220. See also [2].