The dark side of XML and privacy

• By Peter Bochner
• August 29, 2002

[August 29, 2002; XML Web Services One Show Daily] -- The data-describing power of XML could have a very dark side in the hand of mischievous individuals, says Ron Schmelzer, a senior analyst at industry analyst firm ZapThink, Waltham, Mass. 'XML is essentially automating identity theft,' said Schmelzer, a speaker at the XML Web Services One Conference in Boston.

By creating what Schmelzer described as a 'human-readable, machine-processable, meta data-enhanced, text-based way of reading information that is tagged,' XML has given developers a way to tag data fields that may be too efficient. With XML, developers don't really have the ability to tell DBAs to ignore the information. 'It's like telling them not to think about polar bears. They're essentially drawing a big red flag' pointing to those data fields that hold sensitive information.

To resolve this problem, said Schmelzer, some programmers have turned to a strategy of obfuscation -- creating a field called XJ12 as the tag for credit cards, and splitting the credit card number into four fields or even hashing the number.

The Platform for Privacy Preferences is a popular XML-based effort that defines privacy policies in machine-readable formats and generates such policies. According to Schmelzer, attempts at offering customers P3P-based user-centric services to store and access personal information, such as Microsoft Passport, the Liberty Alliance, CPExchange and Oasis CIQ, at best create as many questions as answers; at worst, they are doomed to failure.

All these plans have one thing in common: They use XML tags to standardize customer information. But, said Schmelzer, 'if it's hard to [get agreement on] standardized simple address fields internationally, then think about how hard it will be to tag other, more complex forms of customer information.'