Monday, 31 December 2007

Privacy - How are we doing in New Zealand?

Just as we get embarrassed here in NZ when our clean green image is tarnished by farmers polluting streams, we should sit up and take notice when our privacy is not protected in what we assume is a 'free society'. The 2007 International Privacy Ranking from the US-based Electronic Privacy Information Center and the UK-based Privacy International does not present a pretty picture of the NZ attitude to privacy. Overall the rating represents a systematic failure to uphold safeguards. Notably, NZ is up there with the worst, leading in bad practice in communications interception.

The findings are available in PDF format by clicking here.

Tuesday, 18 December 2007


It has taken a while for me to notice this bit of participatory democracy but I have taken the opportunity to add my name to a petition.

Downing Street is working in partnership with the non-partisan charitable project mySociety to provide a service to allow citizens, charities and campaign groups to set up petitions that are hosted on the Downing Street website, enabling anyone to address and deliver a petition directly to the Prime Minister.

mySociety is a charitable project that runs many of the UK's best-known non-partisan political websites, like and mySociety is strictly neutral on party political issues, and the e-petition service is within its remit to build websites which give people simple, tangible benefits in the civic and community aspects of their lives. For more information about mySociety and its work, visit its website.

While you are looking, take the opportunity to consider and support this
We the undersigned petition the Prime Minister to require all organisations notify customers immediately of any personal data security breaches.

Thursday, 6 December 2007

Using Intalio to Develop a new Business Process

While Intalio is a BPMS tool rather than an all singing and dancing development workbench, you can deliver a working solution that is useful to a business unit. In this scenario a business analyst or consultant may take a pure business solution approach without attempting to specify system services or enterprise-grade business services. A question that has been raised with me is how do I know that the business process design is sufficiently developed that it is worth investing time and money in building or buying service components. With a tool like Intalio, the answer is when the business process is executable and the business can work through it. That does not necessarily mean that the BA has to solve all the integration issues.

As the BA works through the process, s/he will encounter interactions with services that may or may not exist. In a significant portion of enterprises, there will not be a catalogue of every business service that has been implemented, let alone every one that could be desired. Rather than stopping at each case of need of interaction with a business service, the BA could 'simply' define the interface as the business process sees it and support it with a quick and dirty database (a bit like using MS Access to deliver your operational support systems because it takes too long to get the necessary work done with SAP). Using Intalio, MySQL and a bit of AXIS generation the BA could refine the business process with a working example (I suspect that this may fit within the Agile manifesto). At the point that the working solution satisfies the business for flow, it could be handed over for technical improvement: integration into the normal pattern of user interface (say MS Outlook or Facebook) and integration into the back office systems of CMS and Finance. For the enterprise, there is a risk associated with this approach ... the initial delivery may become operational and valuable enterprise level information may remain hidden from the organisation as a whole (very much as happened with the general use of Access databases).

Jacques-Alexandre Gerber covered this aspect in a post

To summarize, here is how simulation and emulation can be envisioned to be used in order to indeed provide valuable business information before deploying processes in a production environment:

  1. Business Analysts create new process models in Intalio|BPMS Designer
  2. Business Analysts use Intalio|BPMS Designer simulation capabilities to ensure their process models meet their objectives and requirements as far as they can tell.
  3. IT Engineers add emulation processes and deploy them in the emulation environment.
  4. Business Analysts analyze the business reports they get from the emulation environment.
  5. Based on the reports, Business Analysts may revisit their models and go back to step #2. Once they are happy with the business outcome they can truly expect to get, it’s time to actually implement those processes.
  6. IT Engineers now fully implement processes by integrating external systems and users. The next steps are the traditional steps to deploy an application in a production system (test, acceptance, production)
I suggest that step 3 in most cases should not need a propeller-head 'IT Engineer' but a sandpit and toolset for the BA to work with ideas about what the service should look like at that point. Generally, a simple database will do the job for a business process emulation but more exotic plug-ins may evolve in this space (for example instant-messenger presence behavior).

The world does not stand still so the effectiveness of the business process should be measured in production. This is where the BPMS really pays off, as the throughput and utilisation of every activity is automatically gathered and available for analysis. The cycle then resumes at step 2 with improvement in process.

Somewhere in the development cycle, some human-factor engineering needs to take place. If the enterprise has a particular style of working with information ("the way we work here"), then the BA tool-set could include some helpers for it. For example, if the culture is to manage personal tasks through Outlook task lists, a helper could provide the task management user interface through an OBA.

If you are faced with inertia in database and enterprise services then building solutions with CRUD services delivered out of the business process delivery seems a good way of establishing what the business requirement is, and what the value will be without having to deal with the triage mechanisms that stand in your way.

Wednesday, 5 December 2007

Open Information v Privacy

There is an increasing amount of personal information being collected for all manner of worthy? reasons like ensuring that health providers do not use taxpayer dollars to treat aliens. Combined with the desire for more openness in government and means to provide data rather than just the results of a conclusion there is a risk of exposure of personal information.
In the paper, Robust De-anonymization of Large Datasets (How to Break Anonymity of the Netflix Prize Dataset), Arvind Narayanan and Vitaly Shmatikov of The University of Texas at Austin describe the problem; show a general method of de-anonymizing statistical data and demonstrate its use in an area where the participants were under the impression that their information was anonymous.
Datasets containing “micro-data,” that is, information about specific individuals, are increasingly becoming public—both in response to “open government” laws, and to support data mining research. Some datasets include legally protected information such as health histories; others contain individual preferences, purchases, and transactions, which many people may view as private or sensitive.

Privacy risks of publishing micro-data are well-known. Even if identifying information such as names, addresses, and Social Security numbers has been removed, the adversary can use contextual and background knowledge, as well as cross-correlation with publicly available databases, to re-identify individual data records. Famous re-identification attacks include de-anonymization of a Massachusetts hospital discharge database by joining it with a public voter database [...]

We present a very general class of statistical de-anonymization algorithms which demonstrate the fundamental limits of privacy in public micro-data. We then show how these methods can be used in practice to de-anonymize the Netflix Prize dataset, a 500,000-record public dataset.
Collectors and publishers of data need to be aware of the potential for exposure of information that may be regarded as sensitive.
The issue is not limited to widely disseminated information. Individuals or special-interest groups may have legitimate need for micro-data (for example in health funding policy) but then have the means of uncovering personal data for an unauthorised purpose.
  • are ethics sufficient to protect the privacy of individuals described by such micro-data?
  • is the information exposed by statistical de-anonymization sufficiently protected by legislation?
  • where would you go for assurance that the data that you are providing is not susceptible to statistical de-anonymization?
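One concrete place to start on the last question is the linkage risk the quoted abstract mentions for the hospital discharge database: how many "anonymised" rows are pinned down by a few quasi-identifiers. The following is an added example, not code from the paper or the original post; the records, column names and coarsening rules are constructed, and it measures k-anonymity of tabular quasi-identifiers rather than the sparse-rating method the paper describes.

```python
"""Uniqueness (k-anonymity) check for a micro-data release.

Added example (not from the cited paper or the original post): before
publishing "anonymised" records, measure how many of them are uniquely
identified by a handful of quasi-identifiers, and how much coarsening
those fields helps. Dataset and column names are constructed here.
"""
from collections import Counter

# Constructed sample: direct identifiers already removed, but each row still
# carries quasi-identifiers (postcode, birth year, sex) plus sensitive data.
RECORDS = [
    {"postcode": "6011", "birth_year": 1971, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "6011", "birth_year": 1973, "sex": "F", "diagnosis": "flu"},
    {"postcode": "6012", "birth_year": 1985, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "6012", "birth_year": 1986, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "6021", "birth_year": 1960, "sex": "M", "diagnosis": "flu"},
    {"postcode": "6021", "birth_year": 1962, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "6022", "birth_year": 1990, "sex": "F", "diagnosis": "flu"},
    {"postcode": "6022", "birth_year": 1990, "sex": "F", "diagnosis": "asthma"},
]


def equivalence_classes(records, quasi_ids, generalise=None):
    """Group records by their quasi-identifier tuple.

    generalise maps a column name to a function that coarsens the value
    (e.g. birth year -> decade). Returns {tuple: count}.
    """
    generalise = generalise or {}
    counts = Counter()
    for rec in records:
        key = tuple(generalise.get(col, lambda v: v)(rec[col]) for col in quasi_ids)
        counts[key] += 1
    return counts


def k_anonymity(records, quasi_ids, generalise=None):
    """Smallest equivalence class size: k == 1 means at least one record is unique."""
    return min(equivalence_classes(records, quasi_ids, generalise).values())


def unique_fraction(records, quasi_ids, generalise=None):
    """Share of records that are the only one with their quasi-identifier tuple."""
    classes = equivalence_classes(records, quasi_ids, generalise)
    singles = sum(1 for n in classes.values() if n == 1)
    return singles / len(records)


# Coarsening rules a publisher might apply: postcode to district, year to decade.
COARSEN = {
    "postcode": lambda p: p[:2],
    "birth_year": lambda y: (y // 10) * 10,
}

if __name__ == "__main__":
    qids = ["postcode", "birth_year", "sex"]
    print("raw       k =", k_anonymity(RECORDS, qids),
          "unique =", unique_fraction(RECORDS, qids))
    print("coarsened k =", k_anonymity(RECORDS, qids, COARSEN),
          "unique =", unique_fraction(RECORDS, qids, COARSEN))
```

On the constructed rows, six of eight records are unique on raw postcode, birth year and sex; coarsening to district and decade brings every class to at least two records, at an obvious cost in precision for any analysis that needed the detail.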

Friday, 16 November 2007

Intalio as a complete development environment?

Virgil Green, a contributor to the Intalio forum posed a question which approaches my own reason for studying Intalio

I've been considering BPMS in general and Intalio specifically as a development platform. I'm wondering if I'm expecting too much from this technology. I'd like to replace a complete software system including Contract Management, Claim Management, Invoicing, Letter Generation, etc.

My question is (rather broadly) whether the combination of Intalio Community edition (or any higher level edition), a database for which there are adapters, and a reporting tool such as BIRT provide sufficient tools to develop a complete enterprise system.

Business rules? Are they covered/enforceable in Intalio? User Inquiry and Data Entry? Are XForms enough? Am I expecting too much or should I continue to think of this software as middleware for moving data between other systems that handle those functions?

At present the answer is probably that you are asking too much of Intalio alone and that you are being very ambitious. However, the underlying ideas of Intalio and its open-source and standards basis mean that there is likely to be a way of working with Intalio as a core to deliver a reasonable enterprise architecture.

I think it is a good idea to consider BPMS as the centre of an execution platform. Intalio then provides a good implementation of the BPEL engine and a corresponding designer. Because BPMS does not work well without people somewhere in the end to end operation, there is an element of human workflow required to complete the picture. Intalio adds to the BPMS a web application that implements the human workflow using a standard form expression BPEL4People. This is the TEMPO component. The Intalio Designer integrates this for you automatically. If you are happy to express your workflow with the BPEL4People constructs, and there are plenty of for and against arguments, that covers your business processes very well.

Either side of the business process management system you will require technology components that interact with people (the human interface) and services (the IT systems components for your Contract Management, Claim Management etc.).

Let us consider the services first. My observation of organisations which are not unduly tied into technology (a retailer or small manufacturer rather than a national Telco) is that when you manage the Business Process independently of the business services, both the services and the business process implementations will become much simpler than if they are combined in, say, a customer management suite.

Intalio itself does not provide much in the way of application development of the kind you might find in IBM's Websphere or Microsoft Visual Studio. However, once the business processes are managed there may be little left to worry about other than the persistence layer of simple create, read, update and delete of data (CRUD). Of course there are a number of development tools that would work alongside Intalio to deliver the services components.

The user interface components of Intalio are designed for the workflow alone. This will not be sufficient for a complete software solution for many organisations. Although Intalio makes use of a generic user interface product (ORBEON) which itself is a server implementation of the XFORMS standard, the method of development of user interface in Intalio does not allow the full capabilities of either to be used.

  • There is no direct control over the presentation within the designer. The view of the form is defined by CSS, but the CSS scripting has to be unpacked from the Intalio distribution and modified independently of the forms designer component.
  • The form input and output messages are defined automatically from the form components (widgets) which precludes the use of standard schemas common in business and government circles (for example the XNAL standard used for names and addresses).
  • Fundamental XFORMS presentation controls are not available within the designer (for example, Appearance, which is used by XFORMS implementations to decide how the input/output should be presented)
  • There is no control over XFORMS submission. Submission is limited to the messages to TEMPO.

However, the presentation layer of the architecture can be readily replaced with anything else that can communicate with SOAP (doc-literal) messaging. A commercial organisation might even consider using Microsoft Office as the presentation layer. Organisations with an architectural bias to Open Source and standards might still choose XFORMS but with a different development tool.

Whether Intalio is sufficient to develop for the enterprise will ultimately depend on the complexity of that enterprise. There will be plenty of businesses that perform their functions within Microsoft Office and Access environments. Intalio and a database would be a step up from that. MySQL and JDBC seem to fit well with Intalio. There are some samples of providing data access services through MySQL in Intalio.

At first glance, BIRT for reporting looks a good companion for Intalio in the development area as it is also based on the Eclipse development platform. However, the Intalio distribution seems a bit hostile to other Eclipse plug-ins. This may be resolved as Intalio matures.

Explicitly calling a business rules engine within the BPMS seems to be a reasonable approach and is readily achieved in Intalio provided the BRE provides a web service interface. Intalio provides a sample implementation with OpenLexicon.

Intalio could not be classed as a general development environment in its current incarnation but it is certainly capable of becoming one.

Thursday, 8 November 2007

Health Information Privacy

IT managers often fail to do their best work in delivering security to the information within the health sector but they certainly do better than the health managers themselves.
A recent audit of the Wellington region's health service revealed patient records being stored in public corridors with no controls on access.

The audit [Telarc] underlines that the organisation is bordering on dysfunctional. It records grave failings, such as leaving patient records in public corridors where anybody passing can take a peek ... Dominion Post 8 Nov 2007
There are plenty of things that can be done technically to meet the required standards of privacy but if the underlying organisation has an irresponsible attitude to security we will see ill-considered technical 'solutions' that compound the problem.

As Blindside comments on one mobile health care device
Let’s see. Wireless transmission of sensitive information–yeah, we’ll get to that right after we take care of those pesky ergonomic and battery life issues. And preventing hacking and malware to ensure that the information is accurate? Hmm. Let’s put that on the list of things to do after we make sure it doesn’t add to the weight of the tablet device.
I suspect that the subject of healthcare privacy needs a shake up from top to bottom. A few questions ...
  • Is it clear what the customer (that's us, not the health managers) wants?
  • What 'need' do these 'wants' reflect?
  • Do the legislation and ethical requirements reflect this underlying need?
  • Is there suitable compliance and enforcement of the legislation and ethical requirements?
  • Should we get anaesthetists and paediatric cancer specialists before worrying about privacy and security?
When we have a good answer to those, we may be able to evaluate the technical questions about encrypting data at point of entry; securing information over wifi; ensuring that laptops and tablet devices are not attractive to thieves of information, identity or property (because they certainly will be available to all of those).

Wednesday, 31 October 2007

Intalio Components

It may be worth clarifying the relationships between the standards and open source components of Intalio. From my perspective as an architect:

The central feature of the Intalio run-time is a business process engine implementation of BPEL 2.0.
Human interaction with the business process is termed workflow and in Intalio is an implementation of the loosely standardised BPEL4PEOPLE specification. This is packaged as an application, TEMPO. There is a form-based user interface for this workflow which relies on the XFORMS W3C standard. Note that XFORMS is a device-independent standard which does not define the presentation form, only the function. ORBEON is used to present the user interface in HTML. This is a server-based implementation of XFORMS with the transformation from XFORMS to HTML taking place at the server.
The Intalio Designer component for forms design is specific to workflow and not a generic user interface designer nor even a full-function graphical XFORMS designer.

An advantage of the open source approach is that components can be bypassed or supplemented to extend the capabilities.

If your organisation has adopted XFORMS as a standard, it is likely that the limitations of the Intalio Designer will force you into a development method that delivers the XFORMS by other means. You could use the Intalio ORBEON implementation for your separately developed XFORMS or use the browser implementations of XFORMS (eg XFORMS Plugin in Mozilla Firefox or Formsplayer for IE). Designing a user interface with XFORMS is not necessarily a job for a graphical design tool. Unfortunately, the Intalio Designer does not provide a source editor for the XFORMS XML and may lose edits that you make externally to forms.

There is a reasonable application design/development approach in which a business analyst uses Intalio Designer with the included workflow to develop a working model of the business process. Then the user interface could be replaced with a house style anywhere in the range from all singing and dancing Silverlight down to plain text forms.
Developers asking how to add buttons or improve the look and feel of Intalio forms for production quality applications would be advised to look at their forms as a separate piece of design rather than attempting to work within the constraints of the Intalio implementation. The interface between the presentation layer and the TEMPO and BPMS components is fully defined and implemented in standards.

Monday, 1 October 2007

Intalio - A usable and accessible BPMS

Ismael Ghalimi is justly proud of the current incarnation of Intalio.
Intalio provides a useful development and runtime environment for initiatives centred on the business process. There is a real opportunity for an analyst and a business subject-matter expert to explore a target business process and deliver a functioning solution with human workflow and integration with legacy applications. Based on standards with an active development path (BPMN, BPEL, SOAP, XFORMS ...) and open source components (Apache Geronimo, Derby, Orbeon, Eclipse ...), it is a development platform with low cost of entry and little risk of being left with an unsupported orphan. Low cost of entry? I have managed to work through a proof of concept using the free community edition on my laptop. Many small organisations would be able to develop and run exclusively in the community edition while government and corporates may be happier with the support and connector technology (for SAP, Oracle, DB/2) from an enterprise edition.

For organisations, large and small, now exploring the BPMS world, Intalio provides a useful means of developing practical end to end solutions that can be used as the proof of concept, prototype and initial production. Fitting with enterprise standards for user interface and database can come later when the business design is fully explored.

Saturday, 29 September 2007

I need a Redux Model/1!

Ismael Ghalimi has developed an idea of a need into a specification for a practical product in a few days. I really want one of these devices.

I will be looking for this to be the email interface for HF/SSB radio when ocean sailing ... I will not want to be running expensive power hungry pc/laptop computers. I will be happy to leave browsing the internet to download charts etc until I reach port. Any chance of ruggedising Redux Model 1? Protecting it from the salty element can't be much more of a problem than the exposure to coffee and worse around the meeting rooms, planes and lounges of its natural habitat.

Thursday, 6 September 2007

A Universal DNA matching database?

Andreas Busch summarises developments in the DNA identification debate arising from
One of the United Kingdom's most senior judges, Lord Justice Sedley, today demanded that every UK resident and every visitor to the country should have their DNA recorded on the national DNA database ...
The judge has logic on his side. Britain has the largest DNA database in the world, covering 7.5% of the population. Mathematical techniques can extend the range of matching further by detecting relatives of people on the database. So the Brits are well on their way to achieving the judge's goal.

However consider,
  • Outside of CSI and similar TV programs, how many crimes are solved through DNA matching? Is there a reasonable value proposition to extend this collection because of the current success rate?
  • How often is unknown DNA (not on match database) available as a pointer to an otherwise unknown perpetrator?
My guess is that a universal DNA database (relatively simple to achieve by diverting samples collected at birth) does not add much to detection or prevention of crime, because there is generally a small set of persons of interest around a particular crime, not the whole population.

But as matching technology improves, what a great resource for control of the population at large ... no need for pesky ID cards, passports, fingerprints at airports ... just a bit of sweat or saliva as you pass myriad control points.

Information Commissioner, Richard Thomas, warned that it raised serious issues around the criminal justice system: "if you get the knock on the door saying 'we’ve found your DNA’, you’ve got to start proving your innocence"
If the British justice system has descended to that level then a DNA database does not make much difference. There is a risk at present that relying on DNA for more than supporting evidence introduces the defence that other (unidentified) DNA indicates reasonable doubt that the identified person is the guilty party. It seems to me that the only clear benefit of a universal DNA database is to avoid such a defence.

As an aside, why stop at the border? Why not share the DNA database worldwide and track fugitives as they supply DNA at the border?

I think the debate lies outside the technology arena and more in the political and philosophical area. Do I have a right not to be identified?

Are you safely backed up?

Sean McBreen highlights the potential for information loss in our multi-gigabyte stores at home.
I guess that some assumptions had been made about the use of RAID arrays.

...terror as I came home to hear my Maxtor Onetouch III 1TB external HDD clicking away and no longer in explorer... SCARY!

A few quick searches on the web and looks like I'm toast - so ironic as we have had a few HDD failures in our team over the last month. I just knew I should have backed up all those new baby photos we had been taking (I'm a dad now for 3 months).

After looking on-line and deciding that a fee of up to $2,000 and a distinct lack of warranty cover from the vendor I decided that I should take my chances and pop off the lid...

...I had the 2x500GB drives configured in a Raid 0 set-up so ...

Unfortunately, RAID 0 does not provide any fault tolerance from disk failure, just better performance. In this case it doubles the chance of loss of data because either disk failing destroys the array. The RAID 1 option available on the Maxtor unit is preferable for resilience with marginal loss in write performance.
I think this takes you into the forensic data recovery area and having to re-build the entire two-disk array sector by sector (assuming that some forensic geek can read the sectors off the dead drive). I recommend that you do not write to the remaining drive of the array as you may increase the rebuild effort.
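To make the RAID 0 versus RAID 1 point concrete, here is an added example (not part of the original post) that lays a constructed payload out on two toy "disks" either striped or mirrored, then drops one disk and checks what can still be read back. It also works the array-failure probability for independent per-disk failure probability p, an assumption of this example rather than a measured figure.

```python
"""RAID 0 (striping) versus RAID 1 (mirroring) under a single disk failure.

Added example, not part of the original post: two toy "disks" hold the same
payload laid out either striped or mirrored; then one disk is lost and we
check what can be recovered. Block size and payload are constructed.
"""
BLOCK = 4  # bytes per stripe unit, deliberately tiny for illustration


def _split(data, block):
    return [data[i:i + block] for i in range(0, len(data), block)]


def raid0_write(data, block=BLOCK):
    """Stripe consecutive blocks across disk 0 and disk 1 (no redundancy)."""
    blocks = _split(data, block)
    return blocks[0::2], blocks[1::2]  # disk0 gets even blocks, disk1 odd blocks


def raid1_write(data, block=BLOCK):
    """Mirror: every block goes to both disks."""
    blocks = _split(data, block)
    return list(blocks), list(blocks)


def raid0_read(disk0, disk1):
    """Interleave the stripes back into order; None means that disk is gone."""
    if disk0 is None or disk1 is None:
        return None  # every stretch of data spans both disks, so nothing is whole
    out = []
    for i in range(max(len(disk0), len(disk1))):
        if i < len(disk0):
            out.append(disk0[i])
        if i < len(disk1):
            out.append(disk1[i])
    return b"".join(out)


def raid1_read(disk0, disk1):
    """Either surviving mirror holds the full payload."""
    survivor = disk0 if disk0 is not None else disk1
    return None if survivor is None else b"".join(survivor)


def survives_single_failure(write, read, data):
    """True if losing either disk on its own still lets us read the data back."""
    for lost in (0, 1):
        d0, d1 = write(data)
        if lost == 0:
            d0 = None
        else:
            d1 = None
        if read(d0, d1) != data:
            return False
    return True


def array_failure_probability(p_disk, level):
    """Probability the two-disk array loses data, assuming independent disk
    failures with probability p_disk each: RAID 0 fails if either disk fails,
    RAID 1 only if both do."""
    if level == 0:
        return 1 - (1 - p_disk) ** 2
    if level == 1:
        return p_disk ** 2
    raise ValueError("only RAID 0 and RAID 1 are modelled")


SAMPLE = b"baby photos 2007 - irreplaceable!"  # constructed payload

if __name__ == "__main__":
    print("RAID 0 survives one disk loss:",
          survives_single_failure(raid0_write, raid0_read, SAMPLE))
    print("RAID 1 survives one disk loss:",
          survives_single_failure(raid1_write, raid1_read, SAMPLE))
    for p in (0.02, 0.05):
        print(f"p_disk={p}: RAID 0 {array_failure_probability(p, 0):.4f}"
              f"  RAID 1 {array_failure_probability(p, 1):.4f}")
```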

Wednesday, 29 August 2007

Safety fears over new register of all children

The headline is from The Times in the UK but the concerns apply everywhere that a 'database' is seen as the solution to a communication problem.
ContactPoint was set up after the official report into the death of Victoria Climbié. Lord Laming concluded that the eight-year-old’s murder could have been prevented had there been better communication between professionals.
Communication is not the same as broadcasting or publication. There is a sense of checks and balances between the participants in a communication. This is rarely apparent in stores of data offered to people on the basis of the role they undertake.
As Tom Fuller points out persons having a particular role are not necessarily to be trusted with the information. There will be inevitable bad eggs present in teaching; medical; legal; social work professions; and the police. Also leakage of information which should be private to the individual can occur from simple careless behaviour of otherwise trustworthy individuals. Sadly, assigning information access rights to a role (for example, head-teacher), does not prevent individual head-teachers delegating that responsibility to a temporary secretary which is probably not how the legislators or system designers saw the 'database' being acceptable.
In conventional communication, each request for information can trigger a question in the mind of the receiver about the possible use being made of the information provided. Ideally, technology solutions to the communication problems around public safety, health information and other privacy-loaded areas should not bypass these checks and balances. Given the risk of misuse of information by persons in a position of trust through their role, technology solutions should ensure that the minimum (necessary) information is released and that a clear trail of information release is maintained. If an authorised person enquires on such a database, they should expect to face enquiries themselves as to why and how the information was used. The kind of pattern analysis that detects potential credit card fraud should be applied to detect the abusers of the information systems.
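The "clear trail of information release" and the fraud-style pattern analysis argued for above can be put into practice as a review over the access log. The following is an added example, not code from the original post: it runs two simple rules over constructed audit lines, flagging record reads with no care relationship on file and bursts of lookups that look like enumeration. The log format, care register, user names, patient identifiers and thresholds are all constructed for illustration.

```python
"""Audit-trail review for a role-based records system.

Added example, not from the original post: a small detector that runs over
constructed access-log lines and flags (a) lookups of records with no recorded
care relationship and (b) bursts of lookups that look like enumeration.
Log format, thresholds and identifiers are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: time, user, role, patient id, declared purpose.
AUDIT_LOG = """\
2007-08-29T09:00:00 user=drsmith role=gp patient=P-1001 purpose=treatment
2007-08-29T09:02:10 user=drsmith role=gp patient=P-1002 purpose=treatment
2007-08-29T09:05:00 user=drsmith role=gp patient=P-2040 purpose=treatment
2007-08-29T11:00:00 user=tempsec role=admin patient=P-1001 purpose=admin
2007-08-29T11:00:05 user=tempsec role=admin patient=P-1002 purpose=admin
2007-08-29T11:00:09 user=tempsec role=admin patient=P-1003 purpose=admin
2007-08-29T11:00:14 user=tempsec role=admin patient=P-1004 purpose=admin
2007-08-29T11:00:20 user=tempsec role=admin patient=P-1005 purpose=admin
"""

# Constructed care register: the patients each user has a relationship with.
# A role such as "admin" confers no relationship by itself.
CARE_REGISTER = {
    "drsmith": {"P-1001", "P-1002"},
    "tempsec": set(),
}

BURST_WINDOW = timedelta(seconds=60)
BURST_LIMIT = 4  # more distinct patients than this inside the window is suspicious


def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def no_relationship_alerts(events, register):
    """Rule (a): a record was read with no care relationship on file."""
    return [(e["user"], e["patient"]) for e in events
            if e["patient"] not in register.get(e["user"], set())]


def burst_alerts(events, window=BURST_WINDOW, limit=BURST_LIMIT):
    """Rule (b): sliding window over each user's lookups; flag enumeration-like bursts."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, e in enumerate(evs):
            while e["time"] - evs[start]["time"] > window:
                start += 1
            distinct = {x["patient"] for x in evs[start:end + 1]}
            if len(distinct) > limit:
                alerts.append((user, len(distinct)))
                break  # one alert per user is enough to trigger a review
    return alerts


def review(text, register=CARE_REGISTER):
    """Both rules over one log; the output is what a reviewer would ask the user about."""
    events = parse_log(text)
    return {"no_relationship": no_relationship_alerts(events, register),
            "bursts": burst_alerts(events)}


if __name__ == "__main__":
    for kind, hits in review(AUDIT_LOG).items():
        print(kind, hits)
```

On the constructed log the GP's third lookup and all of the temporary secretary's lookups are flagged under rule (a), and the secretary's run of five patients in twenty seconds is flagged under rule (b); either is a prompt for the "why and how was this used" enquiry the paragraph calls for.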

Thursday, 9 August 2007

Health Information Privacy - When Rights Conflict

Tom Fuller writing in the respectable Blindside Blog presents a simple dilemma on the conflicting "rights" to have and to conceal information about a health issue.

As part of your treatment you need genetic analysis of predisposition towards several disease pathways. You are frightened that exposure of the results will a) reveal your mixed race heritage and b) prejudice your employability, insurability and sociability. So you agree with your consultant to test under an alias. And your treatment proceeds and you get on with your life.

Unbeknownst to you (does Beyonce have an evil twin called UnBeyonce?), your consultant also treats your child/children from a previous relationship, and recognizes that your genetic results are relevant to them. Your consultant knows that you would refuse to release your information, but their continued good health is dependent on having this information available. Just for the sake of preserving the moral dilemma, getting the genetic information from the children is not adequate, sufficient or practical (they live now in a foreign country, or something like that).

1. Is your right to control of information regarding your genetic history absolute?
2. Does your consultant have ethical responsibilities to act despite your desire for secrecy?
3. If sperm donors are required to disclose identity to their children, is a precedent established for requiring you to yield your genetic information?
4. Who should make the final decision?

With local health authorities taking a generous approach to information sharing citing "common good" but more likely for administrative convenience (see Patients' privacy could be compromised by health b...), the opportunity to consider cases like the one presented will be swept aside.

My view ... 1. Yes ; 2. No, not outside the individual patient - carer relationship ; 3. Probably, in a legal sense. This is a bad thing! Genetic information is probably the ultimate in "identity" information; 4. The patient fully informed by consultant.

Friday, 3 August 2007

Visualisation of Boring Statistics

Jon Udell has been working on making public data more accessible. His interesting example of local crime statistics brought to mind an early example of crime hotspot mapping here in New Zealand ... apparently police stations are the source of crime. Jon even showed that crime moves with the police stations! He is "thinking about ways to meld Python and Excel together more closely". You might like to try OpenOffice which supports Python directly. Unfortunately the current charting model still lets OpenOffice down.

Saturday, 28 July 2007

Information Sharing in Primary Healthcare

The push to electronic patient information systems to share information between the players in primary health care is not a bad thing, although some implementations may give rise to concern (see: patients-privacy-could-be-compromised). A peer-reviewed paper on the subject quantifies the effects of the missing information.

Clinicians reported missing clinical information in 13.6% of visits; missing information included laboratory results (6.1% of all visits), letters/dictation (5.4%), radiology results (3.8%), history and physical examination (3.7%), and medications (3.2%). Missing clinical information was frequently reported to be located outside their clinical system but within the United States (52.3%), to be at least somewhat likely to adversely affect patients (44%), and to potentially result in delayed care or additional services (59.5%).

Missing Clinical Information During Primary Care Visits. Peter C. Smith, MD; Rodrigo Araya-Guerra, BA; Caroline Bublitz, MS; Bennett Parnes, MD; L. Miriam Dickinson, PhD; Rebecca Van Vorst, BA; John M. Westfall, MD, MPH; Wilson D. Pace, MD. JAMA. 2005;293:565-571


Friday, 27 July 2007

Patients' privacy could be compromised by health board action

RUTH HILL in The Dominion Post on Wednesday, 25 July 2007 reports that "Patients' privacy could be compromised by a Hutt Valley initiative allowing GPs and hospital clinicians to exchange clinical information, medical ethics experts and patient advocates warn."
It is good to see the concerns are being discussed within health circles but a wider public debate should be encouraged before this significant erosion of personal privacy becomes more than an exploration of technical capability.

There are two separate issues touched on in the article. Firstly that "A lot of problems in the health sector come about when patients are wrongly identified." and secondly that "Sharing information (between providers in the health sector) closes the loops."
There is an implication here that sharing all information enhances the identification process and that a common information pool is a necessary requirement for the exchange of clinical information.
Identification of the individual is critical wherever the information flow and the individual become separated. A simple example can be seen in blood testing, where the results may be routed through a complex process to the ultimate information users and may result in life-or-death decisions affecting the subject person. However, there is no indication that the proposed sharing of information would address the issues of identification.

There can be no doubt that there should be a flow of information amongst health providers. However, there has been little or no public debate about what information should be contained in the flows and what rights over the information are retained by the patient.

General Practitioner Access to Hospital Data

From the description of the pilot, the flow of information to GPs from hospitals is to be achieved by allowing GPs to access the internal hospital information systems.

Four GPs also have direct access to the hospital's electronic database, allowing them to access the records of all patients registered with their primary health organisation, or any other patient for whom they have a National Health Index number.
Implicit in this is:
  1. It is OK for GPs to access information held in the hospital's electronic database for any patient; not just those registered with their PHO. Hypothetically, a fishing expedition could be mounted using the 12,567,273 valid NHIs.
  2. A GP would have legitimate access to the records of any hospital by having a single patient in common between PHO and Hospital. Given the concentrations of population and specialist medical services in NZ, the health records of a large proportion of people will be open to many GPs.
  3. If a patient is referred to a hospital by a GP, the GPs within the PHO have access to that patient's information from the hospital's electronic database regardless of the patient's wishes.

There is a clear risk arising from this. Information that might reasonably be expected to be a matter between the patient and someone with a direct clinical responsibility of care of the patient, will be available to a wider audience which degrades the privacy of the individuals involved.

Potentially, well defined electronic information systems and data-interchange services can enhance privacy and security.
Mr Cook [CIO] said electronic patient information systems were "more secure" than paper-based ones because access could be controlled and audited.
Those of us with even limited contact with public/civil service or legal organisations will have come across "the Registry", where access to paper-based records is managed according to right or need to know. Electronic systems may be more cost-effective, but they are not inherently more or less secure than the paper-based ones they replace. Note also the word "could" in the quotation. Actual control and audit of information retrieval is often omitted from electronic retrieval systems, perhaps because IT people assume that every part of the system will be used in the intended fashion; an audit trail that nobody reviews, or that cannot tell a legitimate retrieval from a fishing expedition, controls nothing. An assertion from the CIO that access to information "will be controlled and audited" would be more comforting.
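As an added example, not part of the original post or of the Hutt Valley pilot, here is what "controlled and audited" would have to mean in practice: an access log that is actually checked against the enrolment and referral data that justify a retrieval, and watched for the volume pattern a fishing expedition over NHIs would leave. The access log, enrolment table, referral list, NHIs and field names below are all constructed for illustration; the pilot's real record layout is not known.

```python
"""Audit of clinical-record retrievals (added example; constructed data).

Two checks a hospital could run over its access log:
  1. out-of-enrolment access: a GP reads the record of a patient who is
     neither enrolled with the GP's PHO nor referred by that GP;
  2. volume anomaly: one login reads far more distinct patients than its
     peers, the shape a "fishing expedition" over NHIs would take.
Field names (gp, pho, nhi, ts) are assumptions, not the real system's.
"""
from collections import defaultdict
import statistics

# Constructed enrolment table: NHI -> PHO the patient is enrolled with.
ENROLMENT = {
    "AAA0001": "pho-hutt", "AAA0002": "pho-hutt", "AAA0003": "pho-hutt",
    "BBB0001": "pho-wgtn", "BBB0002": "pho-wgtn",
}
# Constructed referrals: (gp, nhi) pairs where that GP referred the patient.
REFERRALS = {("dr-kim", "BBB0001")}

# Constructed access log: one entry per record retrieval.
ACCESS_LOG = [
    {"ts": "2007-07-25T09:01", "gp": "dr-kim", "pho": "pho-hutt", "nhi": "AAA0001"},
    {"ts": "2007-07-25T09:05", "gp": "dr-kim", "pho": "pho-hutt", "nhi": "AAA0002"},
    {"ts": "2007-07-25T09:07", "gp": "dr-kim", "pho": "pho-hutt", "nhi": "BBB0001"},  # referred: justified
    {"ts": "2007-07-25T09:09", "gp": "dr-kim", "pho": "pho-hutt", "nhi": "BBB0002"},  # not enrolled, not referred
    {"ts": "2007-07-25T10:00", "gp": "dr-lee", "pho": "pho-hutt", "nhi": "AAA0003"},
    {"ts": "2007-07-25T10:01", "gp": "dr-ng",  "pho": "pho-wgtn", "nhi": "BBB0001"},
    {"ts": "2007-07-25T10:02", "gp": "dr-ng",  "pho": "pho-wgtn", "nhi": "BBB0002"},
    # dr-ng then walks through NHIs that are not enrolled with anyone.
    *[{"ts": f"2007-07-25T10:{m:02d}", "gp": "dr-ng", "pho": "pho-wgtn", "nhi": f"CCC{m:04d}"}
      for m in range(3, 40)],
]


def out_of_enrolment(log, enrolment, referrals):
    """Return the accesses with neither an enrolment nor a referral behind them."""
    flagged = []
    for entry in log:
        enrolled_pho = enrolment.get(entry["nhi"])
        justified = enrolled_pho == entry["pho"] or (entry["gp"], entry["nhi"]) in referrals
        if not justified:
            flagged.append(entry)
    return flagged


def volume_outliers(log, factor=3.0):
    """Return GPs whose distinct-patient count exceeds `factor` times the median."""
    patients = defaultdict(set)
    for entry in log:
        patients[entry["gp"]].add(entry["nhi"])
    counts = {gp: len(nhis) for gp, nhis in patients.items()}
    median = statistics.median(counts.values())
    return {gp: n for gp, n in counts.items() if n > factor * median}


if __name__ == "__main__":
    for e in out_of_enrolment(ACCESS_LOG, ENROLMENT, REFERRALS):
        print("unjustified access:", e["ts"], e["gp"], e["nhi"])
    print("volume outliers:", volume_outliers(ACCESS_LOG))
```

The first check is only as good as the enrolment and referral data it is fed, which is why the pilot's statement that a GP may read "any other patient for whom they have a National Health Index number" matters: a rule that accepts a bare NHI as justification has nothing to audit against.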

The privacy requirements do not seem to have been sufficiently addressed.

However, Otago University's bioethics centre director, Donald Evans, said ....

"My concern is, if patients become aware that information given on a confidential basis to their GP is likely to be shared with other people, it destroys the relationship of trust; people will be reluctant to be honest with their doctors; and quality of care will be compromised."

I suggest that the patients' concerns may be associated with any consultation, not just with the GP. It may not be a good thing medically, but there will be reasons for not sharing information from a specialist consultation with a particular GP. We can debate whether the information belongs to the clinician or the patient, but passing information about the patient to third parties should generally be controlled by the patient.

Monday, 14 May 2007

Myth and Chips

"Super Gold Card" Issue

Privacy and security hit the broadsheets briefly as the NZ government introduced legislation including microchips in a new entitlement card. The Press reported:

Senior citizens looking forward to their Super Gold entitlement cards have been warned that microchips in the cards could expose them to identity theft and illegal monitoring.

Privacy Commissioner Marie Shroff said yesterday the possible use of the microchips had "far-reaching implications" that must be explored thoroughly before introduction. "Security is a real issue, both for the data stored on the cards and the risk of identity theft."

Under an agreement with New Zealand First leader Winston Peters, the Government plans to make the cards available from August.

They will be sent to people receiving New Zealand superannuation or a veteran's pension, and will provide what Peters calls "meaningful discounts" on a range of goods and services.

However, Shroff said a comprehensive assessment of privacy impacts should be undertaken before decisions were made on whether to introduce smart card technology as part of the scheme.

"A microchipped card may mean many things, especially if it is also used as an identity card for commercial purposes, perhaps with a unique identifying number for each person."

The actual statement of the Privacy Commissioner is more reasoned:

A possible micro chipped SuperGold card has some far-reaching implications that need to be explored thoroughly before a final decision is made. I understand the government intends to do that.

Our office has contributed to the policy discussions and our consistent position has been that a comprehensive assessment of privacy impacts should be undertaken before decisions are made on whether to introduce smart card technology as part of the SuperGold card.

Micro chipped smart cards have not been widely used by state sector agencies in their dealings with the New Zealand public. I am not opposed in principle to the use of smart card technology, but I believe introduction needs to be preceded by a proper assessment of the implications and an opportunity for public debate on the issues.

A micro chipped card may mean many things – especially if it is also used as an identity card for commercial purposes, perhaps with a unique identifying number for each person. There is the potential for ‘function creep’ - where the card ends up being used for far more than was originally intended. Security is a real issue – both for the data stored on the cards and the risk of identity theft.

There appears to be special emphasis being placed on micro-chipped or smart cards. Introduction of an identifying card that is to be widely used by a large proportion of the population (approximately 1 in 8) has serious privacy issues regardless of the smarts in the card, and that proportion of the population is also clearly segmented by age, which makes the identity information on it more significant. A number like those printed on credit cards would plainly meet the undesirable criterion of a unique identifying number, but in a population as small as New Zealand's the full name alone, combined with the narrow age range implicit in a pension entitlement, is enough to correlate uses of the card without any number at all. The widespread use of a national identity card within New Zealand does not have much support. Introducing an identity card with national coverage for a significant proportion of the population seems likely to have the same perceived downside.

Technical Issue

Technically, the micro-chip provides the means to secure the data and protect the privacy of the holder. Only with micro-chips and a selective disclosure regime is the privacy, that is apparently an issue for a few politicians around here, going to be maintained.

Selective Disclosure is a cryptographic means of ensuring that the individual retains control over personal identifying data. Ben Laurie provides a useful technical overview of the subject in his recent paper [LAURIE].

If the requirement is for the card to demonstrate that an entitlement exists, a micro-chipped card can provide confirmation of the entitlement without revealing any other data that could be used for correlating the use of the card with an individual. That is, the use of the card says it represents a pensioner and not that a uniquely identified person is a pensioner nor is the usage necessarily associated with a uniquely identified individual.
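The following is an added example, not code from the original post or from Laurie's paper, of the simplest selective disclosure construction: the issuer commits to each attribute as a salted hash, signs the list of commitments, and the holder reveals only the salt and value of the one attribute a merchant needs. It also shows the limit of this simple scheme, which is the second half of the point above: the signed commitment list is itself a constant token, so two merchants comparing notes can tell the presentations came from one card even though they never learn a name. Unlinkable presentations need the kind of scheme Laurie and Brands describe. The issuer key, attribute names and values are constructed, and an HMAC stands in for a real issuer signature because the Python standard library has no asymmetric signing (a consequence is that this verifier must hold the issuer key; a real one would hold only the public key).

```python
"""Salted-hash selective disclosure (added example; constructed data).

Issuer: commit(salt, name, value) = SHA-256(salt || name || "=" || value)
        for every attribute, then sign the sorted list of commitments.
Holder: present the commitments, the signature, and the salt + value of
        just the attribute being proved ("pensioner").
Verifier: check the signature over the commitment list, re-derive the one
        disclosed commitment and confirm it is in the list.
The HMAC below is a stand-in for a real digital signature.
"""
import hashlib
import hmac
import secrets

ISSUER_KEY = b"constructed issuer key; stands in for a signing key"


def commit(salt: bytes, name: str, value: str) -> str:
    return hashlib.sha256(salt + name.encode() + b"=" + value.encode()).hexdigest()


def sign(commitments: list) -> str:
    return hmac.new(ISSUER_KEY, "|".join(commitments).encode(), "sha256").hexdigest()


def issue(attributes: dict) -> dict:
    """Issuer side: build the credential the card would hold."""
    salts = {name: secrets.token_bytes(16) for name in attributes}
    commitments = [commit(salts[n], n, v) for n, v in sorted(attributes.items())]
    return {"attributes": attributes, "salts": salts,
            "commitments": commitments, "signature": sign(commitments)}


def present(credential: dict, disclose: str) -> dict:
    """Holder side: reveal one attribute; the rest stay as opaque commitments."""
    return {"commitments": credential["commitments"],
            "signature": credential["signature"],
            "disclosed": {disclose: (credential["salts"][disclose].hex(),
                                     credential["attributes"][disclose])}}


def verify(presentation: dict, required: tuple) -> bool:
    """Verifier side: is the disclosed attribute genuinely issuer-attested?"""
    if not hmac.compare_digest(sign(presentation["commitments"]), presentation["signature"]):
        return False  # commitment list was not issued as presented
    name, value = required
    if name not in presentation["disclosed"]:
        return False  # the attribute the verifier needs was withheld
    salt_hex, shown = presentation["disclosed"][name]
    if shown != value:
        return False
    return commit(bytes.fromhex(salt_hex), name, value) in presentation["commitments"]


def linkable(p1: dict, p2: dict) -> bool:
    """The caveat: the signed commitment list never changes, so any two
    verifiers can match presentations from the same card without a name."""
    return p1["signature"] == p2["signature"]
```

A merchant terminal learns only "pensioner = yes"; the name and date of birth remain behind their commitments. What it also gets, for free, is a stable identifier for the card, which is exactly the correlation the Privacy Commissioner's "unique identifying number" warning is about.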

Barbara Stewart, MP introduced the subject in parliament (available in this podcast of Question Time for 10th May). Reference was made by the minister (Rt Hon. Winston Peters) to the use of micro-chips in NZ passports protecting the individual. By inference, the usage in passports was held to justify their use elsewhere. Actually, the chip in a passport carries the same identifying data as the printed page, and the cryptography on it (passive authentication) only assures the integrity and issuer origin of that data; it provides no protection of the individual and does not withhold the identifying information from anyone able to read the chip.

Call for Wider Debate

Listening to the issues discussed in parliament does not give me confidence that a reasoned approach will come from there. Judith Collins, MP even confused the issue of physically inserting microchips into dogs with the use of microchips in the super gold card. However, I am sure that wider discussion of both the personal privacy issues and the technological protection of personally identifying data is required before unnecessary exposure becomes routine.

  • Citizens should be opposed in principle to identity cards without smart card technology.
  • The smart card technology should be implemented to utilise selective disclosure where identity cards are implemented electronically.
  • Reference can usefully be made to Kim Cameron's Laws of Identity [CAMERON] to review the usage of identity information in the context of the super gold card.


[LAURIE] Laurie, B; Selective Disclosure (v0.2); May 2007
[CAMERON] Cameron, K; The Laws of Identity

Tuesday, 8 May 2007

Secure User Identification

Stefan Brands tackles the thorny problem of user identification without unnecessary privacy loss in a very readable paper (with pictures). It seems to offer a greater level of privacy than, for example, the New Zealand Government Logon Service, which is targeted at the same risks of exposure.
Apart from Government, there are other arenas where there are compromises to user privacy. In the Health Sector, collating health records into a common picture may be seen as an administrative convenience, a medical necessity and for the 'common good'. However, labelling everyone with a common identity (in NZ the NHI ) has the same potential for privacy loss and the consequential bad things happening as it does within the wider government arena.
There are of course laws covering who has access to what information in the government and health sectors but that does not prevent accidental exposure or covert action.
There are legitimate reasons for the statistical correlation of data about people (especially in the health sector); how to allow this without a common identifier is probably worth a bit of study. Otherwise, the potential need for statistics will be an overpowering argument for a single digital identity.
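One answer to that study question, shown here as an added example that is not from Brands' paper or from any NZ health system, is a purpose-bound pseudonym: a keyed hash of the NHI under a key held for one study. Every record for one patient gets the same pseudonym inside that dataset, so counts and correlations still work, while a different key for another study produces pseudonyms that cannot be joined to the first without the keys. The NHIs, keys and records below are constructed.

```python
"""Purpose-bound pseudonymisation for statistics (added example; constructed data).

pseudonym(nhi, study_key) = HMAC-SHA256(study_key, NHI), truncated.
The hash is keyed because the NHI space is small (the post above puts it
at roughly 12.5 million valid values): an unkeyed SHA-256 of an NHI could
be reversed simply by hashing every possible NHI. The key is the control:
it stays with the data custodian, not with the researchers.
"""
import hashlib
import hmac

# Constructed clinical records; the same NHI appears twice (two visits).
RECORDS = [
    {"nhi": "AAA0001", "diagnosis": "asthma"},
    {"nhi": "AAA0001", "diagnosis": "asthma"},
    {"nhi": "AAA0002", "diagnosis": "asthma"},
    {"nhi": "BBB0001", "diagnosis": "diabetes"},
]


def pseudonym(nhi: str, study_key: bytes) -> str:
    """Deterministic per study, unlinkable across studies without the keys."""
    return hmac.new(study_key, nhi.upper().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, study_key: bytes):
    """Replace the NHI in each record with the study-specific pseudonym."""
    out = []
    for record in records:
        record = dict(record)               # do not mutate the custodian's copy
        record["pid"] = pseudonym(record.pop("nhi"), study_key)
        out.append(record)
    return out


def patients_per_diagnosis(records):
    """Statistics still work: distinct (pseudonymous) patients per diagnosis."""
    seen = {}
    for record in records:
        seen.setdefault(record["diagnosis"], set()).add(record["pid"])
    return {diagnosis: len(pids) for diagnosis, pids in seen.items()}


def linkable_across(dataset_a, dataset_b) -> bool:
    """Can the two released datasets be joined on the pseudonym column?"""
    return bool({r["pid"] for r in dataset_a} & {r["pid"] for r in dataset_b})
```

The repeat-visit patient is counted once, as the statistics require, yet a researcher holding the asthma study cannot find the same person in a separately keyed diabetes study. Whoever holds both keys can, which is why key custody, not the hash, is where the privacy argument has to be had.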

Thursday, 26 April 2007

What is an Architect?

I participated in two meetings in two weeks that addressed the question "What is an Architect?"
Mark Carroll and Darryl Chantry of Microsoft got the Wellington Microsoft Architects' forum thinking about what was needed to develop an architect. Horia Slusanschi led a lively discussion about Enterprise Architecture at the NZ Chapter meeting of the Association of Enterprise Architects.

A stumbling block for Microsoft's approach clearly was the lack of definition of what an architect was or should be. Although Darryl started with a view from the Greeks and history that architecture is about aesthetics, there seemed a split between a desire for certification of ability to construct solutions from Microsoft components; and capability to take on a wider vendor agnostic perspective.

Horia presented a choice for EA "Just technology, or the works?". Although some of those present with EA in their job title were clearly limited to the technology arena, there appeared to be a consensus for EA going well beyond technology application. The functions of EA are mainly strategic and addressing technology alone misses the point of why the technology matters at all.

When I started in IT 37 years ago we had the distinct jobs of Programmer and System Analyst. The programmer role was defined in some detail but the system analyst could best be described as "everything that the programmer did not do". Those may have been the bad old days but I think that a similar situation has arisen with the "architect" job. There are a myriad of specialist functions that are defined in some detail, generally around the arcana of some product or vendor strategy and there is the role that joins it up. As specialisations evolve (security, information, etc) there is a tendency to give the label of "architect" to the job or role that makes it all hang together.

There certainly is a wealth of information on MSDN and the related Microsoft sites, but it is lacking in structure and it is difficult from there to determine what a complete architecture (enterprise, solution, infrastructure or ...) would be made up of, in Microsoft terms or vendor-agnostic terms. Some consistency in terms would help ... Strategic Architecture or Enterprise Architecture?

I recommend a look at A Better Path to Enterprise Architectures by Roger Sessions (one of the online copies has broken links; avoid it).

Certification was a hot topic for Microsoft. At $10,000 a time, it must look like an interesting revenue stream. Until the role is specified in terms of what is included rather than the 'any other business' present situation there is dubious value in a certification.

It will be interesting to follow these initiatives.

Wednesday, 18 April 2007

Wireless hijacking under scrutiny

Following on the heels of the report of the District Health Board insecurely providing access to its network through its wireless service....

Just in case you think there should be a law against it, there is! Accessing other people's networks seems pretty well covered in New Zealand by section 249 (Accessing computer system for dishonest purpose) of the Crimes Act 1961, Part 10 Crimes against rights of property (ss 217 to 305); section 252 (Accessing computer system without authorisation) covers access where no dishonest purpose is involved. The Act shows the forethought of the legislators in describing a computer system by

computer system
(a) means—
  (i) a computer; or
  (ii) 2 or more interconnected computers; or
  (iii) any communication links between computers or to remote terminals or another device; or
  (iv) 2 or more interconnected computers combined with any communication links between computers or to remote terminals or any other device; and
(b) includes any part of the items described in paragraph (a) and all related input, output, processing, storage, software, or communication facilities, and stored data.

The BBC reports a British case in which Gregory Straszkiewicz had "piggybacked" on a wireless broadband network of a local Ealing resident, using a laptop while sitting in his car and was fined £500 and sentenced to 12 months' conditional discharge.

The penalties here in NZ (up to 7 years imprisonment) may discourage wholesale assaults on WiFi networks as a pastime but do not absolve the network owner from taking precautions.

The same report also addresses the issue of responsibility for what was done by the unauthorised user of the network where the network is inadequately protected.

"There have been incidences where paedophiles deliberately leave their wireless networks open so that, if caught, they can say that is wasn't them that used the network for illegal purposes," said NetSurity's Mr Cracknell.

Such a defence would hold little water as the person installing the network, be they a home user or a business, has ultimate responsibility for any criminal activity that takes place on that network, whether it be launching a hack attack or downloading illegal pornography.

So, if you expose your network deliberately or by negligence to a bad person who manipulates it (perhaps by a denial-of-service attack) so that bad things happen to others, you could carry the can for it legally as well as morally.

Kim Cameron touched on the issue of responsibility for preventing bad people doing things in your name or through your means
There was a security flaw in WordPress 2.0.1 that was exploited to post something in my name.

By what logic was I responsible for it? Because I chose to use WordPress - along with the other 900,000 people who had downloaded it and were thus open to this vulnerability?

I guess, by this logic, I would also be responsible for any issues related to problems in the linux kernel operating underneath my blog; and for potential bugs in MySQL and PHP. Not to mention any improper behavior by those working at my hosting company or ISP.

Clearly this is unlikely to be a black/white issue but a matter of judgement on what the reasonable person could be expected to do in the circumstances.

Friday, 13 April 2007

Health Information Exposed

A scary report from an organisation responsible for the health information of 5% of New Zealand.

An anonymous “war driver” has told Computerworld that it’s possible to access internal systems through the wireless service run by the Otago District Health Board (ODHB). As a result, the Dunedin hospital authority may have to review the security arrangements relating to its wi-fi pilot.
The ODHB’s acting CIO, John Tolchard, says the need to achieve a balance between security and cost-effectiveness was behind the choice of WEP. There are always trade-offs between security and complexity for users, he says.

Tolchard asks: with the WEP key cracked, “then what would he [the attacker] do?”

According to Tolchard, all the systems on the ODHB’s network are password-protected and only select users who need access — and who attend a training programme — get logins. There is no way anyone could access confidential information, such as patient records, without a valid username and password, he says.[my emphasis]
Yeah right! as they say around here. Generously assuming that any brute-force attack on those passwords would be detected and foiled, a network whose WEP key has been recovered can be sniffed to collect the user IDs and passwords of the "select users" as they log in, or to passively collect whatever information legitimate users are handling. Aside from that, it would appear possible to mount denial-of-service attacks on the internal network or, worse, subvert network components.

As George Ou reported way back in March 2005, any WEP-based network, with or without dynamic WEP keys, can now be cracked in minutes!
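To make concrete why "everything is password-protected" is no answer once the link itself is weak, here is an added example (not from the Computerworld report or from George Ou's article) of the WEP design flaw that costs nothing to exploit: each frame is encrypted with RC4 under the 24-bit initialisation vector (sent in clear) concatenated with the shared key, so IVs repeat after a few thousand frames, two frames under one IV share a keystream, and an attacker who knows one plaintext (protocol headers, a login prompt) reads the other without ever recovering the key. The shared key, IV and frame contents below are constructed, and the CRC-32 integrity value that real WEP appends is left out for brevity.

```python
"""WEP keystream reuse (added example; constructed key, IV and frames).

Frame body = IV (3 bytes, in clear) || RC4(IV || shared_key) xor data.
With the IV space only 2^24 wide, reuse is a matter of time, and
C1 xor C2 = P1 xor P2 for any two frames sharing an IV.
"""
import math

SHARED_KEY = bytes.fromhex("0badc0ffee")            # constructed 40-bit WEP key
IV = b"\x01\x02\x03"                                # constructed, reused IV
KNOWN = b"GET /patient/record HTTP/1.0"             # plaintext the attacker can guess
TARGET = b"user=nurse1&pass=Winter07"               # constructed login exchange


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes: key scheduling, then generation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Access point / station side: WEP-style frame body (ICV omitted)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + xor(rc4(iv + shared_key, len(plaintext)), plaintext)


def recover_from_iv_reuse(frame_known: bytes, known_plaintext: bytes,
                          frame_target: bytes) -> bytes:
    """Sniffer side: two frames with the same IV plus one known plaintext
    yield the other plaintext (up to the known frame's length). No key needed."""
    if frame_known[:3] != frame_target[:3]:
        raise ValueError("IVs differ; the keystreams are not shared")
    keystream = xor(frame_known[3:], known_plaintext)
    return xor(keystream, frame_target[3:])


def p_iv_repeat(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats in `frames`."""
    space = 2 ** iv_bits
    return 1 - math.exp(-frames * (frames - 1) / (2 * space))


if __name__ == "__main__":
    f_known = wep_encrypt(SHARED_KEY, IV, KNOWN)
    f_target = wep_encrypt(SHARED_KEY, IV, TARGET)
    print("recovered:", recover_from_iv_reuse(f_known, KNOWN, f_target))
    print("P(IV repeat after 5000 frames) = %.2f" % p_iv_repeat(5000))
```

Around five thousand frames, a few minutes of a busy ward's traffic, is already better than even odds of a repeated IV; the key-recovery attacks Ou describes are the faster route, but this one needs nothing more than patience and a known protocol header. Either way the "valid username and password" the CIO relies on travels over the same link.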

While I can have some sympathy with an organisation caught with its guard/pants down in this way, there is incredible naivety shown in the report. We may debate the value of information revealed by illicit access to networks or services and the loss an individual may face when medical information is exposed and therefore establish what is to be traded-off. However, loss of confidence in the medical provider's security of information may have the fundamental outcome of people simply not trusting the organisation as a whole.

The legalese that covers the issue in NZ is contained in the Health Information Privacy Code 1994:

Rule 5 Storage and Security of Health Information
(1) A health agency that holds health information must ensure:
  (a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against:
    (i) loss;
    (ii) access, use, modification, or disclosure, except with the authority of the agency; and
    (iii) other misuse;

Perhaps it is time that the protection of information here in New Zealand had the visibility and force of law in the manner of HIPAA in the USA. Then boards and officers would have it brought home to them that protection of information is a requirement and not an optional extra.

Tuesday, 10 April 2007

Sleepwalking into a surveillance society

Nice to see the issue of privacy hitting the front page of the capital's press (Dominion Post, 10 April 2007). It was a pretty quiet Easter!
Our Privacy commissioner Ms Shroff told The Dominion Post New Zealand could expect to follow the same track (as the UK). "What happens in the UK is probably going to happen here tomorrow," she said. "We're the same sort of society."

What a horrible thought! Apart from the cameras, the UK appears to be aiming at universal monitoring of vehicle location and fingerprinting of children to control the lunchtime turkey twizzler rations.

Technology is certainly well in advance of the general understanding of the issues involved in all this surveillance capability.

Are you the same Richard Gray?

Kim Cameron summarises some thoughtful comments from Richard Gray on identity and authorisation spread over Jon Udell's blog and Kim's own. Richard notes on Jon Udell's blog:
As you don’t have CardSpace enabled here, you can’t actually verify that I am the said same Richard from Kim’s blog.
But without Kim's co-operation Jon could not verify that the same Richard presented the same or equivalent credentials using CardSpace. A third party would require co-operation from both Jon and Kim to verify that it was the same Mr Gray. This appears to be the case even if he used the same managed card from an Id Provider trusted by all the parties.
I think we need to explore this use-case further.

Monday, 2 April 2007

Biometric Identification

Kim Cameron is doing a nice job of keeping both the technical and social implications of fingerprinting or other biometric identification visible so that we do not get led astray by the relative ease of delivering a biometric identification system. Way back when I was designing systems for IBM360s and the like, identification of people for the systems was always a significant part of the work and often we would call for everybody to be tattooed with a bar code at birth. Somehow this never caught on... damn liberals! Now we have extremists in governments of significance who have brought gunboat diplomacy to new levels and who view state collection of information about the individual as a natural part of keeping the world safe.
It may not be clear what the issue is ... why shouldn't governments, law enforcement, and lunch monitors require you to be registered on a database of good guys (or bad guys) in order for you to receive your rights or go about your lawful business? Even if the systems were 100% trustworthy and secure, governments; law enforcement officers; and lunch monitors certainly are not.
In The Honest Truth on Biometrics in Schools (but not the whole truth), Mitch Johns states:

How do school lunch biometric systems work and do they protect privacy?
In most school lunch biometric systems, students place a forefinger on a small fingerprint reader by the register. In seconds, the system translates the electronic print into a mathematical pattern, discards the fingerprint image, and matches the pattern to the student’s meal account information. Food Service Solutions (FSS) biometric software, for example, plots 27 points on a grid that correspond with the fingerprint's ridges to achieve positive identification, but saves no actual fingerprint image.
When school lunch biometric systems like FSS's are numerically-based and discard the actual fingerprint image, they cannot be used for any purpose other than recognizing a student within a registered group of students. Since there's no stored fingerprint image, the data is useless to law enforcement, which requires actual fingerprint images. As there’s no way for any fingerprint or computer expert to extract a record and reconstruct a person's fingerprint image from purely numerical data, privacy is protected.

Kim gives him the benefit of the doubt
I hope your statement is the product of not having thought through the potential uses ...

I think it is straightforward marketing obfuscation. A concern is admitted and addressed, as though it is the only possible concern (in this case that someone will reconstruct a fingerprint from the stored data). This distracts from the other issues that cannot be so easily dealt with.

Strictly the fingerprint expert compares an unknown fingerprint with a known and states that they are the same on the basis of similarity across a number of points. The more points of similarity, the more likely the identification. Where the bulk of the population is fingerprinted conventionally or through DNA, a system could be devised to provide a subset that includes the target of an investigation to a very high degree of probability. The size of the subset is determined by the confidence that you wish to have in stating that the target is inside. In the fictional world of CSI, we would see this happening in the twinkling of an eye with only a few false arrests but in the real world, we can expect some serious cock-ups as police, security, librarians and lunch monitors react to False Rejects or False Accepts of the identity.

The use of an encrypted biometric does address the issue of law enforcement scooping up large sections of the population on the basis that there is a 50% chance that the bad guy is in the scoop but encrypted biometric systems must be implemented with a very high level of integrity and trust. Certainly relying on a school to manage the acquisition and storage of such sensitive data as identity is not sensible. We barely trust schools to do their core business of teaching.

Thursday, 15 March 2007

Surfacing SOA by leveraging composite applications

At the Microsoft Architects dinner in Wellington, Richard Hook gave us some hope that SOA and BPM may be accessible through the familiar MS Office. With a highly professional borrow from The Devil Wears Prada, perhaps the ultimate in product placement movies, Richard showed how workflow could be done.
Unfortunately, we do not seem to be at the stage where development of business process is a natural part of doing the business. So the Miranda, Andy, Emily and Nigel roles in this brave new world would still be chained to a business process designed and built by some super business analyst, developer, implementation team.
A lesson that could have been taken from the movie itself is that the people who do the job are the key part of a successful business process. Empowering them to develop or extend the processes that they are involved in is essential to avoid missing large chunks of what actually goes on in a business. I suggest that offering them a Visual Studio-like workbench is not going to be the answer and neither are we likely to spawn enough process development experts for it to successfully occur in the background. In the real world, the people at the sharp end of the business are innovating all the time. This can be seen in the unhappy state of spreadsheets and Access databases dotted around shared filestore or "C: drives" in government and major businesses. The data in these repositories is essentially hidden from management dashboards and reporting tools but is arguably the very data that demonstrates how the business is operating.
After all the standards work done in expressing business process (BPMN, BPEL ...), the means of changing a bit of XML that represents the executing process does not seem a big ask.
Of course there is a fairly entrenched IT world out there with waterfall development, change control and other reasons for not doing things. It is hard enough to get the idea across that the business analysts might work with the same toolset as the developers to shorten the solution development process.
Certainly, if an organisation is wedded to MS Office, it is reasonable to take on all it offers as SOA componentry at the much-neglected user interface layer. For looser arrangements, the Office 2.0 world combined with a process execution engine may be a viable alternative for developing dynamic business processes where change can be effected on the shop floor rather than in the ivory tower of IT or process improvement departments.

Monday, 12 March 2007

Data Protection Rules (no more)

Alan Travis in the Guardian, reports on a disturbing change in the handling of information in the UK .

The change is to allow widespread data sharing between public and private sectors for the first time in the name of tackling fraud.

The serious crime bill, which also proposes so-called "super Asbos" to target criminal masterminds, will allow public and private sector anti-fraud agencies to access personal financial information, including pay, tax, pension and benefit records held across the public sector.

The legislation follows a decision by the cabinet last summer to overturn the basic data protection principle that personal information provided to a government department for one purpose should in general not be used for another. Instead ministers have reversed the principle so "information will normally be shared in the public sector, provided it is in the public interest".

As we in New Zealand have the same underlying principles enshrined in our data protection provisions that the UK has overturned, we may see some opportunist shifting of the rules here. It is difficult to argue against any measure labelled anti-crime, anti-terror or anti-rape, but much intellectual effort went into the framing of the Privacy Act and its associated regulations and practices; serious consideration of the issues and public debate should take place before any similar action is taken in NZ.

Monday, 5 March 2007

Case Management

Bruce Silver asks, and provides an answer to, the question What is Case Management? in his blog BPMS Watch .

To me, case management is about the organisational responsibility for dealing with a problem. IT people and increasingly, business process experts like to believe that the business problems can be modelled and coded so that the solutions are just waiting for an instance of the well known problem to arise. However, the essence of dealing with problems presented by real people is the need to adjust the process to the problem at hand within the current instance.

Whether the case is provisioning to a customer, delivering an entitlement or meeting a contract, innovation in the process is a desirable state of affairs.

For any 'case' we need to be able to answer ... Who has the ball? What is the plan? Where are we up to in the plan?

In some cases, the ownership of the case may be accepted with the understanding that the owner has to decide how best to deal with the problems presented (the health 'business' is an example of where the activities within the case may be novel and certainly the treatment plan may be a unique arrangement of activities).

Case management could be regarded as

  1. Problem Manager Accepts Case ;
  2. Problem Manager Chooses or Develops a problem resolution process;
  3. Problem Resolution Process;
  4. Problem Manager Closes The Case.

A more general view suggests that the process path to the final outcome of a case is dependent on more than one development of a new problem resolution process
  1. Problem Manager Accepts Case ;
  2. Loop until resolved
    1. Problem Manager Chooses or Develops a problem resolution process;
    2. Problem Resolution Process;
    3. Problem Manager determines whether problem is resolved;
  3. Problem Manager Closes The Case.

Case Management adds value if the subject (customer; social welfare beneficiary; medical patient; legal complainant) and the organisation can identify where they are in the resolution process.

A BPMS supporting this aspect of case management would need to treat the process design and development as a piece of normal business. Ideally the business of the process designer is handled in the same way as any other aspect of the organisation business

  • Define a new (executable) process, message, document
  • Manage the delivery of a process into the execution arena
  • View the current state of cases through a developing business process in management dashboard and other reporting tools
  • Support cases within cases (if it turns out that a case is something distinct from a business process)

Given the preponderance of Visual Studio and similar developer workbench approaches to solution development, a fairly radical change seems to be required from the BPMS providers.

There are some real advantages to be gleaned from treating business process innovation as a normal part of business in the BPMS toolset as well as the business.

  • The ability to change is inherent in day to day processes;
  • The paralysis associated with the need to analyse everything in great depth and through vast numbers of future scenarios can be avoided.
  • Case managers do not lose sight of what is actually happening, because the process management and reporting systems actually deal with what would otherwise be an exception case.
  • Process designers can use the standard BPMS tools to understand the 'as is' processes because they are not hidden in ad hoc spreadsheets and MS Access databases