Showing posts with label Privacy. Show all posts

Sunday, 17 November 2013

Keeping information within the domain

Google Apps administrators have some useful controls and tools to track where documents are being shared. Often there is a fundamental policy about sharing outside the domain (for example, to limit exposure of privileged or private information).
An administrator can set up the Drive app to prevent sharing beyond the domain.
Note that this does not revoke existing shares! If you are closing off a loophole in your security, then you can discover the documents and files that have been shared publicly (beyond the domain) using a script or custom app like the General Audit Tool.
This also provides a means of enabling sharing of documents and files by exception. Keep the domain normally secured so that users cannot share outside the domain but open the gate briefly to share a document or folder publicly and then close it again. This is handy if you want to use Google Drive Hosting on an otherwise closed domain.
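A sketch of the discovery step described above, added here as an example and not taken from the original post or from any audit tool. It assumes file metadata has already been exported in the shape of Drive API v3 permission records (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`); the domain name and file records are constructed.

```python
"""Flag Drive files whose sharing reaches beyond the home domain.

Each file record carries a `permissions` list shaped like Drive API v3
permission resources. All records below are constructed sample data.
"""

HOME_DOMAIN = "example.org"  # assumption: placeholder for your own domain

# Exposure levels, ordered from least to most exposed.
INTERNAL, EXTERNAL, PUBLIC_LINK, PUBLIC_WEB = range(4)
LABELS = {
    INTERNAL: "internal",
    EXTERNAL: "shared outside the domain",
    PUBLIC_LINK: "anyone with the link",
    PUBLIC_WEB: "public on the web",
}


def classify_permission(perm, home_domain=HOME_DOMAIN):
    """Return the exposure level of a single permission record."""
    home = home_domain.lower()
    ptype = perm.get("type")
    if ptype == "anyone":
        # Discoverable files can be found by search; otherwise a link is needed.
        return PUBLIC_WEB if perm.get("allowFileDiscovery") else PUBLIC_LINK
    if ptype == "domain":
        return INTERNAL if perm.get("domain", "").lower() == home else EXTERNAL
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        return INTERNAL if email.rpartition("@")[2] == home else EXTERNAL
    return EXTERNAL  # unknown or malformed record: fail closed


def audit_files(files, home_domain=HOME_DOMAIN):
    """List files shared beyond the domain, most exposed first."""
    findings = []
    for f in files:
        worst, grantees = INTERNAL, []
        for perm in f.get("permissions", []):
            level = classify_permission(perm, home_domain)
            if level > INTERNAL:
                grantees.append(perm.get("emailAddress") or perm.get("domain")
                                or perm.get("type", "unknown"))
            worst = max(worst, level)
        if worst > INTERNAL:
            findings.append({"id": f["id"], "name": f["name"], "level": worst,
                             "exposure": LABELS[worst], "grantees": grantees})
    findings.sort(key=lambda x: (-x["level"], x["name"]))
    return findings


OWNER = {"type": "user", "role": "owner", "emailAddress": "alice@example.org"}
SAMPLE_FILES = [  # constructed
    {"id": "f1", "name": "Board minutes", "permissions": [
        OWNER, {"type": "domain", "role": "reader", "domain": "example.org"}]},
    {"id": "f2", "name": "Hosted site folder", "permissions": [
        OWNER, {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "f3", "name": "Supplier contract", "permissions": [
        OWNER, {"type": "user", "role": "writer",
                "emailAddress": "pat@supplier.example"}]},
    {"id": "f4", "name": "Payroll export", "permissions": [
        OWNER, {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
]

if __name__ == "__main__":
    for finding in audit_files(SAMPLE_FILES):
        print(f'{finding["name"]}: {finding["exposure"]} -> {finding["grantees"]}')
```

Running the same audit before and after a temporary exception confirms that only the intended file or folder remained shared once the gate was closed again.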

Monday, 4 June 2012

Privacy Watchdog with Teeth?

Let's take computer privacy breaches seriously here in New Zealand. Give the Privacy Commission some teeth and send appropriate messages to the likes of ACC.
A recent case in the UK resulted in a significant fine being levied on a National Health Trust which failed to destroy sensitive data on 1000 hard disks before releasing them. More worrying was that they thought that they could contract out of the responsibility by using a 3rd party to facilitate the disposal.
Here in New Zealand, we get investigations but no sense that responsibility for the protection of sensitive data is sheeted home to senior management. The pressure on organisations that mishandle sensitive data is reduced by the requirement that the “complainant can show that they have suffered harm” rather than that there was a breach. Only “if the harm is significant, a complainant might be able to claim that they are entitled to compensation”. Note that there is no actual entitlement to compensation nor a means of making orders like that made in the UK case. The best we can hope for is a sound drubbing of the Minister by the capital’s press but even that has been lacklustre.

Wednesday, 16 May 2012

Smart Meter Privacy

Jon Udell has raised Smart Meters up the consciousness ladder in a timely post.
Smart meters are new. But we can’t afford to think that every new technology rewrites all the rules, requiring new legislation which, as we know, can never keep pace with innovation. Here’s a powerful simplifying rule: It’s your data. That’s the default. And you shouldn’t need to be a do-it-yourselfer to assert ownership. Even if you use a utility-supplied meter, as most people will, it’s still your data.
It's your data??? I am not sure that it is so simple. It is 'their' accounting record. The meter certainly reveals something about the occupier, which is not necessarily the other party to the power company contract, and there are certainly undesirable uses for the information - for example knowing that the house has a pattern of occupation.
There needs to be an auditable protocol for dealing with the handling of the broad swathe of surveillance data from smart power meters to smart parking and CCTV but I don't think it starts with "It's my data"!
I am looking forward to the views of the NZ Privacy Commissioner on this. I would hope that some clear direction is given so that surveillance data which can be associated with individuals is treated in the same way as Personal Information and therefore covered by the privacy principles. Attaching some teeth to the principles would be good too, but one step at a time.

Tuesday, 28 September 2010

Intercepts for Facebook etc?

Computerworld seems to have woken up to this issue, which has been around the privacy community for some time.

The Obama Administration is reportedly considering a statute that would make it easier for federal authorities to intercept communications over services such as Facebook, Skype and BlackBerry -- an idea that's stoking anxiety within the privacy community.

The debate includes worthy noises about the need to eavesdrop on terrorists but does not address the trust that gets placed in the government agency.

For those of us outside the US whose communications are incidentally caught up in US service providers like Google or Skype, there is another set of considerations.
  • Does every tin-pot government agency in the world get its own feed from the communications honeypot?
  • Are we going towards a 2-level communications regime (inside and outside US regulation)?
  • While end-to-end encryption inherent in RIM's BlackBerry defeats the eavesdropper, it is easily identifiable that encryption is taking place and could lead to the assumption that the parties involved are 'evil' rather than simply private.

Those interested in privacy rights would do well to advocate end-to-end encryption of every communication to make wholesale eavesdropping ineffective until encryption scheme breaking moves forward a few more generations.

UPDATE: An expert view here from Bruce Schneier.

Friday, 17 September 2010

Security Barriers are not Enough

Lauren Weinstein commented reasonably on the Alleged Snooping at Teens' Data by Google Engineer. Yet again we are shown that technology is no match for the evilly disposed or simply stupid. You do not have to be a conspiracy theorist to understand that there is a lot of sensitive information flying around the internet or that by collating seemingly harmless data, sensitive information can be reconstructed. Points of concentration in the network (your ISP, Google, Bing and the like) increase the threat simply through the quantity of data available for analysis. Network security, database security and the strangely titled "Site Reliability Engineer" have fairly free range to see controlled information in order to do their job, but are they to be trusted? And who watches the watchers?

The trusted person does not have to be in the shadows. There are plenty of jobs where an authorised person could misuse authority. Law enforcement immediately springs to mind. Generally we trust those people in law enforcement; they are checked, double checked and swear allegiance. But what do we do when people in these positions abuse the trust? In New Zealand, they get promoted!
A senior policeman caught accessing the police computer to pass on information to a private investigator working for convicted pack rapist Brad Shipton has been promoted to head the Police College's investigation and intelligence school. In 2005, then Senior Sergeant Dave Archibald was reprimanded for accessing the computer system known as National Intelligence Application during the trial of former police officers Shipton, Bob Schollum and two Mt Maunganui residents. from Dominion Post 25/08/2010
Remember that it is the information that has to be controlled and protected, and that its presence in a computer network is not the whole of its life. On the systems side we need to ensure that:
  • information is appropriately classified
  • if the information needs to be restricted to authorised parties, there are systems
      • to ensure that the information access is appropriately controlled
      • to track the handling of that information so that misuse is detected
and, out in the real world, we need to behave as though privacy and personal security matter.

Thursday, 10 September 2009

Smart Meter Privacy Issue

For the ultimate monitoring of your home life, consider the humble electricity meter now being updated to the internet age. This post covers the issue in some detail. Smart meters, like other devices that are associated with what you do, have the underlying privacy genie that, once out of the bottle, will be a devil to get back in.

Saturday, 8 August 2009

Locational Privacy

EFF (Electronic Frontier Foundation) has published a great article covering the implications that location-aware services and technology have on privacy.

Transit passes and access cards

Another broad area of application is for passcards and devices
allowing access to protected areas; for instance, passcards which allow
access to bike lockers near train stations, or cards which function as
a monthly bus pass. A simple implementation might involve an RFID card
reporting that Bob has checked his bike into or out of the storage
facility (and deducts his account accordingly), or equivalently that
Bob has stepped onto the bus (and checks to make sure Bob has paid for
his pass). This sort of scheme might put Bob at risk.

A better approach would involve the use of recent work on anonymous credentials.
These give Bob a special set of digital signatures with which he can
prove that he is entitled to enter the bike locker (i.e. prove you're a
paying customer) or get on the bus. But the protocols are such that
these interactions can't be linked to him specifically and moreover
repeated accesses can't be correlated with one another. That is, the
bike locker knows that someone authorized to enter has come by, but it can't tell who it was, and it can't tell when this individual last came by. Combined with electronic cash, there are a wide range of card-access solutions which preserve locational privacy.
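The unlinkability property in the quoted passage, shown with a Chaum-style RSA blind signature as a simpler stand-in for a full anonymous-credential scheme. This is an added example, not code from the EFF article or this blog; the class names, the single-use token design and the small fixed key are assumptions made for illustration.

```python
"""Toy RSA blind-signature pass for a bike locker or bus gate.

The operator signs a token it never sees in the clear, so a later entry
cannot be matched to the sale. Illustration only: the key is far too
small for real use and there is no padding.
"""
import hashlib
import math
import secrets

# Constructed demo key built from two known Mersenne primes.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # operator's private exponent


def token_hash(serial: bytes) -> int:
    """Map a token serial into the RSA group."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Operator:
    """Sells passes. It knows who paid, but only ever sees blinded values."""

    def __init__(self):
        self.issue_log = []  # (customer, blinded value) pairs

    def sign_blinded(self, customer: str, blinded: int) -> int:
        self.issue_log.append((customer, blinded))
        return pow(blinded, D, N)


class Gate:
    """Checks the operator's signature and rejects reused tokens."""

    def __init__(self):
        self.spent = set()
        self.entry_log = []  # what the gate learns: serials, never names

    def admit(self, serial: bytes, signature: int) -> bool:
        if pow(signature, E, N) != token_hash(serial):
            return False  # not signed by the operator
        if serial in self.spent:
            return False  # token already used
        self.spent.add(serial)
        self.entry_log.append(serial)
        return True


def buy_pass(operator: Operator, customer: str):
    """Customer side: blind a fresh token, get it signed, then unblind."""
    serial = secrets.token_bytes(16)
    while True:
        r = secrets.randbelow(N - 2) + 2  # blinding factor
        if math.gcd(r, N) == 1:
            break
    blinded = (token_hash(serial) * pow(r, E, N)) % N
    blind_sig = operator.sign_blinded(customer, blinded)
    signature = (blind_sig * pow(r, -1, N)) % N  # strips r, leaves hash^D
    return serial, signature


if __name__ == "__main__":
    operator, gate = Operator(), Gate()
    serial, sig = buy_pass(operator, "bob")
    print("admitted:", gate.admit(serial, sig))
    print("replay admitted:", gate.admit(serial, sig))
```

Each entry spends a fresh token, so two visits by the same customer present unrelated serials, and nothing in the operator's issue log matches what the gate records.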



The time has come for the unnecessary collection of personally identifying information by transport operators to stop, permanently addressing this aspect of locational privacy.

This subject surfaced briefly with the introduction of the Snapper transport payment card in Wellington but was not addressed practically by the transport operators who appear to rely on assertions of the security associated with the device rather than prevent the undesirable uses that the gathered information may be put to.

The technology required for anonymous credentials is now practical. Legislators and privacy guardians should move from wording policy statements to demanding that personally identifying information is not collected unnecessarily.

Thursday, 7 August 2008

Snapper Privacy

A thoughtful post from Alan Macdougall on the privacy implications associated with the 'low value' Snapper used for transport and other payments in Wellington.
Aside from trusting the bus company (and whoever they want to share it with) with your personal data, you may also end up sharing information with people with really bad reputations, as in the recent TradeMe case where transaction data was provided to a prisoner as a result of police action.
Creating a false identity to avoid linking a trail of your movements directly to you is actually against the terms of use of the device:
...When you order a Card, you must: provide all required information (and you must ensure that such information is complete and correct)....

Tuesday, 22 April 2008

Desktop on Demand

In "Desktop on Demand Concept looks to quash privacy issues", Desire Athow presents a new service as a solution to a privacy issue associated with web browsing...
Desktop on Demand, a remote desktop service launched by Security Firm De Futuro, aims at providing IT and document management teams with a full office suite, enhanced privacy and file sharing functionality.

The additional privacy inherent in the product is the result of a remotely hosted Web browser, which eliminates the possibility of the user's usage habits being tracked by the ISP.

"Our users surf from behind the curtain of our domain," explained Paresh Morjaria, managing director of De Futuro. "As a result, web browsing is once more anonymous. This is a huge benefit for users concerned about Big Brother peeping into their Web usage records. From here information can be derived that could negatively impact on their employment opportunities, insurance prospects or relationship with current employers."
Apart from replacing one potential Big Brother with another, the mere use of such a service could be regarded as a black mark against the individual ... if you use this you must have something to hide about your web traffic ... leaking sensitive info, porn, money laundering.

Friday, 28 March 2008

NSW Police ask public to be cameraphone cops

Vikram draws attention to a move to encourage citizens to capture crimes on their cellphones and send the information to the police in NSW. Although increasing the surveillance society normally makes me very uneasy and the police forces across the ditch (and here in NZ) are not always noted for their probity, I think that this is a step in the right direction. This is a step up from the well established 111 (911, 999 ...) call with better information content. The French have laws against recording violent crime unless you are a professional journalist, which seems a bit repressive, even for the Europeans, but there is a measure of sense in this. How about encouraging a society where it is normal to report crime to the legitimate enforcement authorities rather than publish for a dubious or prurient purpose? There is a problem however with the general capture and storage of surveillance material ... Quis custodiet ipsos custodes?

Monday, 17 March 2008

Children to be added to Britain's DNA database

Mark Townsend and Anushka Asthana in The Observer, March 16 2008 report on the burgeoning DNA database. Now the police are looking to capture data on children who might be thought by someone to be a potential future criminal.



Gary Pugh, director of forensic sciences at Scotland Yard and the new DNA spokesman for the Association of Chief Police Officers (Acpo), said a debate was needed on how far Britain should go in identifying potential offenders, given that some experts believe it is possible to identify future offending traits in children as young as five.

Saturday, 8 March 2008

Privacy and Text Communications

We appear to be facing another challenge to privacy in New Zealand which would take us further towards the surveillance society. The police are seeking the storage of all text communications to facilitate their enquiries. Fortunately, this requires a change in law and will get a bit of discussion. It is to be hoped that the Office of the Privacy Commissioner will be active in the debate.

The relevant rule applying to the retention of text data in NZ is found in the TELECOMMUNICATIONS INFORMATION PRIVACY RULES
Rule 1
Purpose of Collection of Telecommunications Information
Telecommunications information must not be collected by a telecommunications agency
unless:
(a) the information is collected for a lawful purpose connected with a function or
activity of the agency; and
(b) the collection of the information is necessary for that purpose.
Note: Except where it is itself a party to a communication, a telecommunications agency will rarely have a lawful purpose to collect the content of any telecommunication. Indeed, it is unlawful to intercept the content of a private communication in most cases (Crimes Act 1961, Part 9A). There are some limited exceptional circumstances relevant to telecommunications agencies (e.g. where acting pursuant to an interception warrant to assist the Police or SIS). Employees of network operators can, in the course of their duties, intercept telecommunications for maintenance purposes but it is an offence for an employee of a network operator to use or disclose information so obtained for unauthorised purposes – Telecommunications Act 2001, ss.114 and 115).
It is apparent that there is no technical requirement to store all texts to provide services to a party in the communication. Vodafone NZ does not do it and Telecom NZ is going to stop the practice.
Although it may be attractive to the enforcement agencies to be able to dip into a historical pool of all telecommunications in pursuit of information about possible criminals and crimes, this would be a fundamental turn-around in perception of the privacy of communications. It is ridiculous to suggest that telecommunications providers should be breaching this basic requirement of the Privacy Commissioner to be "good corporate citizens" as suggested by Police national crime manager Win van der Velde quoted in Dominion Post 8 March.

Monday, 31 December 2007

Privacy - How are we doing in New Zealand?

Just as we get embarrassed here in NZ when our clean green image is tarnished by farmers polluting streams, we should sit up and take notice when our privacy is not protected in what we assume is a 'free society'. The 2007 International Privacy Ranking from the US-based Electronic Privacy Information Center and the UK-based Privacy International does not present a pretty picture of the NZ attitude to privacy. Overall the rating represents a systematic failure to uphold safeguards. Notably, NZ is up there with the worst, leading in bad practice in communications interception.


The findings are available in PDF format by clicking here.

Wednesday, 5 December 2007

Open Information v Privacy

There is an increasing amount of personal information being collected for all manner of worthy? reasons like ensuring that health providers do not use taxpayer dollars to treat aliens. Combined with the desire for more openness in government and means to provide data rather than just the results of a conclusion there is a risk of exposure of personal information.
In the paper, Robust De-anonymization of Large Datasets (How to Break Anonymity of the Netflix Prize Dataset), Arvind Narayanan and Vitaly Shmatikov of The University of Texas at Austin describe the problem; show a general method of de-anonymizing statistical data and demonstrate its use in an area where the participants were under the impression that their information was anonymous.
Datasets containing “micro-data,” that is, information about specific individuals, are increasingly becoming
public—both in response to “open government” laws, and to support data mining research. Some datasets
include legally protected information such as health histories; others contain individual preferences, purchases,
and transactions, which many people may view as private or sensitive.
Privacy risks of publishing micro-data are well-known. Even if identifying information such as names,
addresses, and Social Security numbers has been removed, the adversary can use contextual and background
knowledge, as well as cross-correlation with publicly available databases, to re-identify individual
data records. Famous re-identification attacks include de-anonymization of a Massachusetts hospital discharge
database by joining it with a public voter database [...]

We present a very general class of statistical de-anonymization algorithms which
demonstrate the fundamental limits of privacy in public micro-data. We then show how these methods
can be used in practice to de-anonymize the Netflix Prize dataset, a 500,000-record public dataset.
Collectors and publishers of data need to be aware of the potential for exposure of information that may be regarded as sensitive.
The issue is not limited to widely disseminated information. Individuals or special-interest groups may have legitimate need for micro-data (for example in health funding policy) but then have the means of uncovering personal data for an unauthorised purpose.
Consider:
  • are ethics sufficient to protect the privacy of individuals described by such micro-data?
  • is the information exposed by statistical de-anonymization sufficiently protected by legislation?
  • where would you go for assurance that the data that you are providing is not susceptible to statistical de-anonymization?

Thursday, 8 November 2007

Health Information Privacy

IT managers often fail to do their best work in delivering security to the information within the health sector but they certainly do better than the health managers themselves.
A recent audit of the Wellington region's health service revealed patient records being stored in public corridors with no controls on access.

The audit [Telarc] underlines that the organisation is bordering on dysfunctional. It records grave failings, such as leaving patient records in public corridors where anybody passing can take a peek,.... Dominion Post 8 Nov 2007
There are plenty of things that can be done technically to meet the required standards of privacy but if the underlying organisation has an irresponsible attitude to security we will see ill-considered technical 'solutions' that compound the problem.

As Blindside comments on one mobile health care device:
Let’s see. Wireless transmission of sensitive information–yeah, we’ll get to that right after we take care of those pesky ergonomic and battery life issues. And preventing hacking and malware to ensure that the information is accurate? Hmm. Let’s put that on the list of things to do after we make sure it doesn’t add to the weight of the tablet device
I suspect that the subject of healthcare privacy needs a shake up from top to bottom. A few questions ...
  • Is it clear what the customer (that's us, not the health managers) wants?
  • What 'need' do these 'wants' reflect?
  • Do the legislation and ethical requirements reflect this underlying need?
  • Is there suitable compliance and enforcement of the legislation and ethical requirements?
  • Should we get anaesthetists and paediatric cancer specialists before worrying about privacy and security?
When we have a good answer to those, we may be able to evaluate the technical questions about encrypting data at point of entry; securing information over wifi; ensuring that laptops and tablet devices are not attractive to thieves of information, identity or property (because they certainly will be available to all of those).

Thursday, 6 September 2007

A Universal DNA matching database?

Andreas Busch summarises developments in the DNA identification debate arising from
One of the United Kingdom's most senior judges, Lord Justice Sedley, today demanded that every UK resident and every visitor to the country should have their DNA recorded on the national DNA database ...
The judge has logic on his side. Britain has the largest DNA database in the world covering 7.5% of the population. Mathematical techniques can extend the range of matching further by detecting relatives of people on the database. So the Brits are well on their way to achieving the judge's goal.

However consider,
  • Outside of CSI and similar TV programs, how many crimes are solved through DNA matching? Is there a reasonable value proposition to extend this collection because of the current success rate?
  • How often is unknown DNA (not on match database) available as a pointer to an otherwise unknown perpetrator?
My guess is that a universal DNA database (relatively simple to achieve by diverting samples collected at birth) does not add much to detection or prevention of crime because there is generally a small set of persons of interest around a particular crime, not the whole population.

But as matching technology improves, what a great resource for control of the population at large ... no need for pesky ID cards, passports, fingerprints at airports ... just a bit of sweat or saliva as you pass myriad control points.

Information Commissioner, Richard Thomas, warned that it raised serious issues around the criminal justice system: "if you get the knock on the door saying 'we’ve found your DNA’, you’ve got to start proving your innocence"
If the British justice system has descended to that level then a DNA database does not make much difference. There is a risk at present that relying on DNA for more than supporting evidence introduces the defence that other (unidentified) DNA indicates reasonable doubt that the identified person is the guilty party. It seems to me that the only clear benefit of a universal DNA database is to avoid such a defence.

As an aside, why stop at the border? Why not share the DNA database worldwide and track fugitives as they supply DNA at the border?

I think the debate lies outside the technology arena and more in the political and philosophical area. Do I have a right not to be identified?

Wednesday, 29 August 2007

Safety fears over new register of all children

The headline is from The Times in the UK but the concerns apply everywhere that a 'database' is seen as solution to a communication problem.
ContactPoint was set up after the official report into the death of Victoria Climbié. Lord Laming concluded that the eight-year-old’s murder could have been prevented had there been better communication between professionals.
Communication is not the same as broadcasting or publication. There is a sense of checks and balances between the participants in a communication. This is rarely apparent in stores of data offered to people on the basis of the role they undertake.
As Tom Fuller points out, persons having a particular role are not necessarily to be trusted with the information. There will be inevitable bad eggs present in the teaching, medical, legal and social work professions, and the police. Also, leakage of information which should be private to the individual can occur from simple careless behaviour of otherwise trustworthy individuals. Sadly, assigning information access rights to a role (for example, head-teacher) does not prevent individual head-teachers delegating that responsibility to a temporary secretary, which is probably not how the legislators or system designers saw the 'database' being acceptable.
In conventional communication, each request for information can trigger a question in the mind of the receiver about the possible use being made of the information provided. Ideally, technology solutions to the communication problems around public safety, health information and other privacy-loaded areas should not bypass these checks and balances. Given the risk of misuse of information by persons in a position of trust through their role, technology solutions should ensure that the minimum (necessary) information is released and that a clear trail of information release is maintained. If an authorised person enquires on such a database, they should expect to face enquiries themselves as to why and how the information was used. The kind of pattern analysis that detects potential credit card fraud should be applied to detect the abusers of the information systems.

Thursday, 9 August 2007

Health Information Privacy - When Rights Conflict

Tom Fuller writing in the respectable Blindside Blog presents a simple dilemma on the conflicting "rights" to have and to conceal information about a health issue.

As part of your treatment you need genetic analysis of predisposition towards several disease pathways. You are frightened that exposure of the results will a) reveal your mixed race heritage and b) prejudice your employability, insurability and sociability. So you agree with your consultant to test under an alias. And your treatment proceeds and you get on with your life.

Unbeknownst to you (does Beyonce have an evil twin called UnBeyonce?), your consultant also treats your child/children from a previous relationship, and recognizes that your genetic results are relevant to them. Your consultant knows that you would refuse to release your information, but their continued good health is dependent on having this information available. Just for the sake of preserving the moral dilemma, getting the genetic information from the children is not adequate, sufficient or practical (they live now in a foreign country, or something like that).

1. Is your right to control of information regarding your genetic history absolute?
2. Does your consultant have ethical responsibilities to act despite your desire for secrecy?
3. If sperm donors are required to disclose identity to their children, is a precedent established for requiring you to yield your genetic information?
4. Who should make the final decision?

With local health authorities taking a generous approach to information sharing citing "common good" but more likely for administrative convenience (see Patients' privacy could be compromised by health b...), the opportunity to consider cases like the one presented will be swept aside.

My view ... 1. Yes; 2. No, not outside the individual patient - carer relationship; 3. Probably, in a legal sense. This is a bad thing! Genetic information is probably the ultimate in "identity" information; 4. The patient fully informed by consultant.

Saturday, 28 July 2007

Information Sharing in Primary Healthcare

The push to electronic patient information systems to share information between the players in primary health care is not a bad thing, although some implementations may give rise to concern (see: patients-privacy-could-be-compromised). A peer-reviewed paper on the subject quantifies the effects of the missing information.


Clinicians reported missing clinical information in 13.6% of visits; missing information included laboratory results (6.1% of all visits), letters/dictation (5.4%), radiology results (3.8%), history and physical examination (3.7%), and medications (3.2%). Missing clinical information was frequently reported to be located outside their clinical system but within the United States (52.3%), to be at least somewhat likely to adversely affect patients (44%), and to potentially result in delayed care or additional services (59.5%).

Missing Clinical Information During Primary Care Visits Peter C. Smith, MD; Rodrigo Araya-Guerra, BA; Caroline Bublitz, MS; Bennett Parnes, MD; L. Miriam Dickinson, PhD; Rebecca Van Vorst, BA; John M. Westfall, MD, MPH; Wilson D. Pace, MD JAMA. 2005;293:565-571



Friday, 27 July 2007

Patients' privacy could be compromised by health board action

RUTH HILL in The Dominion Post on Wednesday, 25 July 2007 reports that "Patients' privacy could be compromised by a Hutt Valley initiative allowing GPs and hospital clinicians to exchange clinical information, medical ethics experts and patient advocates warn."
It is good to see the concerns are being discussed within health circles but a wider public debate should be encouraged before this significant erosion of personal privacy becomes more than an exploration of technical capability.

There are two separate issues touched on in the article. Firstly that "A lot of problems in the health sector come about when patients are wrongly identified." and secondly that "Sharing information (between providers in the health sector) closes the loops."
There is an implication here that sharing all information enhances the identification process and that a common information pool is a necessary requirement for the exchange of clinical information.
Identification of the individual is critical where information flows and the individual become separated. A simple example can be seen in blood testing where the results may be routed through a complex process to ultimate information users and may result in life or death decisions impacting on the subject person. However, there is no indication that the proposed sharing of information would address the issues of identification.

There can be no doubt that there should be a flow of information amongst health providers. However, there has been little or no public debate about what information should be contained in the flows and what rights over the information are retained by the patient.

General Practitioner Access to Hospital Data

From the description of the pilot, the flow of information to GPs from hospitals is to be achieved by allowing GPs to access the internal hospital information systems.

Four GPs also have direct access to the hospital's electronic database, allowing them to access the records of all patients registered with their primary health organisation, or any other patient for whom they have a National Health Index number.
Implicit in this is:
  1. It is OK for GPs to access information held in the hospital's electronic database for any patient; not just those registered with their PHO. Hypothetically, a fishing expedition could be mounted using the 12,567,273 valid NHIs.
  2. A GP would have legitimate access to the records of any hospital by having a single patient in common between PHO and Hospital. Given the concentrations of population and specialist medical services in NZ, the health records of a large proportion of people will be open to many GPs.
  3. If a patient is referred to a hospital by a GP, the GPs within the PHO have access to that patient's information from the hospital's electronic database regardless of the patient's wishes.

There is a clear risk arising from this. Information that might reasonably be expected to be a matter between the patient and someone with a direct clinical responsibility of care of the patient, will be available to a wider audience which degrades the privacy of the individuals involved.


Potentially, well defined electronic information systems and data-interchange services can enhance privacy and security.
Mr Cook [CIO] said electronic patient information systems were "more secure" than paper-based ones because access could be controlled and audited.
Those of us with even limited contact with public/civil service or legal organisations will have come across "the Registry", where access to paper-based records is managed according to right or need to know. Electronic systems may be more cost-effective but they are not inherently more or less secure than the paper-based ones that they replace. Note also the use of the term "could" in the quotation. Actual control and audit of information retrieval is often omitted from electronic retrieval systems, perhaps because IT people focus on every part of the system being used in the intended fashion. An assertion, from the CIO, that the access to information "will be controlled and audited" would be more comforting.
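What "controlled and audited" can mean in practice, and the fraud-style pattern analysis suggested in the ContactPoint post above: a review pass over an access trail. This is an added example, not code from any health board system; the log layout, clinician names, thresholds and patient identifiers are constructed placeholders (not real NHI numbers).

```python
"""Review a record-access audit trail for lookups that need explaining."""
from collections import defaultdict
from statistics import median

# Constructed sample data.
REGISTERED = {  # clinician -> patients enrolled with their own practice/PHO
    "gp_ames": {"P001", "P002", "P003"},
    "gp_burr": {"P004", "P005"},
    "gp_cole": {"P006", "P007"},
}
# (timestamp, clinician, identifier requested, record found?, stated reason)
AUDIT_LOG = [
    ("2007-07-25T09:00", "gp_ames", "P001", True, ""),
    ("2007-07-25T09:20", "gp_ames", "P002", True, ""),
    ("2007-07-25T09:45", "gp_ames", "P003", True, ""),
    ("2007-07-25T10:00", "gp_burr", "P004", True, ""),
    ("2007-07-25T10:10", "gp_burr", "P005", True, ""),
    ("2007-07-25T10:30", "gp_burr", "P001", True, "locum cover, referral"),
    ("2007-07-25T10:40", "gp_burr", "P006", True, ""),
    ("2007-07-25T11:00", "gp_cole", "P006", True, ""),
    ("2007-07-25T11:01", "gp_cole", "X100", False, ""),
    ("2007-07-25T11:01", "gp_cole", "X101", False, ""),
    ("2007-07-25T11:02", "gp_cole", "X102", False, ""),
    ("2007-07-25T11:02", "gp_cole", "X103", False, ""),
    ("2007-07-25T11:03", "gp_cole", "X104", False, ""),
    ("2007-07-25T11:03", "gp_cole", "X105", False, ""),
    ("2007-07-25T11:04", "gp_cole", "P001", True, ""),
    ("2007-07-25T11:05", "gp_cole", "P002", True, ""),
]


def review(log, registered, miss_threshold=5, miss_ratio=0.5, volume_factor=2.0):
    """Return {clinician: {"flags": [...], "follow_up": [(time, patient)]}}.

    unexplained-access      record opened with no care relationship and no reason
    identifier-enumeration  many lookups of identifiers that do not exist
    volume-outlier          far more distinct identifiers requested than peers
    """
    if not log:
        return {}
    requested = defaultdict(set)
    total = defaultdict(int)
    misses = defaultdict(int)
    unexplained = defaultdict(list)
    for ts, who, patient, found, reason in log:
        total[who] += 1
        requested[who].add(patient)
        if not found:
            misses[who] += 1
        elif patient not in registered.get(who, set()) and not reason.strip():
            unexplained[who].append((ts, patient))
    typical = median(len(ids) for ids in requested.values())
    report = {}
    for who in total:
        flags = []
        if unexplained[who]:
            flags.append("unexplained-access")
        if misses[who] >= miss_threshold and misses[who] / total[who] >= miss_ratio:
            flags.append("identifier-enumeration")
        if len(requested[who]) > volume_factor * typical:
            flags.append("volume-outlier")
        if flags:
            report[who] = {"flags": flags, "follow_up": unexplained[who]}
    return report


if __name__ == "__main__":
    for clinician, finding in review(AUDIT_LOG, REGISTERED).items():
        print(clinician, finding["flags"], finding["follow_up"])
```

The follow-up list is the set of accesses for which the clinician should expect to be asked why and how the information was used.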

The privacy requirements do not seem to have been sufficiently addressed.

However, Otago University's bioethics centre director, Donald Evans, said ....

"My concern is, if patients become aware that information given on a confidential basis to their GP is likely to be shared with other people, it destroys the relationship of trust; people will be reluctant to be honest with their doctors; and quality of care will be compromised."



I suggest that the patients' concerns may be associated with any consultation not just with the GP. It may not be a good thing medically, but there will be reasons for not sharing information of a specialist consultation with a particular GP. We can debate whether the information belongs to the clinician or the patient, but passing the information about the patient to third parties should generally be controlled by the patient.