Otherwise Occupied
information_privacy

gregh  2008-06-11 05:35         

NY Times: Kaiser Backs Microsoft Patient-Data Plan:

Kaiser Permanente, the nation’s largest nonprofit health maintenance organization, is endorsing the drive toward consumer-controlled personal health records in a partnership with Microsoft.

The partnership, announced Monday, will begin with a pilot project open to Kaiser’s 156,000 employees, which will run until November. If successful, the product linking Kaiser’s patient information with Microsoft’s Health Vault personal health record service will be offered to Kaiser’s 8.7 million members in nine states and the District of Columbia.

The article waxes on about how portability is a problem, and how this will solve all of those issues.

A more cynical -- and in my mind realistic -- view is that Kaiser moving its records accomplishes goals that allow it to get around HIPAA. Microsoft becomes a provider of services for storage of medical records, so there is no issue with Kaiser sharing. Once Microsoft has the records, the vulnerabilities lie with Microsoft's technologies, the users, and the service providers who sign up with HealthVault.

Microsoft gets data it can sell, Kaiser lightens its burdens of protecting records, and users are exposed to errors not only by Kaiser, but now also by Microsoft, Microsoft's partners, and themselves.

Ms. Silvestre said Kaiser had also looked closely at Google, but had been particularly impressed by Microsoft’s technology for protecting the privacy and security of personal data.

One of the really disappointing things about HealthVault is that it's still using usernames and passwords. What's more, it makes release of and access to information very easy to the record holder, which means it's more likely that individuals will errantly release their own records. Microsoft is leading the way on safe, user-centric identity technology, and to date, none of it has been applied to HealthVault, so far as I'm aware. The responsible thing would be to wait on services like HealthVault until the identity picture is fixed. Instead, people are so eager to jump on board, they'll gladly put the privacy of medical records at risk.

HIPAA isn't keeping pace with technological change, and systems like this, structured to provide workarounds, only show how feckless it is.

gregh  2007-11-11 16:23         

Definition Changing for People's Privacy:

Privacy no longer can mean anonymity, says Donald Kerr, the principal deputy director of national intelligence. Instead, it should mean that government and businesses properly safeguard people's private communications and financial information.

How lovely for Kerr to think that way. You silly Americans; let me tell you what you can have. What should happen is that our intelligence and law enforcement agencies need to work within the confines of our Constitution and laws. If they can't work within those confines, they need to show why they can't, so we can consider going about the business of amending the Constitution.

One problem with the land grab like the one Kerr describes is that there's been no evidence presented that it's either necessary or useful. Instead, what evidence exists shows that it's a crutch, violating our traditional notions of privacy with little benefit.

The other -- huge! -- problem is that the government cannot be trusted to properly safeguard private communications and financial information. That has been made clear in recent years. Business is even worse, unless it's strategically competitive information, of course.

Perhaps the definition that needs to be changed defines suitable government employees. Rather than the Kerrs and Chertoffs, who feel it is their position to determine what we can demand, we need people who will recognize that a Constitution and body of privacy protection laws exists, and that their inability to do their jobs without dreaming up ways around those things suggests their incompetence, not a need for the American people to change how they live their lives.

gregh  2007-01-21 01:09           

Following up on my recent post about the DHS recommending a commercial data aggregator to create a new database for the data access requirements of the Real ID Act, it appears that it may not be as dire as originally reported by Unreal ID. Specifically, Unreal ID claimed that the DHS recommendation was to:

[h]ave a private data aggregator act as the central database. This is the plan advocated by DHS. The plan calls for the outsourcing of all drivers license and ID card checks to a private corporation, who would then charge the states for each check performed. DHS head Michael Chertoff personally ordered this option to be chosen, according to a senior administration source.

A Wired story takes some issue with this, and provides text of the recommendations Unreal ID was operating from. This is pretty useful. While this entire component of Real ID is awful, it's not quite as bad as I surmised and wrote about previously. Let's look at the suggestions as they exist in this text (whether this is the actual text of the recommendations or not):

First, the States could simply be left to make whatever arrangements they choose among themselves. This approach would maximize State flexibility but could prove burdensome and chaotic in implementation.

There is no doubt that this would prove "burdensome and chaotic." Of course, that's one of the pluses. Imagine the states opening up their databases in ways that made using that access completely unworkable. They'd give up on this unnecessary requirement and it would go away. It's no surprise that DHS would dislike this one; it should be clear that the intention was never really to allow states full access to the databases of other states, but rather to make access easier for federal agencies by standardizing access. Why would Jim Sensenbrenner care about giving all the states access, when it's something they've never pursued?

The language is a bit confusing for this second item, and that's somewhat disturbing. It's disturbing because it's not clear just how it works in conjunction with the third recommendation. I'll explain more below:

Second, the States could create a "federated" or "decentralized" system, in which each State continues to maintain its own records but the interface among databases is standardized. This might be implemented as a "pointer" index that allows States to determine where to find relevant records about applicants. This system would be similar to DOT's Commercial Driver's License Information System (CDLIS).

The third possibility, listed below, does have distinguishing characteristics, but some of the language of this possibility is unclear. It appears to blend federated data and decentralized data. There's no reason states couldn't standardize interfaces to their data without providing some central federation service that provides pointers to the data. That sounds like it comes suspiciously close to the clearinghouse discussed below. Instead, the data could simply be decentralized with standardized access methods used across the states.

Both possibilities sound horrid. The pointer database suggests a database of identifying information -- quick, tell me what other than SSN could be sensibly used as the pointer -- that provides ready access to go gather anything a wily user wants to get out of the system. The "chaotic and burdensome" approach sounds much better. This sounds like a data protection nightmare. After all, this pointer index would, as a matter of course, contain enough information to identify a person. Getting that data would expose hundreds of millions of identities.

Of course, it would also make it easier for the TIA replacement to find the data.

Finally, there's the third possibility, the "clearinghouse" solution. Here's how it appears in the Wired document:

Third, the States could utilize an intermediary, or clearinghouse, to assemble necessary information about a particular applicant. This approach would require only one entry of information by a State DMV, and one transmission of all verifiable information to the clearinghouse. The clearinghouse would not store data about applicants; instead, it would determine which databases and systems to search and then would provide the relevant information once the data is assembled about that applicant. For example, the clearinghouse would communicate with SSA to verify the applicant's Social Security number (submitting the applicant's full legal name, date of birth and Social Security number provided by the applicant), submit applicant data through EVVE, submit applicant data to USCIS' SAVE program as applicable, and check whether the applicant is licensed in another state through queries to individual States. Once all these lines of data were verified, the clearinghouse would return the full, verified response back to the State DMV. In none of these approaches would a large permanent multistate collection of individual records be created. The "federated" and clearinghouse alternatives are focused on the infrastructure among systems, and would not act as a substitute for the databases that hold the actual information (i.e., the databases would not "dump" into the clearinghouse).

Note that the description is very clear that there would not be "a large permanent multistate collection of individual records" here. Of course, that's patently untrue, because the pointer index of the federation would, in fact, have a gigantic collection of individual records. It would have to, if the goal is to find all records, for example, that pertain to my license and potential licenses I might have had elsewhere, which is really the sole reason to create this monstrosity in the first place (excepting the ulterior motives I suspect are at this requirement's heart.)

It's easy to see why this solution looks like such a good sell. A rogue user from some random state is going to have a much more difficult time acting independently to harvest huge numbers of records from the other states; that risk is greatest when only the individual states will be tracking access, such as in the federated or "burdensome and chaotic" solutions. What's more, this one might be seen as attractive because it doesn't have to store anything, outside of the time that it's assembling these nice little records packages for the state DMVs. However, there's something far more sinister here.

From a data leakage perspective, it's going to be far more difficult to track American citizens if the records of movement are stored in requests between states. First, states would have to give it up. Second, the feds would have to be able to make use of the morass of various audit records. Oh, but that beautiful clearinghouse. It's going to know exactly where I am, when I requested a license or otherwise had business with the DMV. It will quickly put the federal government on a path to track movements of Americans (further on the path than it already is.) The data may come and go, but those logs will be rife with rich information to be mined, intruding into the private comings and goings of Americans.

No, this third option doesn't create a new database. Instead, it creates a new tracking system without the encumbrances of a new database.

The concluding paragraph of the text provided by Wired is somewhat comical:

In developing such a system, DHS expects that the all appropriate privacy and security mechanisms will be included to reduce the risk of unauthorized access, misuse, fraud, and identity theft. Although DHS considers the third option to have the highest probability of timely and effective implementation, DHS will not require States to adopt one of these approaches as part of these regulations. DHS will consult actively with States and other stakeholders with a view to assisting the States in choosing the alternative that is most likely to reduce the costs of meeting the verification requirement. DHS will be examining ways in which DHS may assist States in most effectively meeting the requirements of the REAL ID Act. This may involve assistance through federal procurements or grants. Any such assistance will likely be provided separately from this NPRM, but DHS welcomes comments on the alternatives and on methods by which it may assist the States in reducing the burden of complying with the requirements of the REAL ID Act.

(emphasis added.) Of course, it's rich enough to read about DHS expecting "all appropriate privacy and security mechanisms" to be included, given their repeated failing ratings for computer security and data protection, when they're even capable of filing their reports. However, the suggestion that they won't be requiring one of these to be selected is something of a joke. After all, does anyone believe that DHS will fund any option a state may choose?

Over at Homeland Stupidity, Michael Hampton has followed up his previous post to put these recommendations in context, concluding:

Don’t be too surprised in a few months when it’s announced that AAMVA got the contract after a lengthy wait, required for the sake of appearances and bureaucracy. After all, they’re already maintaining a similar, but much smaller, database for the states, which holds data on every commercial driver license holder in the country. This is the blueprint on which the national identity database will be built.

It does, oddly, sound a whole lot like the third possibility.

gregh  2007-01-11 13:48                 

Update: See my follow-up, covering the actual text leading to these suggestions. It's not quite as bad as suggested. It still ain't great.

If the following is actually correct, the Department of Homeland Security is even more worthless than I could have imagined.

UnRealID.com:

The Department of Homeland Security has finished their proposed regulations for implementing the Real ID Act and has sent them to the Office of Management and Budget for approval.  The publication of DHS's REAL ID regulations will follow shortly.  The compliance guidelines are almost one year overdue.

According to a still-secret several hundred-page dossier sent last week by DHS to the Office of Management and Budget, DHS considered three ways to implement the REAL ID Act:

Plan A: Order the individual states to find a way of communicating data to one another.  This idea was given short shrift by DHS, who dismissed it out of hand.
Plan B: Have DHS build a centralized database for the states to query before issuing REAL ID-compliant drivers licenses.  This idea was also rejected.
Plan C: Have a private data aggregator act as the central database.  This is the plan advocated by DHS.  The plan calls for the outsourcing of all drivers license and ID card checks to a private corporation, who would then charge the states for each check performed.  DHS head Michael Chertoff personally ordered this option to be chosen, according to a senior administration source.

One would hope that this would be the final nail in the Real ID coffin, and this would surely bring about swift introduction of the Akaka-Sununu Identification Security Enhancement Act of 2006.

Given the poor data protection histories of the commercial data aggregators, not to mention their incredibly poor histories of data matching, the very idea of them being called upon to manage aggregation of all of the drivers databases sounds more like a cruel joke. There may be more interesting issues.

To begin with, the Real ID Act doesn't call for a large database of driver's license data. In order to issue Real ID-compliant driver's licenses, states must:

(12) Provide electronic access to all other States to
information contained in the motor vehicle database of the
State.
(13) Maintain a State motor vehicle database that contains,
at a minimum--
(A) all data fields printed on drivers' licenses and
identification cards issued by the State; and
(B) motor vehicle drivers' histories, including
motor vehicle violations, suspensions, and points on
licenses.

Driver's license database information is commercial information owned by the states. This is clear from Reno v. Condon:

The motor vehicle information which the States have historically sold is used by insurers, manufacturers, direct marketers, and others engaged in interstate commerce to contact drivers with customized solicitations. The information is also used in the stream of interstate commerce by various public and private entities for matters related to interstate motoring. Because drivers’ information is, in this context, an article of commerce, its sale or release into the interstate stream of business is sufficient to support congressional regulation.

There were already some questions hanging around (most dismissed by commentators) about the Constitutionality of allowing the federal government to require states to grant other states access to their own commercial items without compensation in order to comply with the Real ID Act. Permitting commercial data aggregators to take possession or ownership of that state property without compensation is somewhat more egregious. As things stand now, those aggregators would be forced to purchase that information from the states; at least in that instance, the coffers of the states are gaining something to help cover the maintenance of that data. Under this plan, it would seem plausible (especially if the aggregators "accidentally" released the information into the public domain) that the states would simply be forced to give it away. This may raise greater Constitutional questions about those portions of the Real ID Act.

It makes the security aspect even worse.

It likely removes the (feckless) Privacy Act and the Computer Matching and Privacy Protection Act from the mix.

In short, I'm currently a bit skeptical that even the inept Department of Homeland Security could proffer a suggestion as ludicrous as this one; I can't wait to see the actual proposed regulations to find out if it's true.

gregh  2006-12-13 01:01                 

This is good news. Getting through finals kept me from seeing this right away. The text is not currently on Thomas yet, so I'm not sure what the details are. Homeland Security Watch says it rolls back to § 7212 of the Intelligence Reform and Terrorism Prevention Act, but the text from the ACLU press release below makes it sound like it goes even further.

In particular, increased protection of driver's license data from third parties (esp. if beyond what the DPPA provides), encryption of collected data, and the protection of state privacy laws (which weren't impacted by § 7212, anyway) all sound good.

Hopefully, with the new Congress, this thing will stand a chance.

American Civil Liberties Union : ACLU Lauds Akaka-Sununu Real ID Fix Bill, Says Additional Privacy and Civil Liberties Safeguards Still Needed:

WASHINGTON - The American Civil Liberties Union today welcomed the introduction of bipartisan legislation authored by Senators Daniel Akaka (D-HI) and John Sununu (R-NH) that would add privacy and civil liberties safeguards to the Real ID Act. The 'Identification Security Enhancement Act of 2006' would address several of the shortcomings of the controversial legislation adopted last year, including the establishment of a National ID.

. . .

The Real ID Act was adopted last year as part of a must-pass military appropriations bill. The act rolls back civil liberties protections, attacks privacy rights and sets the stage for a national ID. Many diverse groups including the ACLU, the National Association of Evangelicals, the Ancient Order of Hibernians, the National Conference of State Legislatures, the National Governors Association and the American Association of Motor Vehicle Administrators opposed the Real ID Act. Conservative estimates place the minimum cost of the program at $12 billion.

The Akaka-Sununu bill would eliminate most of the requirements that laid the foundation for a National ID card, such as the obligation that all data and systems be standardized. The bill also changes the approach to drivers’ licenses by calling for more flexible 'standards' instead of the current uniform mandates. In perhaps its most significant privacy fix, the legislation prohibits the use of license data by third parties, requires encryption of the data itself and preserves any state privacy laws that may provide greater protections.

(Via Homeland Security Watch.)

gregh  2006-11-09 18:14           

Daniel Solove comments on USA Today article about financial institutions culling from public records databases to arrive at identifying facts, rather than using Social Security Numbers:

Concurring Opinions: Verifying Identity: From One Foolish Way to Another:

The problem with using this method is that the information in public databases is often riddled with errors. Why do banks need to go behind your back to snoop out information about you? Banks and financial institutions already have a relationship with you -- after all, you established an account with them. They can use some of the information they gathered at that time to establish your identity and then ask you to supply additional information to help identify you. But going behind people's backs and trolling public records for data does not strike me as a particularly effective method given the possibility for errors in those records.

Anyone who has had someone else's information in a credit report knows that matching records, even when there is a solid, government-issued identifier, seems impossible on the scale that's required for the credit agencies. These public records databases often work with pieces of data that aren't tied to a unique identifier like a SSN. Imagine the torture of trying to get access to your money -- or get a new credit card -- when your financial institution is using data that is, often at best, tenuously matched.

gregh  2006-11-08 16:14             

The Cato Institute wonders if, especially in the "Live Free or Die" state, perhaps Real ID didn't have some impact on yesterday's election results:

Cato-at-liberty » REAL ID and a Sweep for Democrats in New Hampshire:

There are many explanations for the strong result Democrats got in the election yesterday. Focusing on New Hampshire, there is a neat correlation between support for the REAL ID Act and defeat at the polls yesterday.

Jeb Bradley was one of “several Washington officials . . . urging state senators to support Real ID” when the state legislature was considering a bill to reject it. He was defeated by Carol Shea-Porter, a surprise victor who enjoyed little help from national Democrats. Here’s Shea-Porter speaking at an anti-REAL-ID rally.

Representing the Second District, Charlie Bass was an original co-sponsor of the REAL ID Act, and he touted that fact on his Web site. His replacement is Paul Hodes. Hodes is not a full-throated critic of REAL ID, but he did tell AP, “I do not favor creating a new central federal database using the permanent images of these documents. . . . A piece of paper is not the solution to securing our borders from terrorism. We need to better coordinate our existing law enforcement databases and watch lists.”

New Hampshire resisted Real ID for a long time, until Congress offered to pay them off, and the state legislature caved. That was unfortunate, because a state holdout was going to be a good challenge to the practicality and legality of the act.

Now, perhaps the best hope for some sanity to return is for the Democrats to repeal the Real ID nonsense and bring some sensibility back to reliable identification. The U.S. Government should, presumably, be working to strengthen and protect identity. It shouldn't be working to weaken it.

gregh  2006-11-03 09:41         

The overarching problem is that this impacts far more than just Maryland voters, as other states bring these Diebold vote gathering sieves into production based on the praises of the early adopters.

The Blog | Rebecca Abrahams: The Two Faces of Diebold | The Huffington Post:

Enter the world of electronic voting machines, the 'cure' to hanging and dimpled chad.

It is a seamy world of secrecy, proprietary software, partisan executives 'committed to helping Ohio deliver its electoral votes to the President', politicians asking programmers to design software to flip vote totals, and lots and lots of money.

And it is a world of completely inconsistent realities. Diebold and the other manufacturers insist that their machines are safe and secure yet every single cyber security expert and computer scientist has, for years, been screaming into an empty wilderness of media attention, that . . .

The machines can be hacked, by the implanting of malicious code, at the factory.

The machines can be hacked during transport from the factory.

The machines can be hacked while on 'Sleepovers' before the election.

The machines can be hacked (in 1 minute with a 50-cent mini bar key) during the election, and

These machines can be hacked, at the tabulator, after the election.

We have Constitutional guarantees of fair elections. Something really must be done about this electronic voting fiasco. There are solutions beyond the Diebold Goliath. There are a number of interesting cryptographic voting schemes that have been put forward.

Unfortunately, we appear to be stuck at a point where the elected politicians and their appointees are too eager to enact changes to claim victory ("No more hanging chads!") rather than enacting change to solve the problems.

At some point, we're going to end up back in contentious court hearings over close elections. That's inevitable, because the fundamental right to vote is too important not to protect. It's unfortunate, because it puts the courts in a dicey situation, such as in Bush v. Gore. It's a no-win for the courts in those politically charged situations, and in the end, it only results in diminished faith in the courts.

(Via Stan.)

gregh  2006-10-31 10:03               

Of course Total Information Awareness never died.

It helps connect the dots, as I've previously suggested:

Certainly, there's probably good reason to believe that TIA never died. There's also very good reason to believe that one of the great benefits of forcing the electronic opening of all state driver databases is that it would benefit a TIA-like system.

Why else would the federal government force the states to electronically open their databases to all other states, when the states hadn't even been asking for that? Well, of course. It makes it easier for the federal government to collect the information to stuff their databases. Unfortunately, it also leaves everyone else's information more prone to theft. Government agencies haven't exactly shown themselves to be adept at protecting personal information.

NATIONAL JOURNAL: Terrorist Profiling, Version 2.0 (10/20/2006):

The government's top intelligence agency is building a computerized system to search very large stores of information for patterns of activity that look like terrorist planning. The system, which is run by the Office of the Director of National Intelligence, is in the early research phases and is being tested, in part, with government intelligence that may contain information on U.S. citizens and other people inside the country.
 
It encompasses existing profiling and detection systems, including those that create 'suspicion scores' for suspected terrorists by analyzing very large databases of government intelligence, as well as records of individuals' private communications, financial transactions, and other everyday activities.

(Via Schneier on Security.)

gregh  2006-10-24 11:09             

Why should we fight government attempts to gather and open up even more information, regardless of the promises that might be put forward by our representatives and agencies?

Health care privacy law: All bark, no bite? - The Red Tape Chronicles - MSNBC.com:

In fact, there have been 22,664 HIPAA privacy-related complaints filed since the privacy rule took effect in 2004, and not a single institution has been fined for privacy lapses, according to the Department of Health and Human Services, which enforces HIPAA. It's not clear that any of the three incidents above generated HIPAA privacy complaints, so the total number of privacy-related incidents is no doubt higher.

The government won't even enforce statutory information protection laws against private entities. Why would we ever expect the government to enforce regulations against itself? Of course, my favorite whipping boy, the Real ID Act, didn't even legislate privacy; it removed what limited privacy was already in place.

Two questions to consider:

  1. What's the likelihood DHS will enhance privacy protections (rather than merely the legislated weakening of the DPPA inherent in the Real ID Act) with its draft regulations for Real ID?
  2. How likely is it that even if there is enhanced privacy, it will ever be enforced, when the easiest defense is "We were trying to root out terrorists"?