The year 2005 was not only the year of the Rooster; it was also the year of privacy invasion and ID theft. On thinking about the last year, news flashes such as “ChoicePoint data theft widens to 145,000 people“, “Stolen laptop puts 98,000 at risk of ID theft” (UC Berkley), “Personal info on 310,000 people possibly stolen, 10 times more than what was disclosed last month” (Siesent), comes to mind.

This past year, more than 152 security breaches exposed at least 57.7 million Americans to ID theft ( 1 ) and privacy invasions, which suitably makes “privacy” the biggest concern of generic internet population, businesses and governing bodies. The result: legislatures being passed by the government and billions of dollars being invested by businesses to confirm to these legislatures. More than fifty bills were introduced in the first session of the 107th Congress to regulate online privacy, resulting in a national cost of complying to be approximately US$9-36 billion (Hahn 2001). With so much at stake it becomes important to measure not only the economic cost of privacy per person, but also the trade offs (for example convenience and rewards) that lure people to succumb and provide PII to organizations.

A peek into sociological research regarding user behavior clearly indicates that individuals perform a privacy calculus, assessing the cost and benefit of providing information ( 2 ). The calculus depends on factors such as self-ego, environmental stimuli, and interpersonal relationships (Laufer and Wolfe 1977; Stone and Stone 1990).

Studies indicate a huge deficit between the compliance expenditure and the net worth of privacy. This deficit may be owing to limited user awareness and the fact that privacy concerns are usually traded for environmental stimuli such as rewards and convenience.

Read the rest of this entry »

While doing a literature search, I ran across an interesting news article. According to this article, Representative Ed Markey (D-MA) is introducing a bill called “Eliminate Warehousing of Consumer Internet Data Act of 2006″. One of the more compelling notions behind this bill is that of deleting data after use. I wonder — could this be a key component to protecting privacy?

Think about it. Even if a company used your information, if they had to delete it afterwards, wouldn’t your privacy most likely be preserved? Furthermore, if they used it to transfer to someone else, and that person is bound by the same law, the same logic would follow. The recipient of the transfer could use your information for its intended purpose and then they must delete it. Granted, there would need to be stringent guidelines for what constitutes “intended use”.

If we were to accept this approach, we would no longer have the staggering number of ubiquitous data warehouses full of our private information, and companies such as ChoicePoint and Axiom would not be selling our information to other vendors.

This sounds like a nice idea, but would such a bill ever be passed? Would politicians be able to withstand the lobbying power of organizations seeking to bar such legislation from being passed?

This certainly isn’t a solution to our privacy woes, but it is a simple idea that may be a step in the right direction. Read more in Markey’s press realease.

We all are aware that our lives are practically becoming digital; so are hospitals. Major funding initiatives are underway to support the transition of hospitals into the digital age. In 2004, the US government spent $50 million to test computerization of health records and further proposed $125 million in related federal spending for the year 2005.

In April 2004, President Bush asked the IT industry to build a system that would provide every citizen of the United States with an electronic health record (EHR) that could be accessed from any location by 2014. He appointed Dr. Brailer (national coordinator for Health Information Technology for the Department of Health and Human Services) to coordinate this effort and establish the Nationwide Health Information Network (NHIN).

In December 2005, Dr. Brailer’s office awarded $18.6 million in contracts to four consortia led by IBM, Computer Science Corporation, Accenture and Northrop Grumman to develop prototype architectures for the NHIN. Each group consists of developers, hospitals, laboratories, pharmacies and physicians who must prove that EHRs can be exchanged across different health organizations.

In a similar effort to build such data interchange networks, Connecting for Health, a public-private collaborative led by the Markle Foundation, developed a prototype system (which will release in Spring 2006) that was successful in exchanging thousands of health records from three independently developed regional records systems (California, Massachusetts and Indiana). These three independently developed health systems had no common architecture but were able to apply the common framework developed by Connecting for Health for the exchange of records.

Seeing such successful projects, we can be rest assured that our federal money is being utilized efficiently and in the right direction.

That is the question that this blog post pontificates. According to a recent study by the Privacy Rights Clearinghouse, of 113 data breaches since February 2005, 55 of them took place at colleges, universities, and university-affiliated medical centers. A list of data breaches for 2005 have been posted by Neo Scale here, but a few noteworthy ones are Stanford University, UC-Berkeley, and Carnegie Mellon University.

One of the primary reasons cited for the disproportionate number of data breaches at universities is the decentralized environment — data being spread out in various locations on campus which makes it difficult to control the access to the data. To a degree, this doesn’t seem very intuitive and certainly contrary to the old saying ‘don’t put all your eggs in one basket’. Centralization not only serves as an even more enticing target for would-be hackers, but it also means the result of a successful breakin would be even more catastrophic. However, centralization is more cost effective, as it requires organizations to procure less hardware which results in cost savings.

Decentralization, on the other hand, means that if there were a breakin, consumers/students are less likely to have their information compromised. However, decentralization also means that it is possible that there are multiple copies of a person’s information floating around. The preferable and more secure approach is not entirely clear.

It seems that the largest problem facing decentralized environments is accountability, management, and standards. What can be done about this? Certainly, formalized, comprehensive privacy and security policies would be a step in the right direction. Adherence to these policies is essential. And continued research efforts into technologies and techniques to combat intrusions.

A full article on the Privacy Clearinghouse study can be found here on the UCSD Guardian Online.