We all are aware that our lives are practically becoming digital; so are hospitals. Major funding initiatives are underway to support the transition of hospitals into the digital age. In 2004, the US government spent $50 million to test computerization of health records and further proposed $125 million in related federal spending for the year 2005.

In April 2004, President Bush asked the IT industry to build a system that would provide every citizen of the United States with an electronic health record (EHR) that could be accessed from any location by 2014. He appointed Dr. Brailer (national coordinator for Health Information Technology for the Department of Health and Human Services) to coordinate this effort and establish the Nationwide Health Information Network (NHIN).

In December 2005, Dr. Brailer’s office awarded $18.6 million in contracts to four consortia led by IBM, Computer Science Corporation, Accenture and Northrop Grumman to develop prototype architectures for the NHIN. Each group consists of developers, hospitals, laboratories, pharmacies and physicians who must prove that EHRs can be exchanged across different health organizations.

In a similar effort to build such data interchange networks, Connecting for Health, a public-private collaborative led by the Markle Foundation, developed a prototype system (which will release in Spring 2006) that was successful in exchanging thousands of health records from three independently developed regional records systems (California, Massachusetts and Indiana). These three independently developed health systems had no common architecture but were able to apply the common framework developed by Connecting for Health for the exchange of records.

Seeing such successful projects, we can be rest assured that our federal money is being utilized efficiently and in the right direction.

According to a C|Net article, 30,000 airline passengers have been mistakenly placed on the federal watch list. Having your name match with a name on the watchlist means you are subject to extra screening. According to Jim Kennedy, director of the Transportation Security Administration’s redress office, none of these passengers were kept from boarding.

In order to avoid these inconveniences, a person must submit forms to the TSA proving their identity, and the evaluation of these forms can take 45 to 60 days. At this point, the passenger’s name is not removed from the list. Instead, their name is put on a “clearance” list. This means they will not be able to check-in at a kiosk, and they would typically have to explain their situation to a customer service representative at check-in.

As a private citizen, I understand that sometimes all we have to go on is a name. Consider the possibility that a list of names were found in a known-terrorist’s desk drawer. These names are then put on the watchlist. This seems like a reasonable action. However, as a computer scientist and a researcher, it seems inefficient and almost irresponsible to just place a person’s name on a “clearance” list after having their identity verified and still subject the individual to inconvenience whenever they travel. If this is the best that the government has come up with, it seems a bit disturbing.

In the government’s defense, it seems they are trying to rectify these issues with a new Secure Flight program that is currently being scrutinized before approval. According to this GovExec.com article, Homeland Security is in the final stages of approving a new pre-flight screening process. The Data Privacy and Integrity Advisory Commitee is advising them to narrowly focus the pre-screening program, possibly by requiring a passenger’s name and date of birth. The advisory panel also says that the TSA has yet to fully define Secure Flight, while the American Civil Liberties Union has repeatedly called on Homeland Security to eliminate the program.

Read more about this C|Net story here.

ThePrivacyPlace.org is currently conducting a survey to gauge user comprehension and views on privacy policies. While conducting the survey, we’ve received several pieces of valuable feedback from our participants. One particular area of interest is the lack of enforceability of privacy policies. Many respondants expressed concerned that privacy policies are useless because the privacy practices of an institution may not be in compliance with their privacy policy. Furthermore, the privacy policy may not be a consideration when the business is sold or goes bankrupt.

This is a very good point. However, we cannot abandon privacy policies because of current lack of enforcement. We will need to maintain privacy policies for those mechanisms that are in place, or being put into place, to ensure compliance of the policies. For example, consider the UK Information Commisioner’s Office’s recent unveiling of their new enforcement strategy. David Smith, the new deputy information commissioner, has announced that his office will bring enforcement actions against businesses that deliberately or repeatedly ignore their responsibilities under the Data Protection Act of 1998.

Privacy policies are necessary policies because we require accountability. We need to hold organizations accountable for their privacy practices, and one such way of doing so is to ensure that companies are keeping their promises (via the privacy policies) to consumers.

Read more about the Information Commisioner’s Office’s new Strategy here.

According to a Washington Post article, the FBI can issue a letter to an Internet Service Provider (ISP) or Financial Institution forcing them to hand over information on their customers. The Post article describes a situation where George Christian, who manages digital records for libraries in Connecticut, was approached by the FBI who demanded he turn over information about usage on a specific computer. They also warned him not to tell anyone about the demand, ever.

The Washington Post explains the nature of the letters:

The FBI now issues more than 30,000 national security letters a year, according to government sources, a hundredfold increase over historic norms. The letters — one of which can be used to sweep up the records of many people — are extending the bureau’s reach as never before into the telephone calls, correspondence and financial lives of ordinary Americans.

Issued by FBI field supervisors, national security letters do not need the imprimatur of a prosecutor, grand jury or judge. They receive no review after the fact by the Justice Department or Congress. The executive branch maintains only statistics, which are incomplete and confined to classified reports. The Bush administration defeated legislation and a lawsuit to require a public accounting, and has offered no example in which the use of a national security letter helped disrupt a terrorist plot.

The most disturbing part about this, to me at least, is the lack of checks and balances in place. This gives the FBI carte blanche to invade the privacy of any individual, at any time, for any reason, leaving individuals with little to no recourse.

Read more in the Washington Post article here.

There have been several stories regarding TSA’s Secure Flight program and no-fly lists over the past few days. The major news this week is that TSA has announced that they will not use commercial data brokers in the initial deployment of Secure Flight (news presented in a News.com article and confirmed at EPIC’s overview of Secure Flight). This announcement came just before a major report by the Secure Flight Privacy/IT Working Group [pdf] was released yesterday, in which the group was highly critical of the TSA’s actions regarding Secure Flight. Bruce Schneier discusses the report more in depth in a blog entry; he was a member of the working group.

Some other major stories regarding the TSA have come forward regarding people’s difficulties with the no-fly lists and the pains they endure in trying to remove themselves from the list, once mistakenly placed on it. Wired is running a story about several people who have had bad experiences with the system, including a nun who spent ninth months on the list, missing meetings and events, until an appeal was made to Karl Rove and the situation was rectified. Another person’s dilemma is described in this Boston.com article: a pilot was placed on the no-fly list and thus effectively unable to work, all because of what seems to be a data error. The pilot is fighting the situation in court. In this case, the government is maintaining that a person’s presence on the list and reasons for being there are so secret that even in court, they will not be disclosed to the defense.

In the Wired article, Secure Flight is presented by the TSA as the solution to these types of problems. However, with so many criticisms and concerns over privacy practices and data accuracy, there is much to be done before Secure Flight will have a chance to adequately address these issues.

A new report released by OpenTheGovernment.org indicates that the government’s spending on maintaining secrets is rising across the board. The summary of findings indicates that in 2004, $148 was spent keeping new secrets for every $1 spent releasing old secrets; this cost has been on the rise for the past several years, and as recently as 2001 the government only spent $20 to keep secrets for every $1 to release them.

The U.S. government also classified more documents last year than any year previously: 15.6 million documents classified, at a cost of $460 per document to keep it secret. Conversely, the number of Freedom of Information Requests hit an all-time annual high, with 4,080,737 requests for information. The government is still unable to keep up, though agencies are improving in their ability to handle requests.

This report is interesting in its discussion of how the government keeps secrets, what types of secrets are being kept, and the costs involved.

The AP has a story on the new report that summarizes many of the key findings and presents some reasons for the increased secrecy.

President Bush is stumping for many provisions of the original Patriot Act to be not only renewed before expiring at the end of 2005, but permanent fixtures in the American legislative landscape. Bush argues that these provisions have all but singlehandedly saved America from terrorism, having “closed dangerous gaps in America’s law enforcement and intelligence capabilities” (as quoted in this CNN article).

While Bush is presenting the frightening could-have-been scenarios that were thwarted by the Patriot Act’s presence, however, many civil liberties and privacy advocates continue to argue the potential and real abuses of the Patriot Act’s sweeping power. While the opposition has been hard-pressed to point to specific cases of overreaching authorities, many still argue from a fundamental and constitutional standpoint that the Act should not be renewed. Some Senators are pushing for a scaled-back version of the Patriot Act (see this Wired article). The same article quotes an ACLU senior counsel’s key point: “the lack of a documented case of abuse doesn’t mean the law doesn’t violate civil liberties.”

Read the rest of this entry »

IBM has contracted with UAE CERT Telematics, the “leading technology and research organization of the United Arab Emirates” (according to their site), to develop and deploy over 100,000 automobile-monitoring systems in the next four years. The devices, according to this article at GeekCoffee, “would be installed in cars to provide a voice warning if the driver exceeds the local speed limit for wherever he may be driving. If the voice warning is ignored, the system would use a GSM/GPRS link to beam the car’s speed, identity and location to the police so that a ticket could be issued.”

There is no announcement yet as to whether these devices will be mandatory, or who will be selected for having to install the devices in their vehicles.

Read the rest of this entry »

The Privacy Commissioner of Canada has ruled that business e-mail addresses are personal information. The ruling is intended to protect people from spam at work that is not work-related. The case itself involved a local football team sending an unsolicited email to a University of Ottawa law professor. The professor asked them to remove him from their list, and the same message appeared a few days later.

Read more here.

In today’s economic and technologically advanced culture, there are two constants: (1) the amount of personal information available on the Internet is increasing, and therefore the greater the risk of identify theft; and (2) people are depending less on cash and more on credit as a way to obtain goods and services. When you combine these two factors, the risks to each individual increases dramatically. However, a concerned individual could always obtain a copy of their credit report to investigate any anamolies. Obtaining a copy of your credit report is one of the best ways to prevent and combat identity theft. Beginning last month, legally, Americans were entitled to one free credit report per year. I encourage everyone to exercise this new right and obtain their credit report.

The following article contains more information about this new law, as well as factoids about obtaining your credit report and identity theft: “Giving credit where it is due: Check out your rating“