Archive for 'Legislation'

Is That Vault Really Protecting Your Privacy?

Tuesday, October 9th, 2007

Last week, Microsoft announced a new PHR (Patient Health Records) system called HealthVault. HealthVault is a web-based portal that enables end-users to upload their health records on the web. Unfortunately, what people don’t realize is that HealthVault and similar PHR systems are not subject to or governed by law. When the Health Insurance Portability and Accountability Act (HIPAA) was enacted, we did not envision that private software firms would eventually want to create databases for our health records. As a result, HealthVault and other PHR systems are not subject to the same privacy and security laws to which traditional medical records are subject in the United States, because they are not “covered entities” as specified in the HIPAA.

Over the course of the past 7 years, researchers at ThePrivacyPlace.org have evaluated over 100 privacy statements for financial and healthcare web portals. In addition, we focus on evaluating the extent to which the privacy of sensitive information is protected in these systems, as well as the extent to which the systems comply with relevant regulations.

Even though physicians and the press are excited about the introduction of these new PHR systems [1], there are questions that I urge the public to ask before entrusting their sensitive health records to any PHR system. My concerns are based on a careful evaluation of the HealthVault privacy statements [2, 3]. Microsoft appears to have sought the counsel of physicians who believe that patient consent is the best indicator of privacy protections. Unfortunately, most physicians do not understand the subtleties buried within healthcare privacy statements within the context of the software that implements those statements. For this reason, I now list three primary questions that one should ask before entrusting their health records to HealthVault or any other PHR system:

Will your health information be stored in other countries without appropriate legal oversight, skirting many of the protections afforded by the HIPAA?

The HealthVault privacy statement explicitly states that your health records may be off-shored to countries that do not afford the same privacy protections for sensitive information that we do in the United States. In particular, if information is disclosed or altered, do you have any legal recourse or remedy?

Will your health care records be merged with other personal information about you that was previously collected within the context of non-health related services?

Within the context of HealthVault, the answer to this question is yes. Microsoft explicitly states that they will merge the information they have previously collected from you via non-health related services with your HealthVault information. Moreover, it is unclear what information Microsoft already has about us other than our names and contact information and precisely what information third parties may access. Furthermore, we don’t know if that information is accurate or complete. Thus, use of the merged information may not be what we expect.

Are the access controls to your health records based not only on your consent, but also on the principle of least privilege?

Although HealthVault requires patient consent for any access to or sharing of your health records, its access controls leave the door wide open for data breaches. HealthVault enables individuals to grant access to other people and programs, who can in turn grant read/write access to your health record to others. The only safeguard is a history mechanism that provides an accounting of accesses, so that you can investigate after the fact if you suspect that your information has been breached. A better approach would be for Microsoft to proactively enforce contractual obligations via audits and monitoring mechanisms.
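To make the least-privilege point concrete, here is a small delegation model written for this post (it is not HealthVault’s code, and the principals, rights and record structure are assumptions). It contrasts the open model criticised above, in which any holder of read/write access may pass it on, with an attenuating model in which re-delegation must itself be granted by the patient and can never hand out more than the grantor holds. Both keep the history log the post mentions.

```python
# Added example, not from the post or from HealthVault: a toy model of
# delegated access to one health record, with an access history.
from dataclasses import dataclass, field

RIGHTS = {"read", "write", "delegate"}  # assumed right names


@dataclass
class Record:
    owner: str                                   # the patient
    grants: dict = field(default_factory=dict)   # principal -> set of rights
    history: list = field(default_factory=list)  # accounting of every action

    def __post_init__(self):
        self.grants[self.owner] = set(RIGHTS)    # owner holds everything

    def rights_of(self, who):
        return self.grants.get(who, set())

    def delegate(self, grantor, grantee, rights, least_privilege=True):
        """grantor hands a subset of rights to grantee.
        least_privilege=False: the open model, anyone holding read or
        write may re-grant freely.  least_privilege=True: grantor must
        hold 'delegate' and may only pass on rights it actually holds."""
        rights = set(rights)
        held = self.rights_of(grantor)
        if least_privilege:
            ok = "delegate" in held and rights <= held
        else:
            ok = bool(held & {"read", "write"})
        self.history.append(("delegate", grantor, grantee,
                             tuple(sorted(rights)), ok))
        if ok:
            self.grants[grantee] = self.rights_of(grantee) | rights
        return ok

    def access(self, who, right):
        ok = right in self.rights_of(who)
        self.history.append(("access", who, right, ok))
        return ok


def open_model():
    """Consent given once to a physician; the chain then grows on its own."""
    r = Record("patient")
    r.delegate("patient", "physician", {"read", "write"}, least_privilege=False)
    r.delegate("physician", "app", {"read", "write"}, least_privilege=False)
    r.delegate("app", "marketer", {"read", "write"}, least_privilege=False)
    return r.access("marketer", "write")  # True: nobody asked the patient


def least_privilege_model():
    """Physician gets read/write but not 'delegate'; app needs the patient."""
    r = Record("patient")
    r.delegate("patient", "physician", {"read", "write"})
    via_physician = r.delegate("physician", "app", {"read"})  # refused
    via_patient = r.delegate("patient", "app", {"read"})      # consented
    return via_physician, via_patient, r.access("app", "read"), r.access("app", "write")
```

The history list is what an after-the-fact audit would read; the point of the attenuating rule is that the marketer never gets into the log in the first place.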

The hype surrounding HealthVault’s privacy protections among those in the medical community must be balanced with the reality of the information security and privacy practice expressed in its public privacy statements. It is critical to address these privacy concerns in the design of PHR systems before we deploy them with vulnerabilities that will ultimately lead to yet another rash of data breaches.

References

[1] Steve Lohr. Microsoft Rolls Out Personal Health Records, New York Times, 4 October 2007.

[2] Microsoft HealthVault Search and HealthVault.com Beta Version Privacy Statement, October 2007.

[3] Microsoft HealthVault Beta Version Privacy Statement, October 2007.

Is Simplicity the Key to Privacy?

Friday, February 24th, 2006

While doing a literature search, I ran across an interesting news article. According to this article, Representative Ed Markey (D-MA) is introducing a bill called “Eliminate Warehousing of Consumer Internet Data Act of 2006”. One of the more compelling notions behind this bill is that of deleting data after use. I wonder: could this be a key component to protecting privacy?

Think about it. Even if a company used your information, if they had to delete it afterwards, wouldn’t your privacy most likely be preserved? Furthermore, if they used it to transfer to someone else, and that person is bound by the same law, the same logic would follow. The recipient of the transfer could use your information for its intended purpose and then they must delete it. Granted, there would need to be stringent guidelines for what constitutes “intended use”.

If we were to accept this approach, we would no longer have the staggering number of ubiquitous data warehouses full of our private information, and companies such as ChoicePoint and Acxiom would not be selling our information to other vendors.

This sounds like a nice idea, but would such a bill ever be passed? Would politicians be able to withstand the lobbying power of organizations seeking to bar such legislation from being passed?

This certainly isn’t a complete solution to our privacy woes, but it is a simple idea that may be a step in the right direction. Read more in Markey’s press release.

Diebold certified despite inability to comply with NC law

Monday, December 5th, 2005

A previous blog entry discussed Diebold’s struggles with the latest electronic voting law passed in North Carolina. The situation then was that Diebold said it could not meet the law’s requirements, and its efforts in seeking an exemption had been dismissed. On Friday, December 2, the North Carolina Board of Elections nevertheless certified Diebold as one of three approved vendors for the state, despite Diebold’s admitted inability to comply with the law.

The EFF, which had fought Diebold’s attempts at an exemption in court, immediately posted its criticism of the board’s decision. An EFF attorney is quoted as saying: “In August, the state passed tough new rules designed to ensure transparency in the election process, and the Board simply decided to take it upon itself to overrule the legislature. The Board’s job is to protect voters, not corporations who want to obtain multi-million dollar contracts with the state.” The position of the North Carolina Board of Elections is that none of the electronic voting machine vendors could fully meet the requirements, so the board simply loosened the standards regarding source code escrow. The EFF disputes this claim, however, saying that at least one of the other vendors “has publicly stated that it is capable of meeting the escrow requirement for the code used in its system.”

A C|Net article quotes an advisor to the board as saying that “the Board of Elections decided at the last minute that it would allow the companies to be certified as long as they provided the state with the outside escrow locations of all the codes” - a requirement that must be met by December 22. This advisor to the board further says: “This is an extra step the board has decided to put in to strengthen the law that we have to work with.” I find this statement to be very inaccurate and unfortunate - how can making an exception and an end-run around the law possibly strengthen it?

The Baltimore Sun put up a well-reasoned editorial on the general concerns with electronic voting companies. Their conclusion: “Most nations do not use private companies to count their national election results; if the United States must, it had better make sure the voting, counting and transmission of poll data are as transparent and auditable - at every point - as possible.”

Diebold pulls out of North Carolina market

Thursday, December 1st, 2005

Earlier this year, the North Carolina legislature passed a bill that sets up standards for voting equipment used in elections. The bill sets out to “restore public confidence in the election process”. The law outlines many vendor responsibilities in Section 2.(a), including that “the vendor shall place in escrow with an independent escrow agent approved by the State Board of Elections all software that is relevant to functionality, setup, configuration, and operation of the voting system, including, but not limited to, a complete copy of the source and executable code…” as well as including “a list of programmers responsible for creating the software”. The penalties for violating the bill include a felony charge and a civil penalty of up to $100,000 per violation.

The new state law has led to Diebold threatening to pull out of the state, because it cannot meet these openness requirements. Diebold originally sought an exemption, via an injunction guarding against prosecution as well as a reinterpretation of the law that would exclude Diebold’s situation. According to this AP article, Diebold claims that it cannot provide the source code or the list of programmers for Windows, on which its voting machines are based. The EFF was involved in the case to thwart Diebold’s exemption; the EFF details its involvement and links to its legal brief here.

I find Diebold’s position confusing and questionable in this situation. To say that they cannot comply with the state law means that they are either unwilling to comply, find it overly difficult to do so, or actually find it impossible to meet the requirements. If the first or second case is true, then Diebold is simply making a business decision not to compete in North Carolina. If, however, compliance is actually impossible, then one wonders how Diebold is still able to do business in California, where the Elections Code requires “an exact copy of the source code” for voting machines be provided to the state. Is the North Carolina market simply not worth it to Diebold?

North Carolina is supposed to announce today the list of approved vendors for electronic voting machines that meet the new law’s requirements.

Can Your Google Searches Incriminate You?

Tuesday, November 22nd, 2005

Slashdot posted a blurb about a Raleigh, NC WRAL.com news article detailing how a Google search has been used in a criminal case. Apparently, the defendant searched Google for the words “neck”, “snap”, “break”, and “hold” before the death of his wife. The evidence was found on the defendant’s computer after a search of his home.

The Slashdot poster asks questions such as: “Should police be able to search through your search history for ‘questionable’ searches before you’ve been arrested for a crime, and what effect would this have on the health of society?”

It seems to me that the debate here is about the confidentiality of your online activities and whether the lack thereof would compromise the health of society. Personally, I believe that, with probable cause and a warrant, Google searches and search histories are fair game. It seems no different than rifling through your videotapes, mail, and magazines to see what you’ve been reading about lately. If all of these media are admissible, I don’t see why Google searches wouldn’t be. The fact that it is in digital form and easily accessible would seem irrelevant.

As privacy researchers, we are interested in protecting the rights of individuals. However, this must be tempered with common sense and an overarching goal of benefiting society. In this case, it seems that this particular invasion of privacy is legal and probably just.

Read more about the article and commentary here.

Wiretapping on the Internet: the government seeks greater access

Friday, November 11th, 2005

Every communications medium brings with it the potential for misuse, and the government has always been eager to have some sort of ‘backdoor’ access into that medium so as to avoid being left in the dark. Sometimes the only way to catch criminals/terrorists in the act has been to tap their communications - be it on traditional phone lines, cell phones, or email. Now with the recent surge in VoIP (Voice over IP) usage, the government once again seeks to ensure its ability to ‘tap the lines’ and monitor any suspected criminal activity.

CALEA, the Communications Assistance for Law Enforcement Act, came into effect 11 years ago as a way for the federal government to wiretap ‘telecommunications carriers’; the government now wants to expand that act’s coverage to include VoIP providers and ISPs carrying VoIP traffic. The current push is to get CALEA extended in full force to Internet phone traffic in the next 18 months. A new C|Net article details the government’s position, as well as some of the challenges being raised to this expansion. The challenges, however, largely focus on seeking exemptions for particular groups, such as universities, from having to add such backdoors to their systems.

Upon some basic review, it seems that the government’s position is a difficult one to maintain. The desire for wiretapping is understandable: in theory, wiretapping is reserved for when the government cannot gather evidence in other ways but has verifiable suspicion of wrongdoing. Granting exemptions to several groups may, however, simply result in criminals using those systems for their activities; if all universities are exempt from providing backdoor access to their systems, then surely those networks would be the logical place to conduct (illegal) business. From a privacy perspective, in gaining this expansion the government would be extending a very broad net of backdoor access to Internet traffic. It is also unclear whether CALEA was ever meant to extend into the online world. An earlier C|Net article covered many of the privacy and legal arguments raised by VoIP providers and concerned advocacy groups.

Microsoft Calls for National Privacy Law

Tuesday, November 8th, 2005

According to a Washington Post article, in an eight-page document released on Capitol Hill today, Microsoft outlined a series of steps it would like to see Congress take to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information.

To many of us, this is shocking news. However shocking, though, it is good news for privacy advocates. Microsoft is proposing that data keepers notify consumers when the institution’s privacy policy has changed, and that users be able to view the information that companies hold about them. If such legislation is enacted, and if no provisions are written in to prevent it, consumers could query data keepers such as ChoicePoint about what information they have aggregated about them.

Personally and professionally, I believe this would be a step in the right direction and a victory for privacy advocates. It also helps that a large company such as Microsoft is advocating on our behalf. Maybe now that the corporations are lining up, Congress will listen to us.

Missouri Insurance Consumers Overwhelmingly Choose To Keep Personal Information Private

Thursday, October 6th, 2005

Missouri governor Matt Blunt signed an insurance audit bill, HB 388, on July 12, 2005 that requires the Missouri Department of Insurance to modify the consumer complaint form to include a provision in which consumers can authorize the public release of their file. The bill took effect in September 2005. Of the 377 complaints filed with the department during the first month, 334 consumers chose not to authorize the release of any information. That is an overwhelming 90 percent of insurance consumers who chose to keep their personal information confidential. The new law allows consumers who file a complaint with the state about their insurance company to prevent disclosure of their personal information, including healthcare details. Prior to the new law, Missouri

Curry’s DNA fight with Bulls ‘bigger than sports world’

Wednesday, October 5th, 2005

The Chicago Bulls asked NBA player Eddy Curry to provide a DNA sample for testing his genetic makeup before signing a one-year $5M contract with the Bulls. Curry’s lawyer Alan Milstein says this is an invasion of Curry’s privacy and that the implications could go beyond the sports world. “Hand that information to an employer,” he said, “and imagine the implications. If the NBA were to get away with it, what about everyone else in this country looking for a job.” Read the whole story.

Phishing: punishable by fines (in CA)

Tuesday, October 4th, 2005

California’s governor signed a new anti-phishing bill into law on September 30, 2005. The law “makes it unlawful for any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business” (quoted from Information Week). This law establishes a general rule for penalties in phishing cases: the government can fine convicted phishers for up to $2,500 per violation, while victims can either pursue actual damages or up to $500,000 per violation (whichever is greater).

Phishing is still a growing problem, according to an earlier PC World article and groups such as the Anti-Phishing Working Group. Gartner research indicates that, “between May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered phishing losses valued at $929 million” (quoted from a CSO Online discussion). Clearly phishing is a growing and very real problem, but it remains to be seen whether legislative efforts like the new CA law will have any substantial effect. A PC World article notes that the new law may have a symbolic effect in raising awareness of the issue, and could have real impact starting with the first few phishers that are actually convicted and fined under the law’s provisions.