Last year, Governor Easley proclaimed January 28th as Data Privacy Day for the state of North Carolina. This year, he proclaimed January Data Privacy Month. North Carolina, Washington, California, Oregon, Massachusetts, and Arizona have also declared January 28th to be state-wide Data Privacy Day. Last but certainly not least, Congressman David Price and Congressman Cliff Stearns introduced House Resolution 31 which was passed on January 26th with a vote of 402 to 0 to make today National Data Privacy Day in the United States. It is truly outstanding to see such strong support in the form of resolutions and proclamations.

The best way to support or celebrate Data Privacy Day is to take action. Since the goal of Data Privacy Day is to promote awareness and education about data privacy, one easy way to act is to check out all the great educational resources made available in conjunction with Data Privacy Day. For example, Google has posted about what it has done to protect privacy and increase awareness of privacy. Microsoft is holding an event tonight and has more information on data privacy on their website.

Here at The Privacy Place, we were once again pleased to have the opportunity to celebrate Data Privacy Day at Duke University by attending the panel discussion on Protecting National Security and Privacy. The panel discussion was extremely well-attended and well-received. This event had a number of sponsors, including Intel who has a fantastic website with extensive information on Data Privacy Day. If you weren’t able to make it to the panel, I would strongly encourage you to check out Intel’s site.

Lastly, Data Privacy Day is all about awareness and education, so be sure to spread the word!

[Update: Fixed the link to the House Resolution that passed on Monday.]

This season’s premiere of Grey’s Anatomy showed interns using camera phones to take pictures of their resident’s injury. This episode aired only days after a story broke about an incident at the University of New Mexico Hospital. Two employees at the University of New Mexico Hospital had used their cell phones to take pictures of patients and then posted these pictures online. These two employees were fired because these actions were a violation of the hospital’s policy.

The University of New Mexico Hospital is not the first hospital to experience problems with cell phone cameras in a hospital. In March 2008, Resnick Neuropsychiatric Hospital at UCLA banned cell phones in the hospital to protect the rights of its patients because of past incidents in the hospital. San Diego’s Rady Children’s Hospital has banned cell phones in patient areas after pictures of children were found on an employee’s phone and computer. Other hospitals have also experienced problems with employees using camera phones in ways that violate patient privacy. Although there are policies are in place, enforcement is difficult.

Privacy law in the United States is historically tied to innovations in cameras. Warren and Brandeis wrote their famous article, “The Right to Privacy,” in response to the invention of the portable “instantaneous photography.” These fears have been reborn now that most people carry cell phones with them at all times and a majority of these phones have cameras within them.

Newer phones are capable of easily sharing pictures and videos with others – regardless of location. As a result, candid pictures can be taken at unexpected times and in someone’s worst moments. For example, a customer at a grocery store recently had an embarrassing picture taken in a moment of anger after the store couldn’t process his credit card. Within moments, the picture was online and generating comments. In the article linked above, Harmon discusses the use of the candid camera phone:

“In recent weeks the devices have been banned from some federal buildings, Hollywood movie screenings, health club locker rooms and corporate offices. But the more potent threat posed by the phonecams, privacy experts say, may not be in the settings where people are already protective of their privacy but in those where they have never thought to care.”

The recent incidents with cell phone cameras at hospitals are troubling examples of why people should be concerned about privacy in places they previously “never thought to care.” Hopefully people will become more aware of cell phone use and capabilities as it relates to individuals’ privacy—not just in a hospital but everywhere.

Incognito is a user-visible feature that enables a private browsing mode. Private browsing is a relatively simple concept with tangible benefits to privacy. Under normal operation, a browser will store information about a user’s browsing history. Stored information could include sites visited, data downloaded, searches conducted, or even personal information entered. Under private browsing mode, that same browser simply doesn’t store this type of information. Essentially, a browser has no memory of what users do when private browsing is enabled.

Although private browsing is conceptually simple, it is not easy to implement because everything the browser does is affected by private browsing. Apple’s Safari browser has had a private browsing mode since version 2.0 (April 2005). Currently in version 3.1.2, Safari still is the only major browser to have a built-in private browsing mode. However, Safari’s private browsing mode isn’t perfect.

Private browsing was a planned feature for Firefox 3.0, but was dropped before the release because the developers “didn’t want to put something in that was half baked.” The Mozilla Wiki describes the current state of this feature and provides a link to a Firefox plugin called Stealther, which provides some private browsing features.

Microsoft has announced that they will include a private browsing feature, called InPrivate, in their next version of Internet Explorer. Microsoft’s effort seems to be even more ambitious than simply not storing data locally. For example, a Microsoft blog post describes a feature, called InPrivate Blocking, that would add the ability to block browsing information that would normally flow to third party sites.

Clearly, private browsing mode is not a trivial engineering task, but Chrome has some fundamental advantages over the “big three” that may simply make real private browsing easier to implement and maintain. Since Chrome will have Incognito on its first release there is less code that needs to be re-engineered to respect a private browsing mode. Also, Chrome uses a separate process for each tab, whereas a traditional browser only has a single process for all of its tabs. Multiple processes make it easier to sandbox tabs. As a result of these strict separations, it could be possible that Chrome would allow individual tabs to go “Incognito” while others act normally.

It is difficult to predict what sort of impact Chrome will have on the browser market, web application development, or Internet privacy, but if Chrome will have any impact, then it must compete with the “big three.” They are big for a reason, and a comic book isn’t going to solve that problem.

[ Update: Google has officially released Chrome at the following URL: http://www.google.com/chrome ]

VentureBeat author David P. Hamilton has been covering HealthVault. He began with an attempt to review HealthVault that ended in frustration attempting to register a password. His next post was a review of HealthVault itself. Recently he posted his thoughts regarding our coverage of HealthVault.

Our comments also received some attention from Dana Blankenhorn at ZDNet. Robin Harris, another ZDNet author, believes that HealthVault is a sick joke. ZDNet also has some screenshots of HealthVault in action for those who may not have the time to play around with the site themselves. ZDNet also has a news article about Microsoft’s efforts to get health records online.

All of the articles are well worth reading if you are concerned about the privacy implications of electronic health records.

Over the course of the past 7 years, researchers at ThePrivacyPlace.org have evaluated over 100 privacy statements for financial and healthcare web portals. In addition, we focus on evaluating the extent to which the privacy of sensitive information is protected in these systems as well as the extent to which system comply with relevant regulations.

Even though physicians and the press are excited about the introduction of these new PHR systems [1], there are questions that I urge the public to ask before entrusting their sensitive health records to any PHR system. My concerns are based on a careful evaluation of the HealthVault privacy statements [2, 3]. Microsoft appears to have sought the counsel of physicians who believe that patient consent is the best indicator of privacy protections. Unfortunately, most physicians do not understand the subtleties buried within healthcare privacy statements within the context of the software that implements those statements. For this reason, I now list three primary questions that one should ask before entrusting their health records to HealthVault or any other PHR system:

Will your health information be stored in other countries without appropriate legal oversight, skirting many of the protections afforded by the HIPAA?

The HealthVault privacy statement explicitly states that your health records may be off-shored to countries that do not afford the same privacy protections for sensitive information that we do in the United States. In particular, if information is disclosed or altered, do you have any legal recourse or remedy?

Will your health care records be merged with other personal information about you that was previously collected within the context of non-health related services?

Within the context of HealthVault, the answer to this question is yes. Microsoft explicitly states that they will merge the information they have previously collected from you via non-health related services with your HealthVault information. Moreover, it is unclear what information Microsoft already has about us other than our names and contact information and precisely what information third parties may access. Furthermore, we don’t know if that information is accurate or complete. Thus, use of the merged information may not be what we expect.

Are the access controls to your health records based not only on your consent, but also on the principle of least privilege?

Although HealthVault requires patient consent for any accesses and sharing of your health records, access controls leave the door wide open for data breaches. HealthVault enables individuals to grant access to other people and programs that can further grant read/write access to your health record. The only safeguard is a history mechanism to provide an accounting of accesses if you suspect that your information has been breached after the fact. A better approach would be for Microsoft to proactively enforce contractual obligations via audits and monitoring mechanisms.

The hype surrounding HealthVault’s privacy protections among those in the medical community must be balanced with the reality of the information security and privacy practice expressed in its public privacy statements. It is critical to address these privacy concerns in the design of PHR systems before we deploy them with vulnerabilities that will ultimately lead to yet another rash of data breaches.

References

[1] Steve Lohr. Microsoft Rolls Out Personal Health Records, New York Times, 4 October 2007.

[2] Microsoft HealthVault Search and HealthVault.com Beta Version Privacy Statement, October 2007.

[3] Microsoft HealthVault Beta Version Privacy Statement, October 2007.

Traditionally we think of privacy enhancing technologies has tools for hiding, obfuscating, and controlling disclosure. But in terms of an overall approach to privacy management we should also think about how technology can be used to creates visibility and awareness of informations security practices.

This point was made quite well recently by Harriet Pearson, VP of corporate affairs and Chief Privacy Office for IBM, in an interview with Computer World.

Ms. Pearson was asked about her opinion of the various state data breach notfication laws and the trigger language in those laws:

Q: What is your personal opinion of breach notification triggers as they exist today?

A: I have an analogy that I use. In the 1980s and the 1990s, I was an environmental lawyer, and I was in California around that time when a law called Proposition 65 was passed. What happened was California required businesses to make disclosures of the release of chemicals and stuff like that. When you are actually required to disclose those kinds of things, it changes people’s behavior. But you want to be careful and strike a reasonable balance. I don’t know exactly what the formulation of language should be. If it is too [restrictive], you are going to get too many warnings, and it’s going to result in overnotification.

Transparency changes behavior. That’s a very simple and powerful idea that is all too often overlooked by the IT security industry.

There have been some efforts to in the field of privacy enhancing technologies that help create transparency of information security practices. The Platform For Privacy Preferences is one such standard. It enables web sites to produce a machine interpretable representation of some of their information security practices. There are also emerging standards around service oriented architecture. One such standard is WS-Agreement . I’m sure there are many other examples.

One thing to keep in mind is that we often think of transparency as an external reporting tool so that the public or oversight bodies can be reasonably informed, but transparency can also be a powerful internal tool for modifying behavior. For example, if an internal department has awareness of how much and what kinds of information are being given to a business partner, they will naturally have a tendency to minimize it. As we look at new challenges in information security practices coming at us in the next few years, those of us in the technology community need to think just as much about how to use technology to raise awareness of risks and create transparency in our data handling as we do in creating technology to mitigate the risks.

The ComputerWorld article correctly points out, in my opinion, that this is an example of the rising problem of insider threats from rogue employees.

On April 6th 2006, ComputerWorld posted a story about an employee of Progressive Casualty Insurance being fired for “wrongfully accessing” sensitive and personal information. Seems the employee was looking up information about foreclosures in the employee’s local area to determine which ones the employee might want to buy. The IT groups are getting a good handle on perimeter security and how to prevent unauthorized accesses of sensitive information from outside the company’s firewalls. It’s true that we still get a steady trickle of internet based data breaches in the press. But when they happen, our conclusions are almost never, “There’s no good way to handle this.” The conclusions from stories about perimeter breaches are more likely to be along the lines of, “why didn’t they move that machine out of the DMZ?” or “why didn’t they configure X on their firewall?” In traditional perimeter security breaches, there is good broad understanding of what ought to be done. The trick is just keeping track of it all.

But for the rogue employee problem, the solutions are less clear. Indeed, the ComputerWorld story goes on to talk about a company, Reconnex, which sells a network appliance which “sits at [a company's] network-egress points . . . and monitors traffic to ensure that confidential information doesn

In April 2004, President Bush asked the IT industry to build a system that would provide every citizen of the United States with an electronic health record (EHR) that could be accessed from any location by 2014. He appointed Dr. Brailer (national coordinator for Health Information Technology for the Department of Health and Human Services) to coordinate this effort and establish the Nationwide Health Information Network (NHIN).

In December 2005, Dr. Brailer’s office awarded $18.6 million in contracts to four consortia led by IBM, Computer Science Corporation, Accenture and Northrop Grumman to develop prototype architectures for the NHIN. Each group consists of developers, hospitals, laboratories, pharmacies and physicians who must prove that EHRs can be exchanged across different health organizations.

In a similar effort to build such data interchange networks, Connecting for Health, a public-private collaborative led by the Markle Foundation, developed a prototype system (which will release in Spring 2006) that was successful in exchanging thousands of health records from three independently developed regional records systems (California, Massachusetts and Indiana). These three independently developed health systems had no common architecture but were able to apply the common framework developed by Connecting for Health for the exchange of records.

Seeing such successful projects, we can be rest assured that our federal money is being utilized efficiently and in the right direction.

I was reminded about data minimization recently when I tried for the first time a service from my credit card company, virtual credit card numbers. With so many people experiencing credit card fraud online, I’m surprised more people aren’t using virtual credit card numbers. They are a great way to minimize the disclosures of your real credit card to others. So I thought I’d share my experience with the service so far.

Virtual credit card numbers are valid credit card numbers that can be used for only one transaction. You use them exactly like a regular credit card when making an online purchase and it is linked to your real credit card and shows up on your credit card statement just like normal. As far as an online vendor is concerned, a virtual credit card number is exactly like your real credit card number.

So today I wanted to buy some touch up paint for my TSX. Found a vendor online. Never heard of them. Seemed like a mom ‘n pop kinda operation. So I decided to try it out. I followed the check out process all the way up to the point where it asked me for the billing information. Then I opened up a separate browser window and went to my credit card company site. (I use citicards.com but I believe other credit card vendors have similar services.) I logged on to the credit card site and went through a brief one-time set up wizard. Then it let me into the virtual CC site and I clicked a button and it generated a CC number for me. It was early January 2006 when I was making my purchse and the CC number expired in February 2006, so it was only valid for about 60 days, unlike my regular card which was scheduled to expire much later. It also told me the credit card verification number and then it also showed my billing name, address, etc which I had on file so I could enter all the right info on the vendors web site.

So I copied all that information into the appropriate fields on the touch up paint vendor’s site and submitted my order. It took the virtual card number just fine.

There is also a section on the virtual credit card web site where you can list all the virtual card numbers you have and the transactions that were done with those numbers.

Anyway, it’s a bit of extra pain. At first I thought I would only use virtual credit card numbers with web site vendors that don’t have well established brand names and reputations. But as I began to get the hang of generating the virtual credit card numbers, it added less than 2 minutes to the overall amount of time it takes me to complete an online transaction. For me, that extra two minutes is well worth the peace of mind knowing that even if the vendor’s site gets hacked, they can’t steal my credit card number becuase it simply isn’t there and the credit card number that _is_ on the site was invalid as soon as it was used by the vendor to charge me for my order.

Your mileage may vary of course, but it works for me.