Google recently announced their new open source browser, called Chrome, via a comic book. Although slated for release sometime today, the link mentioned in the comic book (http://www.google.com/chrome) appears to be down is now up! The 38-page comic book is surprisingly informative, mildly entertaining, and certainly a unique way to release a new product, but don’t let the playfulness of the announcement fool you. Chrome has many important features, including a privacy-enhancing feature called “Incognito.”

Incognito is a user-visible feature that enables a private browsing mode. Private browsing is a relatively simple concept with tangible benefits to privacy. Under normal operation, a browser will store information about a user’s browsing history. Stored information could include sites visited, data downloaded, searches conducted, or even personal information entered. Under private browsing mode, that same browser simply doesn’t store this type of information. Essentially, a browser has no memory of what users do when private browsing is enabled.

Although private browsing is conceptually simple, it is not easy to implement because everything the browser does is affected by private browsing. Apple’s Safari browser has had a private browsing mode since version 2.0 (April 2005). Currently in version 3.1.2, Safari still is the only major browser to have a built-in private browsing mode. However, Safari’s private browsing mode isn’t perfect.

Private browsing was a planned feature for Firefox 3.0, but was dropped before the release because the developers “didn’t want to put something in that was half baked.” The Mozilla Wiki describes the current state of this feature and provides a link to a Firefox plugin called Stealther, which provides some private browsing features.

Microsoft has announced that they will include a private browsing feature, called InPrivate, in their next version of Internet Explorer. Microsoft’s effort seems to be even more ambitious than simply not storing data locally. For example, a Microsoft blog post describes a feature, called InPrivate Blocking, that would add the ability to block browsing information that would normally flow to third party sites.

Clearly, private browsing mode is not a trivial engineering task, but Chrome has some fundamental advantages over the “big three” that may simply make real private browsing easier to implement and maintain. Since Chrome will have Incognito on its first release there is less code that needs to be re-engineered to respect a private browsing mode. Also, Chrome uses a separate process for each tab, whereas a traditional browser only has a single process for all of its tabs. Multiple processes make it easier to sandbox tabs. As a result of these strict separations, it could be possible that Chrome would allow individual tabs to go “Incognito” while others act normally.

It is difficult to predict what sort of impact Chrome will have on the browser market, web application development, or Internet privacy, but if Chrome will have any impact, then it must compete with the “big three.” They are big for a reason, and a comic book isn’t going to solve that problem.

[ Update: Google has officially released Chrome at the following URL: http://www.google.com/chrome ]

by Jessica Young and Annie I. Antón

On May 19, 2008, Google launched Google Health [1], a new Personal Health Record (PHR) web portal that allows patients to gather and organize their medical records while keeping their physicians up to date about their health condition. As with other PHRs, like Microsoft’s HealthVault, Google Health does not appear to be covered by federal or state health privacy laws. According to the Google Health Terms of Service, Google is not a “covered entity” as defined in the Health Insurance Portability and Accountability Act (HIPAA); as such, “HIPAA does not apply to the transmission of health information by Google to any third party” [2].

Researchers at ThePrivacyPlace.org have evaluated privacy policies and privacy breaches since its founding in 2001. In particular, The Privacy Place researchers are addressing the extent to which information is protected in financial and health care systems that must comply with relevant laws and regulations.

Google Health is not a covered entity as defined in HIPAA. Thus, any personal health data that you submit to Google Health will not be afforded the same legal protections required of health care providers under HIPAA. Until state and federal agencies establish and enforce laws to protect the privacy of personal health records maintained by non-covered entities, individuals should carefully consider the risks involved in submitting sensitive health information to Google Health and other PHRs such as HealthVault. PHRs are not subject to the same privacy and security laws to which traditional medical records are subject to in the United States.

As with our analysis of Microsoft’s HealthVault [3] in October 2007, we encourage patients to carefully consider and question the privacy practices as articulated in the Google Health privacy policy, terms of service, and frequently asked questions. To further explore this new service, we analyzed and evaluated the protections and vulnerabilities involved in using Google Health. The Google Health Help Center provides a link and U.S. Postal Address—but no other contact method, such as email address or phone number —for users to submit a “Question About Privacy” [4]; clicking on this link displays a web page with a form for inquiries that states, “[w]e hope this information [Privacy Policy] will help you make an informed decision about sharing your personal information with us” [5]. Unfortunately, Google has been unresponsive to our questions regarding its Google Health privacy policy.

We sent four questions regarding Google Health’s privacy practices via the Google Health Help Center [5] on May 23, 2008. On June 4, 2008, we submitted the same four questions but this time via Google’s Web Search Help Center [6], where users are invited to submit questions specifically about Google’s privacy practices. It has been over three weeks since our first inquiry and we have yet to receive a response of any kind to any of our questions. Patients are concerned about the privacy of their health information [7]. A lack of prompt replies to questions regarding health privacy is disconcerting and suggests that privacy is not a priority for those managing Google Health or manning the Google Help Center.

We focused on three questions of Microsoft’s HealthVault in our previous analysis [3]. Here we examine these same three questions within the context of Google Health.

Will your health information be stored in other countries without appropriate legal oversight, skirting many of the protections afforded by the HIPAA?

The three Google Health privacy-related documents provide no insights about where personal health information will be stored. As we received no answers to our inquiries to the Google Health Help Center, we turned to the general Google Privacy Policy, which states, “Google processes personal information on our servers in the United States of America and in other countries” [8]. Users should always be concerned about the location of their data because different countries have different data protection standards and laws. If your data is breached in some way, the physical location of the server on which it was stored will affect the recourses that will be available to you.

Will your health care records be merged with other personal information about you that was previously collected within the context of non-health related services?

No, according to the documents we reviewed. Google Health’s Privacy Policy states: “The [record] log information will be used to operate and improve service and will not be correlated with your use of other Google services” [9]. This is also addressed in the FAQ by the statement that “no personal or medical information in your Google Health profile is used to customize your Google.com search results or used for advertising” [10]. At this point in time, it appears that Google Health information will not be merged with information from other Google services without your consent.

Are the access controls to your health records based not only on your consent, but also on the principle of least privilege?

Google Health allows users to grant read/write access to their information to other third-party sites and/or individuals. The Google Health Privacy Policy states: “you [as a Google Health user] can revoke sharing privileges at any time. When you revoke someone’s ability to read your health information, that party will no longer be able to read your information, but may have already seen or may retain a copy of the information” [9]. Thus, users should determine their access control rules as soon as possible when setting up their accounts. Access control rules and the ability to change these rules become immaterial once private health information reaches an unauthorized or unintended agent. Google is not clearly implementing the principle of least privilege, because it appears that others may be able to grant read/write access to your health information, leaving the door open for data breaches.

References

[1] Google Health.

[2] Google Health Terms of Service, April 28, 2008

[3] A.I. Antón. Is That Vault Really Protecting Your Privacy?, ThePrivacyPlace.org Blog, October 9, 2007.

[4] Google Health Help Center Contacting Support page.

[5] Google Health Help Center Contact Us [Question about privacy] page.

[6] Google Web Search Help Center.

[7] National Consumer Health Privacy Survey, California Health Care Foundation, 2005.

[8] Google Privacy Policy, October 14, 2005.

[9] Google Health Privacy Policy, no date provided.

[10] Google Health Frequently Asked Questions, no date provided.

ThePrivacyPlace is pleased to announce that we are moving to a new hosting provider and will be revamping our site to make it more informative. Please bear with us as we work to provide better service!

ThePrivacyPlace.org is pleased to announce that Peter Swire, a law professor at Ohio State University, and Annie Antón, a computer science professor at North Carolina State University, have co-authored comments to the Federal Trade Commission regarding Online Behavioral Advertising. The FTC has requested comments for its Proposed Self-Regulatory Principles for Online Behavioral Advertising. Professor Swire and Professor Antón’s comments examine the technical steps necessary to achieve consumer control. Their comments are available on the Center for American Progress website.

ThePrivacyPlace.org is pleased to announce that our latest privacy policy has gone live. You can see the new privacy policy here. You may also be interested in seeing a summary of changes from our previous version or perhaps older versions of the privacy policy.

Researchers at ThePrivacyPlace.Org are still conducting an online survey about individuals’ experience with and perceptions of authentication technologies. The survey was released last August and is supported by an NSF ITR grant (National Science Foundation Information Technology Research). Your participation will help us with our investigations regarding digital identities. It will take about 15 to 20 minutes to complete the survey.

As a way of saying thank you for taking the time to complete our survey, we are also offering the chance to enter a drawing for one of two $50 Amazon gift certificates.

The URL is: http://www.theprivacyplace.org/current-survey/

The results will be posted on ThePrivacyPlace.org later in 2008.

Coinciding with the Duke Law School Data Privacy Conference, this Monday, January 28th, is officially Data Privacy Day by proclamation of the Governor of North Carolina. Please take the day to raise awareness and educate your colleagues about the importance of data privacy in all areas of information technology. Alternatively, as Governor Easley, suggests you can “observe the day with appropriate ceremonies and activities that promote awareness of data privacy.”

On Monday January 28, 2008, the Duke University School of Law will be sponsoring Data Privacy in Transatlantic Perspective: Conflict or Cooperation? The event will focus on the privacy differences between the United States and Europe. The all-day conference will include internationally recognized privacy experts from government and industry discussing the history of privacy, consumer privacy concerns, national security as it affects privacy and how global data flows interact with national privacy standards. Dr. Annie Antón, director of ThePrivacyPlace.org, will be a panelist on panel 2: Consumer Privacy through Notice and Consent.

Our recent coverage of HealthVault has received some attention from other news outlets.

VentureBeat author David P. Hamilton has been covering HealthVault. He began with an attempt to review HealthVault that ended in frustration attempting to register a password. His next post was a review of HealthVault itself. Recently he posted his thoughts regarding our coverage of HealthVault.

Our comments also received some attention from Dana Blankenhorn at ZDNet. Robin Harris, another ZDNet author, believes that HealthVault is a sick joke. ZDNet also has some screenshots of HealthVault in action for those who may not have the time to play around with the site themselves. ZDNet also has a news article about Microsoft’s efforts to get health records online.

All of the articles are well worth reading if you are concerned about the privacy implications of electronic health records.