BIG Oil. Big Food. Big Pharma.
By Natasha Singer, NYTimes, April 30, 2011
To the catalog of corporate "bigs" that worry a lot of us little people, add this: Big Data. It was not a good week for those who guard their privacy. First, we learned that Apple and Google have been using our smartphones to collect location data. Then Sony acknowledged that its PlayStation network had been hacked — the latest in a string of troubling data breaches. You'd have to be living off the grid not to realize that just about everything there is to know about you — what you buy, where you go — is worth something to someone. And the more we live online, the more companies learn about us.
But to what extent do others have a right to share and sell that information? That is the crux of a data-mining case that had arguments last Tuesday before the Supreme Court. The case, Sorrell v. IMS Health, is ostensibly about medical privacy: Vermont passed a law in 2007 that lets each doctor decide whether pharmacies can, for marketing purposes, sell prescription records linking him or her by name to the kinds and amounts of drugs prescribed. State legislators passed the law after the Vermont Medical Society said that such marketing intruded on doctors and could exert too much influence on prescriptions.
But three health information firms, including IMS Health and Verispan, along with a pharmaceutical industry trade group, challenged the law, saying it restricted commercial free speech. Access to prescription records, IMS Health says, helps pharmaceutical companies market efficiently to doctors whose patients would most benefit from specific drugs. Now the justices are to decide whether the Vermont law is constitutional.
But with the recent headlines about privacy invasion — the PlayStation hack followed a recent breach at the online marketing company Epsilon that exposed e-mail addresses of customers of Citibank, Walgreens, Target and other companies — the Vermont case is tapping into a much broader conversation about consumer protection and informed consent.
The case raises questions about who is collecting, managing, storing, sharing and selling all that data. Just as important, privacy advocates say, it raises questions about whether data brokers are adequately safeguarding it.
People generally don't have much control over who collects and sells information about them. Moreover, says Christopher Calabrese, a legislative counsel at the American Civil Liberties Union, they also don't even know the names of the data brokers who compile those electronic profiles. And, so, consumer advocates are setting their sights on Big Data.
"Without government intervention, we may soon find the Internet has been transformed from a library and playground to a fishbowl," Mr. Calabrese testified in March during a Senate hearing on consumer privacy, "and that we have unwittingly ceded core values of privacy and autonomy."
There are a few laws, like the Video Privacy Protection Act, that prohibit businesses from releasing personally identifiable records, like video rental histories, without customer consent. The Digital Advertising Alliance, a coalition of online marketing groups, introduced a program last year that notifies consumers about online tracking and allows them to opt out of advertising tailored to them. The Vermont law amounts to a kind of do-not-call option for doctors who may welcome visits from pharmaceutical sales reps but don't want drug marketing based on their own prescription records.
That marketing practice is possible because pharmacies, which are required by law to collect detailed information about prescriptions they fill, can sell doctor-specific prescription records to data brokers. (According to federal privacy regulations, personal information about patients, like names and addresses, must be removed before the records can be sold for marketing.) Firms like IMS Health then combine the records, and pharmaceutical reps often use them to tailor presentations to individual doctors.
The central concern is privacy — of both doctors and their patients. While pharmacies remove the names of patients before selling the records, those names are replaced with unique codes that track patients over time from doctor to doctor, according to the Vermont complaint. That means data firms could create a profile that includes a person's prescriptions as well as the names of the pharmacies and dates at which the person picked up the medications, says Latanya Sweeney, a visiting professor of computer science at Harvard.
"It ends up building a detailed prescription profile of individuals," says Professor Sweeney, whose research on data re-identification was cited by several briefs in the case. "Those extended profiles tend to be very unique."
The concern, she says, particularly in a small state like Vermont, is that a nameless prescription record could theoretically be enough to identify someone who might not want others to know that he takes, say, anti-depressants. Moreover, Professor Sweeney argues, data miners could collate those files with public information, like voter registration and hospital discharge records, to link prescriptions to specific people.
Federal health privacy regulation, she says, does not protect patient records once they have been de-identified. Nor does the law prohibit re-identification. But IMS Health says it isn't aware of any case of re-identifying patients whose prescription records were de-identified in accordance with federal rules. The company says it doubly encrypts each patient's identity and gives the encryption keys to several third parties — meaning that no single entity can decode a file by itself, says Kimberly Gray, chief privacy officer at IMS Health.
The company typically sells combined reports that show how many patients received a certain drug from a certain doctor, but not the specific drugstores those patients frequent, Ms. Gray says. IMS never uses public information or outside data sets to try to re-identify patients, she says, and when it does provide encoded patient histories to others for research purposes, it prohibits those third parties from making such attempts. "We would never want to re-identify someone," Ms. Gray says. "No good can come from that."
Still, it is hard to prevent people from trying to re-identify patients, says Lee Tien, a staff lawyer at the Electronic Frontier Foundation, a digital civil liberties group that filed a brief in support of Vermont. It would be easier, he says, if Congress passed a law that went further than Vermont's, giving people the right to consent before their encrypted prescription records were sold for marketing purposes. "In Vermont, the doctor can decide," Mr. Tien says. "But we'd prefer it if the patient were able to say, 'Don't sell my data.' "