Friday, September 23, 2011

Old data learns new tricks: Managing patient security and privacy on a new data-sharing playground

Data is quickly becoming one of the health industry’s most treasured commodities. Yet, health organizations are acutely aware that sensitive data can be easily compromised. In just the last year and a half, a breach of personal health information occurred, on average, every other day. Breaches erode productivity and patient trust. They’re costly, unpredictable, and unfortunately quite common. More than half of healthcare organizations surveyed by PwC have had at least one privacy/security-related issue in the last two years.

· Download: Old data learns new tricks (1.24mb)
· Download: Old data learns new tricks: Chart pack (58kb)

Monday, September 19, 2011

NYTimes on ID

Call It Your Online Driver’s License


Consumers who still pay bills via snail mail. Hospitals leery of making treatment records available online to their patients. Some state motor vehicle registries that require car owners to appear in person — or to mail back license plates — in order to transfer vehicle ownership.

But the White House is out to fight cyberphobia with an initiative intended to bolster confidence in e-commerce.

The plan, called the National Strategy for Trusted Identities in Cyberspace and introduced earlier this year, encourages the private-sector development and public adoption of online user authentication systems. Think of it as a driver’s license for the Internet. The idea is that if people have a simple, easy way to prove who they are online with more than a flimsy password, they’ll naturally do more business on the Web. And companies and government agencies, like Social Security or the I.R.S., could offer those consumers faster, more secure online services without having to come up with their own individual vetting systems.

“What if states had a better way to authenticate your identity online, so that you didn’t have to make a trip to the D.M.V.?” says Jeremy Grant, the senior executive adviser for identity management at the National Institute of Standards and Technology, the agency overseeing the initiative.

But authentication proponents and privacy advocates disagree about whether Internet IDs would actually heighten consumer protection — or end up increasing consumer exposure to online surveillance and identity theft.

If the plan works, consumers who opt in might soon be able to choose among trusted third parties — such as banks, technology companies or cellphone service providers — that could verify certain personal information about them and issue them secure credentials to use in online transactions.

Industry experts expect that each authentication technology would rely on at least two different ID confirmation methods. Those might include embedding an encryption chip in people’s phones, issuing smart cards or using one-time passwords or biometric identifiers like fingerprints to confirm substantial transactions. Banks already use two-factor authentication, confirming people’s identities when they open accounts and then issuing depositors with A.T.M. cards, says Kaliya Hamlin, an online identity expert known by the name of her Web site, Identity Woman.

The system would allow Internet users to use the same secure credential on many Web sites, says Mr. Grant, and it might increase privacy. In practical terms, for example, people could have their identity authenticator automatically confirm that they are old enough to sign up for Pandora on their own, without having to share their year of birth with the music site.

The Open Identity Exchange, a group of companies including AT&T, Google, Paypal, Symantec and Verizon, is helping to develop certification standards for online identity authentication; it believes that industry can address privacy issues through self-regulation. The government has pledged to be an early adopter of the cyber IDs.

But privacy advocates say that in the absence of stringent safeguards, widespread identity verification online could actually make consumers more vulnerable. If people start entrusting their most sensitive information to a few third-party verifiers and use the ID credentials for a variety of transactions, these advocates say, authentication companies would become honey pots for hackers.

“Look at it this way: You can have one key that opens every lock for everything you might need online in your daily life,” says Lillie Coney, the associate director of the Electronic Privacy Information Center in Washington. “Or, would you rather have a key ring that would allow you to open some things but not others?”

Even leading industry experts foresee challenges in instituting across-the-board privacy protections for consumers and companies.

For example, people may not want the banks they might use as their authenticators to know which government sites they visit, says Kim Cameron, whose title is distinguished engineer at Microsoft, a leading player in identity technology. Banks, meanwhile, may not want their rivals to have access to data profiles about their clients. But both situations could arise if identity authenticators assigned each user with an individual name, number, e-mail address or code, allowing companies to follow people around the Web and amass detailed profiles on their transactions.

“The whole thing is fraught with the potential for doing things wrong,” Mr. Cameron says.

But next-generation software could solve part of the problem by allowing authentication systems to verify certain claims about a person, like age or citizenship, without needing to know their identities. Microsoft bought one brand of user-blind software, called U-Prove, in 2008 and has made it available as an open-source platform for developers.

Google, meanwhile, already has a free system, called the “Google Identity Toolkit,” for Web site operators who want to shift users from passwords to third-party authentication. It’s the kind of platform that makes Google poised to become a major player in identity authentication.

But privacy advocates like Lee Tien, a senior staff lawyer at the Electronic Frontier Foundation, a digital rights group, say the government would need new privacy laws or regulations to prohibit identity verifiers from selling user data or sharing it with law enforcement officials without a warrant. And what would happen if, say, people lost devices containing their ID chips or smart cards?

“It took us decades to realize that we shouldn’t carry our Social Security cards around in our wallets,” says Aaron Titus, the chief privacy officer at Identity Finder, a company that helps users locate and quarantine personal information on their computers.

Carrying around cyber IDs seems even riskier than Social Security cards, Mr. Titus says, because they could let people complete even bigger transactions, like buying a house online. “What happens when you leave your phone at a bar?” he asks. “Could someone take it and use it to commit a form of hyper identity theft?”

For the government’s part, Mr. Grant acknowledges that no system is invulnerable. But better online identity authentication would certainly improve the current situation — in which many people use the same one or two passwords for a dozen or more of their e-mail, e-tail, online banking and social network accounts, he says.

Mr. Grant likens that kind of weak security to flimsy locks on bathroom doors.

“If we can get everyone to use a strong deadbolt instead of a flimsy bathroom door lock,” he says, “you significantly improve the kind of security we have.”

But not if the keys can be compromised.

A version of this article appeared in print on September 18, 2011, on page BU4 of the New York edition with the headline: Call It Your Online Driver’s License.

Friday, September 16, 2011

Privacy Law Would Help U.S. Compete, Official Says

By Juliana Gruenwald | Updated: September 15, 2011 | 5:59 p.m. | National Journal

U.S. firms would be more competitive and better able to comply with foreign privacy laws if the United States had a broad law protecting consumer privacy online, a Commerce Department official told a House panel on Thursday.

“It would be helpful and I think it would help the competitiveness of our businesses if we had baseline privacy protections that are flexible and take into account really the changing economy, [and] changing technologies,” Nicole Lamb-Hale of Commerce’s International Trade Administration told the Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade.

Some privacy advocates have called on the EU to get tougher with the United States and require it to harden up the current mix of industry self-regulation and some specific privacy laws related to health and finance. They say industry self-regulation has failed to protect Internet users who are increasingly being tracked by companies that collect information for advertising purposes. The Obama administration and even some tech firms such as Intel and Microsoft have called on Congress to pass legislation that would establish baseline privacy protections.

The House panel examined how the European Union’s privacy law, which was first adopted in 1995, affects U.S. firms and what lessons it may provide U.S. policymakers. The law bars the flow of personal data about EU citizens to countries that do not have “adequate” privacy protections.

To ensure that U.S. firms would not be harmed by the law, the U.S. government negotiated a “safe harbor” in the late 1990s with the EU that allows companies to be deemed in compliance with the EU privacy law if they follow an agreed set of privacy principles.

Paula Bruening, vice president for global policy for the Center for Information Policy Leadership, said the EU law has not been implemented or enforced consistently among member states. She said it imposes burdensome administrative requirements on U.S. companies.

The EU is currently considering changes to the law to respond to some of these criticisms, but may also make it tougher. Lamb-Hale said it is unclear whether the European Union would continue to recognize the safe harbor after it revises its privacy law.

The Trans Atlantic Consumer Dialogue, a coalition of nearly 80 European and U.S. consumer groups, wrote the subcommittee earlier this week saying there is much the United States could learn from the Europeans on privacy given the rising levels of privacy breaches in the United States.

Ohio State University law professor Peter Swire, a privacy adviser in the Clinton administration, noted that countries outside of Europe have been passing privacy laws based on the EU directive. He said U.S. companies could face problems moving data out of those countries as well.

However, Consumer Data Industry Association President Stuart Pratt told National Journal after the hearing that he believes the cost of complying with a U.S. privacy law would far outweigh any benefits companies would receive from it.

Subcommittee Chairwoman Mary Bono Mack, R-Calif., said she has not decided whether Congress should pass privacy legislation. She plans more hearings to explore the issue. “My purpose in holding this hearing is not to point fingers,” she said. “Instead, my goal is to point to a better way to protect privacy online and promote e-commerce.”


Tuesday, September 13, 2011

Jeff Rosen in NYTimes: Protect Our Right to Anonymity

By Jeffrey Rosen, September 12, 2011, NYT

In November, the Supreme Court will hear arguments in a case that could redefine the scope of privacy in an age of increasingly ubiquitous surveillance technologies like GPS devices and face-recognition software.

The case, United States v. Jones, concerns a GPS device that the police, without a valid warrant, placed on the car of a suspected drug dealer in Washington, D.C. The police then tracked his movements for a month and used the information to convict him of conspiracy to sell cocaine. The question before the court is whether this violated the Fourth Amendment to the Constitution, which prohibits unreasonable searches and seizures of our “persons, houses, papers, and effects.”

It’s imperative that the court says yes. Otherwise, Americans will no longer be able to expect the same degree of anonymity in public places that they have rightfully enjoyed since the founding era.

Two federal appellate courts have upheld the use of GPS devices without warrants in similar cases, on the grounds that we have no expectation of privacy when we are in public places and that tracking technology merely makes public surveillance easier and more effective.

But in a visionary opinion in August 2010, Judge Douglas H. Ginsburg, of the United States Court of Appeals for the District of Columbia Circuit, disagreed. No reasonable person, he argued, expects that his public movements will be tracked 24 hours a day, seven days a week, and therefore we do have an expectation of privacy in the “whole” of our public movements.

“Unlike one’s movements during a single journey,” Judge Ginsburg wrote, “the whole of one’s movements over the course of a month is not actually exposed to the public because the likelihood anyone will observe all those movements is effectively nil.”

Judge Ginsburg realized that ubiquitous surveillance for a month is impossible, in practice, without technological enhancements like a GPS device, and that it is therefore qualitatively different than the more limited technologically enhanced public surveillance that the Supreme Court has upheld in the past (like using a beeper to help the police follow a car for a 100-mile trip).

The Supreme Court case is an appeal of Judge Ginsburg’s decision. If the court rejects his logic and sides with those who maintain that we have no expectation of privacy in our public movements, surveillance is likely to expand, radically transforming our experience of both public and virtual spaces.

For what’s at stake in the Supreme Court case is more than just the future of GPS tracking: there’s also online surveillance. Facebook, for example, announced in June that it was implementing face-recognition technology that scans all the photos in its database and automatically suggests identifying tags that match every face with a name. (After a public outcry, Facebook said that users could opt out of the tagging system.) With the help of this kind of photo tagging, law enforcement officials could post on Facebook a photo of, say, an anonymous antiwar protester and identify him.

There is also the specter of video surveillance. In 2008, at a Google conference on the future of law and technology, Andrew McLaughlin, then the head of public policy at Google, said he expected that, within a few years, public agencies and private companies would be asking Google to post live feeds from public and private surveillance cameras all around the world. If the feeds were linked and archived, anyone with a Web browser would be able to click on a picture of anyone on any monitored street and follow his movements.

To preserve our right to some degree of anonymity in public, we can’t rely on the courts alone. Fortunately, 15 states have enacted laws imposing criminal and civil penalties for the use of electronic tracking devices in various forms and restricting their use without a warrant. And in June, Senator Ron Wyden, Democrat of Oregon, and Representative Jason Chaffetz, Republican of Utah, introduced the Geolocation Privacy and Surveillance Act, which would provide federal protection against public surveillance.

Their act would require the government to get a warrant before acquiring the geolocational information of an American citizen or legal alien; create criminal penalties for secretly using an electronic device to track someone’s movements; and prohibit commercial service providers from sharing customers’ geolocational information without their consent — a necessary restriction at a time of increasing cellphone tracking by private companies.

It’s encouraging that Democrats and Republicans in Congress are coming together to preserve the expectations of anonymity in public that Americans have long taken for granted. Soon, liberal and conservative justices on the Supreme Court will have an opportunity to meet the same challenge.

If they fail to rise to the occasion, our public life may be transformed in ways we can only begin to imagine.

Jeffrey Rosen, a law professor at George Washington University, is an editor of the forthcoming book “Constitution 3.0: Freedom and Technological Change.”