Friday, 30 April 2010

EU - cloud computing - data protection, security

EU cybersecurity agency ENISA's recent report on research priorities includes cloud computing, and the EDPS has also made a speech on privacy and cloud computing.

1. ENISA - technology research priorities

ENISA's Priorities for Research on Current & Emerging Network Technologies (PROCENT) study paper (full paper, PDF) highlights five areas which it considers most in need of research in the next 3 to 5 years, because of their impact on the resilience of networks. These areas are -

  1. cloud computing - the paper includes discussion of its impacts on data protection, both benefits and risks, as well as possible directions for future research
  2. real-time detection and diagnosis systems
  3. future wireless networks
  4. sensor networks, and
  5. supply chain integrity.

2. EDPS - data protection & cloud computing

European Data Protection Supervisor Peter Hustinx made a speech "Data Protection and Cloud Computing under EU law", for the Third European Cyber Security Awareness Day, 13 April 2010.

The main challenges he sees in relation to applying the data protection legal framework to cloud computing are -

  1. what role cloud computing providers play - controller or processor
  2. determining whether EU law applies
  3. international data transfers
  4. ensuring more effective data protection - accountability, PbD
  5. processing data for purely personal purposes i.e. cloud computing services provided to end users who use them for purely personal purposes.

Areas of law which he thinks may need amendment, in relation to the proposed updating of the Data Protection Directive, are -

- Applicable law, including a new criterion such as targeting.

- International data transfers, including streamlining the use of BCR and possibly extending the responsibility of controllers.

- Accountability and 'privacy by design', and if necessary even with some ‘privacy by default’.

- The need to impose 'processor' obligations where services are provided to individuals acting in a purely personal capacity.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Data Protection Directive reform - Hustinx views

No surprises in European Data Protection Supervisor Peter Hustinx's latest speech, "The Strategic Context and the Role of Data Protection Authorities in the Debate on the Future of Privacy", given on 29 April 2010 at a European Privacy and Data Protection Commissioners' Conference. He called for an ambitious approach by the Commission in its review of the Data Protection Directive; proposals for reform and revision of the Directive are due by the end of 2010, and the Commission consulted on them last year. Press release 29 April (PDF).

The central message of his contribution is that (as I've argued before) the main principles of data protection "are still valid despite new technologies and globalisation. However, the level of data protection in the EU should benefit from a better application of the existing principles."

He called on the Commission "to remain ambitious in updating the existing framework to avoid the risk of an increasing loss of relevance and effectiveness of data protection in a society that is ever more driven by technological change and globalisation."

"The stakes are not more and not less than how to ensure privacy and data protection in a highly developed Information Society of 2015, 2020 or beyond" said Peter Hustinx. "An ambitious approach is the only way in which we can ensure that our privacy and personal data are well protected, also in the future. It is essential that the Commission comes up with proposals that take into account what is really needed and does not settle for less ambitious results".

He said that to protect individuals' personal data we need a comprehensive legal framework in the EU to ensure more effectiveness, as well as:

  1. integration of "privacy by design" and "privacy by default" in information and communication technologies;
  2. more accountability for controllers: data controllers should be made more accountable to ensure compliance with data protection rules in practice. This would bring significant added value for an effective implementation of data protection and would considerably help data protection authorities in supervision and enforcement;
  3. stronger enforcement powers for data protection authorities: it is essential that data protection authorities have sufficient resources to exercise their monitoring tasks and, if necessary, enforce compliance with data protection rules.

I agree, of course - especially on privacy enhancing technologies (PbD) and enforcement. Again, let's hope the EU legislators listen to him more than they have before.

Thursday, 29 April 2010

Privacy vs. freedom of speech?

An eternally topical issue. Here are some perspectives -

  1. UK Master of the Rolls Lord Neuberger on Privacy & Freedom of Expression - a Delicate Balance, 29 April 2010 (discussing Campbell, super-injunctions and John Terry, Human Rights Act etc)
  2. US academic Amy Gajda on Judging Journalism: The Turn Toward Privacy and Judicial Regulation of the Press (for summary see news release 8 April 2010).

Tuesday, 27 April 2010

Government requests to access citizens' personal information from Google; European telcos

1. Google

Privacy International have published an interview with Google about Google's transparency initiative to publicise data about government requests for personal information.

Google, to their credit, last week released their Government Requests Tool, based on their principles surrounding freedom of expression and controversial content on the web -

"to give people information about the requests for user data or content removal we [Google and YouTube] receive from government agencies around the world. For this launch, we are using data from July-December, 2009, and we plan to update the data in 6-month increments."

You can view this info by data requests or removal requests, and click on a country on the map (or in the list) to view more info about requests from that country's government.

The initiative has met with much praise and will certainly help the image of beleaguered Google, who have been the target of much criticism lately e.g. by privacy regulators in relation to StreetView and Buzz, with a PI satire on their privacy principles and an Onion spoof video on Google opt-out (on which by the way see also Google employees' - genuine, not spoof! - article on consent and opt-in or opt-out, if you missed it before).

2. EU telcos

Also, Oxford University researcher Dr Ian Brown has some specific data on European government requests for user data from telecommunications companies during 2008, from a recently-leaked European Commission review (NB, huge document!) of the EU Data Retention Directive, from which he's created a chart and table of government requests for comms data, by country name, per million population - see his blog post. (And see more generally his presentation on internet surveillance and monitoring.)

Stopping Twitter spambots & social networking spam

Interesting paper by HP researcher Miranda Mowbray, entitled The Twittering Machine, for the 6th International Conference on Web Information Systems and Technologies, 7-10 April 2010, Valencia, Spain -

"This paper is a study of the use of Twitter by automated agents, based on data sampled in July-September 2009. It discusses the dramatic rise in rapidly-tweeting automated Twitter accounts beginning in late June 2009; some surprising behaviour by automated Twitter profiles that make direct use of Twitter’s API; and techniques used for automated spamming on Twitter. Ideas are suggested for ways in which Twitter might defend against some common types of automated Twitter spam. The paper ends by outlining some general conclusions for designers of social information systems."

In terms of spambot-preventative lessons for designers of social networking sites, she says that "Forbidding automated use is not the solution… The solution is rather to create technical limits to the automated use of the system so as to allow nonautomated use to flourish… by increasing the cost (in money, time or human effort) of… particular automated behaviours…that decrease the usefulness of the system for non-automated users, without being essential for legitimate marketing that may provide revenue… Another observation is that to ensure that marketers do not make a nuisance of themselves in a social information network, it is not sufficient that marketing messages are opt-in only… Content validation may also help protect against some kinds of automated misbehaviour."

Monday, 26 April 2010

E-commerce & consumers - OECD report

In 2009 the OECD’s Committee on Consumer Policy launched a review of the 1999 OECD Guidelines on Consumer Protection in the Context of Electronic Commerce, following the 2008 OECD Seoul Ministerial meeting on The Future of the Internet Economy.

As part of this review, a conference on Empowering E-Consumers: Strengthening Consumer Protection in the Internet Economy was held on 8-10 December 2009, in Washington, D.C, USA.

A summary of the key issues and conclusions from the conference has now been released, with suggestions for future work provided by stakeholders to advance the review of the 1999 Guidelines.

From the report (emphasis added) - 

Summary of issues that could be addressed in the CCP review

Strengthening payment protection/mobile commerce: examining the effectiveness of mechanisms in protecting consumers from fraud and in providing consumers with adequate redress in payment systems (looking at the role that payment intermediaries play in that regard). Particular focus could be made on consumer challenges arising from payments systems in the mobile commerce area.
Behavioural advertising: exploring ways to enhance transparency in the collection, storage, sharing, and use of consumers’ personal information, in particular in the context of C2C transactions and social networking.
Contracts: exploring ways to enhance transparency and clarity; identifying unfair contract terms, with particular focus on contracts relating to the purchase of digital content products. A non-exhaustive list of typical unfair contract terms may be ultimately included in an Annex to the 1999 Guidelines.
C2C transactions: identifying trends, and consumer challenges, with a focus on the rights and responsibilities of all parties (including Internet intermediaries) involved in such transactions. The scope of the 1999 Guidelines, which is currently restricted to B2C transactions, could ultimately be expanded to cover C2C transactions.
Digital content products:
- Identifying the type of information needed by consumers to make informed choices in the purchase of digital content products. This would notably entail providing clear information on the restrictions of the usage of digital content products (including post-purchase restrictions).
- Developing adequate redress mechanisms for consumers.
- Exploring the consumer protection implications resulting from interoperability. A workshop could be organised jointly with the OECD’s Competition Committee in that regard.
Children: the work would look at the applicability of consumer protection laws to advertising targeting children, with particular focus on situations where children engage in participative activities, such as social networking.
Enforcement: Exploring ways to enhance consumer protection and other relevant agencies’ enforcement capacity, in particular at the international level. Co-operation with the ICPEN on this issue would be needed.
Cyber fraud: understanding further the trends and impact of cyber fraud in e-commerce. The scope of the 1999 Guidelines could be expanded to cover commercial and non-commercial illegitimate activities.

EU - RFID tags - study

The EU are inviting tenders for a study on RFID tags and the recycling industry to "improve the understanding of the nuisances and advantages that RFID technology could have on the recycling industry" -

"First, it shall assess the environmental impact of the RFID tags themselves as a non-communicating, inert object, on the recycling processes of other products and materials with a view, if needed, to adjust such processes. Second, it shall assess the environmental advantages that the use of RFID can provide to product lifecycle management."

Especially given the European Data Protection Supervisor's opinions on privacy by design including RFID and on waste electronics, it seems a shame that the spec says -

"6.4 Privacy, data protection and health impacts related to RFID
The use of RFID technology regularly raises questions related to the privacy, data protection and health impacts that they can have on the individuals who are interacting with it.
These aspects shall not be disregarded when conducting the study. For example, the right to privacy could be identified as an issue/barrier put forward in some scenarios. However, as these issues are treated under other Commission activities, they shall not constitute the core of the study but instead be referred to in the background of the study."

Is that a missed opportunity there?

Sunday, 25 April 2010

UK election - parties' privacy & data protection promises

Hawk Talk have usefully put together in one place extracts relevant to privacy and data protection from the UK election manifestos of the Liberal Democrats, Conservatives, Labour, and Scottish Nationalist and Plaid Cymru parties.

I'll do my bit and add stuff on the Green Party - purely based on a crude search on their site for "privacy" and "data protection" so may not be comprehensive -

PUBLIC ADMINISTRATION and GOVERNMENT - Identity, Privacy and Freedom of Information

PA850 The Green Party believes that there must be a balance between the need of government on behalf of the community to obtain and hold information to identify individual citizens and the civil rights of individuals, particularly that of privacy. The individual's civil rights should prevail, unless waived by specific agreement or overridden by a specific public interest stipulated by law as overriding privacy. Information on individual identity so obtained should be held confidential, unless that confidentiality is waived by specific agreement or overridden by a specific public interest stipulated by law as overriding confidentiality.
PA851 Such information must be obtained and held only by government servants subject to appropriate regulations on privacy and confidentiality; the task must not be given to commercial organisations. In accordance with the Green Party's policy on a 'Freedom of Information Act' (RR401), information acquired by government agencies and other organisations for specified purposes must not be given to other such organisations or used for other purposes.
PA852 The need for the state and other organisations to obtain information on individuals for specific purposes must not entitle them to access unrelated information at other times for any other purpose. This would undermine the civil liberties of individuals. It would enable those in charge of government and other organisations to obtain and use the information to attack the legitimate rights and activities of those opposed to them.
PA853 Information obtained and held by the state or other organisations must not be used to subvert and attack the legitimate rights and activities of those opposed to them.
PA854 The Green Party opposes the introduction of a general identity card, whether on a compulsory basis or on a "voluntary" basis tantamount to compulsion, and would seek to abolish such identity cards if introduced.
PA855 "Identity" in this context means a name by which a person may be known, and where necessary an address through which they can be contacted. For the purposes of the Electoral Roll, a location for the purposes of qualification may be required.
PA856 The Green Party believes that citizens should be entitled to access to information held by all levels of government and public authorities and by bodies acting on their behalf. Information should be available except where specifically restricted, and quickly and at reasonable cost. Restrictions shall be limited to those necessary to protect the privacy of individual citizens, national security, certain international relations, and information properly provided in confidence. Information on policy formulation, the conduct of public affairs, the environment and health and safety should be freely available. In addition, restrictions should only apply where the government can show they are required to prevent real harm to the public interest. Provision shall be made for an independent commission to test the latter contention and require access if that contention is not sustained.
PA857 The circumstances in which access to council meetings and documents and files may be withheld from the public shall be clearly defined. In particular the Local Government (Access to Information) Act 1985 will be tightened up in a number of ways, for example:
The creation by local authorities of 'working parties', 'panels' or other such bodies, which are not covered by the Act, will be ended. All such bodies will be defined as committees or subcommittees, to ensure that the Act applies to them;
The use of valid exemptions to public access to documents pursuant to the 1985 Act, to restrict public access to matters not intended to be covered by those exemptions, will be ended; for instance the practice of excluding the public from decisions about grants given to organisations - as distinct from individuals where genuine personal privacy may apply;
Steps will be taken to curtail decision-making in secret party group meetings as this practice makes the subsequent meetings of the council or its committees or sub-committees meaningless as the decisions ostensibly taken in public will in practice have been made beforehand. We would also wish to end the practice in which all members of a party are required to follow a whip imposed in secret, with penalties if they fail to do so.

RESPONSIBILITIES AND RIGHTS - Human rights & civil liberties
RR400 The Green Party supports the principles of the National Council for Civil Liberties' Charter for Civil Rights and Liberties, and would introduce a 'Bill of Civil Rights and Liberties' based on this charter.
RR401 The Green Party would introduce a 'Freedom of Information Act' which would include a clear definition of what constitutes national security, with broad provisions for data protection.

CULTURE MEDIA & SPORT - Censorship & Privacy
CMS206 The Green Party is opposed to all forms of censorship in the media and cultural activities for adults. The state and persons holding positions of power to control activities shall not censor freedom of artistic expression or freedom of speech. Where there is a conflict between the right to free expression or speech and the responsibility not to cause offence this should be dealt with by allowing the offended person equal right of reply.
CMS207 The Green Party recognises that not all freedoms may be appropriate for young persons. Parents and guardians have a responsibility to protect those in their charge from inappropriate material. In the case of material targeted directly at children the relevant authorities may have a duty to control content in loco parentis. (in the place of a parent)
CMS208 The Green Party recognises the right of citizens to enjoy privacy within their home and domestic activities. Where there is a conflict between the individual's right to privacy and legitimate public interest then the onus is on those claiming public interest to demonstrate their case. The Green Party recognises that an individual's actions in placing their private life in the public domain (for example politicians or celebrities inviting media attention) may undermine their right to privacy.

EUROPE - Schengen Convention
EU740 In June 1985, France, the Federal Republic of Germany and the Benelux countries signed an agreement, in Schengen, to remove border controls between their countries. In 1990, this became the Schengen convention, separate from and parallel to the EU. With the Amsterdam treaty, the arrangements laid out in this convention have come under the aegis of the EU. All other EU states have or are about to join, with the exception of the UK and Ireland.
EU741 It is the declared aim of the EU that there shall be free movement of goods, capital, services and people. In practice it has emphasised cross border trade and investment rather than people's freedom to move. Ostensibly it is the aim of the Schengen convention to facilitate such freedom of movement. In fact the arrangements set up pose great threats to the freedom of both EU citizens and others, discriminate against ethnic minorities, and fail to take account of the diverse situations of different member countries.
EU742 The Green Party is committed in principle to freedom of movement for people. However we will oppose vigorously any moves for the UK to sign up to the inappropriate Schengen arrangements, to impose the Schengen arrangements on the EU as a whole.
EU743 The "compensatory measures" put in place by the Schengen arrangements to counteract their opening of internal borders include much stricter surveillance of people within borders, and much tougher policing of the external borders to create a "Fortress Europe". EU citizens may not need to show a passport to cross a border between Schengen states, but may instead be required at any time to produce proof that they are EU citizens. In practice these arrangements have been used to discriminate against ethnic minorities perceived as "non European".
EU744 We are completely opposed to this attack on civil liberties, and to any such proposal to require identity cards.
EU745 A database has been set up (SIS, or Schengen Information Service) of information on people, vehicles and artefacts. Its purpose is to prevent crime, and to "maintain order and public security, including the security of the state".
EU746 The SIRENE system supplements SIS. This allows police in a member state to request supplementary information about people, which the SIS is not allowed to hold, thus avoiding completely the already inadequate data protection measures relating to SIS.
EU747 We are completely opposed to these developments, which evade accountability for and scrutiny of information held on people, and undermine civil liberties thereby. The Green Party will work to make these arrangements better known, to mobilise public support for removing them.
EU748 The Schengen arrangements fail to recognise the distinction between land and sea borders, the different nature of traffic across each, the particular position of island states and those on the periphery of the Schengen area, on which the burden of external border control falls. It is notable that it is the two island members of the EU which have not joined the Convention, and that it has created major difficulties for countries on the periphery with much sea traffic, such as Sweden.

HOUSING - House building standards
HO501 All new houses will be built to improved standards for accessibility, space and facilities, ergonomics, sound and thermal insulation, and energy efficiency. Design standards shall also include consideration of social factors, such as the need for privacy and the need for community focal points. Existing buildings shall be brought as near these standards as practical.

There's also (for some reason unavailable except via cache) - RRR95.1 Video Surveillance Safe-guards (Spring 1995)

Wednesday, 21 April 2010

RFID chips for smart cards, e-voting - more security flaws

The problems with RFID continue. Prof. Avishai Wool of Tel Aviv University's School of Electrical Engineering has found

"serious security drawbacks in similar chips that are being embedded in credit, debit and "smart" cards. The vulnerabilities of this electronic approach - and the vulnerability of the private information contained in the chips - are becoming more acute.

Using simple devices constructed from $20 disposable cameras and copper cooking-gas pipes, Prof. Wool and his students Yossi Oren and Dvir Schirman have demonstrated how easily the cards' radio frequency (RF) signals can be disrupted."

But some small steps can make smart cards more secure, he says. The easiest: shield the card with something as simple as aluminium foil to insulate the e-transmission. For e-voting, make the ballot box from conductive materials. "The US State Department has already taken Prof. Wool's advice: since 2007, they've also added conductive fibres to the back of every American passport."

See the press release for more info including on the risks of the e-voting technology being implemented in Israel based on RFID chips -

"It allows hackers who are not much more than amateurs to break the system," Prof. Wool explains. He constructed an attack mechanism — an RFID "zapper" — from a disposable camera. Replacing the camera's bulb with an RFID antenna, he showed how the EMP (electro-magnetic pulse) signal produced by the camera could destroy the data on nearby RFID chips such as ballots, credit cards or passports. "In a voting system, this would be the equivalent of burning ballots — but without the fire and smoke," he says.

Another attack involves jamming the radio frequencies that read the card. Though the card's transmissions are designed to be read by antennae no more than two feet distant, they demonstrated jamming transmissions via a battery-powered transmitter 20 yards away. So an attacker can disable an entire voting station from across the street. Similarly, a terror group could "jam" passport systems at U.S. border controls relatively easily.

A "relay attack" is also possible where the voting station thinks it's communicating with an RFID ballot nearby but a hacker or terrorist can easily make equipment to trick it and transfer votes from party to party or nullify votes to undesired parties. A relay attack may also be used to allow a terrorist to cross a border using someone else's e-passport.

I wonder what they'd make of the supposed next generation PACS (physical access control system)?

Security - coding & web programming errors

I'd previously mentioned the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors, which ComputerWeekly said New York State was updating its procurement terms (application security procurement language) to address, with other states to follow. Latest version is now 5 April 2010.

It's useful for those buying software as well as developers, in terms of security requirements to specify in the contract.

I've mentioned it again as a reminder, because Heise Security report that the Open Web Application Security Project (OWASP) on 19 April 2010 released their Top 10 Web Security Risks for 2010 - another useful list.

Not surprisingly, there's a big overlap between the two lists.

Tuesday, 20 April 2010

Privacy chiefs send Dear Google letter; & Google makes noises on privacy issues

Privacy and data protection regulators from Canada, France, Germany, Ireland, Israel, Italy, Netherlands, New Zealand, Spain and UK sent Google a joint letter yesterday, 19 April 2010, expressing their concerns.

They said to Google that they were "disturbed by your [i.e. Google's] recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws. Moreover, this was not the first time you have failed to take adequate account of privacy considerations when launching new services."

They also said they

"remain extremely concerned about how a product with such significant privacy issues was launched in the first place. We would have expected a company of your stature to set a better example. Launching a product in “beta” form is not a substitute for ensuring that new services comply with fair information principles before they are introduced.

It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.

Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due consideration of privacy and data protection laws and cultural norms."

The privacy authorities have called on Google to incorporate privacy principles into the design of new services, at a minimum -

  • collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
  • providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
  • creating privacy-protective default settings;
  • ensuring that privacy control settings are prominent and easy to use;
  • ensuring that all personal data is adequately protected, and
  • giving people simple procedures for deleting their accounts and honouring their requests in a timely way.

And they've asked Google for "a response indicating how Google will ensure that privacy and data protection requirements are met before the launch of future products."

Now Google published their "privacy principles" back in Jan 2010 (complete with YouTube video). Here they are, if you care to compare them with the above (just in outline, see the principles for their detailed notes, though some might question to what extent item 1 is a "privacy principle"!):

  1. Use information to provide our users with valuable products and services.
  2. Develop products that reflect strong privacy standards and practices.
  3. Make the collection of personal information transparent.
  4. Give users meaningful choices to protect their privacy.
  5. Be a responsible steward of the information we hold.

Good noises, but it looks like the focus has to be on the implementation in practice.

It certainly seems Google have latterly become more aware of the importance of being (or appearing to be) privacy-friendly, as witness their letter to the US FTC about Google's commitment to transparency etc etc - coincidentally or not, sent the same day as the privacy chiefs' joint letter. (Side comment - oddly enough, Google posted the letter on Scribd rather than Google Docs. I've also noticed other Google info posted on Scribd recently. AFAIK Google haven't acquired Scribd - yet? Should one invest in Scribd??)

Back on topic, amusingly enough I found that a Google blog post "privacy protections are good for our..." does not exist! More precisely, my Google Reader feed showed an item for a Google blog post (about a Forbes article and presentation regarding "how privacy is something we think about everyday because it’s good for our users and critical for our business"), but clicking the link in the feed led to the following -

I suspect the poster deleted and reposted their blog but it's not updated on Reader yet! That blog post is actually here.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Consent - opt in or opt out? Google article

An article by Google’s Senior Policy Counsel Nicklas Lundblad and Policy Manager Betsy Masiello “Opt-in dystopias” (PDF) in the SCRIPTed journal "examines the possible consequences of mandatory opt-in policies for application service providers on the Internet. Our claim is that focusing the privacy debate on the opt-in / opt-out dichotomy creates false choices for end users. Instead, we argue for a structure in which providers are encouraged to create ongoing negotiations with their users."

Their conclusions, with my comments in italics -

"We have argued that mandatory opt-in applied across contexts of information collection is poised to have several unintended consequences on social welfare and individual privacy:

Dual cost structure: Opt-in is necessarily a partially informed decision because users lack experience with the service and value it provides until after opting-in. Potential costs of the opt-in decision loom larger than potential benefits, whereas potential benefits of the opt-out decision loom larger than potential costs.
[Yes, whether you make it opt in or opt out does matter - see further on engineered consent and human psychology.]

Excessive scope: Under an opt-in regime, the provider has an incentive to exaggerate the scope of what he asks for, while under the opt-out regime the provider has an incentive to allow for feature-by-feature opt-out.
[Yes. I've always felt this to be the case in relation to opt in, and again see the notes on engineered consent.]

Desensitisation: If everyone requires opt-in to use services, users will be desensitised to the choice, resulting in automatic opt-in.
[Point taken about desensitisation. Although Commissioner Reding seems to be favouring banning pre-ticked boxes, at least on the consumer front, and I think there will be less automatic opt-in if boxes aren't pre-checked. Also note the view in the Article 29 Working Party Future of Privacy paper that "consent is an inappropriate ground for processing"]

Balkanisation: The increase in switching costs presented by opt-in decisions is likely to lead to proliferation of walled gardens.
[I'm not sure about this, personally.]

We have laid the initial foundation for thinking about opt-out regimes as repeated negotiations between users and service providers. This framework may suggest implementations of opt-out be designed to allow for these repeated negotiations and even optimise for them. We recognise that there may be contexts in which mandatory opt-in is the optimal policy for individual privacy as, for example, when the information in question is particularly sensitive. In subsequent work, the authors intend to propose a framework in which opt-out creates not only a viable but in many cases an optimal architecture for privacy online and to explore the contexts in which implementing opt-in is the optimal privacy architecture."
[A "repeated negotiations" approach is certainly one possibility for privacy by design, but it can suffer from similar disadvantages as now e.g. desensitisation. Any technological framework won't be easy to design and get working properly, and it certainly won't be effective even then unless all services can be made to have and use it - so I await their promised subsequent work with interest.]

Via Google Public Policy Blog.

See also the work of EnCore on the technical management of consents, which might fit in with the "ongoing negotiation" approach.

Electronic authentication & e-signatures - legal issues & UNCITRAL legislation

I just came across a UNCITRAL paper from 2009, Promoting confidence in electronic commerce: legal issues on international use of electronic authentication and signature methods including cross border aspects, which is a very detailed (114 page) discussion that:

"analyses the main legal issues arising out of the use of electronic signatures and authentication methods in international transactions. Part one provides an overview of methods used for electronic signature and authentication and their legal treatment in various jurisdictions. Part two considers the use of electronic signature and authentication methods in international transactions and identifies the main legal issues related to cross-border recognition of such methods. It has been observed that, from an international perspective, legal difficulties are more likely to arise in connection with the cross-border use of electronic signature and authentication methods that require the involvement of third parties in the signature or authentication process. This is the case, for instance, of electronic signature and authentication methods supported by certificates issued by a trusted third-party certification services provider, in particular digital signatures under a public key infrastructure (PKI). For this reason, part two of this publication devotes special attention to international use of digital signatures under a PKI."

See also slides - UNCITRAL legislative standards on electronic communications and electronic signatures: an introduction, Luca G. Castellani, UN Secretariat. Via ITU.

Personal data on hard drives etc - EDPS opinion on waste electrical & electronic equipment

On disposing of computers etc in a way that preserves privacy (i.e. deleting personal data on there first), see the European Data Protection Supervisor's Opinion of 14 April 2010 on the Proposal for a Directive of the European Parliament and of the Council on waste electrical and electronic equipment (WEEE).

The Commission had adopted a Proposal for a Directive of the European Parliament and of the Council on waste electrical and electronic equipment (WEEE) in December 2008 but again, the EDPS wasn't consulted, even though that was required by EU law, and even though the EDPS's role is to advise the Commission. It's clear why Amberhawk despaired. I have yet to look into whether there's any sanction if they ignore him, but I suspect there isn't. There really should be. One for the reform of the Data Protection Directive maybe?

On WEEE, the EDPS in his opinion advises that the Proposal should include specific provisions:

  • spelling out that the WEEE Directive applies without prejudice to the Data Protection Directive 95/46/EC;
  • prohibiting marketing of used devices which haven't undergone appropriate security measures in compliance with state-of-the-art technical standards to erase any personal data they may contain; and
  • for "Privacy by design" or "security by design", as far as possible requiring privacy and data protection to be integrated into the design of electrical and electronic equipment by default, to help users easily and free of charge delete personal data on equipment which they get rid of.

Let's hope they listen to him - a big source of data security breaches by organisations has been unerased or easily recoverable personal data still stored on the hard drives of computers sold on eBay, etc, and individuals really ought to be able to securely wipe their personal data easily before they sell or indeed donate to charity or give away their computers or other electronic equipment too (mobile phones, anyone?).

Patent Absurdity: how software patents broke the system - documentary

Most people interested in software patents and business method patents - developers as well as lawyers - will know that the US Supreme Court is to rule on the Bilski case soon, by the end of June 2010 I've heard.

According to Heise (I've not had the chance to watch it yet) a new documentary "presents complex issues in a factual way that can be grasped by lay persons, Patent Absurdity is not just a film for free software fans or patent lawyers."

Patent Absurdity is a freely downloadable (or watch online) 30 minute documentary by Luca Lucarini using free software, supported by the Free Software Foundation, containing interviews with Bernhard Bilski himself and his lawyer Michael Jakes as well as Eben Moglen, Dan Bricklin, Karen Sandler, Richard Stallman and others.

The site says:

"Patent Absurdity explores the case of software patents and the history of judicial activism that led to their rise, and the harm being done to software developers and the wider economy. The film is based on a series of interviews conducted during the Supreme Court's review of in re Bilski — a case that could have profound implications for the patenting of software. The Court's decision is due soon..."

Monday, 19 April 2010

Internet intermediaries - OECD report on economic & social role

The Economic and Social Role of Internet Intermediaries, April 2010, is a report by Ms. Karine Perset of the OECD's Directorate for Science Technology and Industry.

"This report is Part I of the larger project on Internet intermediaries. It develops a common definition and understanding of what Internet intermediaries are, of their economic function and economic models, of recent market developments, and discusses the economic and social uses that these actors satisfy. The overall goal of the horizontal report of the Committee for Information, Computer and Communications Policy (ICCP) is to obtain a comprehensive view of Internet intermediaries, their economic and social function, development and prospects, benefits and costs, and responsibilities. It corresponds to the item on 'Forging Partnerships for Advancing Policy Objectives for the Internet Economy' in the Committee's work programme."

Contents include:

Definition of Internet intermediaries
Internet access and service providers
Data processing and web hosting providers, including domain name registrars
Internet search engines and portals
Web e-commerce intermediaries
E-commerce payment systems
Participative networked platforms
Role of Internet intermediaries
Network externalities
Two-sided markets
Revenue models
Advertising model
Fee models
Brokerage model
Voluntary donations / community models
The impact of the economic crisis on Internet intermediary markets
Internet access and service provider sector
Wired Internet access and broadband
Mobile Internet access
Data processing and web hosting sector
Internet search engines and portals sector
Web e-commerce sector
B2C retail e-commerce
Electronic business-to-business marketplaces
E-commerce payment
Participative networked platforms
Wider ICT-related growth and productivity
Investment in infrastructure
Entrepreneurship and employment
Trust and user privacy
User/consumer empowerment and choice
Individuality, self-expression, democracy and social relationships

Open data - legal issues - new EU network LAPSI

"Information generated and collected by public sector entities represents a veritable minefield; it might make a much greater contribution to EU economies and societies, if current legal barriers to access and re-use were removed."

So the LAPSI (Legal Aspects of Public Sector Information) project will build a network (over the period Mar/Apr 2010 to Jul 2012) that aims to become "the main European point of reference for high-level policy discussions and strategic action on all legal issues related to the access and the re-use of the PSI namely in the digital environment."

"The debate is to be organized around four focal points: (1) implementation and deployment issues; (2) design of the incentives for public bodies and private players, both in the for-profit and non-profit sectors, to make available and, respectively, to re-use public data; (3) special consideration of infra- and supra-national levels of access and re-use policies and practices, intended to enlist the dynamic forces of regulatory competition and to bring out the full potential of cross-border, EU-wide services; and crucially (4) strategic vision and occasions for out-of-the box thinking for the next steps ahead in policy making."

More info on LAPSI goals.

It launched on 22 March 2010 - see slides from the launch.

ITU - identity management, privacy, security in the cloud

More tech than law, this - encryption etc. Harmonizing identity management, privacy and security in the cloud and in the grid: dynamic distributed key infrastructures and dynamic identity verification and authentication, 10 April 2010, Andre Brisson & Stephen Boren, International Telecommunications Union Work Group 27 on Cloud Computing - detailed slides.

Sunday, 18 April 2010

Mobile identity management - ENISA report on risks, legal issues, recommendations

An ENISA position paper of 13 April 2010 on Mobile Identity Management by a team of authors:

  • reports on information security risks and best practices in the area of Mobile Identity Management (Mobile IDM) - including identity theft, eavesdropping, spyware, surveillance, phishing, collection and storage of private information beyond the stated purpose, failure to recognize context, inadequate device resources (to process stronger authentication algorithms), intrusive authentication and lack of user awareness
  • analyses key legal issues relating to mobile ID management including a summary of applicable legislation, analysis of EU provisions on location data (Directive on privacy and electronic communication 2002/58/EC of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector on location data etc and the Data Protection Directive 95/46/EC and article 29 Working Party views), transparency requirements for mobile IDM (information which must be given to the data subject), consent requirements for mobile IDM and their application to geo-localization services, the right to withdraw consent and its application in the mobile IDM context, data retention considerations and security measures applicable to service providers and transmission to third parties, and
  • provides recommendations of systems, protocols and/or approaches to address these challenges - interoperability, user awareness, and a set of design objectives (here comes privacy by design again) relating to user experience, access & authorisation, scalability, resilient connectivity, malware defences, control over privacy settings, delegation, accountability, and identity selection and composition. Good to see lots of overlap with my suggested data dozen principles for privacy-preserving identity management systems.

Flight security - ENISA report on RFID, Internet of Things

On 13 April 2010 EU cybersecurity agency ENISA issued their risk assessment report of the risks associated with a future air travel scenario enabled with "Internet of things", IoT / RFID technology - Flying 2.0 - Enabling automated air travel by identifying and addressing the challenges of IoT & RFID technology (IoT = "Internet of Things") with Annex I - "Scenario Building & Analysis", and Annex II - "Risk Assessment Spreadsheet" on assets, impact areas, threats, vulnerabilities etc.

It identifies major security risks, as well as privacy, social and legal implications, and also makes concrete policy, research and legal recommendations. Risks include "failure of the air travel procedures, passenger frustration and low social acceptance, loss/violation of citizen/passenger privacy and social exclusion". It doesn't just deal with RFID technology; it also considers the EU-US PNR agreement.

From the press release:

"Three policy recommendations: 1. Rethink existing business structures and introduce new business models.  Air transportation actors (e.g. airlines, airports, logistics, aviation security agencies, etc) should proactively stay alert for new business models. 2. User-friendliness and inclusiveness of devices, processes and procedures - we need to be inclusive. 3. Develop and adopt policies for data management and protection

Five research recommendations: 1. Data protection and privacy, 2. Usability, 3. Multi-modal person authentication, e.g. biometric procedures, 4. Proposing standards of light cryptography protocols, and, 5. Managing trust as a central consideration: an enterprise should understand its own trust framework.

Three legal recommendations: 1. Support for users, e.g. for data subjects to better exercise their rights. 2. Placing a high value on information and data. 3. Harmonisation of data collection by airport shops and efforts to raise awareness, among travellers of the collection and processing of data."

Their recommendations for the EU (emphasis added, and some comments in italics) -

"We recommend that the European Commission prepare guidelines on the better enforcement and application of the European regulatory framework, especially in view of the challenges posed by technological developments. More specifically, we recommend that:
- amendments of data protection legislation be introduced to give Data Protection Authorities (DPAs) stronger powers to audit companies or government departments with regard to their compliance with the relevant data protection legislation and that DPAs should be given the resources needed in order to achieve this task;
[Absolutely - I've been saying that in the PETs context, and the Article 29 Working Party certainly feel DPA powers and resources should be beefed up]
- the European Commission negotiate amendments to the EU-US PNR agreement so that there is transparency what the US does with PNR data, whether such data is shared, and so that European citizens have access to their data in a timely, low or no-cost way.
[See the EU's recent report of the 2010 review of the EU-US PNR agreement]
- the European Commission gives a priority to the regulation of profiling and behavioural marketing in order to ensure the protection of the data subject from their consequences.
We further recommend that the European Commission:
- adopt an ‘end-to-end’ approach for securing IoT/RFID applications: appropriately mitigating IoT/RFID risks lies beyond securing the RFID tags, it actually extends from smart devices to readers and back-end databases
[An end to end approach should be taken to all personal data throughout its life cycle - see my post Data Dozen - Identity Management for Privacy]
- in order to improve the usability of future research results, and align research with industrial and societal needs, promote the participation of industry, and in particular SMEs in research activities as FP7. More specifically, we recommend that the Commission reinforce pilot activities in the line of the present CIP ICT-PSP programme with more ambitious targets and measures for participation of SMEs, and also initiate support actions, to better disseminate the results of such research to them;
- encourage more (and better) research at EU level on the ethical limits of private data capture and circulation, and on the societal implications of developments in this regard, e.g. under the Science and Society programme of FP7.
- endorse and promote awareness raising and educational activities for the citizens, as well as other specialised audience (professionals, personnel etc.)"

EU-US PNR agreement - EU review report issued

Not that Europeans are doing much flying at the moment, but on 7 April 2010 the Commission released their official report of a joint review on the EU-USA agreement on transfer of EU air passengers' personal data (passenger name record info) to the US government Department of Homeland Security. The review was carried out on 8-9 February 2010 in Washington with teams from both EU and USA.

See also:

Monday, 12 April 2010

US - NIST guide to protecting confidentiality of personally identifiable information (PII)

The US standards agency National Institute of Standards and Technology (NIST) on 6 April 2010 issued a practical 59-pg Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) with guidelines on identifying PII and determining the appropriate level of protection for each instance of PII, suggesting safeguards that may offer appropriate levels of protection for PII and providing recommendations for developing response plans for incidents involving PII.

It includes Appendices with scenarios, FAQs about PII, glossary and definitions of common terms, abbreviations etc.

From the summary:

"To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.”"

(The UK Information Commissioner's recent Privacy Dividend paper focused on promoting the business case for implementing data protection best practices rather than providing detailed guidelines or recommendations, but the ICO has a raft of guidance notes.)

Friday, 9 April 2010

OECD privacy guidelines - papers on their impact 30 years on, in USA, EU, Canada, Japan etc

Several OECD events were planned for the 30th anniversary in 2010 of the seminal 1980 OECD privacy guidelines, including an OECD roundtable in March 2010 on the impact of the guidelines.

Some helpful notes or papers from the conference are now available including:

There were also papers by representatives from various member countries - the links against the names below lead to their presentations, some more detailed than others, describing experiences with the guidelines in their own countries:

Jane Hamilton, Acting Director, Electronic Commerce Branch, Industry (Canada)
Fumio Shimpo, Assistant Professor, Graduate School of Media and Governance, Keio University (Japan)  -  slides
Blair Stewart, Assistant Commissioner, Office of the Privacy Commissioner (New Zealand)
David Smith, Deputy Commissioner, Office of the Information Commissioner (United Kingdom) [there's no copy of his presentation, unfortunately]
Hugh Stevenson, Deputy Director, Office of International Affairs, Federal Trade Commission  (United States)

And see also the views of US privacy advocate EPIC (Marc Rotenberg), and a paper on the Privacy Framework developed by the Asia Pacific Economic Cooperation forum (APEC) as an example where the OECD Guidelines were used as a benchmark to draw up a privacy framework (Malcolm Crompton, Information Integrity Solutions Pty Ltd and Privacy Commissioner of Australia 1999‑2004).

Privacy & location info - re-identification risks, especially with health data

A new Canadian research study A Method for Managing Re-identification Risk from Small Geographic Areas in Canada (full text), by Khaled El Emam, Ann Brown, Philip AbdelMalik, Angelica Neisa, Mark Walker, Jim Bottomley and Tyson Roffey, published in the BMC Medical Informatics and Decision Making journal, measures how easy it is to determine the identity of individuals using their geographical information (de-anonymization), and suggests a method to reduce re-identification of individuals from anonymised datasets.

It notes the increasing collection by websites etc of location information, "such as where we live, where the clinic we visited is located, and where we work", and the resulting privacy concerns when location is coupled with basic demographics and sensitive health information. Individuals living in small areas tend to be more easily identifiable because they are unique on their local demographics.

From the press release (NB in Word format!):

"Prof. Khaled El Emam, Canada Research Chair in Electronic Health Information and lead author, explains that they have developed a new method for measuring the privacy risk for Canadians, in particular, those living in small geographic areas. This privacy risk measure can then be used to decide whether it is appropriate to release/share geographic information or not and what demographics to include with this geographic information. The article also presents a set of criteria and checklists for managing the privacy risks when releasing/sharing location information.

“What we have developed is an overall risk management approach to decide how best to protect people’s privacy by taking into account their locations, the sensitivity of the data, and who they are sharing the data with,” explains Dr. El Emam.

This study shows that by protecting only the individuals living in small geographic areas, as defined by the new measures, it is possible to share more information while still being able to manage privacy risks."

From the abstract:

"A common disclosure control practice for health datasets is to identify small geographic areas and either suppress records from these small areas or aggregate them into larger ones. A recent study provided a method for deciding when an area is too small based on the uniqueness criterion. The uniqueness criterion stipulates that the area is no longer too small when the proportion of unique individuals on the relevant variables (the quasi-identifiers) approaches zero. However, using a uniqueness value of zero is quite a stringent threshold, and is only suitable when the risks from data disclosure are quite high. Other uniqueness thresholds that have been proposed for health data are 5% and 20%…

We have also included concrete guidance for data custodians in deciding which one of the three uniqueness thresholds to use (0%, 5%, 20%), depending on the mitigating controls that the data recipients have in place, the potential invasion of privacy if the data is disclosed, and the motives and capacity of the data recipient to re-identify the data…

The models we developed can be used to manage the re-identification risk from small geographic areas. Being able to choose among three possible thresholds, a data custodian can adjust the definition of "small geographic area" to the nature of the data and recipient."

An interesting approach, and of course the issue of when an "area" is "too small", thus enabling de-anonymization, applies more widely to areas other than physical geographic location - especially when you can combine and link different types of data.
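To make the uniqueness criterion in the abstract concrete, here is an added worked illustration (my own code, not the paper's method as published nor anything from the study's authors): it measures, per area, the proportion of records that are unique on the quasi-identifiers, flags areas above a chosen threshold (0%, 5% or 20%) as "too small", aggregates those areas into a coarser region, and suppresses whatever is still too small after aggregation. The area codes, region map, age bands, diagnoses and the choice of quasi-identifiers are all constructed for the example.

```python
"""Uniqueness-criterion check for "small geographic areas" before releasing health data.

Added example, not code from the El Emam et al. paper or from this blog. An
area counts as "too small" when the proportion of its records that are unique
on the quasi-identifiers is above the chosen threshold. Too-small areas are
first aggregated into a coarser region; any region still too small afterwards
has its records suppressed (the abstract's "suppress or aggregate"). Area and
region codes, age bands and diagnoses are invented for illustration.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Quasi-identifiers: fields a recipient could plausibly know about a person
# and match against the released data (constructed choice).
QUASI_IDENTIFIERS: Tuple[str, ...] = ("area", "sex", "age_band")

# The three thresholds named in the abstract. Choosing among them is the data
# custodian's decision, based on the recipient's controls, the sensitivity of
# the data and the recipient's motive and capacity to re-identify.
THRESHOLDS: Dict[str, float] = {"strict": 0.0, "moderate": 0.05, "lenient": 0.20}

# Constructed region map: each fine-grained area rolls up into one region.
REGION_OF: Dict[str, str] = {"A1": "R-north", "B2": "R-north", "C3": "R-south", "D4": "R-south"}


def _rows(area: str, sex: str, age_band: str, dx: str, n: int) -> List[dict]:
    """Build n identical constructed records; dx is the sensitive attribute."""
    return [{"area": area, "sex": sex, "age_band": age_band, "dx": dx} for _ in range(n)]


# Constructed sample records: 29 in total across four areas.
SAMPLE_RECORDS: List[dict] = (
    _rows("A1", "F", "30-39", "asthma", 2) + _rows("A1", "M", "30-39", "asthma", 2)
    + _rows("A1", "F", "40-49", "diabetes", 2) + _rows("A1", "M", "60-69", "diabetes", 1)
    + _rows("B2", "F", "30-39", "asthma", 3) + _rows("B2", "M", "30-39", "asthma", 3)
    + _rows("B2", "F", "40-49", "diabetes", 3) + _rows("B2", "M", "60-69", "asthma", 1)
    + _rows("C3", "F", "20-29", "asthma", 2) + _rows("C3", "M", "50-59", "diabetes", 1)
    + _rows("C3", "F", "70-79", "diabetes", 1)
    + _rows("D4", "F", "20-29", "asthma", 2) + _rows("D4", "M", "50-59", "diabetes", 2)
    + _rows("D4", "F", "40-49", "asthma", 2) + _rows("D4", "M", "30-39", "asthma", 2)
)


def _qid_key(record: dict) -> tuple:
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def uniqueness_by_area(records: List[dict]) -> Dict[str, float]:
    """Proportion of records in each area that are unique on the quasi-identifiers.

    A record is unique when no other record shares its full quasi-identifier
    combination (area included), i.e. its equivalence class has size 1.
    """
    class_size = Counter(_qid_key(r) for r in records)
    total = Counter(r["area"] for r in records)
    unique = Counter(r["area"] for r in records if class_size[_qid_key(r)] == 1)
    return {area: unique[area] / total[area] for area in total}


def too_small_areas(records: List[dict], threshold: float) -> List[str]:
    """Areas whose uniqueness proportion is above the threshold."""
    return sorted(a for a, u in uniqueness_by_area(records).items() if u > threshold)


def prepare_release(records: List[dict], threshold: float,
                    region_of: Dict[str, str] = REGION_OF) -> Tuple[List[dict], List[str]]:
    """Aggregate too-small areas into their region, then suppress what is still too small.

    Returns (records fit for release, sorted codes of the units suppressed).
    Aggregation merges every area of an affected region, so the merged unit is
    genuinely larger than the small area on its own; the merged unit is then
    re-checked against the same threshold.
    """
    affected_regions = {region_of[a] for a in too_small_areas(records, threshold)}
    aggregated = []
    for r in records:
        r2 = dict(r)
        if region_of[r["area"]] in affected_regions:
            r2["area"] = region_of[r["area"]]
        aggregated.append(r2)
    still_small = set(too_small_areas(aggregated, threshold))
    released = [r for r in aggregated if r["area"] not in still_small]
    return released, sorted(still_small)


if __name__ == "__main__":
    for name, t in THRESHOLDS.items():
        released, suppressed = prepare_release(SAMPLE_RECORDS, t)
        print(f"{name} ({t:.0%}): {len(released)} records released, suppressed: {suppressed}")
```

On this constructed data the strict and moderate thresholds both end up suppressing the whole southern region (one record stays unique even after merging), while the lenient threshold releases all 29 records with C3 folded into its region. That is the trade-off the abstract describes: a zero threshold buys the most protection but discards the most data, so it only makes sense when the disclosure risk is high.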

Electronic health records and e-health technology in the USA

Research in the USA suggests that "The implementation of electronic health record systems may not be enough to significantly improve health quality and reduce costs" - Electronic Health Records' Limited Successes Suggest More Targeted Use, published in Health Affairs, by Catherine M. DesRoches, Eric G. Campbell, Christine Vogeli, Jie Zheng, Sowmya R. Rao, Alexandra E. Shields, Karen Donelan, Sara Rosenbaum, Steffanie J. Bristol, and Ashish K. Jha, researchers from the Mongan Institute for Health Policy at Massachusetts General Hospital.

They found, from analysing very comprehensive data (from a 2008 survey sent to chief operating officers of acute care hospitals belonging to the American Hospital Association, with completed surveys returned from almost 3,000 hospitals in the 50 states and District of Columbia), that "currently implemented systems have little effect on measures such as patient mortality, surgical complications, length of stay and costs. The authors note that greater attention may need to be paid to how systems are being implemented and used, with the goal of identifying best practices."

"Our findings suggest that hospitals need to pay special attention to how they implement these systems. Simply having the technology available is probably not going to be enough," says DesRoches, an assistant professor of Medicine at Harvard Medical School. "Hospitals will need to effectively integrate new systems into their current practices. Studying institutions that have been successful will provide important lessons for everyone."

The abstract:

"Understanding whether electronic health records, as currently adopted, improve quality and efficiency has important implications for how best to employ the estimated $20 billion in health information technology incentives authorized by the American Recovery and Reinvestment Act of 2009. We examined electronic health record adoption in U.S. hospitals and the relationship to quality and efficiency. Across a large number of metrics examined, the relationships were modest at best and generally lacked statistical or clinical significance. However, the presence of clinical decision support was associated with small quality gains. Our findings suggest that to drive substantial gains in quality and efficiency, simply adopting electronic health records is likely to be insufficient. Instead, policies are needed that encourage the use of electronic health records in ways that will lead to improvements in care."

In other words, if you build it they will not necessarily come - technology alone is not enough, implementation and processes matter as much if not more (along with high level buy-in and comprehensive stakeholder engagement, of course), as anyone who has ever been involved in a technology project will know.

Now it seems that if you actually ask the patients what they want from technology, and honour their values and preferences, electronic medical records adoption and use of health information technology will rise. Goodness me, what a novel idea!

But seriously - there's been a separate study in the USA showing this, "Patient Experience Should Be Part Of Meaningful-Use Criteria" by James D. Ralston, Katie Coleman, Robert J. Reid, Matthew R. Handley and Eric B. Larson, from Group Health Research Institute, also published in Health Affairs. This was specific to one particular organisation, Group Health Cooperative, which was an “early adopter” of health information technology that directly engages patients online.


"The proposed federal "meaningful use" criteria for electronic health records include the direct engagement of patients in their care. In this study, we sought to describe the adoption and use of online services linked to the electronic health record at Group Health Cooperative. By August 2009, six years after the introduction of these services, 30 percent of outpatient "encounters" were actually conducted through secure electronic messaging. Meanwhile, 10 percent of enrollees reviewed medical test results online, while 10 percent went online to request medication refills. These results highlight the need to measure the patient experience as part of meaningful use and to enact policies supporting online and phone communication by patients and providers."

And from the news report, with YouTube video:

"Group Health was an “early adopter” of health information technology that directly engages patients online. By 2003, Group Health patients could use its Web site to: exchange secure e-mail with their health care providers; schedule office visits; get after-visit summaries and medication refills; and see parts of their electronic health record (EHR), including test results, medications, and immunizations. Since then, the integrated health care system has kept improving its health information technology based on surveys of randomly selected patients every two years.

Dr. Ralston used those biennial surveys as part of an evaluation of Group Health’s use of health information technology. He found patients were highly satisfied with the technology, and they were most satisfied with the services they used most often: reviewing test results, requesting medication refills, exchanging secure e-mail with providers, and reviewing after-visit summaries.

By the end of 2009, 58 percent of Group Health’s adult patients had registered for access to online services, and that percentage keeps rising. And of every 10 times that Group Health patients consulted with their primary care team, three times were through secure e-mail, two were over the phone, and five were in person.

The Stimulus (American Recovery and Reinvestment Act) of 2009 included incentives for medical systems to adopt EHRs if they use them “meaningfully.” Accordingly, in 2011, the Centers for Medicare and Medicaid Services (CMS) will start paying incentives to providers and hospitals that show “meaningful use” of EHRs. But current meaningful-use criteria don’t include any assessment of patients’ experience.

“Based on our evaluation, we strongly urge policy makers to include measures of patients’ experience when setting criteria for meaningful use of health information technology,” Dr. Ralston said. “Because of concerns about disparities in access to care, especially the ‘technology gap,’ patients must be able to communicate with providers in the way they need or prefer, whether in person, over the phone, or through secure e-mail.”

At Group Health, patients can connect with their health care providers in whichever way they prefer. And providers are paid on salary for caring for a group of patients, not reimbursed for each visit and procedure they do. By contrast, most U.S. providers are paid for each procedure and office visit—but not for connecting with their patients by e-mail or phone."

The payment reforms they urge make a lot of sense.

For those interested in these areas, see the April 2010 Health Affairs issue generally (needs subscription for full access).

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Thursday, 8 April 2010

AP News Registry & hNews - Associated Press's digital news registry passes DoJ vetting

I previously blogged US news agency Associated Press's announcement of a proposed news registry and "tracking beacon" (which had been called "DRM for news", though it isn't DRM, it's just Javascript).

The US Department of Justice have recently approved the Associated Press's planned "news registry", according to an AP press release of 1 April - and no, I don't think it's a joke despite its date (unlike my own very obvious April Fool's spoof!).

"A beta test of the registry began in November of 2009, and some 200 AP newspaper members are now participating in the test. We expect the registry to go live in July [2010]," AP have said.

The DoJ said it "supports a proposal by The Associated Press (AP) to develop and operate a voluntary news registry to facilitate the licensing and Internet distribution of news content created by the AP, its members, and other news originators. The department said that the development and operation of the registry is not likely to reduce competition among news content owners and could provide procompetitive benefits to both participating content owners and content users."

There's some more detailed info about what the AP News Registry is and what it will do, i.e. "create a system that registers key identifying information about every piece of content AP distributes as well as the terms of use for that content, and employs a built-in tracking device to notify AP about how that content is used online. The Registry will enable third parties and customers to find and use content through new digital platforms, devices and services, while assuring AP that its content will be protected against unauthorized use."

I've decided to split out an explanation of hNews, and an hNews tutorial to make a Blogger blog hNews-compatible or hNews-compliant (as I've done on this blog), into a different blog post.


Wednesday, 7 April 2010

Privacy is now about control, not secrecy

There's an excellent blog post by security guru Bruce Schneier on Privacy and Control, explaining very clearly why legislation is needed to protect privacy by giving people control over their personal data (see his talk on privacy and security). When internet household names and NGOs too have united in calling for updated laws, in the Digital Due Process coalition, hopefully legislators will take note and act. Perhaps even in the forthcoming proposals to revise the EU Data Protection Directive?

But as I've said before, personally I don't think laws (or PETs) will do much good without better monitoring and enforcement, and meaningful penalties for breach.

Talking about control over personal data, and in particular its use for different purposes, see also the 33 Bits of Entropy blog post by de-anonymization expert Arvind Narayanan on whether it's a privacy violation to make "public" data even more public. He makes the point that "We need to figure out some ground rules to decide what uses of public data on the web are acceptable." Which is the most difficult issue. The aims have to be clear before laws can be made or privacy policies enforced whether by machines or humans.

The "public vs. more public" issue seems to have become more topical after danah boyd's SXSW keynote speech Making sense of privacy and publicity. E.g. see Broadstuff's comments on the speech and his interesting final observation:

"the people who are heading the companies espousing Public Living the most, are also ensuring their own privacy the most - to the extent that I think we are seeing the emergence of "Privacy Feudalism" - there is a risk that in the future only the rich/powerful will have privacy, life will be lived in a public bubble except for those who can live behind the gated online communities."


Gossip on the internet - privacy, reputation, free speech

There's an interesting free event in May if you're in London then and have time to spare - on the afternoon of Friday 7 May, 2.30pm-4.30pm.

The Management of Gossip on the Internet: An Exploration of the Interrelationship between the Rights to Reputation, Privacy and Free Speech

Anne Cheung, Department of Law, University of Hong Kong; Visiting Fellow, SAS Human Rights Consortium.

Gus Hosein, Senior Fellow, Privacy International. (He chaired the future of internet rights event I reported previously.)

Dr Julia Hornle, Senior Lecturer in Internet Law, Queen Mary, University of London.

James Michael, IALS Associate Senior Research Fellow; Editor, Privacy Laws & Business International

Free. To attend, RSVP


Monday, 5 April 2010

Cloud computing privacy - Canada, EU etc

The Canadian Privacy Commissioner has published a paper "Reaching for the Cloud(s): Privacy Issues related to Cloud Computing" 29 March 2010 looking at general and privacy-specific issues raised by the phenomenon of cloud computing, including of course jurisdiction, and setting out the Commissioner's likely approach to any complaints about cloud computing.

One thoughtful and influential paper which the Canadian paper doesn't cite, though, is Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing by US lawyer Robert Gellman for the World Privacy Forum, issued 23 February 2009; the issues it raises are obviously still very current. (And see the Forum's cloud computing page generally.)

In the EU, European cyber-security agency ENISA published an excellent Cloud Computing Security Risk Assessment in November 2009 (along with a recommended Cloud Computing Information Assurance Framework and an SME perspective on cloud computing survey), with some coverage of legal issues such as data protection, while the Article 29 Working Party's work programme for 2010-2011 is to include work on cloud computing.

Microsoft's General Counsel Brad Smith has called for both legal and industry changes in Europe to build confidence in the cloud (and similarly in relation to the USA), and Google's Global Privacy Counsel Peter Fleischer has pointed out the difficulties with "location" of data in the cloud and the resulting policy issues, praising the "far-sighted model adopted in Canada’s privacy laws".

And of course in the USA the Digital Due Process coalition is lobbying for modernisation of the US Electronic Communications Privacy Act 1986.

A proposal for reforms to the EU Data Protection Directive is due by end 2010, so no doubt all these views will be taken into account.


Sunday, 4 April 2010

USA - Digital Due Process coalition and e-privacy

There have been many reports of several US technology corporations (including AT&T, AOL, eBay, Google, Intel and Microsoft), academics and privacy advocates (including the ACLU, CDT and EFF) banding together to form an alliance called Digital Due Process, in order to campaign for the US Electronic Communications Privacy Act 1986 to be updated for the internet age.

But there haven't been many links to what I'd like to draw attention to - a paper for DDP: The Electronic Communications Privacy Act of 1986: Principles for Reform, by US lawyer J Beckwith Burr of US firm Wilmer Cutler Pickering Hale and Dorr, LLP, which analyses the legal position in relation to the ECPA, and the rationale for reform to ensure US Fourth Amendment protection against unreasonable searches and seizures extends to all communications however stored.

A major point DDP make is that currently email privacy in the USA differs depending on whether you store it on your hard drive or "in the cloud" (i.e. webmail like HotMail, YahooMail or Gmail) - and it shouldn't.

Hard copy letters and email anywhere should be treated in exactly the same way as far as government ability to read it is concerned. Other data is increasingly stored in the cloud too, and its privacy protection needs to be considered. Clearly the DDP have more than an eye on the development of cloud computing and the concomitant modernisation of privacy laws so as to continue to be fit for purpose.

Similarly, with the explosion in mobile phone (cellphone) use, location data privacy is increasingly important. And the growth of social networking also needs to be taken into account.

Given the heavyweight membership of the coalition, hopefully the US government will be taking matters forward on this and perhaps other related fronts.


Friday, 2 April 2010

Space debris & space law

Interesting concise note from the Parliamentary Office of Science & Technology on Space Debris - if you ever wanted to know about the differences between LEO, MEO, GEO & HEO, recent debris incidents and protecting satellites from debris as well as the key international agreements dealing with debris mitigation.


Thursday, 1 April 2010

Electronic health records - new ISO standards

New International Organization for Standardization standards for electronic medical records -

The ISO press release says:

"Together, the two documents provide a powerful comprehensive solution to address e-health data integrity, including ethical and legal concerns, privacy protection, regulations concerning access and disclosing of records among other needs specific to the industry.

For instance, unlike other electronic documents, patient records must be available throughout their entire lifecycle (potentially reaching 100+ years), regardless of time and place. The ISO documents take into account the dynamic nature of health data, which may be modified through time, its sensitivity and high security requirements, particularly as transferred between services organizations and healthcare providers, and more.

The ISO documents also take into consideration new initiatives in the field, such as the growing trend to reinforce patients’ self determination and participation in their own healthcare, and the data that must be available to them."

I've not seen copies; does anyone know whether they really address the issues as well as the press release says they do? How practicable will it be to implement these standards?

Via epractice.
