Category: Privacy (Medical)

0

Volume 60, Issue 1 (October 2012)

Volume 60, Issue 1 (October 2012)


Articles

Not This Child: Constitutional Questions in Regulating Noninvasive Prenatal Genetic Diagnosis and Selective Abortion Jaime Staples King 2
A Labor Paradigm for Human Trafficking Hila Shamir 76
Prosecutors Hide, Defendants Seek: The Erosion of Brady Through the Defendant Due Diligence Rule Kate Weisburd 138


Comments

Trade Dress Protection for Cuisine: Monetizing Creativity in a Low-IP Industry Naomi Straus 182
What Happens in the Jury Room Stays in the Jury Room . . . but Should It?: A Conflict Between the Sixth Amendment and Federal Rule of Evidence 606(b) Amanda R. Wolin 262
3

Big Data for All

Much has been written over the past couple of years about “big data” (See, for example, here and here and here). In a new article, Big Data for All: Privacy and User Control in the Age of Analytics, which will be published in the Northwestern Journal of Technology and Intellectual Property, Jules Polonetsky and I try to reconcile the inherent tension between big data business models and individual privacy rights. We argue that going forward, organizations should provide individuals with practical, easy to use access to their information, so they can become active participants in the data economy. In addition, organizations should be required to be transparent about the decisional criteria underlying their data processing activities.

The term “big data” refers to advances in data mining and the massive increase in computing power and data storage capacity, which have expanded by orders of magnitude the scope of information available for organizations. Data are now available for analysis in raw form, escaping the confines of structured databases and enhancing researchers’ abilities to identify correlations and conceive of new, unanticipated uses for existing information. In addition, the increasing number of people, devices, and sensors that are now connected by digital networks has revolutionized the ability to generate, communicate, share, and access data.

Data creates enormous value for the world economy, driving innovation, productivity, efficiency and growth. In the article, we flesh out some compelling use cases for big data analysis. Consider, for example, a group of medical researchers who were able to parse out a harmful side effect of a combination of medications, which were used daily by millions of Americans, by analyzing massive amounts of online search queries. Or scientists who analyze mobile phone communications to better understand the needs of people who live in settlements or slums in developing countries.

Read More

3

Laws Regulating PII

My co-author Sasha Romanosky asks me to post the following:

I am involved in a research project that examines state laws affecting the flow of personal information in some way. This information could relate to patients, employees, financial or retail customers, or even just individuals. And by “flow” we are interested in laws that affect the collection, use, storage, sale, sharing, disclosure, or even destruction of this information.

For example, some state laws require that companies notify you when your personal information has been hacked, while other state laws require notice if the firm plans to sell your information. In addition, laws in other
states restrict the sale of personal health information; enable law enforcement to track cell phone usage without a warrant; or prohibit the collection of a customer’s zip code during a credit card purchase.

Given the huge variation among states in their information laws, we would like to ask readers of Concurring Opinions to help us collect examples of such laws. You are welcome to either post a response to this blog entry or
reply to me directly at sromanos at cmu dot edu.

Thank you!

Sasha is a good guy, and a really careful researcher. Let’s help him!

3

Re-Identification Risks and Myths, Superusers and Super Stories (Part II: Superusers and Super Stories)

The Myth of Superuser: Toward Accurate Assessment of Unrealized Possibilities

In a recent Concurring Opinion blog post, I provided a critical re-examination of the famous re-identification of Massachusetts Governor William Weld’s health information as accounted by Paul Ohm, in his 2010 paper “Broken Promises of Privacy” and exposed a fatal flaw, the “Myth of the Perfect Population Register”  which constitutes a serious challenge to all re-identification attacks.   

In part 2 of this essay, I address the broader issues of how privacy law scholars and policy-makers should evaluate various scenarios being presented as motivators for the need for potential privacy regulations. Fortunately, Professor Ohm in earlier work has written another very compelling and astute paper from which we can draw some useful guidance for such approaches.  In his paper, Ohm cautions public policy makers to beware of the Myth of the Superuser. Ohm’s point with regard to this mythical “Superuser” is not that such Superusers – just substitute “Data Intruders” for our interests here do not exist. Ohm isn’t even trying to imply that the considerable skills needed to facilitate their attacks are mythical. Rather, Ohm is making the point that by inappropriately conflating the rare and anecdotal accomplishments of notorious hackers with the actions of typical users we unwittingly form highly distorted views of the normative behavior which is under consideration for regulatory control. This misdirected focus leads to poorly constructed public policy and unintended consequences. It’s not hard to see that extremely important parallels exist here with regard to “Myth of the Perfect Population Register”. The inability of most data intruders to construct accurate and complete population registers capable of supporting re-identification attacks has wide-reaching implications. The most important implication is how seriously we should take claims about the “astonishing ease” of re-identification. As I’ve written in a previous paper co-authored with University of Arizona Law Professor, Jane Bambauer Yakowitz, “…de-anonymization attacks do not scale well because of the challenges of determining the characteristics of the general population., Each attack must be customized to the particular de-identified database and to the population as it existed at the time of the data-collection. This is likely to be feasible only for small populations under unusual conditions.”

For this very same reason, oft-repeated apprehensions that evolving re-identification risks arising from new data sources like Facebook or new re-identification technologies will rapidly out-pace our abilities to recognize and appropriately respond with effective de-identification methods are simply unfounded. It is not the case that re-identification methods can be easily automated and rapidly spread via the Internet as some have mistakenly asserted. The Myth of the Perfect Population Register assures us that confident re-identifications will always require labor intensive efforts spent building and confirming high quality, time-specific population registers. Re-identification lacks the easy transmission and transferability associated with computer viruses or other computer security vulnerabilities. It will never become the domain of hacker “script kiddies” because of the competing “limits of human bandwidth” discussed in Ohm’s Superuser paper. Even with considerable computer assistance with the requisite data management, there simply isn’t enough human time and effort as would be needed to track, disambiguate and verify the ocean of messy data required to clearly re-identify individuals in large populations – at least when proper de-identification methods have already made the chance of success very small. Careful consideration of Ohm’s Superuser arguments coupled with the Myth of the Perfect Population Register lead us to the conclusion that re-identification attempts will continue to be expensive and time-consuming to conduct, require serious data management and statistical skills to execute, rarely be successful when data has been properly de-identified, and, most importantly, almost always turn out to be ultimately uncertain as to whether any purported re-identifications have actually been correct.

Read More

14

Re-Identification Risks and Myths, Superusers and Super Stories (Part I: Risks and Myths)

In a recent Health Affairs blog article, I provide a critical re-examination of the famous re-identification of Massachusetts Governor William Weld’s health information. This famous re-identification attack was popularized by recently appointed FTC Senior Privacy Adviser, Paul Ohm, in his 2010 paper Broken Promises of Privacy. Ohm’s paper provides a gripping account of Latanya Sweeney’s famous re-identification of Weld’s health insurance data using a Cambridge, MA voter list. The Weld attack has been frequently cited echoing Ohm’s claim that computer scientists can purportedly identify individuals within de-identified data with “astonishing ease.”

However, the voter list supposedly used to “re-identify” Weld contained only 54,000 residents and Cambridge demographics at the time of the re-identification attempt show that the population was nearly 100,000 persons. So the linkage between the data sources could not have provided definitive evidence of re-identification. The findings from this critical re-examination of the famous Weld re-identification attack indicate that he was quite likely re-identifiable only by virtue of his having been a public figure experiencing a well-publicized hospitalization, rather than there being any actual certainty to his purported re-identification via the Cambridge voter data. His “shooting-fish-in-a-barrel” re-identification had several important advantages which would not have existed for any random re-identification target. It is clear from the statistics for this famous re-identification attack that the purported method of voter list linkage could not have definitively re-identified Weld and, while the odds were somewhat better than a coin-flip, they fell quite short of the certainty that is implied by the term “re-identification”.

The full detail of this methodological flaw underlying the famous Weld/Cambridge re-identification attacks is available in my recently released paper. This fatal flaw, the inability to confirm that Weld was indeed the only man with in his ZIP Code with his birthdate, exposes the critical logic underlying all re-identification attacks. Re-identification attacks require confirmation that purportedly “re-identified” individuals are the only person within both the sample data set being attacked and the larger population possessing a particular set of combined “quasi-identifier” characteristics.

Read More

2

Big Data Brokers as Fiduciaries

In a piece entitled “You for Sale,” Sunday’s New York Times raised important concerns about the data broker industry.  Let us add some more perils and seek to reframe the debate about how to regulate Big Data.

Data brokers like Acxiom (and countless others) collect and mine a mind-boggling array of data about us, including Social Security numbers, property records, public-health data, criminal justice sources, car rentals, credit reports, postal and shipping records, utility bills, gaming, insurance claims, divorce records, online musings, browsing habits culled by behavioral advertisers, and the gold mine of drug- and food-store records.  They scrape our social network activity, which with a little mining can reveal our undisclosed sexual preferences, religious affiliations, political views, and other sensitive information.  They may integrate video footage of our offline shopping.  With the help of facial-recognition software, data mining algorithms factor into our dossiers the over-the-counter medicines we pick up, the books we browse, and the pesticides we contemplate buying for our backyards.  Our social media influence scores may make their way into the mix.  Companies, such as Klout, measure our social media influence, usually on a scale from one to 100.  They use variables like the number of our social media followers, frequency of updates, and number of likes, retweets, and shares.  What’s being tracked and analyzed about our online and offline behavior is accelerating – with no sign of slowing down and no assured way to find out.

As the Times piece notes, businesses buy data-broker dossiers to classify those consumers worth pursuing and those worth ignoring (so-called “waste”).  More often those already in an advantaged position get better deals and gifts while the less advantaged get nothing.  The Times piece rightly raised concerns about the growing inequality that such use of Big Data produces.  But far more is at stake.

Government is a major client for data brokers.  More than 70 fusion centers mine data-broker dossiers to detect crimes, “threats,” and “hazards.”  Individuals are routinely flagged as “threats.”  Such classifications make their way into the “information-sharing environment,” with access provided to local, state, and federal agencies as well as private-sector partners.  Troublingly, data-broker dossiers have no quality assurance.  They may include incomplete, misleading, and false data.  Let’s suppose a data broker has amassed a profile on Leslie McCann.  Social media scraped, information compiled, and videos scanned about “Leslie McCann” might include information about jazz artist “Les McCann” as well as information about criminal with a similar name and age.  Inaccurate Big Data has led to individuals’ erroneous inclusion on watch lists, denial of immigration applications, and loss of public benefits.  Read More

0

Dockets and Data Breach Litigation

Alessandro Acquisti, Sasha Romanosky, and I have a new draft up on SSRN, Empirical Analysis of Data Breach Litigation.  Sasha, who’s really led the charge on this paper, has presented it at many venues, but this draft is much improved (and is the first public version).  From the abstract:

In recent years, a large number of data breaches have resulted in lawsuits in which individuals seek redress for alleged harm resulting from an organization losing or compromising their personal information. Currently, however, very little is known about those lawsuits. Which types of breaches are litigated, which are not? Which lawsuits settle, or are dismissed? Using a unique database of manually-collected lawsuits from PACER, we analyze the court dockets of over 230 federal data breach lawsuits from 2000 to 2010. We use binary outcome regressions to investigate two research questions: Which data breaches are being litigated in federal court? Which data breach lawsuits are settling? Our results suggest that the odds of a firm being sued in federal court are 3.5 times greater when individuals suffer financial harm, but over 6 times lower when the firm provides free credit monitoring following the breach. We also find that defendants settle 30% more often when plaintiffs allege financial loss from a data breach, or when faced with a certified class action suit. While the compromise of financial information appears to lead to more federal litigation, it does not seem to increase a plaintiff’s chance of a settlement. Instead, compromise of medical information is more strongly correlated with settlement.

A few thoughts follow after the jump.

Read More

0

Stanford Law Review Online: The Privacy Paradox 2012 Symposium Issue

Stanford Law Review

Our 2012 Symposium Issue, The Privacy Paradox: Privacy and Its Conflicting Values, is now available online:

Essays

The text of Chief Judge Alex Kozinski’s keynote is forthcoming.

2

The Demi Moore 911 Call: A Breach of Medical Confidentiality?

I’ve written before on the issue of whether 911 calls should be public.  The recent release of the Demi Moore 911 call raises the issues once again.  From CBS News:

The tape of the frantic 911 call from actress Demi Moore’s Beverly Hills home Monday night is out and, reports CBS News national correspondent Lee Cowan, the scene sounds a lot more dire than her publicist had let on.

After Moore was rushed to the hospital, a statement said she ‘d be seeking professional help for exhaustion and her overall health.

“The 911 tape really indicates that this is a much more serious situation than we were first led to believe,” says US Weekly’s Melanie Bromley. “We’ve been told it’s exhaustion that she’s suffering from, but you can tell from the tape that there’s a very desperate situation there. She’s having convulsions and she’s almost losing consciousness. It’s a very scary tape to listen to.”

Why is this public?   Many 911 calls, like the one with Demi Moore, involve requests for medical treatment.  Typically, whenever any doctor, nurse, or healthcare professional learns information about a person, it is stringently protected.  A healthcare provider who breaches medical confidentiality can face ethical charges as well as legal liability for the breach of confidentiality tort.  In addition, there may be HIPAA violations of the healthcare provider is HIPAA-regulated.  911 call centers are not HIPAA-regulated, but the operators are in a special position of trust and are often providing healthcare advice (and calling for healthcare services such as ambulances).  If the call from Demi Moore’s home had been to a hospital or a doctor or any other type of healhcare provider, public disclosure of the call would be forbidden.  Why isn’t a 911 call seen in the same light?

As I pointed out in my earlier post about the issue, I believe the release of 911 call transcripts to the public violates the constitutional right to information privacy.  The cases generally recognize strong privacy rights whenever health information is involved.  States with laws, policies, or practices that infringe upon the constitutional right to information privacy might be liable in a Section 1983 suit.  I have not seen one yet, but it is about time something sparks states to rethink their policies about making the calls public.

The rationale for making the calls public is to provide transparency about the responsiveness of 911 call centers.  But this can be done in other ways without violating the privacy of individuals.  The main use of the Demi Moore call being public is to serve as grist for the media to learn about her problems.  This doesn’t make the 911 system safer or better; it just makes the tabloids sell faster.

0

Data Security in Healthcare: Some Startling Statistics

A new report by the Ponemon Institute reveals some startling statistics about data security in healthcare:

The frequency of data breaches among organizations in this study has increased 32 percent from the previous year.  In fact, 96 percent of all healthcare providers say they have had at least one data breach in the last two years. Most of these were due to employee mistakes and sloppiness—49 percent of respondents in this study cite lost or stolen computing devices and 41 percent note unintentional employee action. Another disturbing cause is third-party error, including business associates, according to 46 percent of participants.

There is a lot more alarming information in the report.

Self-interest alert: I provide privacy and data security programs to healthcare institutions.