<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:pingback="http://madskills.com/public/xml/rss/module/pingback/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0">
  <channel>
    <title>Web Services Contraptions - Privacy</title>
    <link>http://blog.beuchelt.org/</link>
    <description />
    <language>en-us</language>
    <copyright>Gerald Beuchelt</copyright>
    <lastBuildDate>Tue, 06 Oct 2009 14:10:11 GMT</lastBuildDate>
    <generator>newtelligence dasBlog 2.1.8102.813</generator>
    <managingEditor>work@beuchelt.com</managingEditor>
    <webMaster>work@beuchelt.com</webMaster>
    <item>
      <trackback:ping>http://blog.beuchelt.org/Trackback.aspx?guid=60b6b1b9-0c58-44f6-beaa-eb4d06a5d8b6</trackback:ping>
      <pingback:server>http://blog.beuchelt.org/pingback.aspx</pingback:server>
      <pingback:target>http://blog.beuchelt.org/PermaLink,guid,60b6b1b9-0c58-44f6-beaa-eb4d06a5d8b6.aspx</pingback:target>
      <dc:creator>Gerald Beuchelt</dc:creator>
      <wfw:comment>http://blog.beuchelt.org/CommentView,guid,60b6b1b9-0c58-44f6-beaa-eb4d06a5d8b6.aspx</wfw:comment>
      <wfw:commentRss>http://blog.beuchelt.org/SyndicationService.asmx/GetEntryCommentsRss?guid=60b6b1b9-0c58-44f6-beaa-eb4d06a5d8b6</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
Our effort to improve electronic health data exchange is starting to pick up some
steam: After a very successful round of discussions at the HL7 General Plenary in
Atlanta in late September (kudos to <a href="http://gregorowicz.blogspot.com/2009/08/building-tokyo-cabinet-for-use-with.html">Andy
Gregorowicz</a> for covering this one) and a pretty warm reception, I presented last
week at the NIH in Bethesda during the <a href="http://middleware.internet2.edu/tao-of-attributes/agenda.html">Tao
of Attributes workshop</a> on <a href="http://middleware.internet2.edu/tao-of-attributes/docs/Beuchelt-hData-Tao.pdf">hData
and our plans for the identity management</a> and access control piece. I got some
really great feedback, and I am hopeful that the idea of using a set of technologies
that is known to scale (the RESTful architectural style) can address the needs of a complex
health data exchange. 
</p>
        <p>
Going forward, we would really like to start building a community around <a href="http://www.projecthdata.org/">hData </a>and
L32. To this effect, we have created a couple of email aliases (see <a href="http://www.projecthdata.org/mailing_lists.html">here
for details</a>) for starting a dialogue. 
</p>
        <p>
          <span id="ctl00_ContentPlaceHolder1_lblResults">
            <a href="http://technorati.com/tag/hData" rel="tag">hData</a>
            <a href="http://technorati.com/tag/ehr" rel="tag">ehr</a>
            <a href="http://technorati.com/tag/health+care" rel="tag">health
care</a>
            <a href="http://technorati.com/tag/identity" rel="tag">identity</a>
          </span>
        </p>
        <img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=60b6b1b9-0c58-44f6-beaa-eb4d06a5d8b6" />
      </body>
      <title>hData plugging along</title>
      <guid isPermaLink="false">http://blog.beuchelt.org/PermaLink,guid,60b6b1b9-0c58-44f6-beaa-eb4d06a5d8b6.aspx</guid>
      <link>http://blog.beuchelt.org/2009/10/06/hData+Plugging+Along.aspx</link>
      <pubDate>Tue, 06 Oct 2009 14:10:11 GMT</pubDate>
      <description>&lt;p&gt;
Our effort to improve electronic health data exchange is starting to pick up some
steam: After a very successful round of discussions at the HL7 General Plenary in
Atlanta in late September (kudos to &lt;a href="http://gregorowicz.blogspot.com/2009/08/building-tokyo-cabinet-for-use-with.html"&gt;Andy
Gregorowicz&lt;/a&gt; for covering this one) and a pretty warm reception, I presented last
week at the NIH in Bethesda during the &lt;a href="http://middleware.internet2.edu/tao-of-attributes/agenda.html"&gt;Tao
of Attributes workshop&lt;/a&gt; on &lt;a href="http://middleware.internet2.edu/tao-of-attributes/docs/Beuchelt-hData-Tao.pdf"&gt;hData
and our plans for the identity management&lt;/a&gt; and access control piece. I got some
really great feedback, and I am hopeful that the idea of using a set of technologies
that is known to scale (the RESTful architectural style) can address the needs of a complex
health data exchange. 
&lt;/p&gt;
&lt;p&gt;
Going forward, we would really like to start building a community around &lt;a href="http://www.projecthdata.org/"&gt;hData &lt;/a&gt;and
L32. To this effect, we have created a couple of email aliases (see &lt;a href="http://www.projecthdata.org/mailing_lists.html"&gt;here
for details&lt;/a&gt;) for starting a dialogue.&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
&lt;span id="ctl00_ContentPlaceHolder1_lblResults"&gt;&lt;a href="http://technorati.com/tag/hData" rel="tag"&gt;hData&lt;/a&gt; &lt;a href="http://technorati.com/tag/ehr" rel="tag"&gt;ehr&lt;/a&gt; &lt;a href="http://technorati.com/tag/health+care" rel="tag"&gt;health
care&lt;/a&gt; &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; &lt;/span&gt;
&lt;/p&gt;
&lt;img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=60b6b1b9-0c58-44f6-beaa-eb4d06a5d8b6" /&gt;</description>
      <comments>http://blog.beuchelt.org/CommentView,guid,60b6b1b9-0c58-44f6-beaa-eb4d06a5d8b6.aspx</comments>
      <category>General</category>
      <category>Identity</category>
      <category>Privacy</category>
    </item>
    <item>
      <trackback:ping>http://blog.beuchelt.org/Trackback.aspx?guid=5840fc24-61cd-46c9-9b1c-78a3fa29c7a7</trackback:ping>
      <pingback:server>http://blog.beuchelt.org/pingback.aspx</pingback:server>
      <pingback:target>http://blog.beuchelt.org/PermaLink,guid,5840fc24-61cd-46c9-9b1c-78a3fa29c7a7.aspx</pingback:target>
      <dc:creator>Gerald Beuchelt</dc:creator>
      <wfw:comment>http://blog.beuchelt.org/CommentView,guid,5840fc24-61cd-46c9-9b1c-78a3fa29c7a7.aspx</wfw:comment>
      <wfw:commentRss>http://blog.beuchelt.org/SyndicationService.asmx/GetEntryCommentsRss?guid=5840fc24-61cd-46c9-9b1c-78a3fa29c7a7</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
I liked <a href="http://identityblog.burtongroup.com/bgidps/2009/10/gartner-gets-privacy-dead-wrong.html">Bob
Blakey's recent article</a> on privacy, along with the <a href="http://www.burtongroup.com/Guest/Idps/PrivacynotSecrecy.aspx">paper</a> he
and Ian Glazer published. One direction that might need some additional coverage at
some time is the “privacy of organizations”. Sensitive organizational data (such as
trade secrets or classified material) follows a pattern similar to what Bob and Ian
are laying out for PII: it is disclosed to a trusted group (as such it would not fall
under their definition of secrecy), and a legal instrument (such as an NDA) is used
to ensure that this data is not released to non-authorized parties. 
</p>
        <p>
In my own world, I have seen privacy and secrecy as very closely related: to some
extent, secrecy was to me privacy with a solid logging/auditing system, so that secrecy
is really only preserved operationally, and full access to the audit trail would restore
the identity (oh dear *that* loaded term again) of all actors. Bob and Ian obviously
use a different definition of privacy, which has much stronger implications for the
meta-data architecture, including sensitivity markings or IRM controls. 
<br /></p>
        <p>
In order to draw a more precise distinction between different concepts of privacy,
it might be relevant to examine the origin of the data about me (the data subject): 
</p>
        <ul>
          <li>
The first bucket is data for which I am the originator (source).<br /></li>
          <li>
The next bucket is data that someone I interact with directly collects about me, so
they are the originator. This may include web server access logs, shopping profiles,
etc. 
<br /></li>
          <li>
The final bucket is data that a third party collects about me, without me interacting
with them. In many cases they are not the originator of that data, but instead collect
other parties' data (including mine). Note that data in this bucket gets particularly
interesting when aggregated. 
<br /></li>
        </ul>
In an ideal world, I (as a person or organization) would have full control over all
three buckets, and could determine how the data about me flows. Unfortunately, the
world is not ideal. In most cases I can only control the release (!) of data in the
first bucket, but once that data is out in the wild, it will inevitably land in the
third bucket, which I have least control over. Attempts at controlling that third
bucket through regulatory measures are fairly ineffective, as can be seen from the many
identity data releases and losses, even in relatively strict privacy regimes. 
<br /><p><span id="ctl00_ContentPlaceHolder1_lblResults"><a href="http://technorati.com/tag/privacy" rel="tag">privacy</a><a href="http://technorati.com/tag/secrecy" rel="tag">secrecy</a></span></p><img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=5840fc24-61cd-46c9-9b1c-78a3fa29c7a7" /></body>
      <title>Privacy, again</title>
      <guid isPermaLink="false">http://blog.beuchelt.org/PermaLink,guid,5840fc24-61cd-46c9-9b1c-78a3fa29c7a7.aspx</guid>
      <link>http://blog.beuchelt.org/2009/10/06/Privacy+Again.aspx</link>
      <pubDate>Tue, 06 Oct 2009 13:25:55 GMT</pubDate>
      <description>&lt;p&gt;
I liked &lt;a href="http://identityblog.burtongroup.com/bgidps/2009/10/gartner-gets-privacy-dead-wrong.html"&gt;Bob
Blakey's recent article&lt;/a&gt; on privacy, along with the &lt;a href="http://www.burtongroup.com/Guest/Idps/PrivacynotSecrecy.aspx"&gt;paper&lt;/a&gt; he
and Ian Glazer published. One direction that might need some additional coverage at
some time is the “privacy of organizations”. Sensitive organizational data (such as
trade secrets or classified material) follows a pattern similar to what Bob and Ian
are laying out for PII: it is disclosed to a trusted group (as such it would not fall
under their definition of secrecy), and a legal instrument (such as an NDA) is used
to ensure that this data is not released to non-authorized parties.&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
In my own world, I have seen privacy and secrecy as very closely related: to some
extent, secrecy was to me privacy with a solid logging/auditing system, so that secrecy
is really only preserved operationally, and full access to the audit trail would restore
the identity (oh dear *that* loaded term again) of all actors. Bob and Ian obviously
use a different definition of privacy, which has much stronger implications for the
meta-data architecture, including sensitivity markings or IRM controls. 
&lt;br&gt;
&lt;/p&gt;
&lt;p&gt;
In order to draw a more precise distinction between different concepts of privacy,
it might be relevant to examine the origin of the data about me (the data subject):&amp;nbsp;
&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
The first bucket is data for which I am the originator (source).&lt;br&gt;
&lt;/li&gt;
&lt;li&gt;
The next bucket is data that someone I interact with directly collects about me, so
they are the originator. This may include web server access logs, shopping profiles,
etc. 
&lt;br&gt;
&lt;/li&gt;
&lt;li&gt;
The final bucket is data that a third party collects about me, without me interacting
with them. In many cases they are not the originator of that data, but instead collect
other parties' data (including mine). Note that data in this bucket gets particularly
interesting when aggregated. 
&lt;br&gt;
&lt;/li&gt;
&lt;/ul&gt;
In an ideal world, I (as a person or organization) would have full control over all
three buckets, and could determine how the data about me flows. Unfortunately, the
world is not ideal. In most cases I can only control the release (!) of data in the
first bucket, but once that data is out in the wild, it will inevitably land in the
third bucket, which I have least control over. Attempts at controlling that third
bucket through regulatory measures are fairly ineffective, as can be seen from the many
identity data releases and losses, even in relatively strict privacy regimes. 
&lt;br&gt;
&lt;p&gt;
&lt;span id="ctl00_ContentPlaceHolder1_lblResults"&gt;&lt;a href="http://technorati.com/tag/privacy" rel="tag"&gt;privacy&lt;/a&gt; &lt;a href="http://technorati.com/tag/secrecy" rel="tag"&gt;secrecy&lt;/a&gt; &lt;/span&gt;
&lt;/p&gt;
&lt;img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=5840fc24-61cd-46c9-9b1c-78a3fa29c7a7" /&gt;</description>
      <comments>http://blog.beuchelt.org/CommentView,guid,5840fc24-61cd-46c9-9b1c-78a3fa29c7a7.aspx</comments>
      <category>Identity</category>
      <category>Privacy</category>
    </item>
    <item>
      <trackback:ping>http://blog.beuchelt.org/Trackback.aspx?guid=f83fd799-9c3f-472b-868d-19de8e65fc48</trackback:ping>
      <pingback:server>http://blog.beuchelt.org/pingback.aspx</pingback:server>
      <pingback:target>http://blog.beuchelt.org/PermaLink,guid,f83fd799-9c3f-472b-868d-19de8e65fc48.aspx</pingback:target>
      <dc:creator>Gerald Beuchelt</dc:creator>
      <wfw:comment>http://blog.beuchelt.org/CommentView,guid,f83fd799-9c3f-472b-868d-19de8e65fc48.aspx</wfw:comment>
      <wfw:commentRss>http://blog.beuchelt.org/SyndicationService.asmx/GetEntryCommentsRss?guid=f83fd799-9c3f-472b-868d-19de8e65fc48</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
In an <a href="http://blog.beuchelt.org/2009/08/18/On+Data+Ownership.aspx">earlier
article</a> I talked about data ownership - or lack thereof - at a low, technical
level. There are three principal technical actors: the physical custodian, the logical
custodian, and the data originator. This article deals with the problem (for the data
originator) of limiting the powers the physical custodian has. As the owner of the physical
equipment that hosts the data, the physical custodian can perform a number of undesired
actions with the data he hosts, specifically: (i) copy and distribute it and (ii)
disable physical access to it. In many cases, both actions are not desired by the
data originator or consumer. 
</p>
        <p>
As a first step towards limiting the physical custodian's powers, it is important to
make sure that the physical custodian (PC) is not also a logical custodian (LC). By
this I mean the following: the PC has access to the physical equipment that hosts
the data, as well as the transport infrastructure to get access to it. By denying
the PC the role of the logical custodian, he may ultimately host data, but will not
be able to use or interpret the data in a meaningful way. An obvious way to achieve
this is to encrypt the data and make sure that the PC does not get access to the
key. For most practical purposes, this addresses action (i). 
<br /></p>
        <p>
But even if the PC cannot access the data he hosts, he still has the "power of the
plug": if the PC cuts the connection to the network, or switches off the data equipment,
all access to data is lost. In order to be able to address this problem, one can use
the following scheme: 
<br /></p>
        <ol>
          <li>
            <p>
Data is stored in some atomic units like files, that can be represented as a data
stream. 
</p>
          </li>
          <li>
            <p>
The data stream is encrypted; keys are not stored with the data. 
</p>
          </li>
          <li>
            <p>
The encrypted stream is chunked into at least two chunks of identical size. The number
of chunks is arbitrary. 
</p>
          </li>
          <li>
            <p>
At least one parity chunk is computed - think RAID 5 or 6. 
</p>
          </li>
          <li>
            <p>
The chunks are stored on different data services. This could be a traditional data
service, but also other services such as a mail service or a blog service could be
used to store the chunks. The table linking the different chunks is stored separately
from the data. 
</p>
          </li>
        </ol>
        <p>
The effect of creating such a "Redundant Array of Independent Services" (RAIS) is
obvious: the physical custodians cannot access the data, since it is encrypted
and each of them holds only a portion of it. Also, since there is at least one parity chunk, if one
provider decides to "pull the plug", the lost data can be reconstructed from the remaining
chunks. As an additional protection, users might want to mirror individual chunks
on different services as well, thus improving availability. 
</p>
The obvious open questions are crypto key and chunk table management, especially since
these become high-value targets. Master key techniques and independent RAIS systems
can address some of these issues through best practices. 
<br /><br />
tags: <span id="ctl00_ContentPlaceHolder1_lblResults"><a href="http://technorati.com/tag/data" rel="tag">data</a><a href="http://technorati.com/tag/privacy" rel="tag">privacy</a><a href="http://technorati.com/tag/intellectual+property" rel="tag">intellectual
property</a></span><br /><h5><br /></h5><img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=f83fd799-9c3f-472b-868d-19de8e65fc48" /></body>
      <title>Data ownership: limiting physical custodial powers</title>
      <guid isPermaLink="false">http://blog.beuchelt.org/PermaLink,guid,f83fd799-9c3f-472b-868d-19de8e65fc48.aspx</guid>
      <link>http://blog.beuchelt.org/2009/08/24/Data+Ownership+Limitating+Physical+Custodial+Powers.aspx</link>
      <pubDate>Mon, 24 Aug 2009 18:29:44 GMT</pubDate>
      <description>&lt;p&gt;
In an &lt;a href="http://blog.beuchelt.org/2009/08/18/On+Data+Ownership.aspx"&gt;earlier
article&lt;/a&gt; I talked about data ownership - or lack thereof - at a low, technical
level. There are three principal technical actors: the physical custodian, the logical
custodian, and the data originator. This article deals with the problem (for the data
originator) of limiting the powers the physical custodian has. As the owner of the physical
equipment that hosts the data, the physical custodian can perform a number of undesired
actions with the data he hosts, specifically: (i) copy and distribute it and (ii)
disable physical access to it. In many cases, both actions are not desired by the
data originator or consumer. 
&lt;/p&gt;
&lt;p&gt;
As a first step towards limiting the physical custodian's powers, it is important to
make sure that the physical custodian (PC) is not also a logical custodian (LC). By
this I mean the following: the PC has access to the physical equipment that hosts
the data, as well as the transport infrastructure to get access to it. By denying
the PC the role of the logical custodian, he may ultimately host data, but will not
be able to use or interpret the data in a meaningful way. An obvious way to achieve
this is to encrypt the data and make sure that the PC does not get access to the
key. For most practical purposes, this addresses action (i). 
&lt;br&gt;
&lt;/p&gt;
&lt;p&gt;
But even if the PC cannot access the data he hosts, he still has the "power of the
plug": if the PC cuts the connection to the network, or switches off the data equipment,
all access to data is lost. In order to be able to address this problem, one can use
the following scheme: 
&lt;br&gt;
&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;
Data is stored in some atomic units like files, that can be represented as a data
stream. 
&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;
The data stream is encrypted; keys are not stored with the data. 
&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;
The encrypted stream is chunked into at least two chunks of identical size. The number
of chunks is arbitrary. 
&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;
At least one parity chunk is computed - think RAID 5 or 6. 
&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;
The chunks are stored on different data services. This could be a traditional data
service, but also other services such as a mail service or a blog service could be
used to store the chunks. The table linking the different chunks is stored separately
from the data. 
&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;
The effect of creating such a "Redundant Array of Independent Services" (RAIS) is
obvious: the physical custodians cannot access the data, since it is encrypted
and each of them holds only a portion of it. Also, since there is at least one parity chunk, if one
provider decides to "pull the plug", the lost data can be reconstructed from the remaining
chunks. As an additional protection, users might want to mirror individual chunks
on different services as well, thus improving availability. 
&lt;/p&gt;
The obvious open questions are crypto key and chunk table management, especially since
these become high-value targets. Master key techniques and independent RAIS systems
can address some of these issues through best practices. 
&lt;br&gt;
&lt;br&gt;
tags: &lt;span id="ctl00_ContentPlaceHolder1_lblResults"&gt;&lt;a href="http://technorati.com/tag/data" rel="tag"&gt;data&lt;/a&gt; &lt;a href="http://technorati.com/tag/privacy" rel="tag"&gt;privacy&lt;/a&gt; &lt;a href="http://technorati.com/tag/intellectual+property" rel="tag"&gt;intellectual
property&lt;/a&gt; &lt;/span&gt;
&lt;br&gt;
&lt;h5&gt;
&lt;br&gt;
&lt;/h5&gt;
&lt;img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=f83fd799-9c3f-472b-868d-19de8e65fc48" /&gt;</description>
      <comments>http://blog.beuchelt.org/CommentView,guid,f83fd799-9c3f-472b-868d-19de8e65fc48.aspx</comments>
      <category>General</category>
      <category>Interoperability</category>
      <category>Privacy</category>
      <category>Security</category>
    </item>
    <item>
      <trackback:ping>http://blog.beuchelt.org/Trackback.aspx?guid=2bb5dafc-5141-429c-984b-038d4498a134</trackback:ping>
      <pingback:server>http://blog.beuchelt.org/pingback.aspx</pingback:server>
      <pingback:target>http://blog.beuchelt.org/PermaLink,guid,2bb5dafc-5141-429c-984b-038d4498a134.aspx</pingback:target>
      <dc:creator>Gerald Beuchelt</dc:creator>
      <wfw:comment>http://blog.beuchelt.org/CommentView,guid,2bb5dafc-5141-429c-984b-038d4498a134.aspx</wfw:comment>
      <wfw:commentRss>http://blog.beuchelt.org/SyndicationService.asmx/GetEntryCommentsRss?guid=2bb5dafc-5141-429c-984b-038d4498a134</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
User-centricity - often expressed in the "7 Laws of Identity" - has been a common
theme in identity management for a while now. At the heart of these principles lies
the desire to empower the end-users of computer systems and enable them to negotiate
with the service provider the amount of PII data the users have to disclose for
getting access. Beyond the initial authentication and authorization steps for resource
access also lies an ocean of other problems such as delegation, pre-authorization,
and emergency overrides. These issues play into a vast number of use cases in very
different areas such as financials, health care, and social networking. 
<br /></p>
        <p>
At the same time, a rather important aspect of identity has been completely ignored:
the systems we interact with and their component services and devices do have identities
as well, and these identities must be managed with the same level of detail as person identities.
The need for non-person identity management goes well beyond the realm of security
sensitive environments such as various government services: we are getting ever more
dependent on a growing number of devices and services including mundane things such
as smart phones and ebook readers, but also critical items such as health monitors.
In many cases, high-value or critical services rely on less valued services (such as
health monitors that use the mobile phone system for notification). Overall, we
are seeing a polynomial growth of interdependencies between such services and devices. 
<br /></p>
        <p>
With these problems looming, it becomes more and more urgent to extend the practices
learned in identity management for persons to non-person entities. The solutions for
this new class of identities will have to be significantly different, since devices
and services will interact with the IdM systems in very different ways and might also
have significantly different needs. For example, while privacy protection is important
for end-users, devices and services and their operators will likely be more concerned
with secrecy, which might borrow from some privacy best practices, but be different
in other respects. 
</p>
        <p>
Interestingly enough, PKI has had a notion of non-person identities for some
time already. We are relying on the internet PKI for authenticating servers to users and
services. At the same time, PKI has been very cumbersome to roll out to end-users
and edge devices. As such, there are some lessons that PKI can provide, so that the
efficiencies and abstractions of SAML and related technologies can go beyond simple
user-centricity. 
<br /></p>
        <p>
As a challenge, here are some questions that I have with regard to identity management
of non-person entities: 
<br /></p>
        <ol>
          <li>
What identity can devices and services have? How are these identities different from
human identities?</li>
          <li>
What are the minimal requirements on machine identities?</li>
          <li>
What new and different interaction patterns are required for enabling machine identities?</li>
          <li>
How do concepts such as reputation translate into the machine world? </li>
          <li>
When machine and human identities interact, is there a need for disclosure that one
party is non-human? Or human?</li>
        </ol>
tags: <span id="ctl00_ContentPlaceHolder1_lblResults"><a href="http://technorati.com/tag/identity+management" rel="tag">identity
management</a><a href="http://technorati.com/tag/idm" rel="tag">idm</a><a href="http://technorati.com/tag/privacy" rel="tag">privacy</a><a href="http://technorati.com/tag/non-person+entities" rel="tag">non-person
entities</a></span><br /><br /><img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=2bb5dafc-5141-429c-984b-038d4498a134" /></body>
      <title>Beyond user-centric</title>
      <guid isPermaLink="false">http://blog.beuchelt.org/PermaLink,guid,2bb5dafc-5141-429c-984b-038d4498a134.aspx</guid>
      <link>http://blog.beuchelt.org/2009/08/24/Beyond+Usercentric.aspx</link>
      <pubDate>Mon, 24 Aug 2009 14:32:12 GMT</pubDate>
      <description>&lt;p&gt;
User-centricity - often expressed in the "7 Laws of Identity" - has been a common
theme in identity management for a while now. At the heart of these principles lies
the desire to empower the end-users of computer systems and enable them to negotiate
with the service provider the amount of PII data the users have to disclose for
getting access. Beyond the initial authentication and authorization steps for resource
access also lies an ocean of other problems such as delegation, pre-authorization,
and emergency overrides. These issues play into a vast number of use cases in very
different areas such as financials, health care, and social networking. 
&lt;br&gt;
&lt;/p&gt;
&lt;p&gt;
At the same time, a rather important aspect of identity has been completely ignored:
the systems we interact with and their component services and devices do have identities
as well, and these identities must be managed with the same level of detail as person identities.
The need for non-person identity management goes well beyond the realm of security
sensitive environments such as various government services: we are getting ever more
dependent on a growing number of devices and services including mundane things such
as smart phones and ebook readers, but also critical items such as health monitors.
In many cases, high-value or critical services rely on less valued services (such as
health monitors that use the mobile phone system for notification). Overall, we
are seeing a polynomial growth of interdependencies between such services and devices. 
&lt;br&gt;
&lt;/p&gt;
&lt;p&gt;
With these problems looming, it becomes more and more urgent to extend the practices
learned in identity management for persons to non-person entities. The solutions for
this new class of identities will have to be significantly different, since devices
and services will interact with the IdM systems in very different ways and might also
have significantly different needs. For example, while privacy protection is important
for end-users, devices and services and their operators will likely be more concerned
with secrecy, which might borrow from some privacy best practices, but be different
in other respects.&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Interestingly enough, PKI has had a notion of non-person identities for some
time already. We are relying on the internet PKI for authenticating servers to users and
services. At the same time, PKI has been very cumbersome to roll out to end-users
and edge devices. As such, there are some lessons that PKI can provide, so that the
efficiencies and abstractions of SAML and related technologies can go beyond simple
user-centricity. 
&lt;br&gt;
&lt;/p&gt;
&lt;p&gt;
As a challenge, here are some questions that I have with regard to identity management
of non-person entities: 
&lt;br&gt;
&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
What identity can devices and services have? How are these identities different from
human identities?&lt;/li&gt;
&lt;li&gt;
What are the minimal requirements on machine identities?&lt;/li&gt;
&lt;li&gt;
What new and different interaction patterns are required for enabling machine identities?&lt;/li&gt;
&lt;li&gt;
How do concepts such as reputation translate into the machine world?&amp;nbsp;&lt;/li&gt;
&lt;li&gt;
When machine and human identities interact, is there a need for disclosure that one
party is non-human? Or human?&lt;/li&gt;
&lt;/ol&gt;
tags: &lt;span id="ctl00_ContentPlaceHolder1_lblResults"&gt;&lt;a href="http://technorati.com/tag/identity+management" rel="tag"&gt;identity
management&lt;/a&gt; &lt;a href="http://technorati.com/tag/idm" rel="tag"&gt;idm&lt;/a&gt; &lt;a href="http://technorati.com/tag/privacy" rel="tag"&gt;privacy&lt;/a&gt; &lt;a href="http://technorati.com/tag/non-person+entities" rel="tag"&gt;non-person
entities&lt;/a&gt; &lt;/span&gt;
&lt;br&gt;
&lt;br&gt;
&lt;img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=2bb5dafc-5141-429c-984b-038d4498a134" /&gt;</description>
      <comments>http://blog.beuchelt.org/CommentView,guid,2bb5dafc-5141-429c-984b-038d4498a134.aspx</comments>
      <category>Identity</category>
      <category>Privacy</category>
      <category>Web Services</category>
    </item>
    <item>
      <trackback:ping>http://blog.beuchelt.org/Trackback.aspx?guid=989be055-7157-496c-9d9e-3915832904d1</trackback:ping>
      <pingback:server>http://blog.beuchelt.org/pingback.aspx</pingback:server>
      <pingback:target>http://blog.beuchelt.org/PermaLink,guid,989be055-7157-496c-9d9e-3915832904d1.aspx</pingback:target>
      <dc:creator>Gerald Beuchelt</dc:creator>
      <wfw:comment>http://blog.beuchelt.org/CommentView,guid,989be055-7157-496c-9d9e-3915832904d1.aspx</wfw:comment>
      <wfw:commentRss>http://blog.beuchelt.org/SyndicationService.asmx/GetEntryCommentsRss?guid=989be055-7157-496c-9d9e-3915832904d1</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
Data ownership is a rather nasty topic: at a legal level, we have many rights related
to data we create or that is about us: privacy regulations, intellectual property
rights, copyrights and trademarks, etc. are all aspects of how society attributes
ownership to immaterial goods. This practice has been in place since at least the
early 19th century, but even then there were critics, among them Thomas Jefferson
and James Madison. 
</p>
        <p>
With the advent of digitized storage, reproduction of immaterial data has become cheap
and lossless. This has a significant impact on the industry: for example, the entertainment
industry is currently facing the consequences of this highly disruptive technology
advancement, and has yet to redesign their business model to accommodate this paradigm
shift. 
<br /></p>
        <p>
But this change goes far beyond the entertainment industry or any specific market:
at this time, most people have started to realize that data they release about themselves
will be reproduced, indexed, and made available via third-party search engines. Once
the cat is out of the bag, it is too late to restrict distribution. 
<br /></p>
        <p>
This leads me to believe that we need to re-think the concept of data ownership, at
least at a technology level: it does not make a lot of sense to claim ownership of
data if one has no means of asserting this ownership in an effective manner. Judicial
processes are too slow and too tightly bound to physical objects. As a result, only a
small portion of data ownership infractions is ever dealt with by courts, and effective
enforcement on a global scale is practically impossible. 
<br /></p>
        <p>
As a result, it would seem appropriate to me to abandon the concept of data ownership
on a technical level altogether - and replace it with concepts that are better suited
to how information systems are designed in the 21st century: 
<br /></p>
        <ul>
          <li>
A <b>physical custodian</b> of data has access to and control over the physical object
where the data is stored. In many cases this will effectively be a system administrator
who is taking care of the computer and hard drives where the data is stored. It also
makes sense to consider the organization that employs the system administrator(s)
to be a physical custodian. The physical custodian has significant control over the
data, since they can simply "pull the plug" and make the data unavailable. 
<br /></li>
          <li>
A <b>logical custodian</b> can access and modify the data. A logical custodian can
also grant the logical custodian role to other entities. While in many cases a physical
custodian is also a logical custodian, there are important exceptions: in multi-level
security systems or environments where data-at-rest is encrypted, the physical custodian
might not have meaningful access to the data. The granting of this role cannot be
reversed: once an entity has access to data, this data can be copied to other physical
systems and be re-used. 
<br /></li>
          <li>
The <b>data originator</b> is the entity that created the data. While origin may be
an important factor to determine authority or validity of the data, it does not guarantee
either. 
<br /></li>
        </ul>
        <p>
Anything beyond these roles cannot - at least with current technology - be properly
modeled without relying on concepts beyond the realm of technology. Nevertheless,
even these limited roles can be used to model interesting scenarios. For example,
a distributed storage system that stores encrypted and chunked data with parity (i.e.
RAID 5 or 6 across different <i>services</i>, not disks), can practically eliminate
the role of the physical custodian. 
<br /></p>
        <p>
Higher-level technologies (such as DRM or multi-party encryption) may succeed in
restricting the significant control of a logical custodian to some extent; beyond that,
only external mechanisms (such as system certification, trust models, or judicial redress
procedures) can limit the logical custodian. 
<br /></p>
        <p>
tags: <span id="ctl00_ContentPlaceHolder1_lblResults"><a href="http://technorati.com/tag/data" rel="tag">data</a><a href="http://technorati.com/tag/privacy" rel="tag">privacy</a><a href="http://technorati.com/tag/intellectual+property" rel="tag">intellectual
property</a></span></p>
        <img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=989be055-7157-496c-9d9e-3915832904d1" />
      </body>
      <title>On data ownership</title>
      <guid isPermaLink="false">http://blog.beuchelt.org/PermaLink,guid,989be055-7157-496c-9d9e-3915832904d1.aspx</guid>
      <link>http://blog.beuchelt.org/2009/08/18/On+Data+Ownership.aspx</link>
      <pubDate>Tue, 18 Aug 2009 20:07:34 GMT</pubDate>
      <description />
      <comments>http://blog.beuchelt.org/CommentView,guid,989be055-7157-496c-9d9e-3915832904d1.aspx</comments>
      <category>General</category>
      <category>Privacy</category>
      <category>Security</category>
    </item>
    <item>
      <trackback:ping>http://blog.beuchelt.org/Trackback.aspx?guid=41309fc9-1b60-47d0-b407-67be17b0ac0f</trackback:ping>
      <pingback:server>http://blog.beuchelt.org/pingback.aspx</pingback:server>
      <pingback:target>http://blog.beuchelt.org/PermaLink,guid,41309fc9-1b60-47d0-b407-67be17b0ac0f.aspx</pingback:target>
      <dc:creator>Gerald Beuchelt</dc:creator>
      <wfw:comment>http://blog.beuchelt.org/CommentView,guid,41309fc9-1b60-47d0-b407-67be17b0ac0f.aspx</wfw:comment>
      <wfw:commentRss>http://blog.beuchelt.org/SyndicationService.asmx/GetEntryCommentsRss?guid=41309fc9-1b60-47d0-b407-67be17b0ac0f</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p class="MsoNormal">
I have talked <a href="2009/04/14/Hypocrisy+At+Its+Finest.aspx">many</a> <a href="http://blog.beuchelt.org/2009/06/20/Orwell+20.aspx">times</a> before
about the privacy concerns that I have about Europe's and Germany's approach to protecting
privacy: on the one side, citizens have - at least theoretically - a very strong position
vis-à-vis non-governmental actors when it comes to data ownership and controls through
the Privacy Directive and the "informationelle Selbstbestimmung". On the other hand,
the state reserves the right to arbitrarily intrude into people’s lives, collect PII, and
use any data source – legal or illegal – for fighting so-called tax evasion. In my
opinion, this approach is highly hypocritical in itself, but one might argue that
different cultures and traditions may justify such laws and procedures. 
</p>
        <p class="MsoNormal">
However, in the <a href="http://www.euractiv.com/en/justice/eu-us-data-sharing-causes-uproar-germany/article-184443">current
debate</a> about sharing SWIFT financial transaction data with the CIA, Germany is
crossing a line: all “major German parties” are feverishly opposing the EU Commission’s
proposed data sharing agreement with the US administration that would assist in combating
terrorism. To get this straight: Germany happily buys <a href="http://www.iht.com/articles/2008/02/19/business/tax.php">stolen
financial transaction data</a> from convicted criminals and allows this data as evidence
in legal proceedings against alleged “tax evaders”. No controversy ensues, since it
only affects a few rich (i.e. successful) people who "deserve" to be dispossessed. Yet, there
is public uproar and another wave of blatant anti-Americanism when the US authorities
want to monitor the financing of international terrorism. 
</p>
        <p class="MsoNormal">
Thank you for your time - I rest my case.
</p>
        <p class="MsoNormal">
tags: <span id="ctl00_ContentPlaceHolder1_lblResults"><a href="http://technorati.com/tag/hypocrisy" rel="tag">hypocrisy</a><a href="http://technorati.com/tag/germany" rel="tag">germany</a><a href="http://technorati.com/tag/privacy" rel="tag">privacy</a></span></p>
        <img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=41309fc9-1b60-47d0-b407-67be17b0ac0f" />
      </body>
      <title>Getting closer to the peak of hypocrisy</title>
      <guid isPermaLink="false">http://blog.beuchelt.org/PermaLink,guid,41309fc9-1b60-47d0-b407-67be17b0ac0f.aspx</guid>
      <link>http://blog.beuchelt.org/2009/07/28/Getting+Closer+To+The+Peak+Of+Hypocrisy.aspx</link>
      <pubDate>Tue, 28 Jul 2009 14:20:28 GMT</pubDate>
      <description />
      <comments>http://blog.beuchelt.org/CommentView,guid,41309fc9-1b60-47d0-b407-67be17b0ac0f.aspx</comments>
      <category>Privacy</category>
    </item>
    <item>
      <trackback:ping>http://blog.beuchelt.org/Trackback.aspx?guid=919f02cb-6c03-4244-9586-20b0882bf619</trackback:ping>
      <pingback:server>http://blog.beuchelt.org/pingback.aspx</pingback:server>
      <pingback:target>http://blog.beuchelt.org/PermaLink,guid,919f02cb-6c03-4244-9586-20b0882bf619.aspx</pingback:target>
      <dc:creator>Gerald Beuchelt</dc:creator>
      <wfw:comment>http://blog.beuchelt.org/CommentView,guid,919f02cb-6c03-4244-9586-20b0882bf619.aspx</wfw:comment>
      <wfw:commentRss>http://blog.beuchelt.org/SyndicationService.asmx/GetEntryCommentsRss?guid=919f02cb-6c03-4244-9586-20b0882bf619</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">For this year's <a href="http://balisage.net/">Balisage</a> in
Montreal, we (R. Dingwell, A. Gregorowicz, H. Sleeper, and myself) have been accepted
as a late-breaking proposal for our work on hData, which addresses some problems that
are currently plaguing electronic health records. Our session is scheduled on Thursday
at 11:00am. This is the abstract: 
<br /><blockquote>Title: <b>hData - A Simplified Approach to Health Data Exchange</b><br /><br />
Interoperability issues have limited the expected benefits of Electronic Health Record
(EHR) systems. Ideally, the medical history of a patient is recorded in a set of digital
continuity of care documents which are securely available to the patient and their
care providers on demand. The history of continuity of care standards includes multiple
standards organizations, differing goals, and ongoing efforts to reconcile the various
specifications. Existing standards define a format that is too complex for exchanging
continuity of care information effectively. We propose hData, a simplified XML framework
to describe health information. hData addresses the challenges of the current HL7
Continuity of Care Document format and is explicitly designed for extensibility to
address health information exchange needs, in general. hData applies established best
practices for XML document architectures to the vertical health domain, which has
experienced significant XML-based interoperability issues.<br /></blockquote><br />
As you might imagine, we will have to say a few things about identity, access, and
privacy management for electronic health records, as well. Looking forward to seeing
you there. 
<br /><br />
tags: <a href="http://technorati.com/tag/balisageConference09">balisageConference09</a> <a href="http://technorati.com/tag/EHR" rel="tag">EHR</a> <a href="http://technorati.com/tag/HIT" rel="tag">HIT</a> <a href="http://technorati.com/tag/health+care" rel="tag">health
care</a> <a href="http://technorati.com/tag/health+records" rel="tag">health records</a> <a href="http://technorati.com/tag/hData" rel="tag">hData</a><br /><br />
tinyarro.ws: <a href="http://%E2%9E%A1.ws/%E6%A6%BE">http://➡.ws/榾</a> (wood chip)<br /><p></p><img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=919f02cb-6c03-4244-9586-20b0882bf619" /></body>
      <title>Balisage 2009: Introducing hData</title>
      <guid isPermaLink="false">http://blog.beuchelt.org/PermaLink,guid,919f02cb-6c03-4244-9586-20b0882bf619.aspx</guid>
      <link>http://blog.beuchelt.org/2009/07/02/Balisage+2009+Introducing+HData.aspx</link>
      <pubDate>Thu, 02 Jul 2009 20:24:28 GMT</pubDate>
      <description />
      <comments>http://blog.beuchelt.org/CommentView,guid,919f02cb-6c03-4244-9586-20b0882bf619.aspx</comments>
      <category>General</category>
      <category>Identity</category>
      <category>Privacy</category>
      <category>Web Services</category>
    </item>
    <item>
      <trackback:ping>http://blog.beuchelt.org/Trackback.aspx?guid=012703ca-2a4d-436f-807d-7d53e100f936</trackback:ping>
      <pingback:server>http://blog.beuchelt.org/pingback.aspx</pingback:server>
      <pingback:target>http://blog.beuchelt.org/PermaLink,guid,012703ca-2a4d-436f-807d-7d53e100f936.aspx</pingback:target>
      <dc:creator>Gerald Beuchelt</dc:creator>
      <wfw:comment>http://blog.beuchelt.org/CommentView,guid,012703ca-2a4d-436f-807d-7d53e100f936.aspx</wfw:comment>
      <wfw:commentRss>http://blog.beuchelt.org/SyndicationService.asmx/GetEntryCommentsRss?guid=012703ca-2a4d-436f-807d-7d53e100f936</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p style="margin-bottom: 0.2in;" lang="en-US">
What happens when a bureaucracy goes wild? Well, you can end up in a situation where
private companies are facing the most restrictive privacy regime in the world, while
government agencies are at liberty to spy on their people at will. Germany - my country
of origin, and the country that claims to have "Informationelle Selbstbestimmung"
(roughly: information self-determination) - has now completed a fairly comprehensive
system of laws limiting fundamental human rights vis-à-vis the government: 
</p>
        <ul>
          <li>
            <p style="margin-bottom: 0in;" lang="en-US">
Just yesterday, the so-called "BSI Gesetz" was passed, which allows the BSI (roughly
comparable to the NSA) to store and analyze any communication of government agencies,
in particular exchanges between the people and government employees. So anytime you
send an email to any German agency or visit their websites, the BSI will store all
communication parameters and use them as they see fit. They claim pseudonymization,
but they reserve the right to make the data identifiable again at any time. Inadvertently
collected information may be used in any legal proceeding against you. So beware,
if you send them mail, call them, or even just visit their web sites. The most chilling
aspect is that this total oversight – with an equivalent lack of transparency and
accountability - has echoes of two periods in German history which the country does
not recall with pride: the periods which are closely associated with the Gestapo and
the Stasi.
</p>
          </li>
          <li>
            <p lang="en-US">
Just a week earlier, a censorship law was passed that is officially aimed at blocking
access to websites containing pornographic material depicting minors. While I wholeheartedly
agree with the goal of prosecuting the criminals that produce, distribute, and consume
such media, the law is implemented in the worst possible way: a secret set of lists will
be created by the BKA (comparable to the FBI) that determines which web sites are
to be blocked. This activity is supposed to be monitored by the Datenschutzbeauftragter
(roughly: federal privacy commissioner), who has already indicated that his agency
is neither capable nor willing to perform this function. 
<br />
Strong promises were made prior to passing the law that this new "federal firewall"
infrastructure will only be used in the context of access prevention to objectionable
pornographic material; there have now already been demands to also use it to block
access to "<a href="http://blog.beuchelt.org/2006/11/21/Verboten+Germany+Deals+With+Social+Problems.aspx">Killerspiele</a>"
(i.e. first person shooters), Nazi propaganda material, and also pull this entire
approach to the E.U. level to guard all Europeans from bad influence. Thought police,
anyone? 
</p>
          </li>
        </ul>
        <p>
          <span lang="en-US">This new legislation is on top of a slew of other nonsense, like
the ability of almost any government agency to investigate your financial situation
without a warrant, a lifelong globally unique tax ID, a national ID card that will
soon contain biometrics, the <a href="http://blog.beuchelt.org/2007/07/30/Privacy+In+Germany.aspx">requirement
to inform the agencies of any change of address</a>, and a federal broadcast tax that
is collected by the GEZ, which has received the second ever "<a href="http://www.bigbrotherawards.de/2003/.life">Big
Brother Lifetime Award</a>". </span>
        </p>
        <p>
          <span lang="en-US">But - satisfying all prejudices about being thorough - there is
more to come: my big favorite is the current health record proposal - which centers
around the “Gesundheitskarte” (literally: health card, their health insurance card),
but in reality will create the biggest database of medical records ever: <a href="http://gematik.de/">Gematik</a> will
store all electronic health records of all patients in the entire health care system,
including the - nominally - independent private insurers. If interested, take a look
at their “Security Whitepaper” (German only, sorry): other than explaining the benefits
of using a symmetric key for bulk encryption and public/private keys for key negotiation
they have little to offer. If this is Gematik's level of competence in security and
privacy, then I predict happy times for identity thieves specializing in the German
patient. </span>
        </p>
        <p lang="en-US">
What amazes me most is the ease with which all these regulations are introduced and
accepted: yes, there has been some protest against the federal firewall law, but in
the end it still passed and - quite frankly - I cannot imagine that any future administration
will even attempt to remove it. It seems to me perverse that a government is misusing
the compassion for victims of the most horrific crime to introduce a comprehensive
cyber censorship infrastructure. This can only serve as a sobering reminder that even
20 years after the fall of the last dictators in Europe, there are countries in the
continent which still have not fully embraced what her most gifted thinkers had set
out to achieve more than 350 years ago. As most of you know, <a href="http://blog.beuchelt.org/2009/03/07/Arriving.aspx">I
now live and work in the United States</a> - and fervently hope that this may never
happen here. 
</p>
        <p style="margin-bottom: 0in;" lang="en-US">
[Many thanks to <a href="http://futureidentity.blogspot.com/">Robin</a> for correcting
some of my many mistakes]. 
<br /></p>
        <p style="margin-bottom: 0in;" lang="en-US">
tags: <span id="ctl00_ContentPlaceHolder1_lblResults"><a href="http://technorati.com/tag/privacy" rel="tag">privacy</a> <a href="http://technorati.com/tag/censorship" rel="tag">censorship</a> <a href="http://technorati.com/tag/orwell" rel="tag">orwell</a> <a href="http://technorati.com/tag/nanny+state" rel="tag">nanny
state</a> <a href="http://technorati.com/tag/healthcare" rel="tag">healthcare</a></span></p>
        <img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=012703ca-2a4d-436f-807d-7d53e100f936" />
      </body>
      <title>Orwell 2.0</title>
      <guid isPermaLink="false">http://blog.beuchelt.org/PermaLink,guid,012703ca-2a4d-436f-807d-7d53e100f936.aspx</guid>
      <link>http://blog.beuchelt.org/2009/06/20/Orwell+20.aspx</link>
      <pubDate>Sat, 20 Jun 2009 17:21:39 GMT</pubDate>
      <description>
&lt;p style="margin-bottom: 0.2in;" lang="en-US"&gt;
What happens when a bureaucracy goes wild? Well, you can end up in a situation where
private companies are facing the most restrictive privacy regime in the world, while
government agencies are at liberty to spy on their people at will. Germany - my country
of origin, and the country that claims to have "Informationelle Selbstbestimmung"
(roughly: information self-determination) - has now completed a fairly comprehensive
system of laws limiting fundamental human rights vis-à-vis the government: 
&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p style="margin-bottom: 0in;" lang="en-US"&gt;
Just yesterday, the so-called "BSI Gesetz" was passed, which allows the BSI (roughly
comparable to the NSA) to store and analyze any communication of government agencies,
in particular exchanges between the people and government employees. So anytime you
send an email to any German agency or visit their websites, the BSI will store all
communication parameters and use them as they see fit. They claim pseudonymization,
but they reserve the right to make the data identifiable again at any time. Inadvertently
collected information may be used in any legal proceeding against you. So beware,
if you send them mail, call them, or even just visit their web sites. The most chilling
aspect is that this total oversight – with an equivalent lack of transparency and
accountability - has echoes of two periods in German history which the country does
not recall with pride: the periods which are closely associated with the Gestapo and
the Stasi.
&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p lang="en-US"&gt;
Just a week earlier, a censorship law was passed that is officially aimed at blocking
access to websites containing pornographic material depicting minors. While I wholeheartedly
agree with the goal of prosecuting the criminals that produce, distribute, and consume
such media, the law is implemented in the worst possible way: a secret set of lists will
be created by the BKA (comparable to the FBI) that determines which web sites are
to be blocked. This activity is supposed to be monitored by the Datenschutzbeauftragter
(roughly: federal privacy commissioner), who has already indicated that his agency
is neither capable nor willing to perform this function. 
&lt;br&gt;
Strong promises were made prior to passing the law that this new "federal firewall"
infrastructure will only be used in the context of access prevention to objectionable
pornographic material; there have now already been demands to also use it to block
access to "&lt;a href="http://blog.beuchelt.org/2006/11/21/Verboten+Germany+Deals+With+Social+Problems.aspx"&gt;Killerspiele&lt;/a&gt;"
(i.e. first person shooters), Nazi propaganda material, and also pull this entire
approach to the E.U. level to guard all Europeans from bad influence. Thought police,
anyone? 
&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
&lt;span lang="en-US"&gt;This new legislation is on top of a slew of other nonsense, like
the ability of almost any government agency to investigate your financial situation
without a warrant, a lifelong globally unique tax ID, a national ID card that will
soon contain biometrics, the &lt;a href="http://blog.beuchelt.org/2007/07/30/Privacy+In+Germany.aspx"&gt;requirement
to inform the agencies of any change of address&lt;/a&gt;, and a federal broadcast tax that
is collected by the GEZ, which has received the second ever "&lt;a href="http://www.bigbrotherawards.de/2003/.life"&gt;Big
Brother Lifetime Award&lt;/a&gt;". &lt;/span&gt; 
&lt;/p&gt;
&lt;p&gt;
&lt;span lang="en-US"&gt;But - satisfying all prejudices about being thorough - there is
more to come: my big favorite is the current health record proposal - which centers
around the “Gesundheitskarte” (literally: health card, their health insurance card),
but in reality will create the biggest database of medical records ever: &lt;a href="http://gematik.de/"&gt;Gematik&lt;/a&gt; will
store all electronic health records of all patients in the entire health care system,
including the - nominally - independent private insurers. If interested, take a look
at their “Security Whitepaper” (German only, sorry): other than explaining the benefits
of using a symmetric key for bulk encryption and public/private keys for key negotiation
they have little to offer. If this is Gematik's level of competence in security and
privacy, then I predict happy times for identity thieves specializing in the German
patient. &lt;/span&gt; 
&lt;/p&gt;
&lt;p lang="en-US"&gt;
What amazes me most is the ease with which all these regulations are introduced and
accepted: yes, there has been some protest against the federal firewall law, but in
the end it still passed and - quite frankly - I cannot imagine that any future administration
will even attempt to remove it. It seems to me perverse that a government is misusing
the compassion for victims of the most horrific crime to introduce a comprehensive
cyber censorship infrastructure. This can only serve as a sobering reminder that even
20 years after the fall of the last dictators in Europe, there are countries in the
continent which still have not fully embraced what her most gifted thinkers had set
out to achieve more than 350 years ago. As most of you know, &lt;a href="http://blog.beuchelt.org/2009/03/07/Arriving.aspx"&gt;I
now live and work in the United States&lt;/a&gt; - and fervently hope that this may never
happen here. 
&lt;/p&gt;
&lt;p style="margin-bottom: 0in;" lang="en-US"&gt;
[Many thanks to &lt;a href="http://futureidentity.blogspot.com/"&gt;Robin&lt;/a&gt; for correcting
some of my many mistakes]. 
&lt;br&gt;
&lt;/p&gt;
&lt;p style="margin-bottom: 0in;" lang="en-US"&gt;
tags: &lt;span id="ctl00_ContentPlaceHolder1_lblResults"&gt;&lt;a href="http://technorati.com/tag/privacy" rel="tag"&gt;privacy&lt;/a&gt; &lt;a href="http://technorati.com/tag/censorship" rel="tag"&gt;censorship&lt;/a&gt; &lt;a href="http://technorati.com/tag/orwell" rel="tag"&gt;orwell&lt;/a&gt; &lt;a href="http://technorati.com/tag/nanny+state" rel="tag"&gt;nanny
state&lt;/a&gt; &lt;a href="http://technorati.com/tag/healthcare" rel="tag"&gt;healthcare&lt;/a&gt; &lt;/span&gt;
&lt;/p&gt;
&lt;img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=012703ca-2a4d-436f-807d-7d53e100f936" /&gt;</description>
      <comments>http://blog.beuchelt.org/CommentView,guid,012703ca-2a4d-436f-807d-7d53e100f936.aspx</comments>
      <category>Privacy</category>
    </item>
    <item>
      <trackback:ping>http://blog.beuchelt.org/Trackback.aspx?guid=f7d5dba9-d616-4e03-ae32-ec84e48a3b11</trackback:ping>
      <pingback:server>http://blog.beuchelt.org/pingback.aspx</pingback:server>
      <pingback:target>http://blog.beuchelt.org/PermaLink,guid,f7d5dba9-d616-4e03-ae32-ec84e48a3b11.aspx</pingback:target>
      <dc:creator>Gerald Beuchelt</dc:creator>
      <wfw:comment>http://blog.beuchelt.org/CommentView,guid,f7d5dba9-d616-4e03-ae32-ec84e48a3b11.aspx</wfw:comment>
      <wfw:commentRss>http://blog.beuchelt.org/SyndicationService.asmx/GetEntryCommentsRss?guid=f7d5dba9-d616-4e03-ae32-ec84e48a3b11</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">When I read <a href="http://www.eweek.com/c/a/Security/What-Will-the-Cybersecurity-Act-of-2009-Do-To-Your-Job-and-Business-768836/1/">Larry
Seltzer's piece</a> on <a href="http://www.opencongress.org/bill/111-s773/text">H.R.
S 773 IS</a>, I fell into a constant nod about the issues he raised. In addition,
I have two more: 
<br /><br />
SEC. 11 (a): Lofty goals, but these seem rather obvious, since they have been at the
heart of any computer security research for a rather long time. 
<br /><br />
SEC. 14: This section empowers the Secretary of Commerce with very far reaching powers,
especially since 'critical infrastructure' is so woefully underspecified.<br /><br />
In general, I am very unhappy with the bill's vagueness and lack of definition, especially
since there are enough provisions (such as SEC. 17 - see Larry's comments) that can
significantly impact the civil liberties of all U.S. persons. The intent of the bill
seems honest enough, but in order for this to not backfire, a lot more work needs
to go into a more robust draft. 
<br /><br /><img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=f7d5dba9-d616-4e03-ae32-ec84e48a3b11" /></body>
      <title>Cybersecurity Act</title>
      <guid isPermaLink="false">http://blog.beuchelt.org/PermaLink,guid,f7d5dba9-d616-4e03-ae32-ec84e48a3b11.aspx</guid>
      <link>http://blog.beuchelt.org/2009/05/11/Cybersecurity+Act.aspx</link>
      <pubDate>Mon, 11 May 2009 16:43:30 GMT</pubDate>
      <description>When I read &lt;a href="http://www.eweek.com/c/a/Security/What-Will-the-Cybersecurity-Act-of-2009-Do-To-Your-Job-and-Business-768836/1/"&gt;Larry
Seltzer's piece&lt;/a&gt; on &lt;a href="http://www.opencongress.org/bill/111-s773/text"&gt;H.R.
S 773 IS&lt;/a&gt;, I fell into a constant nod about the issues he raised. In addition,
I have two more: 
&lt;br&gt;
&lt;br&gt;
SEC. 11 (a): Lofty goals, but these seem rather obvious, since they have been at the
heart of any computer security research for a rather long time. 
&lt;br&gt;
&lt;br&gt;
SEC. 14: This section empowers the Secretary of Commerce with very far reaching powers,
especially since 'critical infrastructure' is so woefully underspecified.&lt;br&gt;
&lt;br&gt;
In general, I am very unhappy with the bill's vagueness and lack of definition, especially
since there are enough provisions (such as SEC. 17 - see Larry's comments) that can
significantly impact the civil liberties of all U.S. persons. The intent of the bill
seems honest enough, but in order for this to not backfire, a lot more work needs
to go into a more robust draft. 
&lt;br&gt;
&lt;br&gt;
&lt;img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=f7d5dba9-d616-4e03-ae32-ec84e48a3b11" /&gt;</description>
      <comments>http://blog.beuchelt.org/CommentView,guid,f7d5dba9-d616-4e03-ae32-ec84e48a3b11.aspx</comments>
      <category>General</category>
      <category>Identity</category>
      <category>Privacy</category>
      <category>Security</category>
    </item>
    <item>
      <trackback:ping>http://blog.beuchelt.org/Trackback.aspx?guid=2459012c-910c-4bfd-9935-e12ba8f917a6</trackback:ping>
      <pingback:server>http://blog.beuchelt.org/pingback.aspx</pingback:server>
      <pingback:target>http://blog.beuchelt.org/PermaLink,guid,2459012c-910c-4bfd-9935-e12ba8f917a6.aspx</pingback:target>
      <dc:creator>Gerald Beuchelt</dc:creator>
      <wfw:comment>http://blog.beuchelt.org/CommentView,guid,2459012c-910c-4bfd-9935-e12ba8f917a6.aspx</wfw:comment>
      <wfw:commentRss>http://blog.beuchelt.org/SyndicationService.asmx/GetEntryCommentsRss?guid=2459012c-910c-4bfd-9935-e12ba8f917a6</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
The excellent article "<a href="http://www.hoover.org/publications/policyreview/41862277.html">Security
and Data Sharing</a>" by Mark Richard and Leslie Lebl points to a few very important
ramifications that the less than ideal current data sharing situation with the E.U.
brings and what the ratification of the horrible Lisbon Treaty would mean for the
future of international security cooperation. The article also mentions the potential
positive effects of the U.S.-E.U. MLAT framework. 
</p>
        <p>
What really caught my attention, though, was the authors' regard for the supposedly
high European standards for data protection and privacy. They are correct in assessing
that the implementation of the Privacy Directive varies within the various member
countries, with countries like Spain or some of the relatively new members not paying
too much attention to privacy issues at all. At the same time, Germany is portrayed
as having a very high standard of privacy and PII data protection. Unfortunately,
this is not at all the case: 
<br /></p>
        <p>
While many middle-aged Germans do remember the strong controversy about the 1983 census
(which was relatively harmless in itself) and the German supreme court even recently
emphasized a basic right to privacy protection, the implementation in the real world
is a far cry from the supposed nirvana of "information self-determination". 
<br /></p>
        <p>
First, it seems prudent to draw a fundamental distinction between the rights of the
German population vis-à-vis the private sector and government. When dealing with private
entities, Germans do actually enjoy a fairly high level of control over what information
someone might legally store about them, how it is used, and when it has to be amended
or destroyed. Reality paints a somewhat different picture, though. Over the last few
months, a number of scandals have surfaced, cutting across the entire spectrum of
privacy invasions: large companies have spied on their employees and customers using
hidden cameras or collected and used profile data without their knowledge. Beyond
that, a number of shady address collection agencies have sold millions of records
including financial information. In some cases, significant sums of money were misappropriated
by thieves that automatically drafted funds from bank customers through the ACH. Obviously,
these criminal acts (at least those that have surfaced) are being investigated, and
hopefully the judicial system will be able to mediate the harm done. 
</p>
        <p>
The situation with respect to government privacy intrusion is much more dire, though,
and it would be fair to state that any resident in the U.S. enjoys a much higher level
of protection from government intrusion than any German ever had. For starters, every German (in fact,
European) is now issued at birth an 11-digit taxpayer identification number that is
unique and valid over their entire life. One might argue that the SSN is very similar
in this respect, but there are two significant differences: (i) no U.S. resident is
*legally required* to obtain a SSN and (ii) the FTC and the other government agencies
have realized the ID-Theft threat that such an identifier poses and there is active
work to limit the use of SSNs. 
<br /></p>
        <p>
But the issues go far beyond unique identifiers: every resident of Germany is legally
required to notify city hall within 30 days if they move - either within their
street or across the country. Interestingly enough, this data is readily available
to any interested private company, and some 400+ towns and cities have made some nice
extra cash by selling off these lists. In addition, all residents are required to
own a national ID-card, which will soon contain their digital photo, fingerprint,
and a practical RFID chip for easy data skimming. 
</p>
        <p>
This list goes on, and includes absurd stories of mandatory public broadcast fees
(which are sometimes collected from residents that have been dead for more than 400
years - but, being Germany, they do have to pay... or at least the church where they
are buried). At the end of the day, the de-facto privacy protection in Germany is
not at all better than e.g. in the U.S., where at least a strong vertical and horizontal
division of powers and an active community prevents a centralization that has become
so typical for Europe. 
<br /></p>
        <img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=2459012c-910c-4bfd-9935-e12ba8f917a6" />
      </body>
      <title>Hypocrisy at its finest</title>
      <guid isPermaLink="false">http://blog.beuchelt.org/PermaLink,guid,2459012c-910c-4bfd-9935-e12ba8f917a6.aspx</guid>
      <link>http://blog.beuchelt.org/2009/04/14/Hypocrisy+At+Its+Finest.aspx</link>
      <pubDate>Tue, 14 Apr 2009 16:52:52 GMT</pubDate>
      <description>&lt;p&gt;
The excellent article "&lt;a href="http://www.hoover.org/publications/policyreview/41862277.html"&gt;Security
and Data Sharing&lt;/a&gt;" by Mark Richard and Leslie Lebl points to a few very important
ramifications that the less than ideal current data sharing situation with the E.U.
brings and what the ratification of the horrible Lisbon Treaty would mean for the
future of international security cooperation. The article also mentions the potential
positive effects of the U.S.-E.U. MLAT framework. 
&lt;/p&gt;
&lt;p&gt;
What really caught my attention, though, was the authors' regard for the supposedly
high European standards for data protection and privacy. They are correct in assessing
that the implementation of the Privacy Directive varies within the various member
countries, with countries like Spain or some of the relatively new members not paying
too much attention to privacy issues at all. At the same time, Germany is portrayed
as having a very high standard of privacy and PII data protection. Unfortunately,
this is not at all the case: 
&lt;br&gt;
&lt;/p&gt;
&lt;p&gt;
While many middle-aged Germans do remember the strong controversy about the 1983 census
(which was relatively harmless in itself) and the German supreme court even recently
emphasized a basic right to privacy protection, the implementation in the real world
is a far cry from the supposed nirvana of "information self-determination". 
&lt;br&gt;
&lt;/p&gt;
&lt;p&gt;
First, it seems prudent to draw a fundamental distinction between the rights of the
German population vis-à-vis the private sector and government. When dealing with private
entities, Germans do actually enjoy a fairly high level of control over what information
someone might legally store about them, how it is used, and when it has to be amended
or destroyed. Reality paints a somewhat different picture, though. Over the last few
months, a number of scandals have surfaced, cutting across the entire spectrum of
privacy invasions: large companies have spied on their employees and customers using
hidden cameras or collected and used profile data without their knowledge. Beyond
that, a number of shady address collection agencies have sold millions of records
including financial information. In some cases, significant sums of money were misappropriated
by thieves that automatically drafted funds from bank customers through the ACH. Obviously,
these criminal acts (at least those that have surfaced) are being investigated, and
hopefully the judicial system will be able to mediate the harm done.&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
The situation with respect to government privacy intrusion is much more dire, though,
and it would be fair to state that any resident in the U.S. enjoys a much higher level
of protection from government intrusion than any German ever had. For starters, every German (in fact,
European) is now issued at birth an 11-digit taxpayer identification number that is
unique and valid over their entire life. One might argue that the SSN is very similar
in this respect, but there are two significant differences: (i) no U.S. resident is
*legally required* to obtain a SSN and (ii) the FTC and the other government agencies
have realized the ID-Theft threat that such an identifier poses and there is active
work to limit the use of SSNs. 
&lt;br&gt;
&lt;/p&gt;
&lt;p&gt;
But the issues go far beyond unique identifiers: every resident of Germany is legally
required to notify city hall within 30 days if they move - either within their
street or across the country. Interestingly enough, this data is readily available
to any interested private company, and some 400+ towns and cities have made some nice
extra cash by selling off these lists. In addition, all residents are required to
own a national ID-card, which will soon contain their digital photo, fingerprint,
and a practical RFID chip for easy data skimming.&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
This list goes on, and includes absurd stories of mandatory public broadcast fees
(which are sometimes collected from residents that have been dead for more than 400
years - but, being Germany, they do have to pay... or at least the church where they
are buried). At the end of the day, the de-facto privacy protection in Germany is
not at all better than e.g. in the U.S., where at least a strong vertical and horizontal
division of powers and an active community prevents a centralization that has become
so typical for Europe. 
&lt;br&gt;
&lt;/p&gt;
&lt;img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=2459012c-910c-4bfd-9935-e12ba8f917a6" /&gt;</description>
      <comments>http://blog.beuchelt.org/CommentView,guid,2459012c-910c-4bfd-9935-e12ba8f917a6.aspx</comments>
      <category>General</category>
      <category>Identity</category>
      <category>Privacy</category>
    </item>
    <item>
      <trackback:ping>http://blog.beuchelt.org/Trackback.aspx?guid=116de829-4c6c-49ec-a437-26cfcef114ea</trackback:ping>
      <pingback:server>http://blog.beuchelt.org/pingback.aspx</pingback:server>
      <pingback:target>http://blog.beuchelt.org/PermaLink,guid,116de829-4c6c-49ec-a437-26cfcef114ea.aspx</pingback:target>
      <dc:creator>Gerald Beuchelt</dc:creator>
      <wfw:comment>http://blog.beuchelt.org/CommentView,guid,116de829-4c6c-49ec-a437-26cfcef114ea.aspx</wfw:comment>
      <wfw:commentRss>http://blog.beuchelt.org/SyndicationService.asmx/GetEntryCommentsRss?guid=116de829-4c6c-49ec-a437-26cfcef114ea</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
After my <a href="http://blog.beuchelt.org/2009/02/11/Big+Brother+Is+Visiting+Boston.aspx">initial
irritation</a> about Massachusetts Governor Patrick's ideas about creating a state-wide
Big Brother register of citizens' locations died down, I just <a href="http://www.npr.org/templates/story/story.php?storyId=101388732">heard
this morning</a> about another state ignoring the "right to be left alone": <a href="http://articles.latimes.com/2009/jan/04/nation/na-gas-tax4">Oregon
is rolling out a GPS based car tracking system pilot</a> for taxing highway usage
based on mileage. 
</p>
        <p>
Aside from the fact that this is one of the worst ways of invading the privacy of
motorists that one can possibly think of<sup>[1]</sup>, there are some obvious absurdities
associated with such a system: 
</p>
        <ol>
          <li>
            <p>
It will cost a lot of money and time to build a surveillance system that is capable
of tracking all cars on all highways at all times. The money wasted on spying on citizens
would be better spent on repairing roads. 
</p>
          </li>
          <li>
            <p>
Since the current federal administration does not seem to be supportive of this idea
(as Secretary Gibbs indicated), there will be initially a slew of local, most likely
non-interoperable systems, that can only track the cars registered in a particular
state. Out-of-staters will have to be free-riders or they cannot use the state's highway
system. Imagine that: "No New Hampshire cars are allowed on Massachusetts highways"
... ouch!
</p>
          </li>
          <li>
            <p>
Eco-friendly cars with excellent gas mileage will be disadvantaged under the current
plan to replace the gas tax with a mileage-based system: they will not qualify as
zero-emission vehicles (like electric cars that get charged on coal- or oil-generated
electricity) and thus buying an efficient car will be discouraged. Unless - of course
- the mileage tax is only in addition to the existing gas tax. 
</p>
          </li>
          <li>
            <p>
There will be security breaches - that is just a fact of life. The best way to avoid
additional PII data being stolen is not to collect the data in the first place. 
</p>
          </li>
        </ol>
        <p>
What I find most annoying and telling is the fact that there is already a very simple
and obvious solution to tax per mile: as far as I know every state already has a yearly
safety inspection, at which the odometer reading is read. The states could then prorate
past usage to determine a monthly (or yearly) street usage fee, WITHOUT having to
invade people's personal lives. 
</p>
        <p>
tags: <span id="ctl00_ContentPlaceHolder1_lblResults"><a href="http://technorati.com/tag/privacy" rel="tag">privacy</a> <a href="http://technorati.com/tag/gas+tax" rel="tag">gas
tax</a> <a href="http://technorati.com/tag/odometer+tax" rel="tag">odometer tax</a> <a href="http://technorati.com/tag/location+data" rel="tag">location
data</a></span></p>
        <p>
[1] It is on par with the absurd German proposal of a "<a href="http://www.epochtimes.de/articles/2009/01/29/400327.html">Strecken
Radar</a>" - a system that keeps track of all cars between two points to determine
the average speed and automatically write speeding tickets. 
</p>
        <p>
          <br />
        </p>
        <img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=116de829-4c6c-49ec-a437-26cfcef114ea" />
      </body>
      <title>Orwell's National Tour: Visiting Oregon</title>
      <guid isPermaLink="false">http://blog.beuchelt.org/PermaLink,guid,116de829-4c6c-49ec-a437-26cfcef114ea.aspx</guid>
      <link>http://blog.beuchelt.org/2009/03/10/Orwells+National+Tour+Visiting+Oregon.aspx</link>
      <pubDate>Tue, 10 Mar 2009 14:57:57 GMT</pubDate>
      <description>&lt;p&gt;
After my &lt;a href="http://blog.beuchelt.org/2009/02/11/Big+Brother+Is+Visiting+Boston.aspx"&gt;initial
irritation&lt;/a&gt; about Massachusetts Governor Patrick's ideas about creating a state-wide
Big Brother register of citizens' locations died down, I just &lt;a href="http://www.npr.org/templates/story/story.php?storyId=101388732"&gt;heard
this morning&lt;/a&gt; about another state ignoring the "right to be left alone": &lt;a href="http://articles.latimes.com/2009/jan/04/nation/na-gas-tax4"&gt;Oregon
is rolling out a GPS based car tracking system pilot&lt;/a&gt; for taxing highway usage
based on mileage. 
&lt;/p&gt;
&lt;p&gt;
Aside from the fact that this is one of the worst ways of invading the privacy of
motorists that one can possibly think of&lt;sup&gt;[1]&lt;/sup&gt;, there are some obvious absurdities
associated with such a system: 
&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;
It will cost a lot of money and time to build a surveillance system that is capable
of tracking all cars on all highways at all times. The money wasted on spying on citizens
would be better spent on repairing roads. 
&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;
Since the current federal administration does not seem to be supportive of this idea
(as Secretary Gibbs indicated), there will be initially a slew of local, most likely
non-interoperable systems, that can only track the cars registered in a particular
state. Out-of-staters will have to be free-riders or they cannot use the state's highway
system. Imagine that: "No New Hampshire cars are allowed on Massachusetts highways"
... ouch!
&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;
Eco-friendly cars with excellent gas mileage will be disadvantaged under the current
plan to replace the gas tax with a mileage-based system: they will not qualify as
zero-emission vehicles (like electric cars that get charged on coal- or oil-generated
electricity) and thus buying an efficient car will be discouraged. Unless - of course
- the mileage tax is only in addition to the existing gas tax. 
&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;
There will be security breaches - that is just a fact of life. The best way to avoid
additional PII data being stolen is not to collect the data in the first place. 
&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;
What I find most annoying and telling is the fact that there is already a very simple
and obvious solution to tax per mile: as far as I know every state already has a yearly
safety inspection, at which the odometer reading is read. The states could then prorate
past usage to determine a monthly (or yearly) street usage fee, WITHOUT having to
invade people's personal lives. 
&lt;/p&gt;
&lt;p&gt;
tags: &lt;span id="ctl00_ContentPlaceHolder1_lblResults"&gt;&lt;a href="http://technorati.com/tag/privacy" rel="tag"&gt;privacy&lt;/a&gt; &lt;a href="http://technorati.com/tag/gas+tax" rel="tag"&gt;gas
tax&lt;/a&gt; &lt;a href="http://technorati.com/tag/odometer+tax" rel="tag"&gt;odometer tax&lt;/a&gt; &lt;a href="http://technorati.com/tag/location+data" rel="tag"&gt;location
data&lt;/a&gt; &lt;/span&gt;
&lt;/p&gt;
&lt;p&gt;
[1] It is on par with the absurd German proposal of a "&lt;a href="http://www.epochtimes.de/articles/2009/01/29/400327.html"&gt;Strecken
Radar&lt;/a&gt;" - a system that keeps tracks of all cars between two points to determine
the average speed and automatically write speeding tickets. 
&lt;/p&gt;
&lt;p&gt;
&lt;br&gt;
&lt;/p&gt;
&lt;img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=116de829-4c6c-49ec-a437-26cfcef114ea" /&gt;</description>
      <comments>http://blog.beuchelt.org/CommentView,guid,116de829-4c6c-49ec-a437-26cfcef114ea.aspx</comments>
      <category>Privacy</category>
    </item>
    <item>
      <trackback:ping>http://blog.beuchelt.org/Trackback.aspx?guid=1e36798b-e86c-4ac9-b387-c5e9562248c9</trackback:ping>
      <pingback:server>http://blog.beuchelt.org/pingback.aspx</pingback:server>
      <pingback:target>http://blog.beuchelt.org/PermaLink,guid,1e36798b-e86c-4ac9-b387-c5e9562248c9.aspx</pingback:target>
      <dc:creator>Gerald Beuchelt</dc:creator>
      <wfw:comment>http://blog.beuchelt.org/CommentView,guid,1e36798b-e86c-4ac9-b387-c5e9562248c9.aspx</wfw:comment>
      <wfw:commentRss>http://blog.beuchelt.org/SyndicationService.asmx/GetEntryCommentsRss?guid=1e36798b-e86c-4ac9-b387-c5e9562248c9</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
Through <a href="http://identityblog.burtongroup.com/bgidps/2009/02/privacy-risks-get-real.html">Ian
Fletcher</a> of Burton: <a href="https://www.privacyassociation.org/index.php?option=com_content&amp;task=view&amp;id=1745&amp;Itemid=228">Peter
Fleischer</a> of Google is now facing criminal charges for failing <i>to prevent the
publication</i> of a defamatory video on Google's video site - taking it down after
24 hours was not sufficient. While this is a somewhat extreme case, I fully expect
an increasing number of civil and criminal cases filed against companies and government
agencies for failing to protect the privacy of data principals: In the U.S. the efforts
to standardize patients' electronic health records and federate access to this data
will invariably lead to some cases of unauthorized disclosure. Europe has already had
a decent share of privacy violations lately, but the effects have so far been manageable. 
<br /></p>
        <p>
Going forward we as a society need to coordinate data access much better than we have
so far, thus it starts making sense to start talking about <i>privacy management</i> as
a separate discipline in corporate IT and process management. Privacy management is
obviously closely related to information and identity management, but has a strong
legal/regulatory aspect. Especially the lack of any harmonization of global privacy
frameworks is a constant threat to globally operating companies. Some of these aspects
will be discussed at the next Liberty Plenary meeting. 
</p>
        <p>
tags: <span id="ctl00_ContentPlaceHolder1_lblResults"><a href="http://technorati.com/tag/privacy" rel="tag">privacy</a> <a href="http://technorati.com/tag/google" rel="tag">google</a> <a href="http://technorati.com/tag/privacy+management" rel="tag">privacy
management</a> <a href="http://technorati.com/tag/liberty+alliance" rel="tag">liberty
alliance</a></span></p>
        <img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=1e36798b-e86c-4ac9-b387-c5e9562248c9" />
      </body>
      <title>The need to manage privacy</title>
      <guid isPermaLink="false">http://blog.beuchelt.org/PermaLink,guid,1e36798b-e86c-4ac9-b387-c5e9562248c9.aspx</guid>
      <link>http://blog.beuchelt.org/2009/02/13/The+Need+To+Manage+Privacy.aspx</link>
      <pubDate>Fri, 13 Feb 2009 21:41:14 GMT</pubDate>
      <description>&lt;p&gt;
Through &lt;a href="http://identityblog.burtongroup.com/bgidps/2009/02/privacy-risks-get-real.html"&gt;Ian
Fletcher&lt;/a&gt; of Burton: &lt;a href="https://www.privacyassociation.org/index.php?option=com_content&amp;amp;task=view&amp;amp;id=1745&amp;amp;Itemid=228"&gt;Peter
Fleischer&lt;/a&gt; of Google is now facing criminal charges for failing &lt;i&gt;to prevent the
publication&lt;/i&gt; of a defamatory video on Google's video site - taking it down after
24 hours was not sufficient. While this is a somewhat extreme case, I fully expect
an increasing number of civil and criminal cases filed against companies and government
agencies for failing to protect the privacy of data principals: In the U.S. the efforts
to standardize patients' electronic health records and federate access to this data
will invariably lead to some cases of unauthorized disclosure. Europe has already had
a decent share of privacy violations lately, but the effects have so far been manageable. 
&lt;br&gt;
&lt;/p&gt;
&lt;p&gt;
Going forward we as a society need to coordinate data access much better than we have
so far, thus it starts making sense to start talking about &lt;i&gt;privacy management&lt;/i&gt; as
a separate discipline in corporate IT and process management. Privacy management is
obviously closely related to information and identity management, but has a strong
legal/regulatory aspect. Especially the lack of any harmonization of global privacy
frameworks is a constant threat to globally operating companies. Some of these aspects
will be discussed at the next Liberty Plenary meeting.&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
tags: &lt;span id="ctl00_ContentPlaceHolder1_lblResults"&gt;&lt;a href="http://technorati.com/tag/privacy" rel="tag"&gt;privacy&lt;/a&gt; &lt;a href="http://technorati.com/tag/google" rel="tag"&gt;google&lt;/a&gt; &lt;a href="http://technorati.com/tag/privacy+management" rel="tag"&gt;privacy
management&lt;/a&gt; &lt;a href="http://technorati.com/tag/liberty+alliance" rel="tag"&gt;liberty
alliance&lt;/a&gt; &lt;/span&gt;
&lt;/p&gt;
&lt;img width="0" height="0" src="http://blog.beuchelt.org/aggbug.ashx?id=1e36798b-e86c-4ac9-b387-c5e9562248c9" /&gt;</description>
      <comments>http://blog.beuchelt.org/CommentView,guid,1e36798b-e86c-4ac9-b387-c5e9562248c9.aspx</comments>
      <category>Identity</category>
      <category>Privacy</category>
    </item>
  </channel>
</rss>