Ruth Reader, writing for VentureBeat, reports that, in 2014, healthcare providers made up nearly one-third of all data breaches: "Hot medical identities can sell for as little as $50, according to a report issued earlier this year by the FBI. With more and more hospitals moving to electronic health records and healthcare breaches on the rise, its hard to see how this problem won’t become more widespread in the coming year." Reader also points out that, unlike for financial breaches, it is much harder to prove that a consumer didn't receive medical services on their records.
Microsoft is fighting a U.S. warrant for data stored overseas in Ireland, Corporate Counsel reports. The outcome of the litigation could have big implications for cloud computing and data privacy.
Microsoft argues that the warrant doesn't extend to data stored on servers located overseas, while the U.S. government said that the pre-cloud computing-era Stored Communications Act gives it access, Corporate Counsel also reports.
Arguments on the dispute are set to be heard Thursday.
Shawn DuBravac, chief economist of the Consumer Electronics Association, posits in Techdirt that the U.S. Supreme Court's rulings that warrants are needed before police may search criminal suspects' cellphones has struck the first blow to protect digital privacy in the era of the Internet of Things, or physical objects being connected to the Internet like smart thermostats, coffee pots and refrigerators: the decision "comes at just the right time, because it's not just our phones that are getting smart. Soon, just about everything we touch will capture data about us. Our cars. Our watches. Our clothing. The fundamental privacies at stake in this ruling transcend far beyond phones. The Supreme Court needed to write its decision with the bigger picture in mind, and it did."
ProPublica's Julia Angwin reported this week on how marketers' tracking of customers is getting more intrusive: "Online marketers are increasingly seeking to track users offline, as well, by collecting data about people's offline habits—such as recent purchases, where you live, how many kids you have, and what kind of car you drive."
Angwin goes on to explain how it works: after sharing your e-mail address with a store, a marketer locates customers online when they use their email addresses to log into websites, then a marketer tags customers' computers with a tracker, and then when customers arrive at the website of the same story they will see a site customized to them.
The Washington Post reported last week on how some federal magistrate judges are "balking at sweeping requests by law enforcement officials for cellphone and other sensitive personal data, declaring the demands overly broad and at odds with basic constitutional rights." For example, D.C. Magistrate Judge John M. Facciola, "deemed a law enforcement request for the entire contents of an e-mail account 'repugnant' to the U.S. Constitution," the Post also reports. He is an outlier but "part of a small but growing faction, including judges in Texas, Kansas, New York and Pennsylvanai, who have penned decisions seeking to check the reach of federal law enforcement power in the digital world."
Consent does not protect privacy in the era of big data because it is not meaningful in an era of giving permission through clicks on a screen, said Kate Crawford, a researcher at Microsoft Research and MIT, at the Social, Cultural & Ethical Dimensions of 'Big Data' held last night.
Big data analytics are being sliced and diced to create personalization and segmentation, Crawford said. But predictive analytics can create "predictive privacy harms" under the "rubric of personalization," Crawford said.
Instead of using consent to cure potential harms, there should be a data due process framework "placing accountability at the very end of the chain," Crawford argues. When data about a person is being used to make a decision that would affect their lives, disclosure should be mandated so that he or she can have the opportunity to respond, she further argues.
There should be more protection when the decisions involve important matters like health and employment, and there could be weaker protection when the decisions involve less weighty matters like advertising, Crawford said.
Even the most sophisticated systems can leak privacy information, Crawford said. The combination of private signals with public signals can be combined so that people's privacy is deeply violated, Crawford said.
"We need to be a little bit more skeptical when people tell us data is going to be secure," Crawford said.
Steven Hodas, a consultant who has worked on data projects for educational systems, said that the backlash against the InBloom, the company trying to collect, store and share student data with the support of the Gates Foundation, was because parents felt that their kids were being reduced to algorithms and they did not want teaching reimagined as educating a cohort.
Personalization does not mean more human interaction, but better data configuration, he said. We are "headed for dissonance with dissidence not too far behind," he said.
Parents want teachers to be "analog craftsmen, not maker bots," Hodas said.
The blowback against InBloom might have been averted if there had been portals for parents to access parent-oriented data, Hodas added.
Columbia University scholar Alondra Nelson said that data about genetics is a disproportionate issue for minorities because more minorities are arrested or convicted and have their DNA uploaded into criminal justice system databases. Blacks make up 13 percent of the American population, but they are 40 percent of felony convictions, she said. Even innocent people who are not ultimately convicted have their DNA included in the databases, she added.
In another example of how genetic data implicates privacy, sequencing the genome of the HeLa cell line and uploading it on-line meant that personal information about Henrietta Lacks, the woman from whose cervical cancer cells the cell line was developed, and her family could be identified, Nelson said. That included genetic markers for physical appearance and disposition for diseases.
The event was cohosted by the Data & Society Research Institute, the White House Office of Science and Technology Policy, and New York University's Information Law Institute.
Nicole Wong, a former legal director at Twitter and now a deputy U.S. chief technology offer working in the White House' big data workgroup, said we need to "lean into those hard questions" about the issues of technology, privacy and individual liberties.
The Wall Street Journal reports that research by the U.S. Senate Commerce Committee found that data brokers are maintaining health records as part of their massive data collection: "Marketers maintain databases that purport to track and sell the names of people who have diabetes, depression, and osteoporosis, as well as how often women visit a gynecologist."
There is little oversight of data brokers, including from the subjects of the data collection; we don't have the right to find out what type of data is collected about us or who buys the information about us.
"An industry which began in the 1970s collecting data from public records to help marketers send direct mail has become an engine of a global $120 billion digital-advertising industry, helping marketers deliver increasingly targeted ads across the web and on mobile phones," The Journal also reports.
Drug and Device Blog reports on a California Court of Appeal decision in which an intermediate appellate panel held that the California Confidentiality of Medical Information Act does not allow for plaintiffs to sue over the negligent maintenance of their confidential medical information unless their information was accessed wrongfully or without authorization.
In the underlying case, a doctor took home a hard drive containing the personal health information for 16,000 patients. The hard drive, as well as the encryption passcodes, were stolen, but no one knows if the thief viewed or tried to view the patients' personal health information.
Drug and Device Blog said the case has "broad appeal because the fact pattern is so typical of 'data security breach' lawsuits: Private information resides on a stolen hard drive or is sent off into the ether with nary an indication that anyone received, reviewed, used, or otherwise paid any attention to the information. At another level, such lawsuits (which are usually class actions) almost never articulate any credible basis that the plaintiffs suffered any actual harm."