Scott McNeally has been quoted many times with this (in)famous phrase from 1999.
But as Steven Cherry discusses is his podcast (mp3) The Car as Informant – IEEE Spectrum “even he (Scott) would be surprised at the extent to which we can now be tracked, both online and in real life.
“The car navigation and emergency response service OnStar, revealed that it was tracking cars even after their owners cancel their subscriptions—recording where you drive and stop for gas, the diagnostics that the car itself collects, and the speed, direction, and other information generated at the time of an accident.
“You can opt out of OnStar, or even have its sensors removed, but nowadays law enforcement officials can put tracking devices on your car without your knowing about it.
“If that sounds like it might be a violation of the U.S. Constitution’s fourth amendment protection against unreasonable searches, you’re not alone. That very question will be raised in a court case slated for argument at the U.S. Supreme Court in November.”
In the podcast Steven Cherry is interviewing Catherine Crump, a staff attorney with the American Civil Liberties Union’s Speech, Privacy & Technology Project. She expands on some of the legal issues and implications of such surveillance.
In her blog she writes about additional technology enhanced privacy destroying weaponry:
“It’s a remote-controlled plane with a computer in its belly that can fly up to 400 feet above the ground, snoop quietly on wireless networks below and attack one if it wants to. It can also pretend to be a GSM cellphone tower, eavesdropping on calls and text messages that pass through.”
This podcast made me think.
Here is some of my pondering on privacy
Invasion by authorities as well as the bad guys?
Digital technology is profoundly changing our lives. Is it too tempting for authorities and forces from the dark side to tap into your GPS co-ordinates as well as into your phone calls, tweets and mails, your video traces on surveillance cameras? Are our basic privacy rights at stake? Is everything allowed that is technically feasible? Where is a limit? Who will control the controllers?
The fallacy of poorly organized information
Why do we think that when we build information systems that we have to attach all attributes to one key identifier? This is now happening in healthcare in many countries. The well established “male chauvinist” approach to information systems design is the pyramid: One identifier on top and everything is directly connected to it.
Can one make such a system secure once it is delivered? Can we continue to try to just sprinkle some magic security powder or snake oil over the system and hope it will be rendered secure?
The temptation of the Global Identifier
Why do we think we have to connect everything to one identifier? We don’t do this in real life. My passport number is different from my health insurance number, which is different from my retirement benefit number, which is different from my driver’s license number, which is different from my phone number, which is different from . . .
But now that electronic identities come into play the people who build information systems are getting a glazed look at the fantastic opportunity to connect everything together.
No more site-specific identifiers necessary–finally everything can be connected together. We will become totally transparent even without a Twitter or Facebook account.
If we let this happen then privacy will be out of the door for good. These very same people forget that there are attributes that need to be kept private. Think about DNA sequences of a person. Insurers could determine from DNA the likelihood of an individual to get ill from some genetic disease at a certain age and refuse to continue contract and coverage.
Resistance against electronic patient records that we observe in some countries comes from that. Health officials are already planning to connect all the patient information and data to a person’s electronic identity — here in Switzerland to the SuisseID. Are there any systems safe enough that they will never be compromised? Or should we rather rethink?
“Another Major U.S. Medical Data Record Breach: 4.9 Million Patients Affected – IEEE Spectrum.” This recently published article speaks for itself.
Is there anything that can be done?
The Liberty Alliance (today inside the Kantara Initiative) has put in a lot of work to provide the mechanisms to protect privacy. SAML2 for identity assertion, federated identity to connect identities when needed from different realms. But it has been rarely discussed that federated identity can also be used to keep information apart.
The trick here is to willfully keep different information realms separate and to use this pseudonymity (or opaque keys) from the beginning. A well protected table (relational entity) that allows to connect the pointers from the different areas can selectively enable access to the information and connect the dots — but this would be the exception and only accessible to securely authorized professionals. Such a (small) relational table is much easier to protect than an entire system.
“I am confused — can you explain this with an example?”
I hear you. I’m glad you asked. I have used this analogy in numerous of my talks on privacy.
Imagine a general practitioner (house doctor). Today he has one unified wall cabinet full of hanging folders sorted alphabetically by the patients’ last names.
The folders contain all data and information that the doctor collected over time for each patient. The folders, by nature, contain quite sensitive information and the office rule that he set is that the unified cabinet should be locked.
But day-to-day practice is that they remain open since personnel has to access the folders all the time. Locking and unlocking them just seems too cumbersome.
Enters the Smart Doctor:
He arranges the information into two separate wall cabinets. Cabinet number one has the files with administrative data of patients: Name, address, phone, insurance information etc. This is information as you would find it in a phone book.
Cabinet number two holds the hanging folders with cases, a knee operation, a broken bone, a liver exam, an x-ray, etc — the sensitive information.
In both cabinets the hanging folders carry numbers. But these identifiers do not point to each other. They point to entries in a little black book, which the doctor securely carries with him on his body all the time. Only with this book the connection between the two sets of pointers and thus information (the patient and the case) can be achieved.
With this arrangement from now on both cabinets can stay unlocked and open.
Cabinet number one holds publicly available phone book plus some other non-critical administrative information.
Cabinet number two has cases and can become openly accessible, e.g. for public health studies (“how many cases of a certain infection are in this neighborhood?”).
Can we learn from this example?
If we build information systems without a global identifier we can compartmentalize information in a way that we can actually build systems where information security and privacy are an integral property of the whole system from the very beginning.
Is there still hope? — All is not lost.
If we all work together to resist the temptation of universal or global identifiers already when planning the systems we can design system that can be secured. Separation of information with strictly limited access to the links that reveal the relation is key in building “privacy enabled” systems. Spread the word. Talk to your peers. Share this (see below).
“When will we ever learn?—When will we ever learn?”
(Pete Seeger, last line from the song “Where have all the flowers gone“)
- The Car as Informant (spectrum.ieee.org — quoted above)
- Another Major U.S. Medical Data Record Breach: 4.9 Million Patients Affected – IEEE Spectrum, mentioned above
- Internists address dual concerns of privacy and protection of health data (medicalxpress.com)
- Does the West Now Learn From Dictatorships? (ponderingtechnology)
- New OnStar policy draws privacy concerns (news.consumerreports.org)
- OnStar rolls out new privacy terms that have drivers concerned (charlotte.news14.com)
- A Day In the Life of Privacy (yro.slashdot.org)
Martin Schallbruch commented in Xing on this post:
Sehr lesenswert, in der Tat!
Den Gedanken der Vermeidung eines universellen Identifiers haben wir aufgegriffen mit dem dienst- und kartenspezifischen Merkmal des neuen deutschen Personalausweises: Pseudonyme Nutzung macht Datenzusammenführung unmöglich.
Silicon.de published an article based on this blog on Nov 14, 2011. http://www.silicon.de/management/analyse/0,39044010,41557090-t,00/sie_haben_null_privatsphaere_finden_sie_sich_damit_ab.htm
Pingback: Data Are Growing Up: The Big Data Tsunami « Pondering Technology