Don’t let them pull the Aircloak over our eyes

Big business wants our personal information so it can make even more money. Privacy laws say it cannot have our personal data, but do not define anonymized data as ‘personal’. Business-friendly privacy regulators, such as the UK’s Information Commissioner, specifically declare that anonymized personal data is not regulated by the data protection laws — and is therefore fair game and up for grabs by all and sundry. Academics say, hang on, it is impossible in the modern age to truly anonymize personal data — determination can always de-anonymize it. The whole issue becomes even more befuddled with the introduction of pseudonymized data which is even more easily unwrapped — and the Information Commissioner would dearly like to, and probably will, declare pseudonymized personal data unprotected by law and equally up for grabs. Meanwhile, big business doesn’t want any anonymization at all, and is lobbying government ferociously to get what it wants.

It’s a mess; and there is no imminent solution.

Aircloak
Enter Aircloak. Aircloak is a company and product spun out of Max Planck Institute (computer science) research. It tries to turn the argument on its head. If we cannot, or at least cannot agree that we can, truly anonymize personal data, then let’s keep the data raw — but anonymize the statistical analysis from that data. Big business can therefore analyse the full data set, but will receive results that cannot identify any individuals. If this can be done, it will almost certainly be acceptable to the world’s privacy legislators.

Aircloak accepts data into the system, stores it in encrypted format, allows only authorized users to query it, and returns results that (in theory) cannot identify individuals. To provide trust in the Aircloak software and ‘guarantee’ it free of backdoors, it provides the software as open source. This can thus be analysed and verified by anyone. It then uses the Trusted Computing Platform’s attestation option to ensure that the software being used is exactly the same as that which was verified.

This sounds as if it should be acceptable — but it is not. Criminals, whether they be government, business or organized, will always find ways round or over if not through any defences. Anything that is made by software can be unmade by software. Open source does not guarantee secure — just think of Heartbleed. And government agencies are brilliant at finding ways round defences — consider, for example, the hardware on which the system will run.

The prize is huge — complete, raw, big data personal information — and any intelligence agency would be in dereliction of its duty if it did not try to get it.

The solution
The real solution to this problem is simple: ban all and any collection of personal data unless the user specifically and unequivocally allows it in the informed knowledge that anyone and everyone will subsequently have access to it for any purpose.

Big business will throw its hands up in horror at such a suggestion, claiming that it is either necessary or massively beneficial to society that they have unfettered access to everything. So let’s consider three business cases: personal data used for law enforcement, targeted advertising, and medical research.

Law enforcement
Law and intelligence agencies claim that access to communications big data (including content) enables them to locate criminals and terrorists and prevent crime and acts of terror. But they already have that access. All they need is to go to a judge with a reasonable argument that a specific target is a threat to society and they will be granted access to that target’s communications. I don’t think anybody objects to this — judicial oversight (but not by some secret and unaccountable court like FISC) is all we need.

Targeted advertising
The marketing companies claim that collecting personal data allows companies to deliver targeted (that is, relevant) adverts to internet browsers. They claim this is a benefit to the user. But they go further and suggest that without the ability to target, advertisers will desert the internet and the free internet will collapse. The argument is that advertisers need to be able to target.

This is codswallop. Advertisers could and did basic targeting even before the internet — but it was based on location subject. Sports goods were advertised on the sports pages, and shoes were advertised on the fashion pages. Not being able to display a shoe advert to only those readers known to be looking for shoes did not stop the advertisers from advertising. So why should it now? Shoes can be advertised on fashion sites, and sports goods on sports sites. It’s the same thing.

Medical research
The UK’s care.data is the perfect example (see Care.data, pseudonymised data and the ICO). The NHS wants to collect every English patient’s full and intimately personal health data into a single database for sale to researchers for medical research. Nobody doubts that one of the main customers for this data will be Big Pharma, the drug companies. The NHS argument is that this will result in better and faster development of new drugs and new drug campaigns for the benefit of all.

Ben Goldacre

Here’s a passage from Waterstone’s blurb on Ben Goldacre’s book, Bad Pharma. Goldacre is an author, broadcaster, campaigner, medical doctor and academic; and is highly respected.

…companies run bad trials on their own drugs, which distort and exaggerate the benefits by design. When these trials produce unflattering results, the data is simply buried. All of this is perfectly legal. In fact, even government regulators withhold vitally important data from the people who need it most. Doctors and patient groups have stood by too, and failed to protect us. Instead, they take money and favours, in a world so fractured that medics and nurses are now educated by the drugs industry. The result: patients are harmed in huge numbers.
Bad Pharma

Consider this. Big pharma is not interested in our health — it is solely interested in its own profits. When independent research began to show that Chinese herbs are more efficacious than western drugs, it campaigned for and succeeded in getting them banned. Do we really want to hand our personal health information to such people? I think not.

The reality
The reality is that none of these organizations want our data for our benefit — they want it to increase their profits at any cost to society. They make up arguments that do not stand scrutiny — they argue that because something is technologically possible, it is necessary.

Big business controls government — consider the way in which Monsanto has infiltrated the relevant US agencies and now seems to control the UK government as well (see: Defra battles to keep public in the dark over GM industry influence on policy and media — GeneWatch); and how the US telecoms companies have got inside the FCC and reversed its position on net neutrality.

The only solution to the personal privacy problem is to forbid the collection of any personal data. Where it is part of the service provided — such as that provided by GPs — the data must remain with the GP, and the GP must be held responsible for keeping it safe.

Aircloak is a dangerous development because it offers the suggestion that things can be different. They cannot.

Google amends its Terms of Service

With most privacy laws you can pretty much do what you want provided you are up front about it. The key is the ‘informed consent’ of the user.

Google has been getting grief from legislators who claim that the complexity of its privacy policies make it impossible for users to be informed, and difficult for them to opt out if they do not consent.

One continuing argument is over Google’s scanning of email content in order to provide targeted advertising to Gmail users. The nub of the argument is that claimants say they have not given consent to this scanning while Google’s response is that consent is implied by use.

Now Google has made its practices explicit with a Monday addition to its terms of service. It has added a new paragraph:

Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.
Google Terms of Service

I think Google was correct in reality if not legality when it claimed that consent was implicit in use — most if not all users are perfectly aware that email content is scanned electronically. The new paragraph makes this explicit: informed consent is now given by use of Google services.

What I still find interesting is that this consent is said to apply to received emails. If a non-Google user sends me a message, how is that user giving consent for the message to be scanned by Google? Is it realistic for non-Gmail users to read Google’s terms of service before emailing a Google user?

I don’t believe it is. So who owns the content: the sender or receiver? Copyright would suggest it is the sender — in which case this amendment to the terms of service will go some way, but not all the way, towards solving Google’s privacy issues.

Cameron welcomes the Interception Commissioner’s Report, but ignores the European Court ruling

On Tuesday the European Court of Justice ruled that the EU Data Retention Directive breaches the European Convention on Human Rights (details here, European Court dumps the Data Retention Directive and here, The ECJ has declared the Data Retention Directive to be invalid – but what actual effect will it have?). This is particularly important to current intelligence agency debates, since it involves the retention of communications metadata. While the spy agencies and governments insist that this is not personal information since it does not include content, the court started from the basis that it is personal information and concluded that its retention interferes with people’s “fundamental rights to respect for private life and to the protection of personal data.”

David Cameron: prime minister of the UK

With amazing synchronicity, also on Tuesday, David Cameron presented (‘laid before’) parliament the UK Interception Commissioner’s annual report. “The report makes clear,” said Cameron, “the Commissioner’s view that RIPA is fit for purpose, despite advances in technology. He also finds that interception agencies undertake their roles conscientiously and effectively, and that public authorities do not engage in indiscriminate random mass intrusion.”

This is an excellent example of politicking. The commissioner finds that RIPA is capable of doing what it was designed to do; he does not question whether it is right to be able to do that (which would be beyond his remit). Cameron says that “interception agencies undertake their roles conscientiously and effectively, and that public authorities do not engage in indiscriminate random mass intrusion,” as if they are the same thing.

But they are not – ‘public authorities’ are defined in the Freedom of Information Act as bodies such as government departments, the armed forces, local government, the NHS, and the police. The ‘interception agencies’ are basically GCHQ and its allied intelligence agencies. Nobody really believes that the police, the NHS and the army is involved in ‘random mass intrusion’; but Cameron is conflating the ideas to suggest that the interception agencies are also not involved in ‘random mass intrusion’ when clearly they are.

Tom Watson: Labour MP

What Cameron did not do is make any mention of the European Court ruling which throws into doubt the legality of parts of RIPA and pretty much any random mass intrusion. It was left to Labour MP Tom Watson to point this out in a subsequent letter to Cameron:

The speed with which you responded to publication of Sir Antony May the Interception Commissioner’s report yesterday was impressive.

I did not notice a response to the European Court of Justice’s important – and relevant – decision [1] on the ‘wide-ranging and particularly serious’ interference of the Data Retention Directive with two fundamental rights of our citizens, the right to privacy and protection of personal data. Perhaps I missed it.

Watson goes on to say that the Interception Commissioner

in fact expresses significant concern about the potential for institutional overuse of powers to request information on communications data, inadequate records kept, and lengthy periods for over [sic] which public bodies store such data. Again, contrary to your statement, the Commissioner draws attention to the variable practices of law enforcement and intelligence agencies and the absence of regulation of the storage and use of communications data, in contrast to regulation on contents data. Here the Commissioner concludes that he is not satisfied that data retention periods are justified and he is not able to comment on the use to which such data is put.

We know that GCHQ is involved in random mass intrusion through the top secret NSA documents provided by Edward Snowden. Much of this interception would appear to be done by tapping the underwater fibre connections between the UK and the USA outside of UK national waters and therefore outside of RIPA’s jurisdiction. Someone in London sending a confidential email to someone in Newcastle might easily find the message routed via the United States. While outside of the UK, if we are to believe the Snowden files, that message would likely be intercepted by either or both GCHQ and the NSA. So for the UK government to claim that GCHQ operates strictly within UK laws is consequently disingenuous. Even if GCHQ obeys the law, this does not mean it does not engage in indiscriminate random mass intrusion.

Meanwhile, while the UK ignores the European Court’s ruling (and will delay doing anything it is told to do for as long as possible), a Swedish ISP has acted unilaterally and taken the ruling at face value. Without waiting for the Swedish Data Retention enactment to be repealed, Bahnhof CEO Jon Karlung decided to delete all retained user data, and stop collecting any more it immediately. On Wednesday, the company announced (Google translation): “Yesterday Bahnhof chose to discontinue storage of customer traffic and also delete existing data. Jon Karlung, president, called it a ‘day of joy’.”

Swedish Justice Minister Beatrice Ask was not best pleased, and told Radio Sweden, “Swedish law still applies. It is not the case that you can start applying other conditions straight away.”

But Bahnhof’s position is clear. “If we end up in court so we simply appeal to the EU Court of Justice. Their judgment from yesterday is extremely well written.”

You can just imagine (because that’s all it will ever be), BT and other UK ISPs turning round to Cameron and saying, “Listen Dave, what you’re telling us to do is illegal, so we’re simply not going to do it anymore.”

 

The ECJ has declared the Data Retention Directive to be invalid – but what actual effect will it have?

Today the European Court of Justice has declared the Data Retention Directive to be incompatible with the European Convention on Human Rights, and therefore invalid. (See here for details.) Privacy activists are delighted. Jan Philipp Albrecht called it “a major victory for civil rights in Europe.” Privacy International said, “It is right and overdue that this terrible directive was struck down.”

But there is a severe latency between European decisions and national action, especially where the national preference is for inaction. After all, the decision made today doesn’t even settle the complaint against the directive commenced in 2006 (the Irish High Court will have to settle the case, but guided by the ECJ’s decision).

Alexander Hanff, Think Privacy Inc

I wondered, then, what real effect this decision would have on the various European national governments’ predilection for collecting their citizens’ metadata. I asked Alexander Hanff, a long-standing privacy activist and CEO of Think Privacy Inc (a provider of privacy enhancing technologies and privacy consultancy services). I can do nothing better than to repeat what he told me verbatim.

The declaration by the ECJ is long overdue but welcomed and reiterates what many privacy and human rights experts have been arguing for many years. However, what this means for the UK and other EU member states is as yet unclear. For example, the Data Retention Directive is transposed in different ways in different member states’ laws, and is not limited to a single definition in a single statute.

In the UK it is my understanding that the directive is implemented in a couple of regulations and acts such as Privacy and Electronic Communication (EC Directive) Regulations and the Regulation of Investigatory Powers Act. Which means both would need to be changed – but before that can happen the Directive itself would need to be changed to fall in line with the ECJ declaration (or “repealed” in its entirety).

As you know, the wheels of the machine turn incredibly slowly which means it could be some time before we see the relevant changes in the EU Directive – I presume this would make it difficult for citizens to challenge their governments implementation of the Directive into the national laws and regulations, as these member states would simply say they have ratified the existing Directive and cannot change their laws until the Directive itself is changed – in other words, member states are likely to say “Not our problem gov, we are just doing what Strasbourg/Brussels are telling us to do!”

That said, even if a challenge was successfully filed, it would take a great deal of time for anything to happen – look at the situation with the UK and RIPA for example – it took around 2 years from the EU Commission officially commencing infringement proceedings to the UK changing RIPA to comply with EU regulations on interception of communications.

It is of course possible that the UK government (and other member states) will voluntarily repeal the various clauses in various pieces of legislation which relate to data retention or better define them to be compatible with the ECJ declaration – but I would think that is highly unlikely given the intelligence value of this data (which everyone is now very painfully aware of since the Snowden revelations).

It may also be possible for citizens (in the UK at least and potentially other member states) to challenge their Governments in their national courts – given that (again in the UK at least) Court judgments must consider their impact on human rights under what is known as the “horizontal effect” from the Human Rights Act (as the court is a public body) so a challenge against the Government under HRA with the weight of HRA itself having a direct influence on the decision of the Court could lead to an interesting decision. But again, such a challenge would be expensive and take a significant period of time to reach a conclusion – during which time the Government could well pass secondary legislation which creates obstacles (such as some specific national security legislation, anti-terror expansion etc.).

It is too early to know how this will play out, but it is certainly interesting and will worth keeping a watchful eye on.

We should be pleased with today’s result; but there is still much to do and much to prevent. We are still a long way from changing anything in the UK.

European Court dumps the Data Retention Directive

It was inevitable. In December last year the European Court of Justice Advocate General, Pedro Cruz Villalón delivered his opinion on the EU Data Retention Directive, saying that it is incompatible with the Charter of Fundamental Rights of the European Union. With such an opinion from the Advocate General, it was unthinkable that the European Court of Justice (ECJ) itself would formally conclude otherwise.

Today it ruled that the Data Retention Directive is invalid.

The directive was adopted in 2006. Its purpose is to harmonise the retention of communications data (not content) across the EU for law enforcement purposes. Access to the retained data, declares the directive, shall be “in accordance with necessity and proportionality requirements… defined by each Member State in its national law, subject to the relevant provisions of European Union law or public international law, and in particular the ECHR as interpreted by the European Court of Human Rights.”

That is the problem, for the ECJ has now ruled that the directive itself is incompatible with the ECHR. The directive is therefore invalid. “The blanket, unjustified collection and retention of telecommunications data in the EU must now stop!” said Green MEP Jan Philipp Albrecht this morning. “The European Court of Justice’s verdict on the incompatibility of the Data Retention Directive with the EU Charter of Fundamental Rights is a major victory for civil rights in Europe!”

It has always been controversial, with privacy activists claiming it breaches fundamental privacy principles. There have been several challenges to the directive over the years. Perhaps the most important was the immediate legal challenge by Digital Rights Ireland in 2006. In 2010 the Irish High Court referred the case to the ECJ for a ruling – which has now been delivered.

The ruling accepts the validity of the intention behind the directive: “the retention of data for the purpose of their possible transmission to the competent national authorities genuinely satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security.” But in trying to achieve this, “!the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.”

The court described five objections:

• the blanket nature of the collection of data, “without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.”
• insufficient limitation on access to and use of the data by national authorities
• the blanket nature of the period of data retention, which fails to ensure that data is only kept for as long as is strictly necessary
• insufficient safeguards against abuse of the data retained, and fails to ensure the irreversible destruction of the data at the end of the retention period
• finally, the directive does not ensure that the retained data remains within the EU, as required by EU law.

For these basic reasons, “The Court of Justice declares the Data Retention Directive to be invalid.”

Although the challenges to the directive were referred to the ECJ by individual national courts, the effect of the judgment is Europe-wide. The implications are far-reaching. “Perhaps most significantly,” said Privacy International in an emailed statement this morning, “this ruling demolishes communications data surveillance laws not just across Europe, but sets the precedent for the world. The widespread and indiscriminate collection of information has been, and always will be bad law, inconsistent with human rights and democratic values.”

Americans who accept or even condone the NSA’s mass collection of metadata should look closely at this ruling. And in the UK, prime minister David Cameron will have to think long and hard about his plans to bring back the Data Communications Bill.

 

 

United States Trade Representative threatens the EU

The United States is accustomed to getting its way internationally through trade threats. One method is the Special 301 Report Watch List, which is an annual list of countries which the US believes are failing in their duties towards copyright protection (specifically, US copyright protection). Once included in the Priority Watch List, a foreign country is liable for legal and/or trade sanctions. The Special 301 Report is compiled by the Office of the United States Trade Representative (USTR), and is seen as a method of bullying recalcitrant nations into conformity with US preferences.

This is not the only annual report from the USTR. It also produces the Section 1377 Review which examines international compliance with telecommunications trade agreements. This too, perhaps because it has become entrenched in the USTR way of doing business, can take a bullying tone. The latest report was released on Friday – but I would suggest that it thinks again if it believes it can bully the European Union at this stage of EU/US relations.

Background
Following the Snowden revelations on NSA/GCHQ spying, the now former head of Deutsche Telekom, René Obermann, proposed in November 2013 that Europe should establish a Schengen-routing and Schengen-cloud. The idea was that any communication from one point in Europe to another point in Europe should never leave Europe; and that personal European data should remain within Europe. This latter would effectively remove the existing safe harbour agreement with the US.

‘Schengen’ was chosen specifically as a mechanism for excluding the UK. The Schengen Area comprises 26 European countries that have abolished border control for Europeans between common borders – the UK has always remained outside of this agreement. As Die Welt described in March, the ‘Schengen-routing’ is intended to be “a defensive measure against the encroachments of the Anglo-Saxon intelligence on European internet users.”

Germany’s Angela Merkel and France’s François Hollande (that is, the central axis of the European Union) have declared support for the idea.

USTR’s Section 1377 Review
At the end of last week the USTR released its 2014 Section 1377 Review. On cross-border data flows it has two concerns: Turkey and the EU.

In Turkey, in the run-up to the recent local elections (‘won’ by Prime Minister Erdogan’s AKP party) and ahead of the presidential elections in August, the government has been tightening its grip on and control over the internet. USTR is concerned over restrictions on data flows and will seek “to ensure that data flows supporting legitimate trade can expand unimpeded.”

In Europe, the report notes that

DTAG [Deutsche Telekom AG] has called for statutory requirements that all data generated within the EU not be unnecessarily routed outside of the EU; and has called for revocation of the U.S.-EU “Safe Harbor” Framework, which has provided a practical mechanism for both U.S companies and their business partners in Europe to export data to the United States, while adhering to EU privacy requirements.

Well, obviously, this is a false statement. The safe harbour agreement requires that US companies holding European data do not pass that data to any third-party – but clearly they do pass it to the NSA and law enforcement. The report continues,

The United States and the EU share common interests in protecting their citizens’ privacy, but the draconian approach proposed by DTAG and others appears to be a means of providing protectionist advantage to EU-based ICT suppliers. Given the breath [sic] of legitimate services that rely on geographically-dispersed data processing and storage, a requirement to route all traffic involving EU consumers within Europe, would decrease efficiency and stifle innovation. For example, a supplier may transmit, store, and process its data outside the EU more efficiently, depending on the location of its data centers. An innovative supplier from outside of Europe may refrain from offering its services in the EU because it may find EU-based storage and processing requirements infeasible for nascent services launched from outside of Europe.

This is riddled with emotive language and inaccuracies. Draconian? Protectionist advantage? (Now I freely accept that DTAG will be looking for commercial opportunities, and that it is not a company I personally wish to use. From personal experience, I will never have dealings with T-Mobile again. But it is interesting that it seems to be willing to trade the US market for the European market.)

And the inaccuracies… Europeans would suggest that the US has shown scant regard for anyone’s privacy, while it is the US that delivers protectionist advantage (sometimes via economic espionage) to its own companies. Secondly, it completely misrepresents the proposals. European point-to-point communications should stay within Europe (that’s the ‘routing’); while personal data should not leave Europe (that’s the ‘cloud’). But the USTR is lumping the two together into some form of balkanised European intranet completely cut off from the rest of the internet. In reality, it should have little effect on legitimate trade between the EU and US.

It is not, for example, nearly as draconian as the US exclusion of Huawei from the US markets without any proof of actual threat (other than economic).

Then comes the USTR threat:

Furthermore, any mandatory intra-EU routing may raise questions with respect to compliance with the EU’s trade obligations with respect to Internet-enabled services. Accordingly, USTR will be carefully monitoring the development of any such proposals.

In reality we should not take this too seriously. It’s a form of lobbying – perhaps the first of much more to come – and we already know that USTR is not averse to lobbying on behalf of US industry. But it does show that the US is beginning to take the Schengen threat seriously. The UK should too. In the meantime, it should be said that US industry is not without its European allies. Neelie Kroes, the European Commissioner in charge of the European Digital Agenda, has said: “It’s not realistic that we can keep data in the EU, and the trial could jeopardize the open Internet.” Neelie Kroes is the commissioner who recently tried to redefine ‘net neutrality’ to suit big telecoms companies, only to have her definition rejected by the European Parliament.

Microsoft’s new secret weapon: listening to its customers

I am not Microsoft’s greatest fan. It is a dinosaur stuck on the beach while the fleeter of foot are soaring through the clouds. The reality is that it has no, and has never had, any visionaries. Even its domination of the desktop was more down to luck and sharp practices than genuine vision.

It was lucky that Gary Kildall rejected IBM’s overtures, else there would never have been an MS-DOS; and it was sharp practices that killed off Digital Research — its one serious and technically superior competitor. It was lucky that Apple demonstrated the value of Xerox Parc research and paved the way for Windows. It was lucky Jobs was so far ahead of his time he thought he could have a walled garden in the ’80s; and almost destroyed Apple in the process.

But it was sheer arrogant blindness that made Gates think he could ignore the internet. For the last two decades Microsoft has been forced into playing catch up; but catch up never works if you don’t have the vision to get ahead of the competition.

Now, in just one area, Microsoft is showing visionary signs that could differentiate it from all of its competitors. Microsoft has started listening to its customers rather than imposing its will on its customers.

While Facebook is telling everyone that they don’t want privacy, Microsoft is listening and saying, OK, we will give you privacy. While Google is fighting the European Union over privacy and cloud storage, Microsoft is listening to the EU and saying, OK, we can accommodate and store European data in European data centres.

Now, it’s not as simple as that. The US government can still demand customer data from Microsoft’s European data centres simply because Microsoft is a US company. But it’s making that data much more defensible, and telling the EU that it is willing to cooperate rather than fight.

Similar over privacy. When it became clear last week that Microsoft had, quite legally, searched the emails of one of its customers concerning the theft of Microsoft IP, it knew there would be privacy issues. It immediately said two things: firstly that it would in future get a pseudo warrant from an independent lawyer who had previously been a judge, and secondly that it would include its own searches in future ‘transparency reports’ (the ones that publish the number of law enforcement searches).

It wasn’t enough for the privacy advocates who pointed to the hypocrisy of criticising NSA warrantless surveillance and then doing its own.

To Microsoft’s great credit, within a week, it has listened, heard and understood. Brad Smith announced yesterday,

Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.
We’re listening: Additional steps to protect your privacy

Is this a new Microsoft — the genuinely ‘listening’ company? It no longer dominates the world’s operating systems, and is losing ground on desktop office software. But it seems to be doing one thing that none of its competitors are doing. It is listening to its customers, and giving them what they want. That alone, over the next few years, could catapult Microsoft back into a leading position.

If it’s not outright lies, it is downright deceit: the NHS and patient data

I had to visit the hospital the other day. I’m not going to say why, because that’s private, personal and confidential. Suffice it to say that the condition isn’t one that I wouldn’t tell my mother; but it is one that I’d prefer potential employers and insurers know nothing about unless I tell them (it’s probably nothing anyway). I would most certainly not want the pharmaceutical industry to know — the drugs they offer make the (possible) condition much worse, and introduce new ones.

But I don’t need to worry, do I? At the bottom of the hospital appointment letter, in bold type, is the statement:

All personal information about you is kept confidential at all times and is only shared when necessary to support your care and treatment. If we want to use your information for any other purpose, with the exception of when the law requires us to do so, we will talk with you and obtain your consent. If you have any concerns regarding this, please talk to the person providing your care and treatment.
(see grammatical note at the end of this post)

But that’s a lie. While the government wants to start centralizing our GP records in the autumn, it is already doing so with HES (Hospital Episode Statistics). These are already held by the Health and Social Care Information Centre (HSCIC) which is where all of the records will eventually be held. According to the HSCIC website,

HES is a data warehouse containing details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England.

This data is collected during a patient’s time at hospital and is submitted to allow hospitals to be paid for the care they deliver. HES data is designed to enable secondary use, that is use for non-clinical purposes, of this administrative data.

It is a records-based system that covers all NHS trusts in England, including acute hospitals, primary care trusts and mental health trusts. HES information is stored as a large collection of separate records – one for each period of care – in a secure data warehouse.

We apply a strict statistical disclosure control in accordance with the HES protocol, to all published HES data. This suppresses small numbers to stop people identifying themselves and others, to ensure that patient confidentiality is maintained.

Compare the two statements. It is perfectly clear that the hospital is lying. But the reality is, so is HSCIC.

Back in 2012, the marketing firm PA Consulting bought a copy of the HES data.

So we bought the data and installed it (with certain security restrictions) on our own hardware… [But querying the data took too long.] The alternative was to upload it to the cloud using tools such as Google Storage and use BigQuery to extract data from it… Within two weeks of starting to use the Google tools we were able to produce interactive maps directly from HES queries in seconds.

(That document seems to have been removed from the PA site, or hidden away. Anyway, I can no longer find it, and have to rely on the copy I have. It seems to have been replaced by a press statement from PA here and another from HSCIC here in a coordinated release. Neither of these should satisfy any patient.)

Ask yourself this: how can maps be produced without location data? What is location data if it is not personal identification information? How can data be transferred to a third-party (Google cloud) and stay within the Data Protection Act. Remember that several different data protection regulators in various parts of Europe, including our own, have challenged Google over its privacy policy — and several have already fined Google the maximum possible for being in breach of European data protection laws.

The HES data sold by the government is pseudonymised — but still includes postcode and age (PA denies that it received DOB or address, but doesn’t specify whether that included ‘age’ and ‘postcode’). In other words, standard HES data specifies very clearly exactly who 98% of the patients actually are and where they live.

And then there’s Beacon Dodsworth, a firm that “provides geographical information system (GIS) mapping software and marketing technology to clients in a wide range of industries” including Estee Lauder, Trinity Mirror Group and Boots. It says

Hospital Episode Statistics (HES) have now been integrated with our P2 People & Places people classification thanks to some hard work from our clever developers.

This means you can now better understand the health needs of local communities and populations and identify trends and patterns in order to target health improvement more effectively.
http://www.beacon-dodsworth.co.uk/site/data/hospital-episode-statistics

So we seem to have a system that quite readily sells our hospital records to any marketing company that will pay for them, and then allows those marketing firms to advertise the ability to target us on the basis of our health. And at the same time, the NHS itself tells us something completely different: that the data is only seen by those involved in our treatment.

Now Ross Anderson, chair at the Foundation for Information Policy Research; Phil Booth, coordinator at medConfidential; and Nick Pickles, director at Big Brother Watch, have all filed a complaint with the ICO requesting that the issue be examined in relation to the Data Protection Act.

It will be interesting to see how the ICO can reconcile what to everyone else is a clear but hidden breach of confidential patient data — and the Data Protection Act — with this government’s desire to sell and share everything about us to anyone willing to pay for it, irrespective of our own wishes. Because the one thing we can be very sure about in all of this is that the ICO will do all he can to avoid doing anything at all.

grammatical note
The first sentence is a complete statement. The second sentence is also a complete sentence. There is nothing in the second sentence to indicate that it qualifies the first sentence. There is nothing in these two sentences from which a reasonable patient could infer that it really means, “We will not share your personal data with anyone other than the centralised government database operated by HSCIC, with whom we will always provide all of your details all of the time, and over which we have not the slightest control nor responsibility for your personal data.

Lobbying against data protection reform will now concentrate on national governments

Well, the European Parliament voted overwhelmingly in favour of reforming the Data Protection Directive with a new Regulation that ensures standard data protection rules across the entire EU, strengthens people’s privacy, increases sanctions against transgressors, and provides some rights to have personal data removed from databases. It is not yet, however, a done deal since the Council of Ministers (that is the EU’s national governments) must also agree.

Industry lobbying against national governments will now intensify. Here’s an article from PharmaTimes published two days ago:

The multi-stakeholder Healthcare Coalition on Data Protection has stepped up pressure on lawmakers in the EU to preserve, re-instate or clarify research-friendly provisions in the European Commission’s proposal for a General Data Protection Regulation.

Why?

According to the Royal College of Physicians, the net impact of the LIBE amendments has been to introduce much more stringent requirements for explicit consent to use personal data for health or scientific research than under current legislation.

Furthermore, the EU totally irresponsibly demands that personal data used for research purposes (which they want to take without asking us) be “anonymised or, if that is not possible for the research purposes, pseudonymised under the highest technical standards, and all necessary measures shall be taken to prevent re-identification of the data subjects.”

This, according to the Healthcare Coalition on Data Protection “would make much valuable research involving personal data at worst impossible and at best unworkable.”

So why do they need to know who we are? To improve our health (not to mention the pharmaceutical industry’s profits, and indeed, it doesn’t mention them) through data-driven approaches.

These include large disease databases, personalised medicine, medical imaging, eHealth, mHealth, human genome decoding, disease prediction, biobanks, biomarkers and many more.

I’m not sure why they need to know who I am for any of that other than ‘personalised medicine’; and frankly I’d rather get my personalised medicine from my GP than through an advertising campaign delivered to my door by the pharmaceutical industry… who knows who I am, where I live, how old I am, what’s wrong with me, my sexual preferences and any past (or present) STDs, whether I’m pregnant or have had an abortion, and probably (through alignment with other databases) how much I can spend on medicine. All of which they want to know without asking my consent.

Message to Mr Obama: Do not underestimate European anger

Introduction
The United States would be well advised not to dismiss European anger over the NSA — but so far the US doesn’t seem to be taking the EU’s concerns seriously. Consider the safe harbour agreement, and the growing movement to suspend it.

Safe harbour is an official arrangement that allows American companies to circumvent the European data protection laws. These laws prohibit the export of personal European data to any country that does not have comparable data protection laws. The United States does not. On the face of it, then, this would stop companies like Google and Yahoo and Facebook operating in Europe since they ‘export’ their users’ data to servers in the US.

To avoid this, the EU and US developed the Safe Harbour. Provided individual companies are certified to provide a comparable level of data protection to that required in the EU, safe harbour allows US companies to store EU data in the US. That certification can be provided by a qualified third-party, or it can be self-certification. One of the conditions included is that personal EU data will not be passed on to third parties.

But this requirement is clearly being breached by the NSA’s Prism programme. It doesn’t matter whether US cloud companies are giving EU data to the NSA willingly or even knowingly — that it happens is in contravention to safe harbour. So the mood in Europe is simple: if safe harbour isn’t being honoured, it would be better to suspend it. If this were to happen as things stand, companies like Google and Facebook would no longer be able to operate in Europe.

Why I don’t think America is taking this threat seriously
In December 2013, a US think tank called Future of Privacy Forum (FPF) published a report concluding, “It would be unwise at this stage of the Safe Harbor to pull back on this effective program.” It claims that safe harbour is working — when Prism shows it is not.

FPF’s first argument is that “eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.” Seriously? Is FPF really suggesting that since the NSA will disregard the law, we shouldn’t bother having any laws?

Its second argument is that even US companies that allow their safe harbour certifications to lapse are “still subject to FTC Section 5 enforcement for any substantive violations of
the Safe Harbor principles committed while it claims to be a member.” Luckily, we can test that assertion because the FTC has just made enforcement on 12 US companies for that very infringement.

Following complaints, the FTC took action against the companies which resulted in settlements. The settlement agreements now prohibit the companies from falsely stating to be Safe Harbour certified.
FTC takes safe harbor enforcement action against 12 US corporations

So, the punishment for ignoring safe harbour rules is to agree to stop ignoring safe harbour rules; which can be done via self certification.

This is not the behaviour of a country that is taking Europe seriously.

Is it even possible for Europe to suspend safe harbour?
This is the crux of the problem. America clearly believes that it would be impossible: Google, Facebook, Microsoft, Yahoo etc, etc are so deeply woven into the social and economic fabric of Europe that it would not dare, in the final analysis, to pull the plug. That, I fear, would be a catastrophic underestimate of European determination.

Consider some of Europe’s recent announcements. It is preparing itself for a life without US tech giants, and even a life without the UK. (Incidentally, David Cameron will rapidly discover how insignificant the UK will be considered by the US if it can no longer influence the EU in favour of the US; and GCHQ, like the NSA, can no longer spy on Europe.)

Firstly, the EU has declared it wishes to be an honest broker between US and UN ownership of internet governance. In other words, the European bloc is no longer in blind support of the US position — it is preparing for, and in doing so it is making inevitable, a time when US control is removed.

Secondly, Angela Merkel has indicated a Franco-German intent to build a European internet outside of the NSA’s reach. US companies will either have to agree to play by European rules, or be excluded from Europe. (That, of course, applies equally to the UK and GCHQ. Nigel Farage of UKIP wants the UK to leave the EU; Cameron, who doesn’t, is close to getting the UK excluded by default.)

Faced with such a decision, the US companies will take a commercial position and play by the rules of what will effectively be a heavily policed virtual internet within and for Europe. Microsoft has already broken ranks and said it will ensure European data remains in servers within Europe. The problem for Microsoft will come when it receives a FISC order demanding EU data from those European servers. The danger for the United States is that under such circumstances, some of those companies will emigrate from America in order to maintain their European presence.

So, as I said at the beginning, the US would be well-advised to take Europe seriously. Europe is older and more patient than America. It can and will take the long view over this issue.