Monday, 2 September 2013

You are for sale

The Financial Times have been doing a bit of investigative journalism. Health apps run into privacy snags, they said on 1 September 2013:
Before Celeste Steenburger takes off on her morning run, she taps the orange button on the MapMyRun app on her iPhone to track the exercise.

The 30-year-old office manager counts calories, logging the food she eats into a separate Lose It! app. When her menstrual cycle begins, she marks the details in the Period Tracker Lite app.

With each bit of health data Ms Steenburger records, third-party companies, some with names she has never heard of, are receiving information about her.
Ms Steenburger thinks she's just dealing with MapMyRun and one or two other apps suppliers to keep track of her health. She's wrong. Behind the scenes these suppliers are selling her health data to other interested parties. The FT mention "advertising companies, ... digital analytics and tracking groups, ... health insurance and pharmaceutical companies":
The trend has serious implications for consumers. Data which an individual has willingly handed over to an app develop[er] to better track their own health, could now land in the hands of a large insurer who might use that data to set policy premiums ...

iPeriod will soon have the capability to target ads at a very fine level. So a woman who records in the app that she gets headaches before her period could soon receive an ad for a pain reliever at just the right time of the month ...

“By getting certain populations more active, they can reduce the cost burden for employers around those people,” says Chris Glode, the general manager for MapMyFitness. “If you can get people more active, can improve their health outcomes. That’s really cool, we’re really psyched to be part of that.”
"The top 20 most visited apps transmit information to a web of nearly 70 companies", says the FT, naming Google, Apple, Humana, Aetna and Flurry, a mobile data tracking specialist and the recipient of data from nine of the top 20 health-related apps.

That's the business model. You supply the data and the apps developers sell it. Maybe Celeste Steenburger didn't expect that but you should.

Perhaps this business model is restricted to the private sector?

No.

The public sector are at it as well.

It is three years since the Telegraph reported that the Department for Work and Pensions were paying Experian, the credit referencing agency, to analyse the data they hold and try to identify benefit cheats, please see Bounty hunters to cut benefit fraud by £1bn.

And more recently, in May 2013, the Mail told us that Orange/EE (Everything Everywhere) were selling data on their 27 million mobile phone users in the UK and that among the interested parties were the police. In the end, the police didn't buy anything but they were interested and maybe next time ...
Millions of phone records revealing age, address and even the websites you visited were offered for sale to police in controversial deal

... Scotland Yard held a meeting with Ipsos Mori about the possibility of paying for some of the data to fight crime, but yesterday the force said it was not planning to make any offers for it.
Not very convincing, you may say, the public sector hasn't actually bought any personal data from Experian or EE, and they certainly don't sell personal data.

Oh yes they do.

Here's the Guardian on 17 May 2013:
£140 could buy private firms data on NHS patients

... On Monday the government slipped out the news that private insurer Bupa was approved to access England's "sensitive or identifiable" patient data, housed centrally by the Health and Social Care Information Centre (HSCIC). It is now among four private firms that have passed the government's vetting procedures.

The charging structure for "bespoke patient-level extracts" was revealed when HSCIC put up a "cost calculator" to work out how much prospective customers would pay for sensitive hospital data. The "indicative fee" for a full set of 20 years' inpatient data was about £8,000 including £140 to make the records identifiable.
It's a lot cheaper in the Mail, please see Your confidential medical records for sale... at just £1: Hunt insists plan to sell details to private firms is vital to combat epidemics - but critics fear 'unprecedented' privacy threat.

"So who cares if you’ve got haemorrhoids or athlete’s foot?", asks the Telegraph in Patient confidentiality? Not if the price is right – the answer they give is "more people than you might think". It's all that Jeremy Hunt's fault, the Secretary of State for Health, Jeremy Hunt plans to give anonymised patient medical records to private firms.

"Anonymised patient medical records"? Anonymised? Oh yeah? Mr Hunt might believe that but he's not a professor of IT. Martyn Thomas is, and he told the Public Administration Select Committee that "anonymised research data" is an oxymoron (para.4) – if the data's anonymised it's no use for research and if it's any use for research then it's not anonymised.

He is not alone in that belief, please see for example The rush to ‘anonymised’ data by Professor Ross Anderson.

"Anonymised data" must join "secure website" in your list of count-your-fingers-after-shaking-hands phrases.

Bang goes medical confidentiality. Secrecy. Privacy.

You were warned. By Stephan Shakespeare. Health data is "open data" or PSI (public sector information), he says. PSI belongs to everyone and processing it will boost the economy.

Not just Mr Shakespeare – Professor Sir Nigel Shadbolt, too. He's told you that he wants to mix your health data and travel data with anything you've put in your midata personal data store, and give the whole lot to apps-writers to improve your life.

For further information on the state destruction of medical confidentiality in the UK, please visit medConfidential. They provide a form you can use to opt out of HSCIC sales of your medical data.

No comments:

Post a comment