Monday, 2 September 2013

You are for sale

The Financial Times have been doing a bit of investigative journalism. Health apps run into privacy snags, they said on 1 September 2013:
Before Celeste Steenburger takes off on her morning run, she taps the orange button on the MapMyRun app on her iPhone to track the exercise.

The 30-year-old office manager counts calories, logging the food she eats into a separate Lose It! app. When her menstrual cycle begins, she marks the details in the Period Tracker Lite app.

With each bit of health data Ms Steenburger records, third-party companies, some with names she has never heard of, are receiving information about her.
Ms Steenburger thinks she's just dealing with MapMyRun and one or two other apps suppliers to keep track of her health. She's wrong. Behind the scenes these suppliers are selling her health data to other interested parties. The FT mention "advertising companies, ... digital analytics and tracking groups, ... health insurance and pharmaceutical companies":
The trend has serious implications for consumers. Data which an individual has willingly handed over to an app develop[er] to better track their own health, could now land in the hands of a large insurer who might use that data to set policy premiums ...

iPeriod will soon have the capability to target ads at a very fine level. So a woman who records in the app that she gets headaches before her period could soon receive an ad for a pain reliever at just the right time of the month ...

“By getting certain populations more active, they can reduce the cost burden for employers around those people,” says Chris Glode, the general manager for MapMyFitness. “If you can get people more active, can improve their health outcomes. That’s really cool, we’re really psyched to be part of that.”
"The top 20 most visited apps transmit information to a web of nearly 70 companies", says the FT, naming Google, Apple, Humana, Aetna and Flurry, a mobile data tracking specialist and the recipient of data from nine of the top 20 health-related apps.

That's the business model. You supply the data and the apps developers sell it. Maybe Celeste Steenburger didn't expect that but you should.

Perhaps this business model is restricted to the private sector?

No.

The public sector are at it as well.

It is three years since the Telegraph reported that the Department for Work and Pensions were paying Experian, the credit referencing agency, to analyse the data they hold and try to identify benefit cheats, please see Bounty hunters to cut benefit fraud by £1bn.

And more recently, in May 2013, the Mail told us that Orange/EE (Everything Everywhere) were selling data on their 27 million mobile phone users in the UK and that among the interested parties were the police. In the end, the police didn't buy anything but they were interested and maybe next time ...
Millions of phone records revealing age, address and even the websites you visited were offered for sale to police in controversial deal

... Scotland Yard held a meeting with Ipsos Mori about the possibility of paying for some of the data to fight crime, but yesterday the force said it was not planning to make any offers for it.
Not very convincing, you may say, the public sector hasn't actually bought any personal data from Experian or EE, and they certainly don't sell personal data.

Oh yes they do.

Here's the Guardian on 17 May 2013:
£140 could buy private firms data on NHS patients

... On Monday the government slipped out the news that private insurer Bupa was approved to access England's "sensitive or identifiable" patient data, housed centrally by the Health and Social Care Information Centre (HSCIC). It is now among four private firms that have passed the government's vetting procedures.

The charging structure for "bespoke patient-level extracts" was revealed when HSCIC put up a "cost calculator" to work out how much prospective customers would pay for sensitive hospital data. The "indicative fee" for a full set of 20 years' inpatient data was about £8,000 including £140 to make the records identifiable.
It's a lot cheaper in the Mail, please see Your confidential medical records for sale... at just £1: Hunt insists plan to sell details to private firms is vital to combat epidemics - but critics fear 'unprecedented' privacy threat.

"So who cares if you’ve got haemorrhoids or athlete’s foot?", asks the Telegraph in Patient confidentiality? Not if the price is right – the answer they give is "more people than you might think". It's all that Jeremy Hunt's fault, the Secretary of State for Health, Jeremy Hunt plans to give anonymised patient medical records to private firms.

"Anonymised patient medical records"? Anonymised? Oh yeah? Mr Hunt might believe that but he's not a professor of IT. Martyn Thomas is, and he told the Public Administration Select Committee that "anonymised research data" is an oxymoron (para.4) – if the data's anonymised it's no use for research and if it's any use for research then it's not anonymised.

He is not alone in that belief, please see for example The rush to ‘anonymised’ data by Professor Ross Anderson.

"Anonymised data" must join "secure website" in your list of count-your-fingers-after-shaking-hands phrases.

Bang goes medical confidentiality. Secrecy. Privacy.

You were warned. By Stephan Shakespeare. Health data is "open data" or PSI (public sector information), he says. PSI belongs to everyone and processing it will boost the economy.

Not just Mr Shakespeare – Professor Sir Nigel Shadbolt, too. He's told you that he wants to mix your health data and travel data with anything you've put in your midata personal data store, and give the whole lot to apps-writers to improve your life.

For further information on the state destruction of medical confidentiality in the UK, please visit medConfidential. They provide a form you can use to opt out of HSCIC sales of your medical data.

You are for sale

The Financial Times have been doing a bit of investigative journalism. Health apps run into privacy snags, they said on 1 September 2013:
Before Celeste Steenburger takes off on her morning run, she taps the orange button on the MapMyRun app on her iPhone to track the exercise.

The 30-year-old office manager counts calories, logging the food she eats into a separate Lose It! app. When her menstrual cycle begins, she marks the details in the Period Tracker Lite app.

With each bit of health data Ms Steenburger records, third-party companies, some with names she has never heard of, are receiving information about her.

Monday, 19 August 2013

GDS and privacy

Yesterday's Sunday Times:
Google: we are beyond British law

The internet giant says the High Court has no authority to rule over a landmark UK privacy claim ...

“They don’t respect privacy and they don’t consider themselves to be answerable to our laws on it” ...

Last week Google’s privacy policies came under fresh attack in America after it said that its 425m Gmail users could have no “reasonable expectation” that their messages would remain confidential. The admission came to light in a court filing.

In its submission to the High Court, Google’s lawyers argue that any information gleaned from the search engine is not “private or confidential”. This means that the company is under no obligation to hold it in confidence, they say.
You know where you are with Google. No "reasonable expectation" of confidentiality/privacy.

Similarly, you know where you are with the UK Cabinet Office. Francis Maude, the Minister in charge, told the Information Commissioner's Conference:
Sharing data is a key enabler in our ambition to see public services provided digitally by default ...the census is another area where I want to bust the myths around the complexities of data sharing ... we aim to find effective ways of using and sharing data for the good of everyone ...
The provisions designed to limit data-sharing in government are no more than "myths", in his eyes, and will be swept away by Mr Maude's modernisation plans – spearheaded by the Government Digital Service (GDS).

You know where you are with GDS. Ex-Guardian man Mike Bracken, executive director of GDS and senior responsible owner of the pan-government Identity Assurance Programme (IDAP) has told you:
Andrew Nash, Google’s Director of Identity, ran us through the current issues facing identity.He explained how Google aim to grow and be part of an ecosystem of identify providers, and encouraged the UK Government to play its part in a federated system. The UK ID Assurance team and Google agreed to work more closely to define our strategy – so look out for future announcements. Andrew also took the opportunity to walk the Minister through the Identity ecosystem.
Which brings you back to Google and the "reasonable expectation" of privacy – there is none.

The Privacy and Consumer Advisory Group (PCAG) have worked hard to devise nine privacy principles. And ex-Guardian man Mike Bracken has asked for comments on these principles. But you have to ask yourself whether his heart is in it. PCAG is only an advisory group and GDS can ignore their suggestions.

GDS were asked to produce a version of the nine principles with numbered paragraphs to make it easier to refer to them when submitting responses to the consultation exercise. GDS agreed that this would be a good idea. That was on 20 June 2013. Two months later, and no further action has been taken since.

When GDS held their revivalist The Future is Here event back in January 2013, they got everyone to book their place through Eventbrite, a Californian firm of event organisers. A Californian firm of event organisers who now have all the contact details of 300 civil servants "working across Government and its agencies to deliver our digital ambition statement". A marketing man's dream. So much for GDS and the "reasonable expectation" of privacy.

There has been at least one submission made in response to the PCAG consultation. Compiled by Mark King, it is published in full by the great Philip Virgo. Mr King's submission is masterly and suggests that even if GDS were to agree to the nine principles our "reasonable expectation" of privacy would still be disappointed.

These are the dog days of August, no-one can be expected to respond to consultations while we are all in the doldrums. But come September, if you have any desire to protect your reasonable expectations, it could be worth making the effort to respond.

GDS and privacy

Yesterday's Sunday Times:
Google: we are beyond British law

The internet giant says the High Court has no authority to rule over a landmark UK privacy claim ...

“They don’t respect privacy and they don’t consider themselves to be answerable to our laws on it” ...

Last week Google’s privacy policies came under fresh attack in America after it said that its 425m Gmail users could have no “reasonable expectation” that their messages would remain confidential. The admission came to light in a court filing.

In its submission to the High Court, Google’s lawyers argue that any information gleaned from the search engine is not “private or confidential”. This means that the company is under no obligation to hold it in confidence, they say.
You know where you are with Google. No "reasonable expectation" of confidentiality/privacy.

Friday, 9 August 2013

Cyber security is a hangover in Vegas

DEF CON was founded in 1992 or 1993 by Jeff Moss (no relation) and is "one of the world's largest annual hacker conventions, held every year in Las Vegas, Nevada ... Many of the attendees at DEF CON include computer security professionals, journalists, lawyers, federal government employees, security researchers, and hackers with a general interest in software, computer architecture, phone phreaking, hardware modification, and anything else that can be 'hacked' ...".

Not to be confused with Black Hat Briefings, which was founded in 1997 by Jeff Moss (no relation) and is "a computer security conference that brings together a variety of people interested in information security. Representatives of government agencies and corporations attend, along with hackers. The Briefings take place regularly in Las Vegas, Barcelona, Amsterdam, Abu Dhabi and, occasionally, Tokyo. An event dedicated to the Federal Agencies is organized in Washington, DC ...".

Would you like to attend DEF CON? One young lady who attended this year gave an interview to BuzzFeed magazine that gives you a hangover just to read it: "... But I had a good time. It’s always a good time. As long as you remember most of it. Or maybe you don’t want to remember. It just kicks your ass. But once a year? It isn’t the worst thing for your liver".

She was interviewed because she was the only ovine who had appeared on the Wall of Sheep and was prepared to talk about it. The Wall of Sheep is where the DEF CON organisers display the logon IDs and passwords of everyone at the conference who has foolishly allowed themselves to be hacked.

The way our young lady put it, "... at past Def Cons, I didn't really have to worry about it, because someone else was always there to take care of it. When we would get close, he’d say turn stuff off, don’t let any of your wireless devices accept any open Wi-Fi or anything. Turn off Bluetooth, anything that connects to you. So I had someone watching out for me before, but since this was my first one on my own, I didn't take precautions".

"This 28-year-old graphic designer from Utah agreed to tell her story on the condition that we preserve her anonymity — or what remains of it", say BuzzFeed. Not a lot: "I got my alert on my cell phone [saying] that I was using too much data. I knew something wasn't right, so I started making changes when I could. I left on Saturday, so I spent most of that night and the next day cleaning up my accounts that may be associated. I totally got owned. It's just such a rookie mistake".

We might take more care of our livers but we, too, would "totally get owned" by hackers if the occasion presented itself.

Anyway, DEF CON is the nice conference and, in light of the Edward Snowden revelations, Jeff Moss (no relation) asked the feds to stay away this year. Which they did. They went to Black Hat instead, where General Keith Alexander, the Director of the NSA [National Security Agency] and Commander of the DOD's [Departent of Defense] US Cyber Command was the keynote speaker.

The general would probably have stayed away from DEF CON this year even if Jeff hadn't asked – he was keynote speaker there last year.

Presumably the feds and the hackers attend these events to size each other up. Maybe there's a bit of trading – you tell me how you did x and I'll show you how I do y. Who knows? One thing is clear, though – the rest of us haven't got a clue. Or a chance.

Hypothesis: when we hear that such-and-such website is secure, or this mobile phone operating system or that slab telecommunications facility, we might as well forget it. None of it is secure. Not for the general public. And don't you believe anyone who tells you otherwise.

Cyber security is a hangover in Vegas

DEF CON was founded in 1992 or 1993 by Jeff Moss (no relation) and is "one of the world's largest annual hacker conventions, held every year in Las Vegas, Nevada ... Many of the attendees at DEF CON include computer security professionals, journalists, lawyers, federal government employees, security researchers, and hackers with a general interest in software, computer architecture, phone phreaking, hardware modification, and anything else that can be 'hacked' ...".

Not to be confused with Black Hat Briefings, which was founded in 1997 by Jeff Moss (no relation) and is "a computer security conference that brings together a variety of people interested in information security. Representatives of government agencies and corporations attend, along with hackers. The Briefings take place regularly in Las Vegas, Barcelona, Amsterdam, Abu Dhabi and, occasionally, Tokyo. An event dedicated to the Federal Agencies is organized in Washington, DC ...".

Would you like to attend DEF CON? One young lady who attended this year gave an interview to BuzzFeed magazine that gives you a hangover just to read it: "... But I had a good time. It’s always a good time. As long as you remember most of it. Or maybe you don’t want to remember. It just kicks your ass. But once a year? It isn’t the worst thing for your liver".

Wednesday, 7 August 2013

Toe-curling: GDS PR Blitz

The launch of the Government Digital Service's PR campaign on the BBC and in the Guardian was noted here three weeks ago on 14 June 2013.

Last week a new front was opened up in the Times newspaper with an opinion piece by Rachel Sylvester, Geeks in jeans are the Treasury’s new heroes. Are they geeks? Are they in jeans? Are they the Treasury's new heroes? Precisely what have GDS achieved so far? What is the outlook for all their outstanding projects? Ms Sylvester left her readers none the wiser.

Yesterday, again in the Times, the PR campaign went out of control. Laura Pitel wrote Jordan Hatch: boy wonder civil servant with a plan to save £4m:
He has no university degree, no A levels and wears cargo pants to work. Meet the teenage civil servant who is going to save you £4 million ... Jordan Hatch is the poster boy of the Government’s digital revamp ... Bringing a 17-year-old on to the team was seen as the embodiment of a new, more adventurous way of thinking ... the lack of formal qualifications betrays [?] a talent for IT that began when he was barely out of nappies ... Baroness Lane Fox of Soho, recently secured him a role as young digital adviser to the European Commission ...
This ruthless exploitation of Mr Hatch extends all the way to Sir Bob Kerslake, head of the home civil service, and it smacks of desperation:

Toe-curling: GDS PR Blitz

The launch of the Government Digital Service's PR campaign on the BBC and in the Guardian was noted here three weeks ago on 14 June 2013.

Last week a new front was opened up in the Times newspaper with an opinion piece by Rachel Sylvester, Geeks in jeans are the Treasury’s new heroes. Are they geeks? Are they in jeans? Are they the Treasury's new heroes? Precisely what have GDS achieved so far? What is the outlook for all their outstanding projects? Ms Sylvester left her readers none the wiser.

Monday, 5 August 2013

midata and your money

WHAT'S NEXT POST LAUNCH OF THE MIDATA INNOVATION LAB?

Good question.

That's the title of an interview with Dan Bates, director of the midata Innovation Lab (mIL), published in Ctrl-Shift News, where space is so tight that there isn't room to remind the reader that Ctrl-Shift is one of the 22 Founding Partners of mIL.

"I am proud that we have set the bar high by bringing the mIL to life in just seven weeks from project kick-off", says Dan, too young perhaps to remember that "project kick-off" was 91 weeks ago on 3 November 2011 when the Department for Business Innovation and Skills published Government, business and consumer groups commit to midata vision of consumer empowerment.

mIL has several "learning streams of activity", we learn during the interview, and a "project heartbeat". mIL is an "enabler" and "we have made it easy to get involved". It is a "potential consumer blockbuster" but, before that happens, Dan needs more organisations to sign up.

What kind of organisations? Answer: "these organisations will be trail-blazers who have the humility to acknowledge no-one as yet has all the answers, and thus share and learn, whilst at the same time having the vision and boldness to be the first-movers that accelerate the personal data market".

It's not easy to find organisations like that and Dan's boss, Professor Sir Nigel Shadbolt, has been reduced to trying to buy them in:


As well as bold humble visionaries, there are "experts involved in the mIL", Dan wants it to be "transformative" and he wants to "kick start a collective inflection point in business". midata is all about apps. What kind of apps? According to Dan, "really interesting" ones: "I want some really interesting apps and services to come out of the mIL".

You wouldn't fund a project for 91 weeks, would you, based on breathless promises of really interesting transformative apps that will kickstart a collective inflection point?

You just have. And there's no end in sight.

midata and your money

WHAT'S NEXT POST LAUNCH OF THE MIDATA INNOVATION LAB?

Good question.

That's the title of an interview with Dan Bates, director of the midata Innovation Lab (mIL), published in Ctrl-Shift News, where space is so tight that there isn't room to remind the reader that Ctrl-Shift is one of the 22 Founding Partners of mIL.

"I am proud that we have set the bar high by bringing the mIL to life in just seven weeks from project kick-off", says Dan, too young perhaps to remember that "project kick-off" was 91 weeks ago on 3 November 2011 when the Department for Business Innovation and Skills published Government, business and consumer groups commit to midata vision of consumer empowerment.