Will continuing concerns over Facebook privacy change user behavior?

The changes Facebook made to its privacy practices and, in particular, the default settings and additional personal information about Facebook users that is now made public, continue to draw a lot of attention, and not in a positive way. Among the latest news items is an article from Wired that describes how some technology-savvy web marketers are taking advantage of the new Facebook default privacy settings to harvest information about Facebook users and people in their online friend networks. It’s not entirely clear how many of Facebook’s hundreds of millions of registered users have taken action to change their privacy settings since the new practices went into effect a month ago, but anyone who has not is exposing the majority of their profile information not just to users on their own friends lists, but to all the friends of their friends. Even for a user who takes action to restrict the visibility of their information from methods such as web searches, if an outsider knows the user’s email address, that is enough to get to the core profile information that Facebook now treats as public.

Concern among Facebook users has apparently also resulted in a spike in activity to delete Facebook accounts, including through the use of third-party services like Seppukoo and Suicide Machine. Use of these services to remove Facebook accounts has reached sufficient levels to prompt Facebook to start trying to block access from these services (primarily by blocking their IP addresses), and Facebook also reportedly sent a cease-and-desist letter to the creators of Seppukoo.com, claiming that the third-party access to Facebook from Seppukoo violates Facebook’s terms of service and may be prohibited by various computer use and intellectual property laws.

Stepping behind a sociological lens for a moment, what may be more interesting than the debate between Facebook, its users, and privacy advocates is the extent to which the heightened attention on user privacy will actually result in a shift in behavior among users. An academic researcher in the U.K. featured by the BBC this week argues that the decision by social networking users to publish more and more of their personal information online effectively reduces privacy for everyone, in part by diminishing expectations of privacy. The idea here is that from a societal perspective privacy norms are just that, norms, rather than the most or least restrictive interpretations, so when a greater proportion of people opt for looser interpretations of privacy, the societal norm shifts in that direction. This fairly straightforward idea touches on one of the hardest aspects of managing trust (online or otherwise), since there are few hard and fast rules about what does and doesn’t constitute trustworthiness. Instead, trust from personal or organizational perspectives is highly subjective, making the establishment and maintenance of acceptable levels of trust an elusive goal.

HHS plans to test re-identification of “de-identified” health data

In a special notice posted yesterday on FedBizOpps, the HHS Office of the National Coordinator for Health IT is getting ready to put a contract out to fund research on re-identifying datasets that have been de-identified according to HIPAA Privacy Rule standards. As noted previously in this space, academic researchers working at Carnegie-Mellon and at UT-Austin have already reported on efforts to successfully identify records ostensibly anonymized, although to be fair neither of these specific research examples was based on HIPAA de-identified data. What’s most intriguing about this solicitation notice is that ONC has one of the leading experts on the subject, Latanya Sweeney, sitting on its Health IT Policy Committee. Sweeney’s doctoral research included work with anonymized medical records which, she discovered, could be positively identified a majority of the time simply by correlating the medical records with other publicly available data sources that included the demographic information stripped out of the health data. The research to be funded by ONC will focus on data that has been de-identified according to current HIPAA standards, which basically require the removal of 18 specific identifiers and any other information in a health record that might otherwise uniquely identify the individual in question. Specifically:

  1. Names.
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Telephone numbers.
  5. Facsimile numbers.
  6. Electronic mail addresses.
  7. Social security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plate numbers.
  13. Device identifiers and serial numbers.
  14. Web universal resource locators (URLs).
  15. Internet protocol (IP) address numbers.
  16. Biometric identifiers, including fingerprints and voiceprints.
  17. Full-face photographic images and any comparable images.
  18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.
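To make the safe-harbor rules concrete, here is an added example (not from the ONC notice or any HHS tool) that applies the list above to a flat patient record: it drops the outright identifiers, reduces geographic detail to a ZIP3 prefix subject to the 20,000-person rule, keeps only the year of dates, and collapses ages over 89 to "90+". The field names and the ZIP3 population table are assumptions constructed for the example; a real implementation would use Census data.

```python
import re
from datetime import date

# Constructed ZIP3 -> population table for this example; NOT real Census data.
ZIP3_POPULATION = {"021": 1_500_000, "036": 12_000}

# Identifiers 1 and 4-17 of the safe-harbor list are removed outright.
DROP_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
               "account", "license", "vehicle_id", "device_id", "url", "ip",
               "biometric", "photo"}
# Identifier 2: geographic units smaller than a state (ZIP handled separately).
GEO_FIELDS = {"street", "city", "county", "precinct"}
# Identifier 3: dates directly related to the individual.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits only if that ZIP3 area has more than
    20,000 people; otherwise collapse it to '000' (the small-area rule)."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of, not counting an unreached birthday."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def de_identify(record: dict, as_of: date) -> dict:
    """Apply the 18-identifier safe-harbor rules to one flat record (assumed field names)."""
    birth = date.fromisoformat(record["birth_date"]) if "birth_date" in record else None
    age = record.get("age", age_on(birth, as_of) if birth else None)
    over_89 = age is not None and age > 89
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS or key in GEO_FIELDS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            # Only the year survives; for patients over 89 even the birth
            # year is indicative of age, so it is removed as well.
            if not (key == "birth_date" and over_89):
                out[key] = str(date.fromisoformat(value).year)
        elif key == "age":
            out[key] = "90+" if over_89 else value
        else:
            out[key] = value
    if over_89 and "age" not in out:
        out["age"] = "90+"  # the rule permits aggregating to a single 90-or-older bucket
    return out
```

Note that the safe-harbor list removes only the enumerated fields; it does nothing about the quasi-identifier combinations (ZIP3, birth year, sex) that the re-identification research mentioned above relies on.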

It’s not clear at this point what the outcome of such research might be, assuming some level of “success” in re-identifying health data. One mitigation might be an expansion of the list of fields that need to be removed to effectively de-identify someone. A more significant response might be an acknowledgment that true anonymization of health data to the degree sought (and one could argue assumed) under current law and policy simply isn’t possible without more extensive alteration of the original data.

Looking ahead for 2010

We launched this blog a year ago today, as an adjunct to our SecurityArchitecture.com website. It took us a few months to hit our stride, but in the past few months we’ve become not only more consistent in getting our observations and opinions posted, but also identified some key security and privacy topics to keep track of, and established a few recurring themes as well. Most of these were not just timely during 2009, but are likely to continue to be areas of interest in the coming year and beyond, so if you return to this space during 2010 here are some of the things you’re likely to see.

  • Continued attention and increasing pressure on the U.S. government to commit more resources to cybersecurity and, possibly, consolidation of information security oversight and budgetary authority within the executive branch.

  • More emphasis on securing data at rest, in transit, and in use, with relatively less emphasis on system and network security as environment boundaries become less and less well defined due to increased levels of information exchange, inter-organization integration and cooperation, and use of hosted services like cloud computing.

  • Movement in the direction of proactive security, instead of the reactive posture that dominates security programs in both private and public sector organizations today. With any luck this will manifest itself in less security-by-compliance and more testing and validation that implemented security measures are effective.

  • Without diminishing the importance of guarding against insider threats, a resurgence in intrusion detection and prevention, in conjunction with efforts to achieve greater situational awareness to combat increasingly sophisticated and persistent threat sources.

  • A steady stream of breaches and other incidents to highlight the importance of backing up appropriate security and privacy policies with the means to enforce them.

  • Creative approaches and new solutions proposed to address trust among connected entities, including areas such as claims-based identity management, federated identity approaches, stronger identification, authentication, and authorization assertion models, and means to negotiate, establish, maintain, and revoke trust among different entities with widely varying trust requirements in terms of regulations, standards, and risk tolerances.


GAO weighs in on need for consistent data classification

In the wake of the recent release of the Report and Recommendations of the Presidential Task Force on Controlled Unclassified Information, the Government Accountability Office on December 15 released a report on Managing Sensitive Information that addresses many of the same issues raised by the task force. The GAO report focuses specifically on the fact that a multi-agency report containing sensitive-but-unclassified (“SBU”) information about U.S. nuclear facilities was published on a publicly available Government Printing Office website. While a number of factors contributed to this inadvertent disclosure, the GAO report highlighted the lack of consistent data classification terminology among the different federal agencies involved as a significant problem, and recommended that the agencies working with this information create an interagency agreement regarding the designation, marking, and handling of sensitive information. The presidential memorandum that created the task force on controlled unclassified information (ironically issued just three weeks after the nuclear site information was published) noted some 107 different classification schemes in use among various federal agencies for sensitive-but-unclassified information or its equivalent. In the case of the nuclear facility report, problems with document designation included the use of an international sensitivity designation that has no legal standing in the United States, and the subsequent recommendation that the document be labeled sensitive but unclassified despite the apparent lack of understanding of the meaning and implications of an SBU designation among both executive agencies and legislative offices, leading to what GAO called an incorrect determination that the material could be published.
Unfortunately, this incident is just one among many cases of inappropriate disclosure where the problem lies not in malicious intent, but in a lack of awareness and understanding of relevant security policies and the actions needed to follow them.

3 major 2009 privacy trends to watch next year

As the result of a highly unscientific review of big developments on the privacy front in 2009, here are 3 major trends from the past year that we predict will continue to draw attention in 2010.

  1. Increasing likelihood of a federal law on disclosure of data breaches involving personal information. During 2009 there was significant movement on national data breach notification laws in the 111th Congress, including the Data Accountability and Trust Act in the House of Representatives, and two bills in the Senate voted out of the Judiciary Committee, including the Personal Data Privacy and Security Act. Versions of both of these bills were introduced in previous Congressional sessions, but none progressed as far as these have, making passage of a national data breach law in 2010 a feasible proposition. The enhanced privacy provisions in the HITECH Act may have provided a preview of how this sort of legislation will look, with personal health information breach disclosure rules having gone into effect.
  2. Continuing divergence of privacy protections in the U.S. versus the European Community. While domestic trends included strengthening of privacy protections in some important contexts such as health information, a series of developments abroad served to widen the existing divide between E.U. and U.S. privacy approaches. E.U. additions this year included designation of IP addresses as personally identifiable information, mandatory opt-in for the use of cookies, and stronger penalties in the U.K. for misuse of personal data in violation of Data Protection Act §55. European Community privacy protections have long been viewed as stronger than those in the U.S., due in large part to a fundamentally different philosophy focusing first on the privacy interests of individuals, and defaulting to rules favoring information protection rather than disclosure.
  3. Escalation of privacy concerns as the primary obstacle to achieving widespread information exchange. This issue is most notable in health care, but also surfaced in e-commerce, consumer credit markets, and even national security contexts such as terrorism information, where information sharing imperatives may be sufficiently critical to warrant moving ahead without fully addressing security and privacy issues. A tangential trend is the increased awareness of personal privacy control through highly publicized events late in the year such as Facebook’s changes in privacy policy and practices and the Supreme Court’s decision to hear an appeal of a case involving expectations of privacy in the workplace.