The changes Facebook made to its privacy practices, in particular the new default settings and the additional personal information about Facebook users that is now made public, continue to draw a lot of attention, and not in a positive way. Among the latest news items is an article from Wired that describes how some technology-savvy web marketers are taking advantage of the new Facebook default privacy settings to harvest information about Facebook users and the people in their online friend networks. It’s not entirely clear how many of Facebook’s hundreds of millions of registered users have taken action to change their privacy settings since the new practices went into effect a month ago, but anyone who has not is exposing the majority of their profile information not just to the users on their own friends list, but to all the friends of their friends. Even for a user who takes action to restrict the visibility of their information from methods such as web searches, if an outsider knows the user’s email address, that is enough to get to the core profile information that Facebook now treats as public.
Concern among Facebook users has apparently also resulted in a spike in activity to delete Facebook accounts, including through the use of third-party services like Seppukoo and Suicide Machine. Use of these services to remove Facebook accounts has reached sufficient levels to prompt Facebook to start trying to block access from these services (primarily by blocking IP addresses), although Facebook also reportedly sent a cease-and-desist letter to the creators of Seppukoo.com, claiming that the third-party access to Facebook from Seppukoo violates Facebook’s terms of service and may be prohibited by various computer use and intellectual property laws.
Stepping behind a sociological lens for a moment, what may be more interesting than the debate between Facebook, its users, and privacy advocates is the extent to which the heightened attention on user privacy will actually result in a shift in behavior among users. Academic research in the U.K. featured by the BBC this week argues that the decision by social networking users to publish more and more of their personal information online effectively reduces privacy for everyone, in part by diminishing expectations of privacy. The idea here is that from a societal perspective privacy norms are just that, norms, rather than the most or least restrictive interpretations, so when a greater proportion of people opt for looser interpretations of privacy, the societal norm shifts in that direction. This fairly straightforward idea touches on one of the hardest aspects of managing trust (online or otherwise), since there are few hard and fast rules about what does and doesn’t constitute trustworthiness. Instead, trust from personal or organizational perspectives is highly subjective, making the establishment and maintenance of acceptable levels of trust an elusive goal.
In a special notice posted yesterday on FedBizOpps, the HHS Office of the National Coordinator for Health IT is getting ready to put out a contract to fund research on re-identifying datasets that have been de-identified according to HIPAA Privacy Rule standards. As noted previously in this space, academic researchers working at Carnegie-Mellon and at UT-Austin have already reported on efforts to successfully identify records that were ostensibly anonymized, although to be fair neither of these specific research examples was based on HIPAA de-identified data. What’s most intriguing about this solicitation notice is that ONC has one of the leading experts on the subject, Latanya Sweeney, sitting on its Health IT Policy Committee. Sweeney’s doctoral research included work with anonymized medical records which, she discovered, could be positively identified a majority of the time simply by correlating the medical records with other publicly available data sources that included the demographic information stripped out of the health data. The research to be funded by ONC will focus on data that has been de-identified according to current HIPAA standards, which basically require the removal of 18 specific identifiers and any other information in a health record that might otherwise uniquely identify the individual in question. Specifically:
It’s not clear at this point what the outcome of such research might be, assuming some level of “success” in re-identifying health data. One mitigation might be an expansion of the list of fields that need to be removed to effectively de-identify someone. A more significant response might be an acknowledgment that true anonymization of health data to the degree sought (and one could argue assumed) under current law and policy simply isn’t possible without more extensive alteration of the original data.
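The re-identification risk Sweeney’s work points to comes from the fields that survive de-identification (ZIP code, birth date, sex) being rare enough in combination to single out a record. The following Python script is an added example, not code from the original post or from ONC, showing the check a data steward can run before releasing an extract: it counts how many records are unique on those quasi-identifiers, first on the raw fields and then after applying the HIPAA Safe Harbor generalizations for those fields (ZIP truncated to three digits, dates reduced to the year, ages over 89 collapsed to "90+" with the birth year dropped). The patient rows are constructed for the example; the script assumes every three-digit ZIP area exceeds the 20,000-person threshold that Safe Harbor requires for keeping the prefix, and uses a fixed reference date of 2010-01-01 for computing age.

```python
"""Re-identification risk check for a "de-identified" health extract.

Added example (not from the original post). Measures how many records in a
constructed sample remain unique on the quasi-identifiers ZIP code, birth
date and sex, before and after HIPAA Safe Harbor style generalization.
"""
from collections import Counter
from datetime import date

# Constructed sample rows: (zip5, birth_date, sex, diagnosis). Direct
# identifiers (name, address, SSN) are already gone; these are what is left.
RECORDS = [
    ("02138", date(1954, 7, 13), "F", "hypertension"),
    ("02138", date(1954, 7, 13), "M", "asthma"),
    ("02138", date(1961, 3, 2), "F", "diabetes"),
    ("02139", date(1917, 1, 9), "F", "arthritis"),   # age over 89
    ("02139", date(1985, 11, 30), "M", "flu"),
    ("02139", date(1985, 11, 30), "M", "flu"),
    ("02140", date(1990, 5, 21), "F", "migraine"),
    ("02140", date(1990, 5, 22), "F", "migraine"),
]

REFERENCE_DATE = date(2010, 1, 1)   # assumption: fixed "as of" date for ages


def raw_key(rec):
    """Quasi-identifier tuple as it appears in the extract (no generalization)."""
    zip5, dob, sex, _ = rec
    return (zip5, dob.isoformat(), sex)


def safe_harbor_key(rec, as_of=REFERENCE_DATE):
    """Quasi-identifier tuple after Safe Harbor generalization.

    - ZIP reduced to its first three digits (assumption: every prefix here
      covers more than 20,000 people, so it may be retained).
    - Dates reduced to the year.
    - Ages over 89 reported as "90+", and the birth year is dropped because
      the year alone would reveal that the person is over 89.
    """
    zip5, dob, sex, _ = rec
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    dob_field = "90+" if age > 89 else str(dob.year)
    return (zip5[:3], dob_field, sex)


def uniqueness_report(records, keyfunc):
    """Count records that are alone in their quasi-identifier cell.

    k_anonymity is the size of the smallest cell; any value of 1 means at
    least one record can be singled out by someone holding the same fields
    from a public source (voter rolls, directories, and so on).
    """
    counts = Counter(keyfunc(r) for r in records)
    unique_keys = sorted(k for k, n in counts.items() if n == 1)
    return {
        "records": len(records),
        "unique": len(unique_keys),
        "k_anonymity": min(counts.values()),
        "unique_keys": unique_keys,
    }


if __name__ == "__main__":
    for label, keyfunc in (("raw fields", raw_key), ("safe harbor", safe_harbor_key)):
        report = uniqueness_report(RECORDS, keyfunc)
        print(f"{label:12s} unique={report['unique']}/{report['records']} "
              f"k={report['k_anonymity']}")
        for key in report["unique_keys"]:
            print("   singled out:", key)
```

On the constructed rows, six of the eight records are unique on the raw fields and four remain unique after Safe Harbor generalization, so the minimum cell size stays at 1. That is the point made above: removing the 18 identifiers shrinks the number of singled-out records but does not, by itself, guarantee that no record in a small extract can be matched to an outside source.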
We launched this blog a year ago today, as an adjunct to our SecurityArchitecture.com website. It took us a few months to hit our stride, but in the past few months we have not only become more consistent in getting our observations and opinions posted, but have also identified some key security and privacy topics to keep track of and established a few recurring themes. Most of these were not just timely during 2009, but are likely to continue to be areas of interest in the coming year and beyond, so if you return to this space during 2010, here are some of the things you’re likely to see.
In the wake of the recent release of the Report and Recommendations of the Presidential Task Force on Controlled Unclassified Information, the Government Accountability Office on December 15 released a report on Managing Sensitive Information that addresses many of the same issues raised by the task force. The GAO report focuses specifically on the fact that a multi-agency report containing sensitive-but-unclassified (“SBU”) information about U.S. nuclear facilities was published on a publicly available Government Printing Office website. While a number of factors contributed to this inadvertent disclosure, the GAO report highlighted the lack of consistent data classification terminology among the different federal agencies involved as a significant problem, and recommended that the agencies working with this information create an interagency agreement regarding the designation, marking, and handling of sensitive information. The presidential memorandum that created the task force on controlled unclassified information (ironically issued just three weeks after the nuclear site information was published) noted some 107 different classification schemes in use among various federal agencies for sensitive-but-unclassified information or its equivalent. In the case of the nuclear facility report, problems with document designation included the use of an international sensitivity designation that has no legal standing in the United States, followed by a recommendation that the document be labeled sensitive but unclassified despite an apparent lack of understanding, among both executive agencies and legislative offices, of what an SBU designation means and implies; this led to what GAO called an incorrect determination that the material could be published.
Unfortunately, this incident is just one among many cases of inappropriate disclosure where the problem lies not in malicious intent, but in a lack of awareness and understanding of relevant security policies and the actions needed to follow them.
As the result of a highly unscientific review of big developments on the privacy front in 2009, here are 3 major trends from the past year that we predict will continue to draw attention in 2010.