Posts filed under 'News coverage

Apr 4, '14

Today I gave a talk at the Open Data Institute on a catastrophic failure of anonymity in medical research. Here’s the audio and video, and here are the slides.

Three weeks ago we made a formal complaint to the ICO about the Department of Health supplying a large amount of data to PA Consulting, who uploaded it to the Google cloud in defiance of NHS regulations on sending data abroad. This follows several other scandals over NHS chiefs claiming that hospital episode statistics data are anonymous and selling it to third parties, when it is nothing of the kind.

Yesterday the Department of Health disclosed its Register of Approved Data Releases which shows that many organisations in both the public and private sectors have been supplied with HES data over the past year. It’s amazing how many of them are marked “non sensitive”: even number 408, where Imperial College got data with the with HESID (which includes postcode or NHS number), date of birth, home address, and GP practice. How officials can maintain that such data does not identify individuals is beyond me.

Mar 14, '14

Three NGOs have lodged a formal complaint to the Information Commissioner about the fact that PA Consulting uploaded over a decade of UK hospital records to a US-based cloud service. This appears to have involved serious breaches of the UK Data Protection Act 1998 and of multiple NHS regulations about the security of personal health information. This already caused a row in Parliament and the Deparatment of Health seems to be trying to wriggle off the hook by pretending that the data were pseudonymised. Other EU countries have banned such uploads. Regular LBT readers will know that the Department of Health has got itself in a complete mess over medical record privacy.

Feb 8, '14

On January 23rd we had a conference call with the NHS Information Centre and a couple of its software suppliers about anonymisation. LBT readers will have followed how your GP records are to uploaded to the new central database care.data for resale unless you opt out. Any previous opt outs from other central systems like SCR will be disregarded (even if you wrote saying you opted out of all central systems), along with opt-outs from regional systems.

We’d been told that if you opted out afresh your data would be uploaded only in anonymised, aggregated form; after all the Prime Minister promised. But I persisted. How will the NHS work out doctors’ bonuses in respect of opted-out patients? Doctors get extra payments for meeting targets, such as ensuring that diabetic patients get eye tests; these used to be claimed by practice managers but are now to be worked out centrally. If the surgery just uploads “We have N patients opted out and their diagnostic codes are R1, R2, R3, …” then officials might have to give doctors the benefit of the doubt in bonus calculations.

It turned out that officials were still dithering. The four PC software vendors met them on January 22nd and asked for the business logic so they could code up the extraction, but officials could not make up their minds whether to respect the Prime Minister’s promise (and human-rights law) or to support the bonus calculation. So here we had a major national programme being rolled out next month, and still without a stable specification!

Now the decision has been taken. If you opt out, all your clinical data will be uploaded as a single record, but with your name, date of birth and postcode removed. The government will simply pretend this is anonymous, even though they well know it is not. This is clearly unlawful. Our advice is to opt out anyway while we lobby ministers to get their officials under control, deliver on Cameron’s promise and obey the law.

Feb 5, '14

Today we release a paper on security protocols and evidence which analyses why dispute resolution mechanisms in electronic systems often don’t work very well. On this blog we’ve noted many many problems with EMV (Chip and PIN), as well as other systems from curfew tags to digital tachographs. Time and again we find that electronic systems are truly awful for courts to deal with. Why?

The main reason, we observed, is that their dispute resolution aspects were never properly designed, built and tested. The firms that delivered the main production systems assumed, or hoped, that because some audit data were available, lawyers would be able to use them somehow.

As you’d expect, all sorts of things go wrong. We derive some principles, and show how these are also violated by new systems ranging from phone banking through overlay payments to Bitcoin. We also propose some enhancements to the EMV protocol which would make it easier to resolve disputes over Chip and PIN transactions.

Update (2013-03-07): This post was mentioned on Bruce Schneier’s blog, and this is some good discussion there.

Update (2014-03-03): The slides for the presentation at Financial Cryptography are now online.

Feb 4, '14

If you listen to Radio 4 from 0810 on BBC iPlayer, you’ll hear a debate between Phil Booth of MedConfidential and Tim Kelsey of NHS England – the guy driving the latest NHS data grab.

Tim Kelsey made a number of misleading claims. He claimed for example that in 25 years there had never been a single case of patient confidentiality compromise because of the HES data kept centrally on all hospital treatments. This was untrue. A GP practice manager, Helen Wilkinson, was stigmatised as an alcoholic on HES because of a coding error. She had to get her MP to call a debate in Parliament to get this fixed (and even after the minister promised it had been fixed, it hadn’t been; that took months more pushing).

Second, when Tim pressed Phil for a single case where data had been compromised, Phil said “Gordon Brown”. Kelsey’s rebuttal was “That was criminal hacking.” Again, this was untrue; Gordon Brown’s information was accessed by Andrew Jamieson, a doctor in Dunfermline, who abused his authorised access to the system. He was not prosecuted because this was not in the public interest. Yeah, right. And now Kelsey is going to give your GP records not just to almost everyone in the NHS but to university researchers (I have been offered access though I’m not even a medic and despite the fact that academics have lost millions of records in the past), to drug firms like GlaxoSmithKline, and even to Silicon-Valley informatics companies such as 23andme.

Jan 8, '14

The next three weeks will see a leaflet drop on over 20 million households. NHS England plans to start uploading your GP records in March or April to a central system, from which they will be sold to a wide range of medical and other research organisations. European data-protection and human-rights laws demand that we be able to opt out of such things, so the Information Commissioner has told the NHS to inform you of your right to opt out.

Needless to say, their official leaflet is designed to cause as few people to opt out as possible. It should really have been drafted like this. (There’s a copy of the official leaflet at the MedConfidential.org website.) But even if it had been, the process still won’t meet the consent requirements of human-rights law as it won’t be sent to every patient. One of your housemates could throw it away as junk before you see it, and if you’ve opted out of junk mail you won’t get a leaflet at all.

Yet if you don’t opt out in the next few weeks your data will be uploaded to central systems and you will not be able to get it deleted, ever. If you don’t opt out your kids in the next few weeks the same will happen to their data, and they will not be able to get their data deleted even if they decide they prefer privacy once they come of age. If you opted out of the Summary Care Record in 2009, that doesn’t count; despite a ministerial assurance to the contrary, you now need to opt out all over again. For further information see the website of GP Neil Bhatia (who drafted our more truthful leaflet) and previous LBT posts on medical privacy.

Dec 31, '13

We had a crypto festival in London in London in November at which a number of cryptographers and crypto policy folks got together with over 1000 mostly young attendees to talk about what might be done in response to the Snowden revelations.

Here is a video of the session in which I spoke. The first speaker was Annie Machon (at 02.35) talking of her experience of life on the run from MI5, and on what we might do to protect journalists’ sources in the future. I’m at 23.55 talking about what’s changed for governments, corporates, researchers and others. Nick Pickles of Big Brother Watch follows at 45.45 talking on what can be done in terms of practical politics; it turned out that only two of us in the auditorium had met our MPs over the Comms Data Bill. The final speaker, Smari McCarthy, comes on at 56.45, calling for lots more encryption. The audience discussion starts at 1:12:00.

Nov 22, '13

Your medical records are now officially on sale. American drug companies now learn that MedRed BT Health Cloud will provide public access to 50 million de-identified patient records from UK.

David Cameron announced in 2011 that every NHS patient would be a research patient, with their records opened up to private healthcare firms. He promised that our records would be anonymised and we’d have a right to opt out. I pointed out that anonymisation doesn’t work very well (as did the Royal Society) but the Information Commissioner predictably went along with the charade (and lobbyists are busy fixing up the new data protection regulation in Brussels to leave huge loopholes for health service management and research). The government duly started to compel the upload of GP data, to join the hospital data it already has. During the launch of a medical confidentiality campaign the health secretary promised to respect existing opt-outs but has now reneged on his promise.

The data being put online by BT appear to be the data it already manages from the Secondary Uses Service, which is mostly populated by records of finished consultant episodes from hospitals. These are pseudonymised by removing names and addresses but still have patient postcodes and dates of birth; patient views on this were ignored. I wonder if US purchasers will get these data items? I also wonder whether patients will be able to opt out of SUS? Campaigners have sent freedom of information requests to hundreds of hospitals to find out; so we should know soon enough.

Nov 8, '13

Yesterday the heads of “MI5″, “MI6″ and GCHQ appeared before the Intelligence Security Committee of Parliament. The uncorrected transcript of their evidence is now online (or you can watch the video).

One of the questions fielded by Andrew Parker (“MI5″) was how many terrorist plots there had been over the past ten years. According to the uncorrected transcript (and this accords with listening to the video — question starts at 34:40) he said:

I think the number since… if I go back to 2005, rather than ten years… 7/7 is that there have been 34 plots towards terrorism that have been disrupted in this country, at all sizes and stages. I have referred publicly and previously, and my predecessors have, to the fact that one or two of those were major plots aimed at mass casualty that have been attempted each year. Of that 34, most of them, the vast majority, have been disrupted by active detection and intervention by the Agencies and the police. One or two of them, a small number, have failed because they just failed. The plans did not come together. But the vast majority by intervention.

I understand that to mean 34 plots over 8 years most but not all of which were disrupted, rather than just discovered. Of these, one or two per year were aimed at causing mass casualties (that’s 8 to 16 of them). I find it really quite surprising that such a rough guess of 8 to 16 major plots was not remarked upon by the Committee — but then they were being pretty soft generally in what they asked about.

The journalists who covered the story heard this all slightly differently, both as to how many plots were foiled by the agencies and how many were aimed at causing mass casualties!
(more…)

Nov 3, '13

Three of our clients have been acquitted of tampering with curfew tags after the Ministry of Justice and G4S were unwilling to have an independent forensic team examine their evidence. This brings to five the number of tag-tampering prosecutions that have been withdrawn or collapsed when the defence says “Right, prove it then.” I reported the first case here.

The three latest matters were high-profile terrorism cases, involving three of the nine men tagged under the new Terrorism Prevention and Investigation Measure (TPIM) – a kind of national-security ASBO handed out by MI5, and which had already been criticised by David Anderson QC, the government’s independent reviewer of terrorism legislation, for low standards of proof. Unlike a normal ASBO which a court gives “on the balance of probabilities”, you can get a TPIM if the Home Secretary declares she has a “reasonable suspicion”.

The Ministry of Justice should perhaps, when they let the tagging contracts, have read our 1994 paper on the John Munden case, or the post here about the similar case of Jane Badger. If you’re designing a system one of whose functions is to provide evidence, you’d better design it to withstand hostile review. “Trust us” doesn’t cut it in criminal trials, and neither does “I’m afraid that’s commercially confidential.”


Calendar

April 2014
M T W T F S S
« Mar    
 123456
78910111213
14151617181920
21222324252627
282930  

Posts by Month

Posts by Category