Big Data

*** UK ALERT *** NHS England leaflet misleads patients about opt out

Sometime in January 2014 you may have received a leaflet via junk mail, entitled ‘Better information means better care‘ (2MB PDF file). It may not be clear from the leaflet that a significant change in what is done with your medical records is about to happen.

Unfortunately, NHS England – the commissioning body that now runs the NHS in England – decided not to include an opt out form with the leaflet and the information in it says you should “speak to your GP practice” if you want to stop your or your family’s confidential medical information being uploaded and passed on.

This is misleading.

You do not have to speak with your doctor or book an appointment. The choice to keep your medical records private is completely down to you; all you need do is inform your GP of your choice, which you can do simply by writing a letter or dropping a form into your surgery.

To make things more straightforward, medConfidential is providing both a form and a letter for you to use. You can use either one of them. Click on one of the links below to download a copy. Print it off, fill in your details, sign it and send it to your GP or drop it into the surgery reception for their attention:

Opt out form (PDF)

Please do take a few moments to e-mail this PDF to your family, friends and colleagues, or send them the link to our download page – www.medconfidential.org/how-to-opt-out – or share it on social media. You might even print off copies of the form (it conveniently prints double-sided and folds to fit in a DL envelope) to give to others who may not have heard about what’s going to happen to their medical records, and won’t know what they can do.

Opt out letter (PDF)

Opt out letter (MS Word)

Opting out will not affect the care you receive and you can change your mind at any point and opt back in if you like. If you have any specific concerns, we recommend you speak with your GP.

As you will see from the letter, there are TWO codes that your doctor will need to add to your record – one to prevent identifiable information being uploaded from your GP practice and one to stop the Health and Social Care Information Centre from passing on identifiable information about you that it gathers from anywhere else, e.g. hospital records, clinics or testing laboratories.

Remember, the choice is yours. You don’t need to justify it but if you want to keep your medical records private and confidential you do need to act now.

Source: MedConfidential


Refuting NHS England’s response to Guardian story “NHS patient data to be made available for sale”

When medConfidential refutes something, we provide proof or evidence. We don’t use weasel words or mere assertion, we provide you the links to check out for yourself that what we say is correct.

Following the front page story in the Guardian today, NHS patient data to be made available for sale to drug and insurance firms, NHS England have posted a terse but incredibly carefully-worded response on their website.

In it, NHS England’s Chief Data Officer, Dr Geraint Lewis says:

“It is vital, however, that this debate is based on facts, and that the complexities of how we handle different types of data are properly understood. Patients and their carers should know that no data will be made available for the purposes of selling or administering any kind of insurance and that the NHS and the HSCIC never profit from providing data to outside organisations.”

You will note that Dr Lewis has not – because he cannot – refute the fact that insurers will be able to get hold of patient information extracted by the care.data scheme. And there are plenty of ways an insurer could profit from care.data without “selling or administering” insurance – tuning its premiums, for instance.

NHS England’s own ongoing application to the Health and Social Care Information Centre (HSCIC) to massively expand the uses and users of care.data makes it quite clear that “Examples of additional customer organisations may include:

  • Universities and other academic research organisations
  • Commercial companies
  • Think-tanks
  • Medical charities
  • Medical Royal Colleges
  • Information intermediaries

And the Information Governance assessment of this ‘care.data addendum’ quite clearly states, at the bottom of page 5:

“Access to such data can stimulate ground-breaking research, generate employment in the nation’s biotechnology industry, and enable insurance companies to accurately calculate actuarial risk so as to offer fair premiums to its customers.”

this_is_file_name_848(We’ll leave it up to you to decide how “fair” the insurance companies are likely to be.)

And to Dr Lewis’ point about the NHS and HSCIC ‘not profiting’ from providing our data to companies outside the NHS, we can only say… why then do you publish a price list for accessing our medical information?

NHS England and HSCIC can call it ‘cost recovery’ or whatever they like; sophistry seems to be their standard approach. But most normal people’s understanding of the word ‘sell’ involves money changing hands in a transaction, which is clearly what’s happening here.

Whatever the value these extremely powerful bodies are putting on our medical information – and in this case it’s clearly not much – this is not the sort of behaviour that patients expect of the people and institutions that should be guardians of our data. Not by a long way.

Source: MedConfidential


The internet is not dead. It’s undead and it’s everywhere.

afterglowBy Rasmus Fleischer

A few days ago at Transmediale in Berlin, I took part in a panel discussion under the fuzzy title “After the revolution(s): Internet freedoms and the post-digital twilight”. What follows is an attempt to summarize my input to that panel.

# # #

“The revolution is over”, stands as a motto for this year’s Transmediale. I guess that I share the feeling, but I think the statement is wrong. Instead of talking about some revolution in the past, I think we should talk about the ongoing counter-revolution and to situate that in history.

When thinking about the direction in which the internet is developing, we must go beyond the simplified opposition of “old times” versus “new times”. In order to do that, we must periodize the history of the internet. When trying to do that, I have come to regard year 2007 as a turning-point. That was when the counter-revolution took over. And on its flags, the counter-revolutionary forces had written words like: social, share, mobile, stream, access, open…

For now, we don’t need to name these counter-revolutionary forces. Although it is obvious that the counter-revolution on the internet is largely about centralization and monopolization, it would be wrong to reduce this process with a few giant corporations. The monopolizing tendency has been a much broader thing and has also ruined the potential in projects like The Pirate Bay and Wikileaks. If such projects initially had the ambition to set examples, to be copied and multiplied, they were caught in a dynamic where they seemed to have no alternative but to stage a new riot every week, or to fade away. Or take the Pirate Parties, which have tended to monopolize internet-related issues which are then re-encoded in the language of rights, endlessy re-enacting the immanent contradictions of liberal ideology: copyright vs. privacy, privacy vs. transparency, etc. etc. Nowadays, I feel that the very concept of “internet freedom” is caught in the same kind of double-bind, making it increasingly hard to use. And this feeling of mine is probably just another aspect of the counter-revolution.

Hito Steyrl is to the point: “The internet is not dead. It’s undead and it’s everywhere.” It feels awkward, she writes, “obviously completely surveilled, monopolized, and sanitized by common sense, copyright, control and conformism.”

But there was never any digital revolution in the past. If we could ever talk about a digital revolution, it could only mean the third industrial revolution, which has been going on for decades and which is definitely not about to end. But as an industrial revolution, that is simply an acceleration in the continuous process of minimizing the need for human labour in the production of commodities. That process is driven by the competition over profits on the market, and the current crisis is only intensifying that competition, pushing all kinds of corporations towards Big Data and threatening to eliminate those who fail to live up to the new standards of data mining.

But during this long process, during the third industrial revolution, there has been times when the uses of digital technologies has tended to break away from this industrial logic. There were a few interesting years in the 1990s, before the dotcom bubble. And there were a few interesting years after the dotcom crash, in the beginning of our century. These two episodes in the history of the internet were indeed no revolution. But these times saw the multiplication of autonomous innovation, and of new forms of collective practice which where not easily integrated in any economy, and not very suited for data mining.

I think it makes more sense to talk about a digital counter-revolution than to talk about a digital revolution. But the current counter-revolution did indeed react against something, against a subversive or revolutionary potential which were building up in the years following the dotcom crash.

If the internet tended towards a decentralized or even revolutionary direction between 2001 and 2007, this must somehow be related to the financial dynamics in global capitalism. The afterglow of the dotcom bubble began in one crisis, but ended with the onset of the next crisis. How come? In the very beginning of this century, capital fled from the dotcom sector. For capitalism as a system, the dotcom crash revealed a serious threat of deflation, but central banks injected enormous amounts of stimulative liquidity, credits which rushed towards other sectors, most notably housing, building up a new and even larger bubble. However, on the internet of 2001-2007 there was a relative lack of venture capital. The dotcom crash had revealed a surplus of bandwidth, of hardware and of highly skilled hackers. Many of these hackers which had been working in the dotcom sector were no longer employed (or working as consultants effectively on part-time), meaning that they had free time to experiment with available resources. Out of the early 00’s recession grew a boom for free software and file-sharing. Innovation tended to be about new protocols (from RSS to bittorrent) rather than new platforms. The new standards for sociality on the www – the blog, the wiki, the threaded forum – could all be run DIY on simple servers with open-source software.

The afterglow of the dotcom bubble, in other words, allowed for a certain degree of autonomous innovation on the internet. It resulted in a net characterized with a plurality of interfaces: the older duality of horizontal hypertext (HTTP) and hierarchical folders (FTP) was complemented by various kinds of feeds and flows, not to forget the tag clouds and the virtual realities, as well as the search engines.

This amounted to a plurality of speeds: many degrees of fast and slow communication could co-exist in the everyday use of the net. We don’t have that plurality anymore. Since 2007, time on the internet is being homogenized.

The counter-revolution is slowly abolishing hypertext as well as folder hierarchies, in favour of a new monoculture. Today’s undead internet has a universal interface based on only two functions: the search and the feed.

The search is there for you when you already know what you’re looking for. When you don’t know, you can always get fed by your feed, the singular and personalized home feed, whose function is to homogenize time, synchronizing our attention at one singular speed. What could a concept like “internet freedom” posibly mean in such an environment?

Of course I agree that decentralization is the way to go. But by now it should be obvious, that they way to go is not to build decentralized copies of Facebook or Twitter. We need something else, and we can’t say what it is without lots of more experimentation. But who will do all this experimentation? The hacker surplus do not exist any more. The skilled hackers are now employd to develop platforms and apps which conform to the new monoculture and with the new standards of data mining. Some years ago, young programmers in Sweden where swarming to promote P2P file-sharing in solidarity with the Pirate Bay – soon after, they were all employed by Spotify.

I don’t know if we are now entering a second dotcom bubble to be followed by a second dotcom crash. But to me, it’s clear that the counter-revolution began when venture capital once again began to rush towards the internet.

/ Rasmus

PS.

By the way, as we talk about Transmediale and crisis. Isn’t the concept of “Art Hack Day” basically a way of administrating austerity in art institutions? You can fill an exhibition with artworks without having to paying the artists, while covering it up with glossy language about spontaneity. Maybe I’m wrong, but I wrote down some notes about that as well.

Note: Money will do everything.
We need to do everything for money.
Lend, spend, inflate!


Big Data + Big Pharma = Big Money

by Charles Ornstein

Need another reminder of how much drugmakers spend to discover what doctors are prescribing? Look no further than new documents from the leading keeper of such data.

IMS Health Holdings Inc. says it pulled in nearly $2 billion in the first nine months of 2013, much of it from sweeping up data from pharmacies and selling it to pharmaceutical and biotech companies. The firm’s revenues in 2012 reached $2.4 billion, about 60 percent of it from selling such information.

The numbers became public because IMS, currently in private hands, recently filed to make a public stock offering. The company’s prospectus gives fresh insight into the huge dollars – and huge volumes of data – flowing through a little-watched industry.

IMS and its competitors are known as prescription drug information intermediaries. Drug company sales representatives, using data these companies supply, can know before entering a doctor’s office if he or she favors their products or those of a competitor. The industry is controversial, with some doctors and patient groups saying it threatens the privacy of private medical information.

The data maintained by the industry is huge. IMS, based in Danbury, Conn., says its collection includes “over 85 percent of the world’s prescriptions by sales revenue,” as well as comprehensive, anonymous medical records for 400 million patients.

All of this adds up to 10 petabytes worth of material — or about 10 million gigabytes, a figure roughly equal to all of the websites and online books, movies, music and TV shows that have been stored by the nonprofit Internet Archive.

IMS Health says it processes and brings order to more than 45 billion health care transactions each year from more than 780,000 different feeds around the world. “All of the top 100 global pharmaceutical and biotechnology companies are clients” of its products, the firm’s prospectus says.

Dr. Randall Stafford, a Stanford University professor who has used IMS data for his research, said the company has grown markedly in recent years through acquisitions of competitors and other companies that host and analyze data. As the pharmaceutical industry has consolidated, he says, IMS has evolved by offering more services and expanding in China and India.

“They’ve been trying to beef up their competitiveness in some areas by making all of these acquisitions,” he said.

IMS has especially expanded its database of anonymous patient records, which can match patients’ diagnoses with their prescriptions and track changes over time, Stafford said.

IMS sells two types of products: information offerings and technology services. The information products allow pharmaceutical companies to get national snapshots of prescribing trends in more than 70 countries and data about individual prescribers in 50 countries.

IMS’s prospectus offers examples of the questions companies are able to answer with its data, including which providers generate the highest return on a sales rep’s visit, whether a rep drives appropriate prescribing and how much reps should be paid.

IMS Health’s data collection and sales have been controversial.

Several years ago, three states passed laws limiting the ability of IMS and companies like it to collect data on doctors’ prescriptions and sell it to drugmakers for marketing purposes. Their intent was to protect physician and patient privacy and to reduce health care costs by reducing marketing of brand-name drugs. Once a drug loses patent protection and becomes generic, promotion essentially ceases.

IMS and other companies sued, and the U.S. Supreme Court ultimately ruled in their favor, finding a First Amendment right to collect and sell the information. (ProPublica and a group of media companies filed a legal brief supporting IMS on First Amendment grounds.)

ProPublica has sought to purchase data on individual providers from IMS and some of its competitors but was told by each that it could not buy the information at any price.

Instead, reporters obtained data from Medicare on providers in its taxpayer-subsidized drug program, known as Part D, which fills more than one in every four prescriptions nationally. The data is now on Prescriber Checkup, where anyone can look up individual doctors and compare their prescriptions to peers in their specialty and state.

ProPublica has found that in Part D, some of the top prescribers of heavily marketed drugs received speaking fees from the companies that made them.

Physicians and privacy advocates have argued that prescription records could be used to glean information about specific patients’ conditions without their permission. In addition, physicians have argued that they have a right to privacy about the way they choose drugs — but aren’t asked before pharmacies sell information about them.

Stafford said those concerns have parallels to recent revelations about mass surveillance by the National Security Agency.

“It’s part of a larger dialogue, which things like the NSA scandal have brought up,” he said. “There’s a lot of data out there that people don’t necessarily know about. … We’re living in a time where people can accept some loss of privacy, but they at least want to know how their privacy is being compromised.”

In its prospectus, IMS cited several challenges to its growth, including data-protection laws, security breaches and increased competition from other data collectors. The filing notes that the United Kingdom’s National Health Service in 2011 started releasing large volumes of data on doctor prescribing “at little or no charge, reducing the demand for our information services derived from similar data.”

Until 2010, IMS Health was a publicly traded company. At that point, it was acquired for $5.2 billion, including debt, by private-equity groups and the Canadian pension board.

Bloomberg News, citing confidential sources, reported last fall that IMS’s owners may seek to value the company at $8 billion or more.

IMS Health declined to comment for this story, citing the regulatory quiet period before the public offering takes place. No date has been set.

Source: ProPublica


Monsanto’s scary new scheme: Why does it really want all this data?

via @nofunctionart

Imagine cows fed and milked entirely by robots. Or tomatoes that send an e-mail when they need more water. Or a farm where all the decisions about where to plant seeds, spray fertilizer and steer tractors are made by software on servers on the other side of the sea.

This is what more and more of our agriculture may come to look like in the years ahead, as farming meets Big Data. There’s no shortage of farmers and industry gurus who think this kind of “smart” farming could bring many benefits. Pushing these tools onto fields, the idea goes, will boost our ability to control this fiendishly unpredictable activity and help farmers increase yields even while using fewer resources.

The big question is who exactly will end up owning all this data, and who gets to determine how it is used. On one side stand some of the largest corporations in agriculture, who are racing to gather and put their stamp on as much of this information as they can. Opposing them are farmers’ groups and small open-source technology start-ups, which want to ensure a farm’s data stays in the farmer’s control and serves the farmer’s interests.

Who wins will determine not just who profits from the information, but who, at the end of the day, directs life and business on the farm.

One recent round in this battle took place in October, when Monsanto spent close to $1 billion to buy the Climate Corporation, a data analytics firm. Last year the chemical and seed company also bought Precision Planting, another high-tech firm, and also launched a venture capital arm geared to fund tech start-ups.

In November, John Deere and DuPont Pioneer announced plans to partner to provide farmers information and prescriptions in near-real time. Deere has pioneered “precision farming” equipment in recent years, equipping tractors and combines to automatically transmit data collected from particular farms to company databases. DuPont, meanwhile, has rolled out a service that analyzes data into “actionable management strategies.”

[…]

More on Salon:Monsanto’s scary new scheme: Why does it really want all this data?

Related


Big Data, Big Pharma, Big Privacy Catastrophe

qqxsgMedical privacy

By Michael Fertik

Companies are actively, aggressively targeting you using your own personal data, without your knowledge or permission.

That’s not good for your privacy, but it’s hardly news – except when it’s the healthcare industry.

Yesterday, news broke that healthcare companies are identifying all manner of pertinent medical details about you without setting eyes on your medical chart.  How?  Personal habits – all gleaned online and aggregated into detailed, invasive profiles using data mining algorithms.

The news is alarming: Big Pharma companies figuring out what patients might be interested in an obesity drug based on clues that imply a couch-potato existence, others finding participants for a study using clues based on data mining, people getting called at home by medical telemarketers who know more than a few sensitive details about their health.

Is it a violation of HIPAA?  Amazingly, no – all of these very personal details are inferred based on probability (likely accurate but probability nonetheless), not by talking to your doctor illegally.  Yet it’s clearly an overstep into an ethically gray area.  And that’s why the question of consumer protection is one that should weigh heavily on everyone’s minds.

Right now, it’s recruiting patients for a drug study that one could argue might help that person and countless others.

Right now, it’s making others aware of new medicines that may work for their particular conditions.

Yet it doesn’t take a privacy advocate or a confirmed cynic to make that very short leap from these semi-benign approaches to other, more detrimental uses of personal health data.  Perhaps it’s a large Fortune 500 company that would much prefer to hire a workforce full of hale and healthy individuals who won’t drive up their premiums.  (Goodbye, older workers, disabled employees, people with imperfect BMIs, workers with chronic but manageable diseases!). Maybe it’s the spouse who picks up the phone and learns from a telemarketer that his wife is pregnant or that her husband is worried about early signs of dementia.  In fact, that has already happened – Target was able to market to a pregnant teen before her own father even knew she was expecting a baby, all thanks to her shopping habits.

In the age of social media, we have become so comfortable with free apps and services that personal inertia has replaced our concern, even outrage, on how companies use this data.

If understanding that companies can now legally skirt HIPAA – your lawful protection for medical privacy – and use information not just to target you but to perhaps discriminate against you, then I don’t know what will shatter our complacency when it comes to personal privacy.

What do you think?

Source: Forbes


Privacy Implications of the Internet (or rather Data) of Things

[…]

1. Unlawful Surveillance

The Internet-connected modules installed on various objects, such as cars, toys, and home appliances, can be used for unlawful surveillance. The Internet-connected modules will allow criminals to receive far more information than they currently can. For example, criminals may be able to monitor children through cameras installed in their toys, monitor people’s movements through Internet modules installed in their shoes, and monitor when a person enters or leaves his/her home by connecting to an Internet-connected door lock. Such threats are not merely speculative. Yoshi Kohno, an associate professor at the University of Washington, has found “real vulnerabilities” in several Internet-connected modules installed in cars, medical devices, and children’s toys.

Moreover, in 2013, the Federal Trade Commission (FTC) filed a complaint against TRENDnet Inc., a producer of wireless cameras that can be installed wherever people need a video feed. The wireless cameras produced by TRENDnet can send motion-captured video to computing devices, such as iPhones or laptops. The complaint stated that TRENDnet failed to provide reasonable and appropriate security for the wireless cameras, which resulted in hacking attacks. The hackers posted Internet links to compromised feeds for nearly 700 wireless cameras. The FTC described the outcome of the hacking attacks as follows:

“Among other things, these compromised live feeds displayed private areas of users’ homes and allowed the unauthorized surveillance of infants sleeping in their cribs, young children playing, and adults engaging in typical daily activities. The breach was widely reported in news articles online, many of which featured photos taken from the compromised live feeds or hyperlinks to access such feeds. Based on the cameras’ IP addresses, news stories also depicted the geographical location (e.g., city and state) of many of the compromised cameras.”

Subsequently, the FTC entered into a settlement agreement with TRENDnet. As a first-time offender, TRENDnet was not sanctioned with any financial penalties, which otherwise can amount to $16,000 per violation. Pursuant to the terms of the settlement, TRENDnet cannot misrepresent its software as “secure” and should receive an independent assessment of its security programs once a year over a course of 20 years. The complaint against TRENDnet was FTC’s first action against a seller of Internet-connected everyday products.

The TRENDnet incident indicated the need to regulate the Internet of Things. As a response to the incident, the FTC will hold a public workshop in November 2013 in Washington. The purpose of the workshop will be to explore consumer privacy and security issues posed by the Internet of Things. Jeff Chester, executive director of the Center for Digital Democracy, stated in relation to the workshop and FTC’s action against TRENDnet: “The FTC is trying to get ahead of the curve here as our lives are further transformed by the ubiquity of digital data collection and gathering.”

2. Active Intrusion in Private Life

The Internet-connected modules will allow criminals not only to passively monitor their victims, but also to actively intrude in their private lives. The reason is that many of the Internet-connected modules are installed in objects that can be remotely controlled. For example, a criminal may be able to remotely stop the refrigerator, start the heater, and unlock the door.

Security researchers have already found security vulnerabilities allowing criminals to hack various devices connected to the Internet. Daniel Crowley, a consultant with security firm Trustwave Holdings Inc., has recently hacked an automated toilet made by a Japanese company. Crowley was able to make the hacked toilet flush or play music.

Seungjin Lee, a security researcher and doctoral student at Korea University in Seoul, stated that he can take over a Samsung TV set by using virus-laden emails or websites. The hacked TV set beams images of what is happening in front of it to a computing device located elsewhere. The hacked TV set can send images even when it appears to be turned off.

Hacked and remotely controlled household appliances may cause severe distress for the victims. For a victim of hacking attack on Internet-connected household appliances, the attack may resemble the phenomenon “poltergeist.” Popular in folklore studies, the poltergeist phenomenon refers to the unexplained appearance of noises or movement of objects.

3. Data Profiling

Data profiling can be defined as “the gathering, assembling, and collating of data about individuals in databases which can be used to identify, segregate, categorize and generally make decisions about individuals known to the decision maker only through their computerized profile (Belgum, 1999).” The anonymized information submitted by the Internet-connected modules can be used for a creation of detailed profiles of the users of those modules. In turn, the profiles can be used for targeted advertising.

The term “targeted advertising” refers to placing advertisements in such a way as to reach consumers based on various behavioral, demographic, and psychographic attributes. For example, consumers who put a large quantity of milk products in a refrigerator that has been programmed to sense what kinds of products are being stored inside will receive more advertising about milk products than consumers who do not put any milk products in that refrigerator.

The targeted advertising may constitute a threat to personal autonomy. The consumers may not want to receive ads related to their preferences. For example, a consumer who has recently decided to reduce the consumption of chocolate may not want to receive online advertisements related to chocolate despite the fact that he/she used to eat a lot of chocolate in the past. However, the company collecting data from the Internet refrigerator of that user may decide that the user has a high potential to buy chocolate and will therefore send him/her many advertisements related to chocolate.

Profiling can be based on anonymized data. For example, a company may collect non-personally-identifiable data from all users of Internet refrigerators. The collected data may include only statistics related to the preferences of the users. In this regard, it should be noted that most data protection legislation does not apply to anonymized data. This means that a person whose anonymized data is collected for profiling has no means to find out about the profiles created on the basis of his/her data.

4. Conclusion

The trend toward using ever more Internet-connected modules is evident. The Internet of Things has drawn a lot of attention from the media, the industry, and research institutions. This is not without a reason. The Internet of Things may soon touch every aspect of our lives. According to International Data Corporation (IDC), the Internet of Things connectivity drive will create a market worth up to $8.9 trillion by 2020.

However, the promise of the Internet of Things should be weighed against the potential threat to security and privacy. This article has shown that Internet-connected modules may be used not only for passive monitoring, but also for an active intrusion in the private life of people. Moreover, the targeted advertising based on information collected through Internet-connected modules may drastically infringe on personal autonomy.

The aforementioned privacy threats demonstrate the need for regulating the Internet of Things. By decreasing the privacy risks, such a regulation will allow the Internet of Things to fully bloom into a paradigm that will improve various aspects of people’s lives. In this context, Elgar Fleisch, deputy dean of ETH Zurich, stated: “People will use a technology if the perceived benefit is larger than the perceived risk.”

It should be noted, however, that too much regulation may hinder innovation. As Adam Thierer, a senior research fellow at the Mercatus Center at George Mason University, states: “All new technologies and innovations involve risk and the chance for mistakes, but experimentation yields wisdom and progress. A precautionary principle for the Internet of Things, by contrast, would limit those learning opportunities and stifle progress and prosperity as a result.” Therefore, striking the right balance between regulation and innovation is of an utmost importance for the future development of the Internet of Things.

Internet_of_You

References

  1. AbiResearch, “More Than 30 Billion Devices Will Wirelessly Connect to the Internet of Everything in 2020,” May 9, 2013. Available at https://www.abiresearch.com/press/more-than-30-billion-devices-will-wirelessly-conne .
  2. Belgum, K., “Who Leads at Half Time? Three Conflicting Versions of Internet Privacy Policy,” Richmond Journal of Law and Technology 6 (1999): 8.
  3. Clearfield, C., “Why the FTC Can’t Regulate The Internet of Things,” Forbes, September 18, 2013. Available at http://www.forbes.com/sites/chrisclearfield/2013/09/18/why-the-ftc-cant-regulate-the-internet-of-things/ .
  4. Davis, W., “FTC To Examine Whether ‘Internet Of Things’ Poses Privacy Concerns,” MediaPost, June 4, 2013. Available at http://www.mediapost.com/publications/article/201797/ftc-to-examine-whether-internet-of-things-poses.html .
  5. Dembosky, A., “FTC targets ‘internet of things’ amid privacy fears,” September 4, 2013, Financial Times. Available on http://www.ft.com/cms/s/0/1eb3b2ca-15ac-11e3-b519-00144feabdc0.html#axzz2jWj4qWX1 .
  6. FTC Complaint against TRENDnet INC. Available on http://www.ftc.gov/os/caselist/1223090/130903trendnetcmpt.pdf .
  7. Hersent, O., Boswarthick, D., Elloumi, O., “The Internet of Things: Key Applications and Protocols,” John Wiley & Sons, 2011.
  8. Howard, B., “Internet of Things” May Change the World,” National Geographic, 30 August 2013. Available on http://news.nationalgeographic.com/news/2013/08/130830-internet-of-things-technology-rfid-chips-smart/ .
  9. Kerr, D., “FTC and TRENDnet settle claim over hacked security cameras,” cnet.com, 4 September 2013. Available on http://news.cnet.com/8301-1009_3-57601430-83/ftc-and-trendnet-settle-claim-over-hacked-security-cameras/ .
  10. Metz, R., “More Connected Homes, More Problems,” MIT Technology Review, August 13, 2013. Available on http://www.technologyreview.com/news/517931/more-connected-homes-more-problems/ .
  11. Rubin, P., Lenard, T., “Privacy and the Commercial Use of Personal Information,” Springer 2002.
  12. “Six Technologies With Potential Impacts on US Interests Out to 2025,” National Intelligence Council, April 2008. Available at http://www.fas.org/irp/nic/disruptive.pdf .
  13. “The Internet of Things Business Index: A Quiet Revolution Gathers Pace,” the Economist Intelligence Unit, 2013. Available at http://www.arm.com/files/pdf/EIU_Internet_Business_Index_WEB.PDF .
  14. “The Internet of Things Is Poised to Change Everything, Says IDC,” BusinessWire, 3 October 2013, Available at http://www.businesswire.com/news/home/20131003005687/en/Internet-Poised-Change-IDC .
  15. Yadron, D., “Hackers Expose How Connected Toilets, Heaters and Lightbulbs Are at Risk,” July 31, 2013, Wall Street Journal. Available at http://online.wsj.com/news/articles/SB10001424127887323997004578640310932033772 .
  16. Zhou, H., “The Internet of Things in the Cloud: A Middleware Perspective,” CRC Press, October 29, 2012.

Source: Privacy Implications of the Internet of Things


Browsers talk too much

ku-xlarge

The Digital Advertising Alliance and the Interactive Advertising Bureau are working to develop standard technology that allows consumers to opt out of online tracking when methods other than traditional cookies are deployed.

While the move appears aimed at protecting user choice, privacy researchers worry it’s also an effort to legitimize alternative techniques for identifying consumers, inviting controversial practices like “browser fingerprinting” to become more common.

[…]

Tawakol and Ingis both said the new technology, which is still under development, would allow companies to use alternative approaches that are sometimes called statistical or probabilistic tracking, while remaining in compliance with industry privacy standards. That includes providing notice, transparency and opt-out options, Tawakol said.

Statistical approaches include identifying a particular web browser by its unique combination of plugins, settings, fonts and other characteristics. Privacy researchers call it browser fingerprinting, a term Ingis rejects because the technique doesn’t provide a 100 percent positive identification, just a high statistical likelihood.

A 2010 study by Peter Eckersley at the Electronic Frontier Foundation found that the average browser that supported Flash and Java carried 18.89 bits of identifying information. His three-year-old survey found that 94.2 percent of the browsers with that functionality were unique, or able to be fingerprinted. But researchers say the technology is rapidly improving.

[…]

Ad groups prepare for “cookieless” future, develop opt-out tool for alternative tracking

Panopticlick

With panopticlick you can test how rare or unique your browser configuration is, based on the information it will share with sites it visits. Panopticlick gives a uniqueness score, letting you see how easily identifiable you might be as you surf the web.

1892725-panopticlick

Notes from Carsten (via cypherpunk mailinglist)

  • The database is not a representative database, because most users, who know something about the project and visit it, use a privacy-friendly browser configuration.
  • Old entries in the database were not deleted. Firefox 3.5.3 has one of the best ratings in this database. But nobody uses this old browser version any more. You will be unique with this user agent in real life.
  • It is easy to manipulate the database. You can call the page with your preferred browser multiple times and your preferred browser will be higher rated.

Entropy

The term “Entropy” is used to gauge how identifiable an object is. EFF defines entropy as:

A mathematical quantity which allows us to measure how close a fact comes to revealing somebody’s identity uniquely. That quantity is called entropy, and it’s often measured in bits.

More entropy means less identifiable. every Web browser provides enough unique information to tell one from another. Besides user accounts, IP addresses, and cookies; there is something called a User Agent string that can be used to further reduce the entropy of Web browser applications:

Our experiment to date has shown that the browser User Agent string usually carries 5-15 bits of identifying information (about 10.5 bits on average). That means on average, only one person in about 1,500 (210.5) will have the same User Agent as you.

On its own, that isn’t enough to recreate cookies and track people perfectly, but in combination with another detail like geo-location to a particular ZIP code or having an uncommon browser plug-in installed, the User Agent string becomes a real privacy problem.

What’s My User Agent?

What’s My User Agent?” allows you to view details about your user agent, along with other information your browser sends to the website.

Making changes

  • Use NoScript, it blocks sites from detecting plug-ins, fonts, and cookies.
  • Use a Tor browser in an isolated environment like Qubes, Whonix, Tails, … in transparent mode.
  • Use a popular Web browser. It decreases the likelihood of being unique among other browser fingerprints.
  • If you use Firefox, use about:config to change some of the settings to non-unique nonsense.

More Information