1/20/2009 1:16:00 PM

Electronic Health Records - Law and Technology

by Andrew Y. Lindell

With Barack Obama about to take office, the privacy issues related to the digitization of health records are being heavily debated; see this New York Times article and Slashdot discussion. Most of the controls being mentioned are legal and relate to two areas. The first considers how data may be aggregated and used (this is purely legal), and the second considers the security controls that must be implemented to prevent confidential data from being stolen (this is a combination of law and technology). The technological protections considered here are passive and relate to an organization's responsibilities to prevent raw data from being accessed (e.g., by laptops being lost or stolen, or by an external attacker breaking into the organization's database). A third area that is more often ignored relates to technological solutions that enforce appropriate use of the confidential data. This starts with the simple and well-known requirement of access control: only those with a reason to look at a certain piece of data should be able to do so. However, it also extends further to more advanced controls.

In order to illustrate what I mean, let us consider for a moment the issue of ensuring that conflicting medications are not prescribed to the same patient. One way to achieve this is to provide a patient's doctor with access to a list of all of the medication that they are taking. This may make sense, but it may also suffice to have the doctor input the medication he or she wishes to prescribe and then wait for an automated response saying that this medication can be prescribed or should not be, based on the other medication taken by the patient. In many cases this is enough and it reveals much less information. (Note that although it makes sense that a patient's primary physician should have access to all of their medical history, this is not necessarily the case for others. For example, I don't think that someone's dentist needs to know that they are suffering from depression, unless there is the chance of a medication clash. If such a clash can occur, then as I have described above, it can be prevented without actually providing access to the raw sensitive data.)

It is my belief that active technological controls like the above should be considered more. Strict regulations regarding the use of medical data are essential. However, they are not enough! We can use technology to ensure that even those who are willing to break the law will have a hard time getting to data (unless they really need access to the raw data in order to carry out their job).
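The medication-clash control described above, as an added illustration that is not part of the original post: a record service that answers only "may this drug be prescribed?" to a requester without raw-data rights, reserves the full medication list for the primary physician, and logs every query (including denied ones). Drug names, interaction pairs, patient ids and roles are constructed sample data, not from any clinical source.

```python
# Added example: an oracle-style prescribing check that enforces data minimization.
# All names, drugs and interaction pairs below are constructed sample data.
from dataclasses import dataclass, field

# Constructed interaction table: unordered pairs that must not be co-prescribed.
INTERACTIONS = {frozenset({"drugA", "drugB"}), frozenset({"drugC", "drugD"})}

# Constructed medication store keyed by patient id.
MEDICATIONS = {"p1": {"drugA", "drugX"}, "p2": {"drugC"}}


@dataclass
class Requester:
    name: str
    role: str  # "primary" may read the raw list; any other role may only ask the oracle


@dataclass
class RecordService:
    # Every query, allowed or denied, is recorded with who asked and about whom.
    audit: list = field(default_factory=list)

    def _log(self, who, action, patient):
        self.audit.append((who.name, who.role, action, patient))

    def can_prescribe(self, who, patient, drug):
        """Return only a verdict; the patient's other medications are never revealed."""
        self._log(who, f"check:{drug}", patient)
        current = MEDICATIONS.get(patient, set())
        return all(frozenset({drug, other}) not in INTERACTIONS for other in current)

    def medication_list(self, who, patient):
        """Raw access is reserved for the patient's primary physician."""
        self._log(who, "read_list", patient)  # denied attempts are logged too
        if who.role != "primary":
            raise PermissionError(f"{who.name} ({who.role}) may not read raw records")
        return set(MEDICATIONS.get(patient, set()))


if __name__ == "__main__":
    svc = RecordService()
    dentist = Requester("dentist", "other")
    print(svc.can_prescribe(dentist, "p1", "drugB"))  # False: clashes with drugA
    print(svc.can_prescribe(dentist, "p1", "drugC"))  # True, and drugA/drugX stay hidden
    print(svc.audit)
```

Because denied reads are logged as well as allowed ones, the audit trail also gives the patient (or an auditor) a way to learn that someone tried to access the raw record.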


Tags:

Privacy | Cryptography

8/1/2008 4:45:00 AM

The Transparent Society Begins

by Andrew Y. Lindell

In 1999, David Brin wrote a book entitled The Transparent Society. His main thesis is that the increased surveillance by governments on their citizens is not going to go away. Stated differently, the fight for our privacy by preventing surveillance is futile. Rather, he suggests that we should enforce far stronger controls upon those observing us. More specifically, we should force our observers to be transparent by observing them back. This will then prevent them from misusing their power. It is a very interesting read and is highly controversial. You are unlikely to agree with everything he says, but he definitely has some interesting points to make.

So, why am I writing about this today? First, I happened to hear him speak at the IBM T.J. Watson research center this week while I was visiting there. More importantly, the transparent society may be beginning. The inclusion of cameras in cellphones means that ordinary citizens have cameras with them all the time. They are now using these to document misbehavior by officials. The observed are now beginning to observe back! For two recent examples of this phenomenon, see the videotaping of a police officer pushing over a cyclist, and a general discussion here.


Tags:

Privacy

7/16/2008 11:36:00 AM

Anonymized Data is Not Anonymous

by Andrew Y. Lindell

When will people learn that you can't remove obvious identifiers and then expect that the result is anonymized data that won't breach anyone's privacy? Google (YouTube) will release "anonymized" data to Viacom as part of a court order regarding copyright infringements; see here.

If you have a short memory, here are two recent examples of what can be done with anonymized data. First, AOL released a huge amount of search keywords (in anonymized form), but it was quickly shown that the result was very far from anonymous. Second, Netflix released anonymized data for the Netflix Prize, which was also completely deanonymized.

In short, data is not easily anonymized, and don't trust anyone who says that it is. In this specific case, the claim is that the data is not being released to the public, just to Viacom. So, what's the problem? (I won't dignify this claim by answering it.)


Tags:

Privacy

7/8/2008 3:23:00 PM

Have you ever stopped to think how much you give away on the Internet?

by Andrew Y. Lindell

Have you thought lately about how much information you give up while browsing the Internet? Here are some examples:

  • Have you used an online translation tool? Did you think about the fact that the document you translated contains confidential information (personal or work oriented)?
  • Have you searched the web to understand your illness better? Did you think about the consequences if your employer has access to these search words (and s/he probably does)? 
  • Have you researched your confidential new project by searching the web? Did you think about the fact that your computer ID (which may contain the name of your company) is freely available and linked to these searches?
  • Did you search the web for self-help articles about difficulties in your marriage or with your kids? Did you think about the fact that your kids and spouse can easily see what you searched for (because the keywords are by default remembered by Google "for your convenience")?
  • Do you remember that it's not difficult to actually find your true identity through your search words (remember AOL two years ago)?


The above are just a few examples, and I haven't even started on the amount of information we consciously put up on social networking sites. We are a society that is concerned about privacy while freely giving it up, sometimes consciously and sometimes without realizing it! If you really want to get frightened, then think about the ramifications of someone linking all of the above together in order to build a detailed profile about you. Who would do such a thing? Well, potential employers may (they are already searching MySpace and Facebook to see what you say about yourself there).

So, what should you do? That's already a difficult question. One possibility is to use an anonymous routing service like Tor. Otherwise, you can just be a bit careful:

  • Try not to use social networking sites beyond a minimum, and if you must, keep in mind that a future employer may be looking (your kids may also have a look at what you posted, next year or in 20 years time).
  • Clean up your search history and set the defaults on your browser to not remember your searches. (You can also disable automatic fill-in).
  • Be careful about what you search for at work. This includes your personal searches (that you don't necessarily want your employer to know about) as well as searches that may give away confidential company information.
  • Before you use any online service, make sure that you are not transferring confidential information to an outsider that has no interest in protecting it.


These are just a few short ideas. The main lesson is to be aware. If you don't watch out for your privacy - at least minimally - then you can't expect to have it.


Tags:

Privacy

3/25/2008 8:17:00 PM

Clinton-McCain-Obama passport-record breaches are a sign of much more

by Andrew Y. Lindell

It has been reported that the passport records of the Presidential candidates Hillary Clinton, John McCain and Barack Obama have been breached; see CNN. This is making a lot of noise and shows that data that is considered confidential (and in this case protected by the Privacy Act) can be accessed, seemingly without too much difficulty. However, the main point of the story is not whether someone accessed the Presidential candidates' records. Rather, the question we really need to be asking is: would we ever know if our own personal records were accessed? We live under the illusion that our private medical and other records are actually kept private. But is this the case? The unfortunate truth is that the "ordinary person" will usually never know if a breach of this kind is carried out against them.

Just to conclude on a chilling note: when someone doesn't get a job, do they know whether it's because they weren't good enough, or perhaps because of an error in their private medical file that says they have a serious heart condition? Since they are never told, they may not even know that the error exists!


Tags:

Privacy