Author: Joseph Lorenzo Hall

  • Google = Web-Nielsen?

    Joe Hall here.

    Google appears to be trying to better measure household and end-user internet traffic, similar to how Nielsen measures cable and television watching habits (“Google Screenwise: New Program Pays You To Give Up Privacy & Surf The Web With Chrome”).  In a new program, called Screenwise, Google will pay individuals a token amount ($5 up front plus $5 every three months) to install a browser extension that monitors what web sites you visit and how you use those sites.  For households, Google has a router device that will presumably capture all the household internet activity, and it pays a bit better ($100 up front plus $20 per month).

    This leaves me with a ton of questions:

    • While the browser extension will measure web traffic (port 80, in geek speak), will the router appliance measure all internet traffic?
    • Does the router appliance have a way of “seeing” into encrypted sessions using HTTPS, such as when you visit your bank? (It could do this by asking individuals to install a certificate on their machines that would allow the appliance to pass through encrypted client sessions as if it were the client and then re-encrypt the content when passing back to the user… otherwise known as a man-in-the-middle (MITM) attack.)
    • Just what is the router capturing?  I doubt it, but is it also sniffing wifi, cellular signals, etc.?
    • What are the specific terms of service and privacy policy for Screenwise? How long will such information be kept? Is it associated with personally-identifiable information or is demographic information enough?
    • Don’t these prices seem exceedingly low for the amount of information the user is giving up? I would most certainly price my detailed web surfing logs an order of magnitude or two ($50-500) higher than this.
    • I wonder how they’ll avoid gaming… for example, I only rarely use Chrome as I prefer the control I get from Firefox. If I sign up and only use Chrome once in a while, do I still get the incentive?
    • Will this information be combined with other Google information, now that Google can share data about your activities across all of their products?
    • Will this also capture data when Chrome is in its private browsing mode (incognito)?  That seems very unwise.
  • One person’s trash is another person’s… medical record?

    Joe Hall here.

    An intriguing story flew past my Twitter stream, that begins:

    “MINNEAPOLIS (WCCO) — Detailed medical information discovered on the back of a first-grader’s school drawing sent Minneapolis school officials scrambling.

    Jennifer Kane was tidying her dining room when she found the drawing by her daughter, Keely, who goes to Hale Elementary School. On the back of the paper was the name, birth date and detailed medical information for a 24-year-old St. Paul woman named Paula White.” –(“Recycled Medical Records Used As Scrap Paper At School”)

    Long story short: Ms. White’s records that she voluntarily gave to a law firm representing her after a car accident were donated by a paralegal to Ms. Kane’s daughter’s elementary school.  These records, and those of presumably many others, were found by school officials after being used as scrap paper and have since been secured, probably awaiting disposal (or, cynically, placed in escrow until the new team of lawyers Ms. White might hire to sue her old lawyers get a chance to look at them!).

    Ms. White expresses concerns that we see often in cases of privacy breaches, especially medical breaches: “It’s got my account number, my birth date, my job … I’m outraged. I am embarrassed. I don’t want anyone to know my personal information.”

    What recourse does she have?  Likely, the only thing she can do is hire another law firm to sue the first law firm; that is, there’s no federal health privacy issue here. Because the law firm is not a “covered entity” under the federal law and accompanying regulations known as the Health Insurance Portability and Accountability Act (HIPAA), the responsible enforcement agency, the Department of Health and Human Services, can’t seek corrective action.  In fact, you may be surprised how little HIPAA and HHS can do in situations like these. Our friends at the World Privacy Forum keep a very useful FAQ about HIPAA and also point out how medical identity theft, where people use medical information about others to obtain services or make fraudulent claims, is on the rise and an increasing concern for patients.

    What can you do? Be vigilant, as always. Make sure you monitor and understand your health insurance claims information and that you let your health care providers know if you suspect funny business. Of course, if a law firm you hire screws up this bad, find a new one and teach the old one a lesson with a good old-fashioned legal malpractice lawsuit.

    Updated on 11/22 to make clear that Ms. White can sue the original law firm for malpractice. –JLH