ILI Student Blog

Category: Uncategorized

  • Repost: DEA directs agents to cover up the sources of information used to investigate Americans

    This story courtesy of Akiva Miller:

    “Reuters reported yesterday that the Drug Enforcement Administration (DEA) has been starting criminal investigations of drug-related offenses based on information obtained from  from intelligence intercepts, wiretaps, informants and a massive database of telephone records – information that usually cannot be used in criminal investigations not related to national security matters. The DEA agents were directed to “recreate” the investigative trail to effectively cover up where the information originated. This practice violates defendants’ constitutional rights to a fair trial. http://www.reuters.com/article/2013/08/05/us-dea-sod-idUSBRE97409R20130805

    This Reuters context piece helps explain how this practice differs from the NSA Surveillance program, and is a far worse violation of civil rights: http://www.reuters.com/article/2013/08/05/us-dea-sod-nsa-idUSBRE9740AI20130805

    Meanwhile, USA Today reported that the Justice Department is now reviewing the DEA’s techniques:  http://www.usatoday.com/story/news/nation/2013/08/05/justice-dea-special-operations-shield/2620439/

    This revelation exposes how surveillance practices are going beyond the narrow realm of national security needs and are increasingly being employed against Americans for ordinary law enforcement purposes – the very realm where civil rights are vital safeguards against agency violation. Now that unlawful surveillance has been exposed in the fairly controversial area of drug enforcement, one can imagine the reaction if it turns out other agencies are using similar tactics: How would businesses react if the IRS were illegally obtaining their phone records, and then started a “random” audit on its secret surveillance target? Or how would gun rights supporters feel if the ATF Bureau were listening to phone conversations and arresting unregistered gun owners claiming “reliable informants” had led them to their targets? It wil also be interesting to see how this will affect the convictions of drug-related charges who may have been victims of these tactics. ”

     

  • Both sides to the NSA surveillance debate

    Position 1: Snowden is a whistleblower and what the government is doing is illegal: http://www.whistleblower-insider.com/the-simmering-storm-over-americas-secret-surveillance-court/

    Position 2: Snowden leaked classified documents improperly, and in fact, there are many controls and restrictions governing surveillance: See this talk by  Robert Litt (General Counsel of the Office of the Director of National Intelligenceat) at a recent a Brookings event http://www.c-spanvideo.org/program/GovernmentInte

  • ACLU’s revelations on License Plate Readers

    http://www.aclu.org/blog/technology-and-liberty-national-security/police-documents-license-plate-scanners-reveal-mass

     

    26000 pages of law enforcement data reveal: low hit rate, lots of variation across states and cities with regard to data retention policies.

  • Why trying to RFID track school kids may not work

    Possibly, because the idea is faulty. Something which this program in Texas is experiencing. Though, they seem to be replacing RFID with hundreds (!) of surveillance cameras. And why? To enjoy more federal funding.

    See the following link

     

  • Battling Big Brother, comments from Personal Democracy and Freedom, 2013

    I was invited to be a panelist at this year’s Personal Democracy and Freedom (PDF) conference held here in New York City. The panel was titled, “Battling Big Brother” and the idea was to comment on the degree to which individuals may be caught up in collateral damage from government collection and mining of data for the purpose of national security. I great question, indeed!

    I wanted to make a few comments on that panel, and thought I’d reproduce some of them for this blog below.

     

    I’m sure by now everyone is familiar with the hype around collecting and mining big data for individual patterns. And it’s not going to shock anyone to state that government, just as with private sector (e.g. facebook and google) have great interest in doing this.

    As far as commercial interests are concerned, from what I see, these often focus on advertising — how can content providers effectively identify their visitors in order to present them with relevant ads? On one hand, the consumer benefits are obvious. Think of all the free online services and mobile apps that we use every day — they are likely supported by advertising. On the other hand, there are privacy concerns when people are tracked, and other personal characteristics inferred, without their consent (e.g. target pregnancy girl). Moreover, there may be economic consequences from price discrimination which may also be seen as unfair. E.g. when those of higher income receive greater discounts than lower income people.

    Public interests of big data include, among other things, law enforcement and national security. But they have an advantage that private sector doesn’t in their ability to link many more kinds of disparate data sources and make more important inferences. They can combine CCTVs, drones, and of course, data collected from the private sector like phone records, emails, search engines, and network traffic from ISPs. I think we can all agree that the benefits of preventing bombings, and cyber attacks using these big data sources are large. What is of debate is how state agencies go about that and what tradeoffs we are willing to accept (e.g. PRISM and Verzion phone metadata collection).

    I now want to talk for a few minutes about two recent news stories that I think are relevant to this discussion. The first is this week’s supreme court decision to allow DNA collection at the time of arrest for a violent crime. Ostensibly, this is done to because of the strong force of recidivism: the notion that a criminal caught for one crime may have committed some other, unresolved crime. The novelty — and risk — is that DNA is thought to be a better detection mechanism than fingerprints because it’s more difficult to conceal one’s DNA at a crime scene. But again, consequences occur when we feel that the government is overstepping its authority — when they suddenly have access to data we don’t think they otherwise should.  What interests me most about the ruling, however, is the question: does DNA collection really work? I think there is a legitimate issue of whether law enforcement is more effective when they can obtain this information. I think this is important because if many more criminals are caught who would otherwise not be, then it becomes a discussion of tradeoffs. However, if there is no measurable effect, then the policy seems strictly bad.  Similar questions can — and probably should — be asked of other forms of government data collection and surveillance: unless  there is clear evidence of the effectiveness, where is the justification?

    The other story is one authorizing military commanders to engage in what’s called ‘active defense.’ i.e. to hit back at attackers who conduct cyber attacks on military systems. The benefits of this style of defense have been debated (at least) in the IT security community for many years, and it’s interesting to see acknowledgement of this kind of behavior by the military now. Perhaps this is due to reportedly dramatic increase in espionage from China.  There have also been calls by private companies (e.g,. those victimized by loss of IP) to engage in the same kind of behavior. What is not clear, however, is what force of retaliation is suggested, and what kind of collateral damage may be caused by this.

    Now, to the question of what can individuals do? On one hand there are a host of privacy enhancing technologies and practices that individuals can employ: when searching online, you can use duckduckgo; when looking to browse anonymously you can use TOR; when purchasing groceries, you can use someone else’s loyalty card number; you can choose not to register a DC metro card; etc, etc. This makes us very empowered as consumers. However, on the other hand, at some point, you *will* leave a digital trail. You will need to go outside (where you’re likely to be captured on CCTV); you will need to buy something with a credit card, or take out a loan (adding to your credit profile); make a call on your cell phone; or you will simply forget to use one of those PETs.  And so I’m quite conflicted regarding the extent to which individuals really have any power to control their digital trails at all.  To me, the persistence and ubiquity online tracking and surveillance as an unstoppable force and that while we may be able to redact some entries from the mountains of data files we leave, I don’t see any practical solution to avoiding creation of those files to begin with.

    PDF Program: http://personaldemocracy.com/conferences/nyc/2013/program

  • comScore and their privacy litigation woes

    I recently had a chance to learn about and speak with folks from a company called comScore. Essentially, this company offers free stuff to consumers in exchange for tracking all their web browsing activity. And they can get very detailed information about one’s buying habits. This can be very good for research, and potentially socially useful in other ways (advertising, etc).

    However, collecting that much personal browsing information about so many consumers (millions) seems very very risky. I’ll even go so far as to suggest a ticking timebomb of liability because of the concern of a data breach (i.e. some one hacking into the company stealing all this information). As it turns out, that liability is coming from consumer concerns that the company collected and sold data without the consumers’ consent. (now, I’m not really sure how people would be unaware of that, given that this is the company’s business model).

    I’ve examined privacy litigation in previous work (here: http://ssrn.com/abstract=1986461) and based on our work, that the class was certified in this current laswuist suggests bad news for comScore. We found that class certification was very strongly correlated with settlement. I don’t know how big the class will finally be, but if it does get into the millions, multiply that by the statutory damages from their ECPA and SCA claims and yikes!

    See: http://www.paulhastings.com/publications-items/blog/post/caveat-vendor/2013/04/10/certification-of-privacy-class-harbinger-of-things-to-come-#page=1

  • Tumblr

    By: Hannah Baker

    Link: http://techcrunch.com/2013/02/18/tumblr-is-not-what-you-think/

    Discussion: This post by Adam Rifkin on techcrunch.com discusses Tumblr, one of the newer social networking/blogging websites. According to a quoted survey, Tumblr is now the most-used social networking site among both the 13-18 and the 19-25 age groups. While the survey’s informality and small sample size make its conclusions less than certain, there can be no denying the increasing popularity of Tumblr, especially amongst teenagers.

    But, I can’t be the only one who has been frustrated by trying to read anything on Tumblr. The search is poor, the comment threads are impossible to follow, and the “reblogging” mechanism can make it difficult to figure out who originally posted any particular picture or piece of information.

    What I found most intriguing about the Techcrunch.com post was its suggestion that Tumblr’s technological limitations may be a feature rather than a bug. Rifkin suggests that the problems people have in searching Tumblr is a bonus for many of its users, who want to be anonymous without necessarily gaining a large audience of unknown anonymous internet people. They want a personal page, like a Facebook page, but without Facebook’s corresponding public visibility.

    Rifkin’s idea can be extended to some of Tumblr’s other seeming problems. Conversations and comment threads are difficult to follow, giving people the freedom to comment without complete accountability even to their online personas, yet without having to resort to complete anonymity.

    I like the suggestion that privacy can be protected, not by deliberate privacy controls such as those offered on Facebook, nor by complete anonymity, but by less-than-perfect design. Whether or not Tumblr’s poor search system and lack of a good commenting system are deliberate, they function to protect the users’ privacy, to the point where better technology might be bad for the site.

    This raises the larger question of whether better technology will always take off if it leads to a decrease in privacy. On the one hand, older, more private forms of technology seem generally to be abandoned. Few modifications to a cell phone will give a call the total privacy that comes when calling from a payphone, but payphones are now few and far between. Kindles and other e-readers are becoming increasingly popular, even though the readers’ notes and highlighting may be collected and seen in a way that is impossible with a physical book. On the other hand, Tumblr’s new popularity– despite the fact that, as Rifkin describes, it is a terrible platform by most standard metrics– may point in a new direction.

  • Will Electronic Medical Record Incentives cover HIPAA Reforms?

    By: Katrina Henderson

    President Obama’s 2009 stimulus plan set forth billions of dollars worth of incentives for medical health providers in order to urge them to begin using electronic medical records (EMR). The plan hoped to encourage health care providers to streamline medical care, due to the fact that EMR systems are both more efficient and accurate than paper records. The use of electronic records helps to reduce paperwork, eliminate handwriting errors, coordinate patient care, eliminate unnecessary tests and procedures, as well as provide direct access to health records.

     

    Since this stimulus plan was put in place, the switch to electronic medical records has been quite large. By early 2012, the U.S. Department of Health and Human Services had already spent 25.9 billion on electronic health information systems. Recent research regarding family doctors, which are the largest group of primary care physicians, suggests that in 2011, about 68 percent of family doctors were using electronic health records. This percentage shows the use of such records has doubled between 2005 and 2011. Many health care providers still have concerns regarding these records. The first regarding EMR system is the cost of implementation and training. The second concern is patient privacy and who has access to this protected health information.

     

    When it comes to privacy, the Health Information Portability and Accountability Act (HIPAA) attempts to mitigate any concerns by enacting rules to protect patient privacy. These rules, most recently tweaked by the HIPAA Omnibus Rule, create safeguards, which Covered Entities, and now their Business Associates, must implement in order to better protect patients’ personal health information. The over 500 pages of the Omnibus Rule are quite a lot to grasp. Included within the rules are four final rules, which (1) modify the HIPAA privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), (2) incorporate increased penalty structure within the HIPAA Enforcement Rule, (3) replace the “harm” threshold with a more objective standard under Breach Notification for Unsecured Protected Health information, and (4) prohibit most health plans from the use or disclosure of genetic information for underwriting purposes.

     

    The Rule became effective on March 26, 2013. Covered Entities and Business associates still have 180 days past the effective date to become compliant with the Rule’s provisions. It is too soon to tell whether or not the new rules will be effective in terms of increasing health information privacy. For now the questions many health care providers and the U.S. Department of Health and Human Services may be asking are how much will compliance with these new rules cost and will the government incentives be enough to cover those expenses. It does not seem as though expansion of the use of EMR systems will slow due to the fact that physicians will be assessed a penalty for not adopting an EMR system by 2015. However, there may be a push for more guidance and financial assistance with implementation and compliance measures, especially by the newly liable Business Associates.

     

    References:

    http://health.usnews.com/health-news/news/articles/2013/01/15/many-more-doctors-using-electronic-health-records

    http://www.healthit.gov/patients-families/benefits-health-it

    http://www.medicalrecords.com/physicians/meaningful-use-government-incentives-information

  • HIPPA

    By: Carey Shenkman

    In Florida it is now harder for surviving spouses to obtain health records of diseased loved ones, a victory for more uniform federal healthcare privacy. Indeed, this case is particularly significant given the historical context of HIPAA, which broke significant ground when it was passed. At the same time, the law, since passing, has raised some fears by critics about the expanded federal role in health insurance reform.

    In Opis Management Resources v. SecretaryFlorida Agency for Health Care Administration case ruled that HIPAA (the Health Insurance Portability and Accountability Act of 1996) trumps a Florida statute § 400.145 governing access to health records. The bar set by HIPAA is higher than that in Florida. Under HIPAA, medical records for a diseased party may only be released to a designated “personal representative.” Under the superseded Florida law, several parties including spouses, attorneys, guardians, and other enumerated parties may make such requests.

    This case was an important decision for intersecting issues of federalism and privacy. The rationale of the 11th Circuit Court of Appeals rested largely on the Supremacy Clause and express preemption language in HIPAA. HIPAA provided that the statute “shall supersede any contrary provision of State law,” providing for limited exceptions. The Court of Appeals rejected the State’s argument that the Florida law supplemented, rather than conflicted with, the federal law. The Court held that “The fatal flaw in the State Agency’s argument is that the plain language of § 400.145 does not empower or require an individual to act on behalf of a deceased resident.” Instead, the statute allows what the court called “sweeping disclosures” without requirements for authorization for the individual making the request. The Court also held that 400.145 is not limited in the same way as analogous federal law or regulation.

    Particularly with the complex grid of state-level and federal regulations on privacy, this type of conflict is not an issue that will go away. We already see the potential for state-federal conflict in other privacy spheres, such as through issues of police investigations (such as through video or online surveillance) and commercial use of information. Scholar Michael Hail asserts that state courts are in a way ahead of the curve of their federal counterparts, calling them “more advanced in dealing with judicial policy.” Citing a Georgia Supreme Court decision Pavesich v. New England, Hail writes how the state was at the forefront of crafting a right to privacy. States can serve as laboratories for policy experimentation, but this inevitably leads to conflicts as Opis Management reveals.

    In a sense, as journalist Michael Doyle points out, cases like these are beneficial for healthcare providers themselves who are caught in the middle of conflicting regulatory frameworks. Indeed, nursing home operators cheered the decision in Opis Management.

    Sources:

    http://www.mcclatchydc.com/2013/04/10/188184/florida-and-federal-court-clash.html#.UYPlvbXP168

    http://cdn.intechopen.com/pdfs/13676/InTech-Federalism_privacy_rights_and_intergovernmental_management_of_surveillance_legal_and_policy_issues.pdf

    http://www.ca11.uscourts.gov/opinions/ops/201212593.pdf

    http://www.urban.org/UploadedPDF/NICHOLS.pdf

  • Information Privacy and Health Care

    By: Michael Lucien

    Information privacy in the healthcare context is a very tricky issue.  On one hand, individuals stand to benefit greatly from a more efficient system of storing and transmitting medical information.  On the other hand, health information is among the information that we are the most concerned about falling into the wrong hands.  As such, while many other industries have been quicker to use cloud computing for day-to-day consumer services (examples include: stock trading, online banking, email, social media, many online purchases and even online movie rentals), the healthcare industry has been particularly reluctant to follow suit.  A large part of the hesitation on the part of the healthcare industry stems from regulation-imposed liability from HIPAA.

     

    The aversion to adopting new technology appears to be changing due to two separate happenings.  First, the American Recovery and Reinvestment Act requires that healthcare agents begin migrating patient records and other data to cloud computing by 2015.  Albeit a far off deadline, this has provided some motivation for the industry to modernize.

     

    The second, and perhaps more important happening was the proliferation of Business Associate Agreements (BAAs) under the finalized HIPAA rules as modified by the Department of Health and Human Services.  It was discovered that in earlier versions of the rules, liability only extended to Covered Entities (usually the originators of health information).  The finalized rules make clear that liability should also extend to Business Associates, essentially anyone that in in the course of business with the Covered Entity deals with the protected information.  This development lead to the birth of the BAA.  These are agreements between the originator of the information and the Business Associate that extends liability.  In lieu of these agreements, Business Associate liability would fall to the Covered Entity.   Needing the business of the Covered Entities, Business Associates including could vendors have begun to accept BAAs is droves.  What new innovations lie ahead in the healthcare industry remains to be seen.  What is clear is that thee course for increased efficiency has been paved and consumers stand to benefit.

     

     

    Sources: http://www.healthtechzone.com/topics/healthcare/articles/2013/05/02/336675-healthcare-ready-embrace-cloud.htm

     

    http://www.forbes.com/sites/danmunro/2013/05/01/hipaa-support-widens-in-cloud-vendor-community/