Blog

Earlier this year, Facebook filed a patent application claiming a method for identifying camera signatures based on features extracted from uploaded images, including faulty pixel positions in the camera and metadata available in files storing the images. The patent also claims a method for making inferences about the users associated with the cameras. For reference, the abstract of the patent application is included below:

Images uploaded by users of a social networking system are analyzed to determine signatures of cameras used to capture the images. A camera signature comprises features extracted from images that characterize the camera used for capturing the image, for example, faulty pixel positions in the camera and metadata available in files storing the images. Associations between users and cameras are inferred based on actions relating users with the cameras, for example, users uploading images, users being tagged in images captured with a camera, and the like. Associations between users of the social networking system related via cameras are inferred. These associations are used beneficially for the social networking system, for example, for recommending potential connections to a user, recommending events and groups to users, identifying multiple user accounts created by the same user, detecting fraudulent accounts, and determining affinity between users.

The “fingerprinting” of cameras claimed in the patent poses several privacy concerns. Although Facebook states that the claimed process could be used as a means of “identifying multiple user accounts created by the same user, detecting fraudulent accounts, and determining affinity between users,” the process also significantly diminishes the ability of individuals to anonymously take and upload photos online. Currently, individuals have several means to protect their privacy through the removal of geolocation and other metadata before uploading their photos to online services such as Facebook. The process claimed by Facebook in this patent application would essentially override the ability of users to remove metadata and protect their privacy by identifying data directly from the camera—such as lens scratches or flawed pixels.

Though technical solutions could be used to maintain anonymity even if Facebook’s patent application goes through—including, for example, an application that randomly includes flawed pixels or minor lens scratches to photographs before they are uploaded without diminishing overall picture quality—we should nonetheless question whether the benefits introduced by this new patent application outweigh the privacy risks.

References:

https://www.google.com/patents/US20150124107

http://www.imaging-resource.com/news/2015/09/18/facebook-wants-to-be-able-to-fingerprint-a-single-im

http://venturebeat.com/2015/09/18/facebook-files-patent-for-using-a-photos-camera-signature-to-connect-you-with-other-users/

http://www.geek.com/news/facebook-developing-way-to-fingerprint-the-camera-you-used-to-take-a-photo-1634542/

http://thenextweb.com/facebook/2015/09/22/facebook-seeks-patent-on-process-that-would-id-your-camera-and-images/

The FDA has just determined that the New Drug Application combining schizophrenia medication Abilify with a chip / ingestible sensor, is sufficiently complete to allow for a substantive review. The technology essentially allows the patient to log his medication and communicates with doctors and caregivers notifying them when the medication was taken. While the chip itself had been previously approved, the approval was limited to placebo pills in the past. This is the first time it is combined with an existing medication.

The company behind this device is California based Proteus Digital Health, whose investors include Oracle and Novartis. The digital pill is aimed at solving the known problem of medication adherence and the resulting unnecessary escalation of conditions and therapies. Patients who don’t take their prescription medication as prescribed (about 50% of them), cost the U.S. health care system an estimated $290 billion in avoidable medical costs each year. According to Proteus, “this is a problem with the product, not the patient.” They believe that providing the right technology to individuals who deliver and receive healthcare, can be the basis of a more effective health system “focused on daily care and new information-based business models.”

Proteus’s “digital pill” includes a patch worn on the torso and an app on a Bluetooth-enabled mobile device. The chip in the pill is about the size of a grain of sand and is made mostly out of silicon, but also contains small amounts of copper and magnesium. Once the pill reaches the stomach and is ingested, the magnesium and copper in it reacts with the acid in the stomach to create a small electrical charge that can be read from the surface of the skin through the detector patch. The technology not only allows doctors to know if/when patients have taken their medications but can also allow them to better assess if a person is responding to a given dose, or if that dose needs to be adjusted. Earlier releases of the technology suggest that sensors on the chip also detect heart rate and can estimate the patient’s amount of physical activity, though it is not clear if these features are included in the most recent application.

While medication adherence is in fact a serious problem with serious costs, it is hard not to think of the privacy implications such devices can have down the line. Similarly to all health apps, there are novel privacy issues in play. The FDA may very well have assessed their safety issues, but it surely is not the appropriate body to assess the privacy risks. As with all new technologies, the privacy debate is more likely to escalate later in the process, but this can be especially problematic given the time and costs of going through the FDA approval process and getting specific patents granted and approved. It would arguably be more efficient to engage in the discussion earlier, paralleling the idea of “privacy by design” instead of retro-actively fighting for changes in finalized versions of specifically approved and patented technologies. It is hardly a stretch to imagine digital pills being used to extract a lot more data than simple medication adherence information, and marketers viewing them as data gold mines that can be used to infer all sorts of information.

The extent to which these devices will be covered by HIPPA is not clear and can depend on the players in question and the exact data transmitted, for instance whether data falls under Protected Health Information. Perhaps the FTC guidelines on mobile app disclosures can be a starting point for the discussion, at a minimum providing a framework for developers to think through the design and functionality of the products in light of privacy issues.

References:

http://www.proteus.com/press-releases/u-s-fda-accepts-first-digital-medicine-new-drug-application-for-otsuka-and-proteus-digital-health/

https://iapp.org/news/a/digital-pill-closer-to-approval/

http://www.ft.com/intl/cms/s/0/decece84-57b1-11e5-a28b-50226830d644.html#axzz3lSyzOqE8

https://www.washingtonpost.com/national/health-science/smart-pills-with-chips-cameras-and-robotic-parts-raise-legal-ethical-questions/2014/05/24/6f6d715e-dabb-11e3-b745-87d39690c5c0_story.html

http://www.forbes.com/sites/singularity/2012/08/09/no-more-skipping-your-medicine-fda-approves-first-digital-pill/

https://gigaom.com/2013/05/01/company-behind-digital-pill-with-embedded-chip-raises-62-5m/

The summer news provided the Privacy Research Group with quite a bit of discussion. The one topic that provoked the liveliest debate was the recent hack and public release of data from Ashley Madison. The site is designed to be a dating app for extra marital affairs and was recently hacked by the “Impact Team.” They claimed that the site is a “prostitution/human trafficking website for rich men to pay for sex.”[1] The Impact Team sought to frame its hack as one that held the moral high ground by seeking to shut down Ashley Madison.

Because of the nature of the site and its professed purpose, Americans have spent the last few weeks debating the role of morality in deciding who is entitled to privacy protections. While most are likely sympathetic to the argument that everyone is entitled to privacy, there must be a line on which information is worth protecting. For instance, child pornographers should and likely do not have an expectation of privacy because of their illegal and immoral activities.

In an excellent piece on Daily Nous, several philosophers attempted to answer some outstanding questions regarding moral judgment and vigilantism that have been raised in the aftermath of the release of data.[2] Jonathan Ichikawa argues that the Ashley Madison customers are victims of an illegal attack, regardless of their indiscretion. Just as society should not victim blame for other crimes, users of Ashley Madison are victims in this unfortunate scenario. He also reminds readers that there are understandable reasons to use a site such as Ashley Madison. For instance, some are in open relationships or “are closeted LGBTQ people who need discretion.”[3]

In another post, Hallie Liberto compares hackers who expose corporate wrongdoing to the hackers of Ashley Madison.[4] She ponders why the reaction to hackers exposing corporate illegality should differ from the reaction to the Impact Team. While there may be some legitimate open relationships, people who wish to cheat on their partners are likely breaking significant promises, deceiving partners to stay in a relationship longer, and potentially undermining sexual consent. She argues that the reason society tends to treat these two similar hacks differently is because of the nature of how society treats sex and sexual assault. According to Liberto, society treats these topics as private to the detriment of open discussion.[5] Without the open discussion, the Impact Team has been cast negatively.

Society will continue to grapple with these ethical questions. There will be many more hacks of morally questionable websites, and it is important to have a vigorous debate about the moral and ethical boundaries of privacy.

[1] Rhiannon Williams, Ashley Madison Hack: The Depressig Rise of the ‘Moral’ Hacker, The Telegraph, (Aug. 20, 2015), http://www.telegraph.co.uk/women/womens-life/11814054/Ashley-Madison-hack-The-depressing-rise-of-the-moral-hacker.html.

[2] Philosophers on the Ashley Madison Hack, Daily Nous, (Aug. 24, 2015), http://dailynous.com/2015/08/24/philosophers-on-the-ashley-madison-hack/.

[3] Id.

[4] Id.

[5] Id.

April 22, 2015

Government (Finally) Takes a Concrete Step to Fight Identity Theft: Medicare Cards No Longer to Include Social Security Numbers

President Obama recently signed a bill to stop the printing of Social Security numbers on Medicare cards.  The bill, entitled the Medicare Access and CHIP Reauthorization Act of 2015, is focused on overhauling the way that doctors are paid for treating Medicare patients.  However, it also includes a provision mandating that Social Security account numbers must not be “displayed, coded or embedded on the Medicare card.”  Importantly, the bill provides $320 million over four years to pay for this change.

Private insurers long ago abandoned the use of social security numbers to identify individuals based on fears of identify theft and fraud.  In fact, the federal government forbids private insurers who provide medical or drug benefits under contract with Medicare from putting Social Security numbers on insurance cards.  Medicare itself, however, has not yet discontinued the practice.

Passage of the bill illustrates how a problem can have a seemingly simple fix (like removing a number from a card), yet nevertheless require a mammoth effort over countless years.

Staggering Potential for Identify Theft and Fraud

Medicare currently uses social security numbers as the primary means of identifying beneficiaries, and the numbers are placed on the front of each card it issues.  And that is a lot of cards.  Medicare currently covers approximately 50 million people.  An additional 4,500 people reportedly sign up for Medicare each day.  It is expected that 18 million additional people are will qualify for Medicare in the next decade, bringing Medicare enrollment to 74 million people by 2025.

Government’s Slow Response to Calls for Change

Consumer advocates and government officials had long argued for the change.  In 2004, the Government Accountability Office began urging officials to curtail the use of Social Security numbers as identifiers.  In 2007, the White House’s Office of Management and Budget called for federal agencies to stop collecting and using Social Security numbers within two years.  A year later, the inspector general of the Social Security program called for an immediate remove of the numbers from Medicare cards based on the risk of identify theft.  Nevertheless, the Department of Health and Human Services (which supervises the agency that administers Medicare) did not respond to calls for change.

Congress finally acted in response to the rash of recent cyberattacks, including the data breach at health insurer Anthem, and the proliferation of electronic health records.

Changing Cards Will Be Neither Simple Nor Quick

The switch to cards without the Social Security numbers might sound like a simple fix, but the budgetary and logistical challenges are enormous.  The agency that administers Medicare depends on 200 computer systems and pays over a billion claims every year from 1.5 million health care providers.  Accordingly, the bill gives Medicare officials up to four years to start issuing cards with new identifiers, and four more years to reissue cards that current beneficiaries hold.

Exact details of how Medicare beneficiaries should be identified are yet to be worked out.  In addition, some worry that even the $320 million provided in the bill will not be enough to complete the switch.