Last week, during a keynote speech to the National Health Information Network Forum here D.C., Health and Human Services (HHS) Secretary Leavitt announced key privacy principles for electronic health information exchange, called The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. Leavitt hopes these principles will guide the actions of all health care related entities that participate in networks that electronically exchange patient health information. The principles in the new Privacy and Security Framework include: Individual Access; Correction; Openness and Transparency; Individual Choice; Collection, Use, and Disclosure Limitation; Data Quality and Integrity; Safeguards; and Accountability.

In tandem, HHS’s Office of Civil Rights also published new HIPAA Privacy Rule Guidance as part of a “toolkit� to implement the new framework of principles. The guidance provides some important clarifying information on how the Privacy Rule governs covered entities involved in electronic health information exchange. For example, the guidance clarifies that covered entities must enter into business associate agreements with HIEs and RHIOs when these entities are exchanging information on behalf of a covered entity (e.g. exchanging data for treatment purposes). The guidance also clarifies that personal health records offered to consumers by covered entities are covered by the HIPAA Privacy and Security Rules. However, the guidance merely encourages covered entities to adopt stronger privacy and security policies for electronic personal health information consistent with the principles in the new framework.
(more…)

There has been lots of discussion in Internet neutrality circles this week about Monday’s Wall Street Journal article claiming that Google, in seeking to enter caching deals with ISPs, is departing from its stance in favor of Internet neutrality. Google and a number of commenters (here, here and here) by now have explained why the article is off base.

Like so many arguments in the Internet neutrality debate, the article is based on fundamental misconceptions about what Internet neutrality, properly conceived, would require. In effect, the article takes aim at an exaggerated, straw-man version of Internet neutrality. But maybe it offers a “teachable moment.” Specifically, clear thinking about this issue requires recognition that:

(1) a neutral Internet does not require some kind of utopian “equality of results,” in which the resources of different speakers have no impact on the prominence and technical sophistication of their communications or services; and
(2) a neutral Internet does not in any way preclude or conflict with the use of caching and content delivery networks (a la Akamai).

(more…)

Writing critically about child pornography and Internet related issues makes any columnist twitchy. Words must be precise, ideas and intent clear, and even then such writing is more like tap dancing through a minefield than it is an editorial undertaking. As a result, the subject of child pornography and those chosen to police it are given little journalistic scrutiny.

Enter Christopher Soghoian, a columnist for CNet who writes the “Surveillance State” blog. Soghoian has stepped up to the plate and taken on what he calls an Internet “sacred cow,” the National Center for Missing and Exploited Children (NCMEC).
(more…)

Guardian, an FBI system for sharing counterterrorism information, suffers from numerous data integrity and management problems, according to a recent Inspector General’s (IG) report. As a result of spotty oversight and noncompliance with internal rules, the report concluded that Guardian consistently holds inaccurate, outdated, and incomplete records. Out of the records the IG examined, 61 percent did not comply with the FBI’s internal standards. Moreover, the report found the overwhelming majority of threat information held in Guardian had no nexus to actual terrorism.

The report’s conclusions have significant implications for civil liberties. There is an increasing trend towards sharing information among federal, state, and local law enforcement and intelligence agencies. One outcome of the trend is a huge influx of baseless threats into databases designed to aid terrorism investigations; these records then require analysis to ensure they are accurate and relate to credible threats. Yet the IG report indicates that FBI officials repeatedly fail to follow rules intended to make the system more reliable. The potential for false inferences and mistakes is amplified when systems like Guardian share information that is inaccurate or outdated with multiple agencies, some of which doubtlessly have less stringent safeguards than those of the FBI.

Guardian is an automated system the Bureau developed to collect, store, and assign responsibility for follow-up on terrorism-related tips and reports. Employees of the FBI and other government agencies, including the Department of Defense, can query Guardian to gather intelligence. The FBI’s Counterterrorism Division (CTD) set internal procedures for using Guardian. In this report, the IG for the Department of Justice audited the FBI’s oversight and implementation of these policies.

The IG report found that CTD’s procedures are often not followed. Of the examined records, 30 percent were incomplete, hampering the accuracy and search capability of Guardian’s records. Timeliness of records also affects accuracy, and the IG report discovered that 28 percent of low-priority threats were not assessed during the 30-day period established under the CTD criteria. This indicates that potentially baseless threat reports lay unresolved in the system longer than necessary, increasing the risk that users could take action based on unfounded suspicions.
(more…)

We’re heading into flu season, though we don’t yet know exactly when, where, or how hard the disease will strike. As the New York Times reported, this year Google may be able to help us predict outbreaks as much as a week to 10 days before the Centers for Disease Control and Prevention can. Google Flu Trends compiles individuals’ searches on flu-related terms from across the U.S. and creates visuals that show their volume and geographic source. As it turns out, those trends are closely correlated with actual outbreaks reported by the medical establishment.

Good news for syndromic surveillance, but is it good for privacy? Google Flu Trends assures us that its data “can never be used to identify individual users�. Perhaps. We would all rest easier if Google would be more transparent about how it assures that identification won’t happen. And such assurances are getting harder to back every day.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule includes guidelines on how to “de-identify� health data to protect personal privacy while enabling it to support social goods like improving the quality and safety of health procedures, public health, and medical research. But the Privacy Rule hasn’t kept up with the times, even though the authors’ intention was that it should evolve. For one thing, it doesn’t apply to Google… or a host of other companies and organizations that now access and use personal health data.
(more…)

On Election Day last week, the legal community was momentarily distracted from the momentousness of the election by the possibility that the Supreme Court Justices might utter profanities in the hallowed chamber. Sadly, they restrained themselves. But the lack of “f-bombs� (as the Solicitor General called them) didn’t take away from the intrigue surrounding the oral argument in FCC v. Fox – the amusing but important case that challenges the Federal Communications Commission’s regulation of one-time or “fleeting� expletives on broadcast television.

It hasn’t been clear why the High Court decided to take this case in the first place. The key question before the Justices is whether the FCC violated the Administrative Procedure Act’s prohibition against agency action that is “arbitrary and capricious� when the Commission – reversing decades-long policy – suddenly began fining television stations for airing fleeting expletives during daytime and primetime hours.

(more…)

During all the US election news, I missed a good story in the International Herald Tribune on the country of Macedonia’s push toward E-Government:

A lucrative annual permit to haul freight across the border between this Balkan country and Greece used to cost Macedonian truckers as much as €2,500 in bribes per vehicle.

But that changed two years ago, when the Ministry of Transport and Communications adopted a computer system to electronically assign licenses. Now truckers pay only about €100, or about $127, in application fees for a cross-border license. And the annual two-week period for license applications closed in October with no sign of the angry crowds of truckers who used to picket outside government offices here.

“We trust the system – we trust the computer,” Blagoja Voinov, who owns a dozen 40-ton trucks, said through a translator.

I visited Macedonia to speak on promoting E-Government in 2004 via a program sponsored by US AID. At that time, there was a big discussion about the old guard civil servants who had no use for E-Government not so much because it assured them bribe money, but because it outdated their skills as bureaucrats. This is an obstacle that exists in Europe and North America at a more subtle level, but something that will need to be recognized if we are to succeed in promoting E-Government and E-Democracy.

I am glad to see that progress was made on some fronts in Macedonia. Now we need to see what we can learn from their experience.

What does Obama’s big win yesterday augur for CDT’s work on Internet policy?

Well, about a year ago the Obama campaign issued a very thoughtful position paper on technology and innovation. It does an excellent job identifying the key issues, and CDT stands ready to provide counsel and input to the new administration as it gets into the details. We look forward to the opportunity to have a productive working relationship with the Obama administration on matters relating to the Internet, innovation, and free expression.

In terms of specific areas where CDT sees an opening for progress, I would emphasize at least three.

–Using technology to make government more accessible and user-friendly. The Obama campaign was incredibly successful in harnessing online social networking and other Internet tools to inform and involve voters and supporters. Hopefully the Obama Administration can use the lessons it has learned to improve the way citizens interact with government.

–Preserving the Internet’s open character. The Obama Administration can be expected to place a high value on the Internet’s unique openness to independent innovation and speech. This should be true domestically, where the open architecture of the Internet should be protected against encroachment by either government or private actions. And the Administration should seek to promote Internet openness in other countries, perhaps including through support of efforts like the Global Network Initiative that CDT recently helped launch.

–Protecting citizen’s privacy. CDT is hopeful that the Obama Administration, together with the next Congress, will take an active interest in trying to update and modernize privacy protections for the digital age. The goal should be to provide citizens with more control over how their personal information is collected and used. This will require working to tighten privacy laws, and also to improve technology-based tools that can empower Internet users.

This isn’t a comprehensive list; CDT earlier set forth its broad platform for a new Administration and Congress. And of course the new Administration will have lots of priority issues to grapple with, starting with the ongoing economic turmoil. But based on Obama’s platform as a candidate, CDT is optimistic that key Internet and technology issues will be in the mix.

Ineffective oversight has led to “numerous, significant vulnerabilitiesâ€? in the system that safeguards electronic protected health information (EPHI), according to a government report released last week. In addition, the report found that the agency charged with oversight of HIPAA’s Security Rule had not conducted a single compliance review nor levied any civil penalties at the time of publication. The report also warned that poor enforcement has placed confidentiality of EPHI at “high risk.â€?

No wonder nearly two-thirds of Americans distrust the privacy of electronic medical records.

The Inspector General (IG) for the Department of Health and Human Services (HHS) issued the study on implementation of HIPAA’s Security Rule. The findings were alarming in what they suggested about the integrity of American medical records. The report also reinforced CDT’s repeated calls for stronger enforcement of the HIPAA Privacy and Security Rules.
(more…)

The Election of the Century is just a day away. Lots of things are on the electorate’s mind, but we here at CDT hope the next president – whomever he is – devotes considerable attention to one last major issue: global Internet freedom.

What is Global Internet Freedom?

Whether you call it global Internet freedom, digital human rights, or something else, it’s the idea that governments around the world will not interfere with the free flow of information and ideas on global communications networks, particularly the Internet.

It’s the idea that governments will respect, regardless of the medium of communication, the universally recognized human rights of freedom of expression and privacy enshrined in global documents like the Universal Declaration of Human Rights.

It’s the idea that governments won’t directly or indirectly (for example, by putting pressure on technology companies) block, take down, or otherwise engage in censorship of online content, and access users’ personal information, conduct electronic surveillance or persecute cyber dissidents and citizen journalists.

However, many governments are successfully remaking the Internet into a tool of government control. They recognize that the Internet has become a global communications medium that fuels both economic growth and democratic reforms. The global Internet’s inherent openness and lack of central control is particularly threatening to authoritarian countries and those with weak rule of law and poor human rights records. Such countries want to harness the Internet’s economic power while limiting the personal freedoms the medium bestows, and are making significant strides to do so.
(more…)