Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for September, 2009

ICANN, US Government Affirm Private Sector Lead in Domain Name Governance

Wednesday, September 30th, 2009

The US government today agreed to loosen the sway it has long held over the Internet Corporation for Assigned Names and Numbers, the private, non-profit body that oversees administration of the Internet’s addressing system. Allowing an 11-year-old and much-revised “Joint Project Agreement” between the Commerce Department and ICANN to lapse, the two signed an “Affirmation of Commitments” in which ICANN agreed to create international review teams to assess its transparency and accountability, its protection of the security of the domain name system, its approval of new domain names and domain names using non-Latin characters, and its management of a database identifying the owners of domain names.

CDT is pleased to see this reaffirmation of the bottom-up, private sector led model for governance of the domain name system. We’re also pleased to see that this new document describes ICANN’s role solely in terms of the technical management of the domain name system and does not speak more broadly of other Internet issues that should be outside ICANN’s purview.

The big remaining questions of accountability are how to create a system whereby anyone (a government, a business, an individual) can appeal the decisions of the ICANN Board, and by what standard such appeals will be judged. Those key questions could not have been answered at this time, but they do need to be answered.

CDT was involved in the process by which ICANN was created in 1998 and has been involved in the debate over its role and accountability ever since. In June of this year, we issued detailed recommendations on ICANN’s future, in which we spelled out how an appeals process would work without governmental intervention.

Great Wrap-Up from Last Week’s Health IT Event

Wednesday, September 30th, 2009

Alex Howard put together a fantastic write up of our panel discussion last week about the progress that has been made nine months into the implementation of the HITECH provisions of the American Recovery and Reinvestment Act of 2009. You can check out video from the event here and Alex’s write up for SearchCompliance.com here.

Netflix Needs to Put “Privacy Risks” in Their Queue

Wednesday, September 30th, 2009

Netflix recently announced winners of the one-million-dollar “Netflix Prize” and its plans for a new competition, creatively dubbed “Netflix Prize 2.” Although details of this second contest still haven’t been made public, the New York Times has reported that competitors will be challenged to “model individuals’ ‘taste profiles’,” based on a dataset that will hold “demographic and behavioral data,” including information about members’ ages, gender, ZIP codes, genre preferences, as well as their rental histories and movie ratings.

The announcement of Netflix Prize 2 illustrates the continued blinders that companies have about the ease with which individuals listed in supposedly anonymized datasets can be identified. The ostensibly anonymized dataset released to the public for Netflix Prize was limited to the video rental histories of 480,000 Netflix subscribers, the ratings (1-5 stars or “no rating”) that subscribers gave each movie, and the date that subscribers rated each movie. As law professor and CDT Academic Fellow Paul Ohm has pointed out, between 2006 and 2008, researchers Arvind Narayanan and Vitaly Shmatikov showed that if you know just a little information about a friend’s (or enemy’s) movie-viewing habits, using the Netflix Prize database you can likely uncover every movie your friend ordered through Netflix and how she rated it.

Add demographic and behavioral data into the mix and how do you even take seriously claims that the data has been and will remain de-identified?

Netflix is far from the only company releasing easily de-anonymized data under pretenses that the sets’ contents are unidentifiable. From the user identifications that came out of AOL’s infamous data release to Latanya Sweeney’s use of Massachusetts residents’ ZIP code, birth date, and gender – all found in public voter rolls – to identify individuals whose “anonymized” hospital records had been publicly released, the pretense of anonymization is time and again revealed as false. Companies need to own up to the privacy risks inherent in releasing such data and find more comprehensive and robust methods for truly de-identifying their data and protecting their customers.
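The Sweeney linkage just described (ZIP code, birth date, gender) and the demographic fields planned for Netflix Prize 2 are quasi-identifiers: fields that are not names but that, in combination, single out one person. The check a data holder should run before any release is whether those fields alone isolate records, and whether coarsening them changes that. The Python below is an added example, not code from CDT, Netflix or the researchers named in the post; the records, field names, generalisation rules and the k threshold are constructed assumptions.

```python
"""Pre-release re-identification risk check based on k-anonymity.

Added example, not code from the CDT post. It treats the demographic fields the
post says the Netflix Prize 2 dataset would carry (ZIP code, age, gender) as
quasi-identifiers, measures how many records they single out, and shows how
generalisation and suppression raise the minimum group size k before release.
Every record below is constructed; no real subscriber data is involved.
"""
from __future__ import annotations

from collections import Counter
from typing import Callable, Hashable

# Constructed sample records (invented values, not real subscribers).
RECORDS = [
    {"id": 1, "zip": "02139", "age": 34, "gender": "F", "top_genre": "drama"},
    {"id": 2, "zip": "02139", "age": 34, "gender": "M", "top_genre": "comedy"},
    {"id": 3, "zip": "02138", "age": 31, "gender": "F", "top_genre": "horror"},
    {"id": 4, "zip": "02138", "age": 61, "gender": "F", "top_genre": "drama"},
    {"id": 5, "zip": "02140", "age": 34, "gender": "F", "top_genre": "drama"},
    {"id": 6, "zip": "02140", "age": 35, "gender": "M", "top_genre": "action"},
    {"id": 7, "zip": "90210", "age": 45, "gender": "M", "top_genre": "comedy"},
    {"id": 8, "zip": "90211", "age": 47, "gender": "M", "top_genre": "comedy"},
]

KeyFn = Callable[[dict], Hashable]


def exact_key(rec: dict) -> tuple:
    """Raw quasi-identifiers as they would appear in a naive release."""
    return (rec["zip"], rec["age"], rec["gender"])


def generalised_key(rec: dict) -> tuple:
    """Coarsened quasi-identifiers: 3-digit ZIP prefix and a 10-year age band.
    The coarsening rule is an assumption chosen for this example."""
    return (rec["zip"][:3], rec["age"] // 10 * 10, rec["gender"])


def k_anonymity(records: list[dict], key_fn: KeyFn) -> tuple[int, int]:
    """Return (k, singletons).

    k is the size of the smallest group of records sharing a quasi-identifier
    value; singletons counts records that are alone in their group, i.e. pinned
    down by anyone who already knows those few facts about the person.
    """
    counts = Counter(key_fn(r) for r in records)
    k = min(counts.values()) if counts else 0
    singletons = sum(1 for r in records if counts[key_fn(r)] == 1)
    return k, singletons


def suppress_small_groups(records: list[dict], key_fn: KeyFn, k_min: int) -> list[dict]:
    """Drop records whose quasi-identifier group is smaller than k_min, so the
    remaining release is k_min-anonymous under key_fn."""
    counts = Counter(key_fn(r) for r in records)
    return [r for r in records if counts[key_fn(r)] >= k_min]


def release_report(records: list[dict] = RECORDS, k_min: int = 2) -> dict:
    """Summarise the risk at each step; a release stage with k == 1 should not ship."""
    raw = k_anonymity(records, exact_key)
    gen = k_anonymity(records, generalised_key)
    kept = suppress_small_groups(records, generalised_key, k_min)
    final = k_anonymity(kept, generalised_key)
    return {
        "raw": {"k": raw[0], "singletons": raw[1], "records": len(records)},
        "generalised": {"k": gen[0], "singletons": gen[1], "records": len(records)},
        "released": {"k": final[0], "singletons": final[1], "records": len(kept)},
    }


if __name__ == "__main__":
    for stage, stats in release_report().items():
        print(f"{stage:12s} k={stats['k']} singletons={stats['singletons']} "
              f"records={stats['records']}")
```

On the constructed data every record is unique on the exact fields (k = 1, eight singletons), one record is still unique after generalisation, and only after suppressing that record does the release reach k = 2. Adding a column such as rental history to a release of this kind multiplies the number of distinct combinations, which is why the post's concern about combining demographic and behavioral data is well founded; this check only measures the demographic part.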

Health IT Policy Panel: Video

Wednesday, September 30th, 2009

CDT recently hosted the “Implementing Health IT: Progress and Promise” panel at the National Press Club. The event focused on the progress that has been made nine months into the implementation of the HITECH provisions of the American Recovery and Reinvestment Act of 2009. A short video recapping the highlights of the panel discussion can be found here.

Moderated by Leslie Harris, CEO and President of CDT, and sponsored by Gemalto, the panel included renowned experts from the field of health IT:

Deven McGraw is the Director of the Health Privacy Project at CDT, where she focuses on developing and promoting policies that ensure privacy in health IT. She also serves on the Health IT Policy Committee, a federal advisory committee established in the American Recovery and Reinvestment Act of 2009.

John D. Halamka, MD, MS, is the Chief Information Officer at both Beth Israel Deaconess Medical Center and Harvard Medical School. At Beth Israel Deaconess, he is responsible for information technology serving two million patients. Dr. Halamka is also co-chair of the federal Health IT Standards Committee and a practicing emergency physician.

Jamie Ferguson, a nationally recognized expert on health information interoperability, is the Executive Director of Health IT Strategy and Policy for Kaiser Permanente. He also serves as co-chair of the Clinical Operations Workgroup of the Health IT Standards Committee.

Peter Basch, MD, FACP, is the Senior Fellow for Health IT Policy with the Center for American Progress and serves as the Medical Director for Ambulatory Clinical Systems at MedStar Health, an eight hospital not-for-profit health system in the Baltimore-Washington corridor. In 2007, he received the HIMSS Physician IT Leadership Award. Dr. Basch practices general internal medicine in Washington, D.C.

A Transparent TARP?

Wednesday, September 30th, 2009

Recently, CDT was asked to testify about the ways that technology can be used to improve financial oversight during a 2009 congressional session that saw “bank bailouts,” “housing markets” and “economic stability” become commonly used buzzwords. While TARP and mortgages aren’t our usual area of expertise, we have a lot to say on how Congress can ensure that the databases supporting these endeavors can help the government be more transparent and protect privacy at the same time.

The Troubled Asset Relief Program – or TARP – has been in the news a lot lately, as the program designed to strengthen the financial sector comes under scrutiny from the media and the public to figure out whether or not the program is actually working. Unfortunately, there hasn’t been an effective way to track TARP funding, in part because so many agencies are involved in distributing the money. One of the bills we discussed, H.R. 1242 (and companion bill S. 910), would create a centralized database for TARP information. It’s surprising that a program of this size doesn’t already have a way to consolidate the information around its expenditures, but not even the oversight committee has an easy time tracking the dollars. TARP funds are distributed by 25 agencies, using incompatible and outdated systems to track spending. The H.R. 1242 database would not only centralize this information for easy access, but would require almost real-time updates to the information.

We believe that the database needs to be made public in order to allow the media, watchdogs, and citizens to see how TARP money is being spent. A good example to follow is the Recovery.gov website, which pulls together information from the 28 agencies distributing Recovery Act funds. The site allows users to sift through stimulus contracts in useful ways and, though not perfect, it is an incredibly important step in keeping the public in-the-know. The lack of a similar site for TARP has made it difficult for the public to understand the program – so it’s a perfect opportunity to make a government database public.

Another bill we talked about in our testimony, H.R. 932, looks to improve technology for oversight on housing issues by linking location information to mortgage information, making it easier to track foreclosures, abusive lending practices, and vacancies. Currently, land parcel information is kept by counties, but centralizing it would allow regional analyses of the housing crisis and regional responses. Of course, if regional geo-databases are created, they may not fall under the privacy protections imposed on the federal government. In that case, it will be vital to ensure that the databases are subject to privacy and security protections. The financial information that can be correlated to land parcels is both personally identifiable and sensitive, as financial information is defined as sensitive by almost all definitions.
(more…)

Letters to Medicare Enrollees Pose Potential HIPAA Violation

Tuesday, September 29th, 2009

Last week we learned that Humana — and possibly some other Medicare plans — inappropriately used enrollees’ personal data to send them letters saying they could lose their benefits and services due to the impending health care reform legislation in Congress. The Centers for Medicare and Medicaid Services (CMS) called on all plans serving Medicare beneficiaries to stop such communications and launched an investigation into whether Humana’s use of the personal data violated any federal laws.

Some reacted by accusing CMS of trying to squelch the “free speech” of private health plans – but whether Medicare has the right to place some limits on communications from its contractor plans is only one of the issues implicated by this activity. Humana — in using enrollees’ names and addresses to facilitate communications — arguably committed a violation of the HIPAA Privacy Rule. The Privacy Rule sets forth very specific rules governing how health plans (and other health care entities) access, use and disclose an individual’s protected health information (PHI), which includes mere demographic data like names and addresses. We do not see how the Privacy Rule permits plans to use enrollee personal data for this purpose.
(more…)

iHealthBeat Perspectives Article: “HHS Holds Keys to Next Generation of Health Information Privacy”

Friday, September 25th, 2009

CDT published an article in iHealthBeat yesterday, calling on the U.S. Dept. of Health and Human Services (HHS) to take charge on privacy issues. In the iHealthBeat article, CDT points out that HHS should take full advantage of the opportunities before it to establish strong rules in favor of privacy and meaningful enforcement. CDT also urges HHS to enhance communication and coordination on privacy issues within its subagencies and other federal agencies.

The American Recovery and Reinvestment Act of 2009 (ARRA) makes a significant taxpayer investment in health information technology (health IT). A new generation of improved privacy protection is critical to preserve patient trust in a system of digitized health records. In ARRA, Congress provides HHS with numerous opportunities to strengthen privacy in health care, such as through rulemakings and staff appointments.

There is some evidence of improvement in both the coordination and regulation areas. For example, the HIPAA Privacy and Security Rules were previously enforced by two different offices within HHS, but both are now enforced through the Office of Civil Rights (OCR). HHS should grab this opportunity to ensure better compliance and enforcement with the Privacy and Security Rules. To do so, OCR will have to coordinate closely with the HHS Office of the National Coordinator (ONC), which oversees the national strategy for the electronic health information exchange.

In the area of regulation, HHS took some positive steps forward in its recent breach notification rulemaking. HHS granted an exemption to notification of data breaches in instances where the data was protected through strong encryption or destruction standards, but HHS declined to extend the same exemption to limited data sets. However, HHS also included a “harm standard” which allows health care companies to decide for themselves whether to notify patients of a breach if they determine the breach does not pose a ‘significant risk’ of financial, reputational or other harm to patients. This harm standard undermines the incentives for health care companies to encrypt data in the first place.

(See CDT’s recent blog post on the HHS harm standard for more information.)

As the iHealthBeat article points out, there are still a lot of chances for HHS to establish and implement patient-oriented health privacy rules. Through ARRA, Congress laid the groundwork for effective system-wide stewardship of patient data – but this promise will not be realized without strong leadership from HHS.

Guest Blog Post on PATRIOT Act

Thursday, September 24th, 2009

Recently, CDT’s Gregory Nojeim wrote a guest blog post on the American Constitution Society’s blog. Greg discussed the expiring provisions of the PATRIOT Act and examined current legislation in the Senate. Check out the post here at ACS’s blog. Thanks again to ACS for the opportunity.

CDT Celebrates One Web Day

Tuesday, September 22nd, 2009

Today is One Web Day — a day to acknowledge the many ways in which the Internet has made and will make the world a better place. Some will engage in service projects to get more people online. Some will educate each other regarding the policy issues that will determine how online society develops. Some will organize group action to improve the Net. Some will just have a good time with friends.

This morning, the local DC celebration of OneWebDay included a panel presentation on Capitol Hill during which many “bold ideas” for the future of the Internet were discussed. Everyone in the room seemed to share a certain optimism that the Net can help us deal with the challenges of health care, education, providing employment opportunity and more.

Because CDT Fellow David Post wrote the book about Jefferson’s moose (In Search of Jefferson’s Moose — Notes on the State of Cyberspace), we particularly like the “Moosical” that Mario Tosto published in honor of One Web Day.

CDT is celebrating by inviting you to read and sign “A Call to Defense and Celebration of the Online Commonwealth.” We think that would be a great way to celebrate this inspirational day.

FCC Chairman Hits the Right Notes in Neutrality Speech

Tuesday, September 22nd, 2009

FCC Chairman Julius Genachowski this morning ushered in a new phase of the long-running Internet neutrality debate. Over the past few years, the FCC has established some basic principles in a “Policy Statement.” It has issued Notices of Inquiry on network practices and held public meetings on the topic. And it has accused Comcast of violating the Policy Statement, resulting in a pending lawsuit. But now, the FCC will seek to adopt actual rules.

Genachowski’s speech touched on many themes that CDT has been stressing for a long time. (CDT issued this statement shortly after the speech was publicly released.) It is great to see that the FCC’s Chairman shares our perspective to such a remarkable degree. For example:
(more…)

About the Blog

    PolicyBeta is a forum for CDT experts to discuss news and developments in the technology policy arena. Visitors are encouraged to comment on the blog or email the authors.

    Our goal with PolicyBeta is to foster thoughtful discussion regarding technology policy as it relates to civil liberties and democratic values. While we encourage comments, we must insist that they be focused, relevant and written in a tone that is respectful of other posters. For more information, please feel free to contact PolicyBeta editor Brock Meeks.

    Check the main CDT site for complete, up-to-date information on CDT initiatives and activities.
