
It's past time for us to get serious and apply HIPAA-style protection to the storage and transmission of PII, without exemptions.

Companies like Facebook will complain loudly that they won't be able to survive, but that is not our problem. If we pass legislation with teeth, they will need to change their business model. That would be the point.



Zoom has allegedly HIPAA-compliant BAAs with users in the health space. If any PHI data is making it over to Facebook without a similar agreement from Facebook, Zoom is in for some trouble.


IP address, telephone number, city and other identifying information is ALL considered PII.

I work with (adjacent industry) HIPAA protected data, which is considered PII by virtue of knowing Bob Smith is in the system. If they're under a BAA and sending that information to Facebook they're in violation.

If one of my sub-processors did this my lawyer would be livid. But hey, it's Silicon Valley, don't harsh their buzz man.


How do you even report something this technical to non-technical folks who oversee HIPAA? Would you have to do a case-study-style write-up?


As if it's a binary definition - technical and non-technical. Unless they're Amish, I don't see why it can't be reported in plain terms.


There are plenty of technical people overseeing HIPAA.


I am working on adding a Zoom client to a medical device right now :)


People aren't allowed to go through my mailbox and sell that information. I don't see how this is any different.


They are allowed to look at you and take notes and sell them.


Stalking is considered illegal in most states and countries.

Frankly I can't figure out why stalking a single person is illegal but stalking a billion people is considered good business.


I understand stalking involves more than taking notes and selling them though. The other person has to feel threatened or such. Now maybe you can make the case that you feel threatened by Facebook, and maybe you can sue them individually (good luck), but I doubt you can make the case that most people feel this way.


> The other person has to feel threatened or such.

Nope, they just have to want it to stop :)


Depending on the specifics they may not be. I live in a Condo tower and my mailbox isn't visible from the street, so if you decided to take notes on me as I read my mail you'd be trespassing.

The specific scenario isn't the point - but the fact that a semi-obvious scenario could be incorrect sorta is. Regulations are complex and tech has a terrible history of playing fast and loose with regulations so it's not like an imposition of regulations would be inappropriate or unwarranted - there are good and bad apples, and the bad apples spoil the bunch.


Being in a public area in a private business doesn't afford you that privacy. The trespassing charge would be possible if a security guard asked the person to leave.


HIPAA ha...

Kaiser Permanente will contact google analytics and doubleclick as you navigate their website, even when checking test results and contacting your doctor.


A user agent is not PII


What about a Unique Advertiser Identifier? What about a UAI with a name, phone number, phone model, GPS coordinates, and software version?


Had a briefing with our company lawyer a while back, and any information can be considered PII when paired with other information. E.g. that you bought 7 foos is not PII, but that you bought 7 foos on Tuesday might be, if that can then be looked up in the purchase history and you were the only one who bought 7 on Tuesday.


Does it have to be uniquely identifying to be PII? Or is there some minimum threshold for k-anonymity?


I don't know "how unique" it needs to be. I'll ask if I get the opportunity.

It just has to be correlatable if I understood it correctly, but I don't know if unique or not. To me it sounded like if there's only a small number of possible people it could identify (say 4) then it's potentially PII, however I have no idea where the line is drawn. Clearly if k is 1, it's PII. If k is 2, it probably is too. If k is 1000, it's probably not. But at what point does it stop being PII? I have no idea!

The legal person basically said "it's complicated, anything can become PII when combined with something else, even if neither on their own is PII". The bottom line is: does some combination of information identify a person? Then it's PII (it's in the name really!), but unfortunately that means there is no clear simple list of things that are or aren't PII; it really depends on each individual case.

Her advice was to think carefully about any data stored about or for users and to avoid storing it if possible, and if not possible, think carefully about whether or not it could identify a user in some way. It's not a very satisfying answer, I know. It also doesn't answer your question :(
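To make the k-anonymity question above concrete, here is an added example (mine, not any commenter's) that measures k over a constructed purchase log: group records by a chosen set of quasi-identifiers, take the smallest group as k, and list the combinations that single out one customer. The customers, items and the threshold value are all assumptions; which k a given law or lawyer accepts is a policy question the code does not answer.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Set, Tuple

# Constructed sample purchase log (hypothetical customers and items), one row per
# customer, mirroring the "7 foos on Tuesday" scenario from the thread above.
PURCHASES: List[Dict[str, object]] = [
    {"customer": "Alice", "item": "foo", "qty": 7, "day": "Tue"},
    {"customer": "Bob",   "item": "foo", "qty": 7, "day": "Mon"},
    {"customer": "Carol", "item": "foo", "qty": 7, "day": "Mon"},
    {"customer": "Erin",  "item": "foo", "qty": 7, "day": "Wed"},
    {"customer": "Dave",  "item": "foo", "qty": 3, "day": "Tue"},
    {"customer": "Frank", "item": "foo", "qty": 3, "day": "Tue"},
    {"customer": "Grace", "item": "bar", "qty": 7, "day": "Tue"},
    {"customer": "Heidi", "item": "bar", "qty": 7, "day": "Tue"},
]

Key = Tuple[object, ...]


def equivalence_classes(rows, quasi_identifiers: Sequence[str]) -> Dict[Key, Set[str]]:
    """Group the distinct customers that share each combination of the chosen attributes."""
    classes: Dict[Key, Set[str]] = defaultdict(set)
    for row in rows:
        key = tuple(row[attr] for attr in quasi_identifiers)
        classes[key].add(str(row["customer"]))
    return dict(classes)


def k_anonymity(rows, quasi_identifiers: Sequence[str]) -> int:
    """Smallest number of customers behind any attribute combination: the dataset's k."""
    classes = equivalence_classes(rows, quasi_identifiers)
    return min(len(members) for members in classes.values()) if classes else 0


def identifying_combinations(rows, quasi_identifiers: Sequence[str]) -> Dict[Key, str]:
    """Attribute combinations that point at exactly one customer (k == 1)."""
    return {
        key: next(iter(members))
        for key, members in equivalence_classes(rows, quasi_identifiers).items()
        if len(members) == 1
    }


def below_threshold(rows, quasi_identifiers: Sequence[str], k_min: int) -> List[Key]:
    """Combinations whose group is smaller than a chosen policy threshold k_min (an assumption)."""
    return sorted(
        key
        for key, members in equivalence_classes(rows, quasi_identifiers).items()
        if len(members) < k_min
    )


if __name__ == "__main__":
    # "Bought 7 foos" on its own: four customers share that combination.
    print("k for (item, qty):", k_anonymity(PURCHASES, ("item", "qty")))
    # Add the weekday and two records become unique, so the release is no longer anonymous.
    print("k for (item, qty, day):", k_anonymity(PURCHASES, ("item", "qty", "day")))
    print("singled out:", identifying_combinations(PURCHASES, ("item", "qty", "day")))
    # With an assumed policy of k >= 3, even the coarser release has groups to generalise away.
    print("below k=3:", below_threshold(PURCHASES, ("item", "qty"), 3))
```

Running this shows how a field that is harmless alone (quantity) becomes identifying once combined with another (weekday), which is the lawyer's point about combinations.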


it's time to stop using the f'ing apps mate


Most users of Zoom aren't choosing it; it is being chosen for them. Both of my children's schools (preschool and elementary) started using Zoom this week, so it is either use Zoom or they do not get to participate.


Zoom has a web version.


Except Zoom web version doesn't work: the incoming/outgoing audio is garbled (tested with Chrome, they do not support Firefox). This is in part because they were obviously too good for WebRTC native audio and instead gutted ffmpeg and compiled it to WebAssembly (I wish I was kidding but I'm not: https://webrtchacks.com/zoom-avoids-using-webrtc/).

Moreover, Zoom has a history of RCEs (leaving an active web server after you uninstall Zoom? so that a website can reinstall Zoom without any user interaction? why not! https://medium.com/bugbountywriteup/zoom-zero-day-4-million-...), and anti-privacy behavior: meeting host gets a copy of all private messages sent between participants (there is no notice of this; https://twitter.com/rcalo/status/1237957509324746752); host can monitor if your Zoom window is active (https://twitter.com/zoom_us/status/1241768006327336963); and Zoom has audio fingerprint tracing (so if you get a leaked recording Zoom can blame a particular participant: https://venturebeat.com/2019/01/22/zoom-is-bringing-ultrason...). Running it under strace reveals it is fingerprinting your device as well (idk if that gets sent anywhere but iOS app sends stuff to Facebook...).

Zoom is creepy and should not be used. I keep a separate VM for it, as it clearly can not be trusted.


> This is in part because they were obviously too good for WebRTC native audio and instead gutted ffmpeg and compiled it to WebAssembly (I wish I was kidding but I'm not: https://webrtchacks.com/zoom-avoids-using-webrtc/).

Not a Zoom apologist I—I am also deeply creeped out by the fetish for covert data exfiltration in a platform that is so widely used in these quarantine days—but, as far as the tech goes, the story you linked seems to say that they do use WebRTC as of September 2019.


Sounds like this would be a good compilation for a complete story instead of individual bits.


Agreed! Been meaning to write something like that but a complete story probably needs second-sourcing all the bits, experiments, etc. Regrettably, the trend is clear.


How do you use it? I had to join a Zoom meeting and tried to use the webpage first but it tried to make me install a client. After the MacOS local web server debacle I will never do that. I figured the safest thing was to use the iOS app but wasn’t thrilled at the idea. I assume if there actually is a web client the process to access it is extremely user hostile. Is it a hidden link or something?

Zoom is obviously an extremely scummy company and I’d rather stay away from it entirely. Unfortunately they must be dumping cash into marketing because it’s now the biggest thing in video conferencing. It’s a shame, they now seem to have network effect going for them.


There is some shadow pattern where you need to refuse to install the app (or make it seem like the installation didn't work) and it will eventually give you a link to the web client. I'm not sure whether there is a reproducible way to get there.



Zoom links are of the form zoom.us/j/IDENTIFIER. Change the "/j/" to "/wc/join/" to get the web client.


This did work for me but I had to install Chrome, it told me to install a "modern, updated browser" in the most recent Firefox and Safari. I assume they are abusing some anti-user capability in Chrome but I trust it more than any Zoom client.


Here are the instructions: https://support.zoom.us/hc/en-us/articles/115005666383-Show-...

Click "no" on the invite when it asks to open Zoom (instant if you don't have it installed) and underneath there is a link that goes to the web version.


They're not sending your name and address. They're sending the IDFA, device ID, of your device to Facebook. The fact that Facebook can link that device ID to your identity is on YOU. You logged into Facebook in their app to make that connection.


They still record the data and maintain a profile on me even if I don't have an account and have never used their app.

How is that my fault?


This uses unnecessarily accusatory wording. But it is also both unhelpful and just flat out wrong - Facebook gets data fed from a lot of sources - it can start stitching up that data into a picture of you without you ever creating a Facebook account.


This is simply false. Facebook creates phantom profiles to track users that don't even have a Facebook account.


Note the reason HIPAA exists has nothing to do with protecting individuals; it was drafted to protect the insurance companies. It is absolutely not that health data is somehow "private" enough to warrant some special protection for the persons themselves.


I never heard this before. Can you explain how it protects insurance companies?


Insurance companies have incentives to get better data than their competitors, so they can offer less expensive coverage to lower risk people and leave the competing insurance companies with all the higher risk people. Until the competitors do the same thing. Then you're all just offering less expensive coverage to most of your customers and making less money. (That also tends to cause trouble for higher risk patients because insurance companies could more accurately predict ahead of time that they'll incur high costs and then charge them unaffordable premiums.)

If the health data they would otherwise use for that is "private" then that isn't allowed, so providing insurance is riskier, will have fewer competitors, and commands higher premiums.


Wikipedia claims:

It was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage.

Is the protected from fraud and theft part somehow incorrect?

https://en.wikipedia.org/wiki/Health_Insurance_Portability_a...


You're now talking about a different section of the same act. There are some separate provisions in there to fight insurance fraud, but that doesn't really have a lot to do with privacy for medical records, except to the extent that having somebody else's medical records might make it easier to commit insurance fraud against their insurance policy.


The quote explicitly says that the act covers “how PII ... should be protected from fraud and theft.” HIPAA is ostensibly about protecting patient privacy and data. It’s certainly possible that the insurance industry went along with it because they figured it would help them keep their patient data proprietary, but that most certainly wasn’t the goal of the legislation.


What do you think "fraud and theft" mean in this context? Sick people aren't great fraud targets; they're frequently unable to work and have already lost what money they had to medical bills. The "fraud" is insurance fraud, for which the PII would be things like your name and policy number (i.e. what's needed to file a fraudulent claim against your policy) rather than your actual medical records. And the parties most interested in having access to your medical records are the insurance companies themselves, as already mentioned. There is a fairly large financial incentive for a shady insurance company to use patient medical records to poach low risk patients.


In your proposed scenario, I find it hard to believe the insurance companies won't form a cartel, keep the prices low on the low risk customers, and price out the high risk customers. Somehow I don't believe the explanation.


Forming a cartel is a violation of antitrust laws and requires no one to form an insurance company that defects from the cartel in order to make higher profits for themselves. Passing a law against the practice requires neither.


Quick source for the uninitiated (quoting HIPAA Journal):

"...objectives of the Act were to combat waste, fraud and abuse in health insurance..."


I disagree with this — more regulation will make it harder to innovate.

For example, I’ve met several founders who wanted to enable tele-medicine years ago but decided against it because “the lawyers cost more than the engineers”, and walking-on-eggshells destroys morale & iteration speed.

I’m not arguing to de-regulate health data — my point is that we should selectively apply regulation.

It’s likely a great thing to regulate self-driving cars. But please keep the lawyers away from my niche online forums, 3rd-party clients for social apps, blogs, video games, calculators etc...


If a company can't 'innovate' without sharing users' data with third parties or treating it recklessly through lax security (or uploading database dumps to publicly-accessible S3 buckets) then that company doesn't deserve to be in business.

It doesn't take a suite of lawyers to enforce that, either. Health care is a gigantic mess of bullshit in the US especially, because of the multiple different 'stakeholders' - customers, insurance companies, brokers, "networks", hospitals, doctors, etc., and every mistake is a gigantic lawsuit waiting to happen. It's a disaster however you cut it.

As for personal data for some arbitrary startup, any argument that "innovation" depends on being able to be careless or cavalier with that data is just ridiculous. Be careful with it. Store it properly. Only collect what you need, and delete the rest. Expunge data you no longer need. Never send it to any third party without asking the user, and provide clear information about where and with whom the data is processed and stored at rest.

There, now you're being careful with user data and you can still "innovate" decent products, as long as your business model isn't user-hostile from the start.


I think you've missed your parent's point.

The problem they point out is that well intentioned businesspeople who want to provide you a useful service and store your data correctly are priced out.

If you want to deal with medical data of any kind, you need a lawyer. Full stop. It doesn't matter how good your intentions are, or how many "best practice" blog posts you follow. You need to hire a lawyer, and lawyers are incredibly expensive.

> Be careful with it. Store it properly. Only collect what you need, and delete the rest.

This is great advice, but that's not how laws work. Congress won't pass a law that says "store it properly". They are going to pass a law that describes how you can and cannot store data in 600+ pages of legalese. And no matter how properly you think you're doing things, you have to have a lawyer to know you're actually doing it properly.

Said another way: regulation always adds cost and barriers to entry. These affect the "good" business just as much as the "bad" business.


Not every business has to be viable for a startup. I'd rather a company that can't afford a single lawyer not have access to my personal information. If that means pricing them out of it through regulation, then so be it.


That's a perfectly reasonable position. If you have considered the pros and cons and decided one outweighs the other, that's fine.

My parent was not doing that, and instead flippantly remarked that you should just store data correctly and everything is fine.

My point is that it is important to consider the implications of government action, because they are always numerous.


Then don't use the startup? Not everyone has the same calculus as you. You don't need regulation in order for you to not use a product.


Regulation exists to protect citizens at scale. “Don’t use the business” isn’t how we’ve built society, rightfully so. If you believe the regulation to be onerous, fix it.

One is not entitled to do whatever one wants to generate a profit, at the detriment to uneducated or unsophisticated citizens, or society as a whole.


> If you believe the regulation to be onerous, fix it.

Well, that's what they're doing by not wanting it.


We are trading the personal information of billions of people for the ability for tech startups to iterate quickly, who will for the most part decide on a freemium business model revolving around mining and selling private data


And may be trading away our ability of choice in the future and being stuck with a monopoly.

Nobody talks about regulated industries with duopolies or monopolies that everyone has to deal with. The tech industry is exotic, ain't it?

Big companies will still find a way to track you. That won't change. You can pull up a list of all the privacy focused laws released recently and you can still see Facebook and all their products working fine but you never hear about someone who wanted to bootstrap an idea and couldn't invest much upfront to deal with slow expensive law system.

We don't need more regulations. We need more selective punishments proportional to the damage and presence. Not a lame fine that is not proportional to what companies are profiting from. And if you know anything, Facebook is the one lobbying for privacy these days. They are pushing for some of the requirements they are already compliant with to be put into law.


> The problem they point out is that well intentioned businesspeople who want to provide you a useful service and store your data correctly are priced out.

Then the way to do this is to simplify laws and their understanding. A company shouldn't need a large legal team just to figure out if they are doing something legal or not. It kinda sounds ridiculous when you think about it. That you have to hire a bunch of lawyers to figure out if you are a criminal or not. That clearly means things are too complex. I get that there are places this should apply to, but not small businesses and startups.

You can have regulation that is both easy to understand and effective. There is also letter and spirit of the law. We should never let the letter hinder the spirit.


I completely agree with you. The legal system is entirely out of reach for the average citizen, and this is something we should fix.

However, us wanting things to be a certain way doesn't change how things are. If Congress passed a "Data Protection Act" it would be indecipherable, full of technical illiteracy, and heavily influenced by the richest lobbyists (Facebook and Amazon, anyone?).

This is my objection. I would love for a real data protection act to be legislated. But Congress has its own agenda and ineptitudes. Do you really trust the people who wrote the Patriot Act to protect your sensitive information?


That’s bullshit. The federal government is able to produce a lot of useful technical regulation and guidance.

Hell the whole infosec policy framework used everywhere is built off of NIST 800-53.


I’m pretty sure NIST has more engineers than politicians. The same cannot be said of Congress.


Congress would write a law with general objectives, and leave the regulatory work to an exec branch agency. The regulations generally either reference or draw inspiration from NIST.

HHS uses NIST stuff to guide HIPAA. IRS is more prescriptive, but everything in IRS 1075 is still based on NIST stuff.

You have to separate the political puffery from reality. The Federal government is very good at establishing effective regulatory frameworks. They fall down with the long-term maintenance of regulations, as it's often difficult to keep the legal mandate up to date.


If you don't store any data you won't need any lawyers. You don't need to store a single byte of data on your users or customers to provide a service or software using that data.


> If you don't store any data you won't need any lawyers.

Wrong. HIPAA applies to any business that transmits and/or has access to PHI. You don't need to be storing data on your own hard drives to be subject to these laws.

This is exactly my point. You are thinking like an engineer, and Congress is not. You cannot assume anything. You need to hire a lawyer, or you are opening yourself up to serious liability.


I worded that poorly. How about this: If you don't own, manage, solicit or control any servers having access to PHI or PII you don't have any risk of being liable.

Put all of that on the client, do your best to protect it, but ultimately make it the client's responsibility.

I still haven't seen any lawsuits or regulation targeting software in that sense, apart from DRM.


There is no distinction between client vs server when it comes to the law. The same organization created and operates both and is liable as a data processor in both situations.

This is again the difference between engineer vs policymaker.


Do you have a source to back that up?

As far as I understand it, Microsoft has no responsibility for PII in e-mails going through the Outlook e-mail client. Maybe the US is different, but at least in Europe, the GDPR is clear that software vendors have no responsibility for data being processed locally when it's deployed and run by others.

Oracle has no liability for the data stored in their database.

If you have no way of touching the data, your servers (self-managed or otherwise) aren't touching data in any form, you have no legal liabilities wrt data (apart from agreements of course).

Or am I missing something?


>The problem they point out is that well intentioned businesspeople who want to provide you a useful service and store your data correctly are priced out.

I think pricing out the odd well-intentioned business person is a good tradeoff for avoiding the "move-fast and break things" snake-oil salesmen.

>Said another way: regulation always adds cost and barriers to entry.

And saves money and harm when things go bad.


This is innovation in the wrong direction... against our privacy and consent, for the benefit of a company I may not want to give this data to and which didn't clarify that's what was happening. It's corporate malfeasance, and if you think it should be unrestricted "innovation" then you're probably on the creepy side of the Big Brother-like data-gathering monster.


>I’ve met several founders who wanted to enable tele-medicine years ago but decided against it because “the lawyers cost more than the engineers”, and walking-on-eggshells destroys morale & iteration speed.

Thankfully so - I wouldn't want my telemedicine to rely on e.g. some random unsecured MongoDB instance.


Why disagree with this? It actually will cause innovation. How? If someone is able to figure out the way to navigate the laws easily, they will then sell their solution as a service. So when a FB, Goog or MS can figure it out, they will add it to their stuff. Also a group like EFF would make a tool to verify, since it would mean that their existing tools would just be checking the server instead of each thing like Privacy Badger and their other apps do. It was really easy to innovate the car (look, I made this out of hard pointy steel, who cares if anyone else dies). Until you had to actually make them safe. Do you think society would be better off going back to the old methods? Innovation is for a purpose; a lot of the stuff we see now seems to be innovation for innovation's sake and then selling it to someone who cares. Also, do you really think people won't invest if their current methods don't work? Startup culture wouldn't die, just the system of having people who don't care about privacy not actually think things through ethically first.


Oh, BS. My wife is a medical practice management exec, and I do some IT consulting in the space. There is absolutely no end of telemedicine solutions and there have been forever (I implemented an early one in the mid-90s). There is absolutely no end of new and innovative health care startups. Those 'founders' you talked to are the problem, not the solution: people who want to bitch about being required to do the right thing, pretend they're doing an 'Atlas Shrugged' by not putting in any effort, rather than innovate around doing the right thing.


The regulations that you likely hit when investigating tele-medicine previously are likely more closely related to why nearly no site will let anyone create an account unless they check a box confirming that they're over 13: COPPA[1] is a pretty intense set of rules that, IMO, are way waaay overkill.

That said, regulations might make it difficult for companies, but they're there because companies have abused data in the past at the expense of customers. So, I guess, it's too bad - regulations benefit me, they don't strangle businesses, they impede them - and it's an impediment that can be overcome if the business is useful enough to people.

1. https://en.wikipedia.org/wiki/Children%27s_Online_Privacy_Pr...


Necessity is the mother of invention.

If the only way your business can survive is carte-blanche regulations around privacy and security, and you fall over the instant that's threatened, one: maybe your business doesn't deserve to survive, and two: maybe you didn't build a very good business.

Niche online forums and all the examples you list there survived (and indeed thrived) in the days before rampant data collection, I have no doubt they'd evolve and survive once again.


It makes it harder to innovate in anti-social directions, and may catch some useful things in the crossfire. But on balance, slowing the rate of "innovation" for these companies that want you to shovel all data everywhere into their gaping maw? Not a problem for me.


This nonchalant attitude around "guilty until proven innocent" regulation is precisely how we wind up with America's alphabet soup of monopoly building bureaucracy.

The ethical way to preserve privacy is to change minds in a way that changes actions. Law is the threat of violent force, and should be wielded only with deep forethought about the underlying moral and practical realities.


You can develop all of these services, just don't hoard data. With no centralized serverside database you have no liabilities. P2P is a solved problem.

Better implementations of that are exactly the kind of innovation we need now.


>more regulation will make it harder to innovate.

I'm seeing prominent VCs espousing this all over social media the past few weeks. Apparently there are even some advising Jared Kushner.

Don't let a good crisis go to waste.


When it comes to surveillance capitalism, making it harder to innovate is the point. Innovation is not intrinsically good.


Sounds like a false dichotomy: some regulation has some downsides, all regulations are bad. I think you can reform regulations enabling health care innovations and introduce legislation to stop Facebook from doing mass surveillance without opt-in.



