Privacy

e-health - the end of medical secrecy?

Winfried Tilanus — Wed, 20 Apr 2011 12:11:00 GMT

A simple question...

Recently somebody asked me if it would be legal for a (mental) health care professional, e.g. Robert Smith, to send a client, e.g. John, the following e-mail:

Dear John,

Thank you for submitting your homework.
I have read it and added some comments
to it. You can read the comments on the
following site:

https://secured.site.example/login?id=ao87fsadfalksdf8usaflj

Robert Smith

And as additional question: does it matter if Robert Smith omits his family name?

... with a simple answer ...

In the Netherlands this mail would be illegal in almost all cases. The mere fact that John is under treatment by Robert Smith can contain information over the medical status of John. So that information should be protected according to the Dutch law on medical secrecy (for Dutch: that is part of the 'Wet op de Geneeskundige Behandel Overeenkomst', WGBO). And an e-mail is in the Netherlands not considered to be protected enough. The professionals family name is irrelevant here: with or without name the mail will reveal the relation.

... and a lot more to it.

But looking at it on a higher level, there is something fundamental underneath this question. The whole concept of medical secrecy is based on idea that a patient can sneak into the treatment room and that whatever happens in the treatment room stays in there. The introduction of e-health and e-mental health solutions changes the concept of treatment: you do parts of the treatment at home, or any other place where you happen to be. The world is now becoming one big treatment room, smashing the idea that we can keep information nicely controlled inside the treatment room. Even when both the health care professional and client do their best to keep the content of the treatment confidential (what is quite well possible), the fact that the treatment is going on, is almost impossible to hide. And protecting the content of the treatment itself will be hard in e-health settings. It needs a lot of work and knowledge from patient too.

So does e-health mean the end of medical secrecy? That would be a cynical paradox. Medical secrecy is important to ensure anybody feels free to ask for help, whatever the problem is. E-health can also vastly lower the barriers to ask for help. Killing medical secrecy would be an undesirable by-product of e-health.

This paradox once more underlines the need to rethink the concept of privacy. We can't keep information to our selves, it is out there whether we want it or not. We need to go back to the question why we want information about ourselves to be secret. From there on we might redefine 'privacy' from centered around 'having information' to centered around 'acting on information'. It is the only way to go.

Open brief aan Gerrit van de Kamp van de politievakbond ACP

Winfried Tilanus — Sat, 26 Feb 2011 09:56:00 GMT

Beste Politievakbond, beste Gerrit van de Kamp,

Met enige verbijstering heb ik kennis genomen van de uitspraken van Gerrit van de Kamp over het inbouwen van een achterdeur in encryptie systemen. Van de politievakbond had ik meer kennis van zaken en een kritischer houding verwacht.

Er zijn namelijk een aantal redenen waarom dit een uiterst slecht voorstel is:

Het zal niet helpen om de grote vissen te vangen:
Het verleden heeft aangetoond dat, ondanks wettelijke maatregelen, encryptie zonder achterdeur altijd beschikbaar zal blijven voor degenen die daar gebruik van willen maken. Kijk bijvoorbeeld maar naar de geschiedenis van de veel gebruikte encryptieprogramma's pgp / gnupg. De Amerikaanse overheid heeft lang de verspreiding en het gebruik er van proberen tegen te houden. Dat bleek niet alleen onmogelijk, het was zelfs de beste aanbeveling voor pgp: als de overheid er zo bang voor is, dan moet het wel goed zijn. Een crimineel die echt een zware misdaad begaat, zal liever een straf voor het gebruik van illegale encryptie riskeren dan de straf voor de begane misdaden.
Daarbij bestaat er ook iets als 'ontkenbare encryptie', dat is software die de versleutelde gegevens zo opslaat dat niet aan te tonen is dat er versleutelde gegevens aanwezig zijn, of dat er meer gegevens aanwezig zijn dan de gegevens waarvoor een sleutel is overhandigd. Er bestaan dus al systemen die het mogelijk maken deze maatregel te omzeilen zonder dat het aantoonbaar is. Een crimineel hoeft dan zelfs niet de straf op illegale encryptie te riskeren.
Het maakt legale toepassingen zo goed als onmogelijk:
Stel je eens voor: je rechercheert aan een groot, gevoelig onderzoek. Gelukkig heb je een laptop, zodat je, waar je ook bent, je de essentiële gegevens bij de hand hebt. Op die manier kan je ook makkelijk nieuwe notities toevoegen aan het dossier. Natuurlijk is die laptop voorzien van sterke encryptie, je wilt niet dat als de laptop in verkeerde handen valt, de gegevens ook in verkeerde handen vallen. Zou dit nog kunnen als de producent van de encryptie software ook toegang kan krijgen tot de gegevens? Want wie zegt dat daar geen lek zit? Of zelfs als dat in overheidshanden is, wie zegt er dan dat er daar geen lek zit? En over welke overheidsinstelling in welk land hebben we het dan eigenlijk? Het legitieme nut van de encryptie neemt snel af op deze manier.
En er is nog een manier waarop dit gevaarlijk is: de achterdeur hoeft maar een keer uit te lekken en alle systemen die er gebruik van maken komen in gevaar. Dat dat geen denkbeeldig risico is, bewijst wat er met veel ADSL-modems is gebeurd: de providers willen op afstand updates of aanpassingen kunnen doen aan zulke modems. Dat bespaart de klanten veel gedoe en maakt het makkelijker om de klant een goed werkende verbinding te bezorgen. Daartoe bouwen veel fabrikanten van ADSL-modems een achterdeur in in hun modem. Het is al meerdere keren gebeurd dat iemand in staat bleek die achterdeur te achterhalen (de technieken daarvoor zijn vrijelijk beschikbaar). Daarmee verkreeg die persoon in een keer toegang tot alle ADSL-modems van dat model. Een achterdeur creëert een gigantisch veiligheidsrisico en maakt de encryptie zo goed als onbruikbaar.
Het bedreigt de democratische grondslag van onze maatschappij:
In een democratie is het niet alleen belangrijk dat de overheid de burgers beschermt tegen kwaadwillende burgers, maar juist ook dat de overheid de eigen beperkingen kent en de burgers beschermt tegen machtsmisbruik door de overheid. Dat wordt niet alleen via de stembus gedaan, maar ook door de trias-politica (de scheiding van de wetgevende, opsporende en rechtsprekende macht) en via het waarborgen van burgerrechten. Die burgerrechten beschermen de burger tegen inbreuken van wie dan ook, maar vooral van de overheid, die immers het geweldsmonopolie heeft. Zaken als briefgeheim, beroepsgeheim en verschoningsrecht zijn essentiële maatregelen voor het waarborgen van een democratie. Een overheid die niet respecteert dat burgers een privé domein hebben en maatregel op maatregel stapelt die dat privé domein verkleint, bouwt langzaam de democratie af. De geschiedenis (meer en minder recent) leert dat dat voert tot machtsmisbruik en uiteindelijk revolutie. Ik zou het waarderen als ons dat bespaart blijft.
Het voorstel is vernietigend voor het imago van de politie:
In mijn professionele praktijk maak ik regelmatig analyses van de incidenten die plaats hebben gevonden en de maatregelen die nodig zijn om de risico's te verkleinen. De praktijk heeft mij geleerd dat het grootste risico niet van hackers afkomstig is, maar van overijverige opsporingsambtenaren die zonder de daarvoor voorgeschreven procedures te volgen proberen om met dreigementen gegevens op te vragen. Dat heeft vaker tot problemen gevoerd dan alle pogingen tot digitale inbraak bij elkaar. Ik waarschuw mijn klanten dan ook niet alleen voor hackers, maar juist ook voor de politie. Veel mensen die zich bezig houden met computerbeveiliging herkennen dit beeld: de grootste bedreiging komt van de opsporingsdiensten, terwijl die opsporingsdiensten juist zouden moeten bijdragen aan de beveiliging. In mijn praktijk kan ik inmiddels zeggen dat het middel erger is geworden dan de kwaal.
Zoals ik al had laten zien, getuigt het voorstel van weinig inzicht in de digitale praktijk. Dat vind ik zeer teleurstellend voor een vakbond van politie-medewerkers. Nog kwalijker is dat het voorstel vooral machteloosheid van de politie uitstraalt. Het zegt: "Wij hebben het klassieke rechercheren verleerd en vallen daarom nu terug op een gevaarlijke en ineffectieve maatregel." Ik ga er vanuit dat juist een politievakbond niet wil dat de politie het imago van incompetent en gevaarlijk uitstraalt.

met vriendelijke groet,

Winfried Tilanus

Respect my privacy or I will blow you sky high!

Winfried Tilanus — Mon, 15 Nov 2010 15:52:00 GMT

I have been blogging before about privacy: privacy is not about what others (might) know about you, it is about something different: One of the mechanisms you use to influence how others relate to you is by determining what information others have about you. The context of the information is everything. Privacy is violated by using information in a total different context, by creating a different relation by it. So in a personal setting you might say: "I will blow the airport sky high", just to express your anger, while you know that saying that at the airport security is a bit of a different context where you relate a bit different to the people present...

So what if you say exactly that on twitter, like Paul Chambers did? Twitter is mostly used for personal messages. It is not the place where communicate to security officials. So the messages you send should be interpreted, and kept, in that context. Unfortunately that is not what happened to Paul Chambers, as everybody knows. His words where meant for the private realm, where part of the personal relations he maintained by twitter. Prosecuting him for twittering "I will blow the airport sky high", is taking his words seriously out of context and abusing those words are meant for.

Apparently there are people constantly looking on media like twitter for tweets like these. And apparently they think they should act on tweets like these. Twitter is personal and if you take that to court like this, you are violating privacy. Stop that, or I will blow you sky high.

SSL security and online psychosocial support – part 2, got SSL? you are not there yet!

Winfried Tilanus — Tue, 09 Nov 2010 04:15:00 GMT

In my previous post, I introduced Teus Hagens research on the security of SSL on sites in the Netherlands. Although it was quite shocking to discover that there are still major counseling sites that don't use SSL, the story isn't finished yet.

Even when a site has SSL, the configuration might allow insecure operations. In short several things might go wrong:

The certificate can carry a wrong name, can be expired or can be issued by an authority that is not recognized by the browser.
The configuration can allow old, broken, ciphers or it can allow too short key-lengths that allow brute forcing.
The configuration can allow old, broken, protocols.

Each of these can effectively render the SSL useless. So you would expect the admins of SSL-sites to carefully configure the SSL on their site. Unfortunately they don't. The research of Teus Hagen has shown that one third of all sites in the Netherlands has serious flaws in their SSL. In healthcare and online counseling it is even worse: of the 40 assessed sites, over half of all sites has serious flaws. Only 7 sites reach an acceptable lever of security, with only passing with an 'A'.

So, using SSL is not the whole story, it should be implemented in the right way. And unfortunately not many people are aware of this.

SSL security and online psychosocial support – part 1, no security at all!

Winfried Tilanus — Wed, 03 Nov 2010 06:41:00 GMT

In the upcoming NLUUG autumn conference on security and privacy, there will be a presentation of Teus Hagen on SSL security.

For people not very familiar with SSL a short introduction: SSL protects (or should protect, more on that in part 2) communication on the internet against eavesdropping. Basically all communications on the internet can be eavesdropped. This problem becomes a lot more urgent when using open wireless access-points or badly secured access-points. Also people with access to network equipment in the same building can easily eavesdrop the traffic. Think about your boss, your system-administrator or anybody with a bit technical skills in your home. The (correct) usage of SSL effectively eliminates the possibility to eavesdrop.

For psychosocial support sites confidentiality is very important. You don't want your boss to know about your alcohol problem. And believe me, you don't want your daddy to read over your shoulder when you chat with a counselor about him abusing you. So SSL is what you want for psychosocial support sites.

Teus Hagen wanted to see if SSL is deployed correctly in practice. If not so, the security of SSL can vastly decrease. For his paper he researches several kind of sites, including sites for psychosocial support. And because I work a lot with security in psychosocial support, I went of to compose a list of sites in the Netherlands he should test. Well: the results where shocking: More then a quarter of the sites that I thought Teus should test, didn't use SSL. No security for him to test, because there is no security at all on those sites!

I will mention some noticeable sites without SSL:

http://shginfo.nl/ This is the site of the most important organization against domestic violence in the Netherlands. In many ways they set the best-practice. They thought quite well on how they can avoid that it becomes obvious to others when somebody visited the site. But they don't use SSL.
http://www.113online.nl/ A major initiative for suicide prevention, including online counseling. SSL is available, but by default it is off.
http://www.korrelatie.nl/ general first line aid, also online, one of the major players in the Netherlands. No SSL.
http://www.kindertelefoon.nl/ the Dutch child helpline. They also offer chat and forum. No SSL.
http://www.minderdrinken.nl/ online treatment for alcohol addiction. No SSL.
http://optijderbij.nl/ Psychological/Psychiatric institution. They do a big part of the intake online, including a lot of diagnostics. All without SSL.

What struck me, when looking at the sites, was the pattern in it, or to be precise: the lack of it. Many sites were only partially protected with SSL. There were for example several sites that offered a SSL protected chat, but that had an e-mail form or a forum that wasn't protected at all. I also encountered several large organizations that operated multiple support sites. They had some of their sites protected with SSL and others not. Overall, it seems to be quite arbitrary what is protected and what not. Looks like a lack of policy. And a lack of regulation...

The Art of Violating Privacy

Winfried Tilanus — Sun, 27 Dec 2009 10:21:00 GMT

This summer, two Dutch art projects should have caught the attention of anybody trying to understand privacy. The first project was I Love Alaska, a set of 13 mini movies. These mini movies consist out of the search queries one AOL user entered during a three month period. These queries were among the queries of 650.00 AOL users publicised by AOL for research. The movies show not only the queries, but also comment (a little) on them. They tell the tale of an unhappy, maybe slightly neurotic, woman who betrays her husband but doesn't get any happier from it. The movies are quite unnerving: they don't only show facts about the woman, but also give a deep insight in her feelings. It is not only unnerving to see what can be known about somebody, it is also unnerving because by watching these movies you become part of this act of privacy violation. You aren't supposed to know this.

The second project is the expostion It Could Be You. Two artists followed during two months the online activities of a young woman named Lot. They condensed all the information they found in one exposition room. They even rebuild her apartment (based on pictures Lot posted). Finally they invited Lot for the opening of the exposition. And while Lot was very much aware of all the information she did share and did not share, she was furious about this 'stealing of her live'. She felt (and still feels) violated

Of course, these two art projects raise the question whether it is allowed to violate somebodies privacy like this, even if it is an art project. But that is not the point I want to make here. I believe these two projects can teach us an important lesson, even though the artists might not have realized it themselves:

In both projects there was no privacy violation before the artists did their project. The violation started when the information about both woman was taken out of its context and introduced in a new context. Each art project created a bunch of new relations between its subject and new people. Existing relations were changed because of it. All of this because of the new presentation of the information.

The information changed from context and that violated the privacy. The judgement of the importance of the information somebody has about us is based on the relation to that person. Taking the information into another context and so changing the relations to other people equals violating privacy.

Privacy is not about what is known about us, but about what is done with that information

The ethics of "I have no secrets"

Winfried Tilanus — Sun, 13 Dec 2009 11:49:00 GMT

Ever since I started working on my presentation at HAR2009, I kept thinking about why people put (very) private things on the internet, visible for everybody. Because of my starting point in my presentation, privacy is a function of the identity creation process and that process is always bound to a relation, I came up with the answer that people put the information about themselves online with a relationship in mind. Their exhibitionistic behaviour is caused by not overseeing what other relations might be based on that information.

Recently I came across several other views on that. They all had in common that they stated that the modern youth has an attitude of sharing. You share everything and take action when you notice the information is misused. If you still keep running into problems because of the information you shared, then you couldn't oversee what could be done with the information about you.

Thinking it over, I think these two views really are the same: in both cases we can't oversee where the information about us is going and what will be done with it. The information about us, travels faster then our ability to comprehend what can and will be done with it. Still we want to share, because the benefits of it have been proven to be bigger than the damages we experience.

And indeed, we do live in a time where the "I have no secrets"-attitude has brought us big advantages. It is a new paradigm on the value of information. Was the old paradigm that information needed to be secret and protected to be valuable, the new paradigm says information becomes valuable when it is shared and increased. In the old paradigm the ethics were based on the ownership of information. In the new paradigm of sharing information, that kind of ethics are obsoleted: the information is out there and there is hardly any owner any more, even when it comes to information about persons. So where should we base our ethics of handling information in the new paradigm on? I believe it should be the responsible use of information: acknowledge the power that comes with the information and make sure that that power is balanced. Every unbalance of power is a potential abuse. And don't put yourself in a position where abuse is a far too tempting option.

Wat neemt de inbreker eigenlijk mee?

Winfried Tilanus — Sun, 13 Dec 2009 09:34:00 GMT

Een recente discussie over disk encryptie deed me terugdenken aan wat ons een jaar of twee geleden is overkomen:

We zaten in de auto terug van een weekje weg toen de politie belde: er was ingebroken in ons huis. Oplettende buren hadden onraad geroken en de politie gewaarschuwd. Het huis was een grote puinbak, we zijn nog twee weken weken bezig geweest met opruimen. Dat waren ook twee weken van boosheid: "wat ben jij een *** om voor een grijpstuiver van ons huis zo een troep te komen maken". Uiteindelijk viel de schade mee. Er was een oude digitale camera, een computermonitor, een palmtop, wat elektrisch gereedschap, oorbellen en een laptop gestolen. Omdat we netjes verzekerd zijn, kregen we alles vergoed. Maar vooral: de laptop was voorzien disk encryptie. Met disk encryptie wordt er een kluis van je harde schrijf gemaakt. Je moet die kluis eerst met een wachtwoord openen, voordat er verder van de schrijf gelezen kan worden. Dat scheelde een boel zorgen: ik wist dat de inbreker of de heler zonder het password niets van wat op de computer stond kon lezen.

Tot mijn grote opluchting had de inbreker mijn desktopcomputer laten staan. Die was niet voorzien disk encryptie. Als mijn desktopcomputer meegenomen was, had ik de schade niet kunnen overzien. Persoonlijke mailtjes, privé foto's, alles over mijn financiën, bestanden van mijn werk, gegevens over mijn bankpassen, wachtwoorden... ik zou niet eens kunnen opnoemen wat er allemaal op stond. Welke wachtwoorden zou ik moeten veranderen? Welke pasjes zouden er geblokkeerd moeten worden? Welke foto's zouden er opduiken op het internet? Ik zou een heleboel mensen moeten waarschuwen, van zowel mijn werk als privé. En ik zou veel langer dan die twee weken bezig zijn geweest om de schade te herstellen.

Wat een opluchting kan disk encryptie toch zijn, ik wil niet meer zonder....

Update 21 jan 2010: zie ook: https://www.bof.nl/2009/12/17/tip-bescherm-je-gegevens-met-encryptiesoftware/

Security experts caught with the pants down...

Winfried Tilanus — Thu, 26 Nov 2009 12:11:00 GMT

At this years SecTor conference a security firm accommodated a 'wall of shame', a site were the details of attendees that didn't connect securely to the outside world, were published. Although this was announced on forehand (and has been done before on other conferences), it caused quite an outrage. See Andrew Hays blog for more details.

The complainers gave several arguments why this was wrong:

It was illegal.
The conference tries to interest more executives to the field, this scares them of.
The network suggested the attendees could protect themselves, but were 'lured' into it, there was a false sense of privacy.
The wall of shame was accomodated by a private firm, the conference organisers should not trust a third party with something like this.

Well I think these arguments are a bunch of crap and the bottom line is: a lot of security experts were caught with their pants down and are unable to deal with it.

Let me explain that a bit:

Bad guys don't care if something is illegal or not. Laws can't replace security.
This was a perfect showcase why network security is so important and I can't imagine a better way to educate executives.
Security experts should not be fooled by a false sense of security, they should know what is really secure and what isn't.
And once your data has been breached, you should be happy you were told it was breached: usually you have to find out the hard way. Who breached it doesn't change the fact that your data was breached at least once.

Anyway: anybody who connects while on the road, should have the security measures against exactly this attack already in place.

The reaction of the complaining security experts is very disappointing. There are only two sensible reactions to something like this: lick your wounds and make sure it never happens again or say the risk isn't big enough to mitigate it. Security experts should know better then start crying over the injustice done.

The real problem is that conferences like these are crowded with vendors of magical boxes that should mitigate exactly this problem and a lot of the visitors make their living out of implementing network security. And now they are caught with their pants down: they aren't protected themselves! So either the products they sell don't mitigate the problem they are supposed to mitigate, or their products are so user unfriendly that they don't use it themselves or they make their business out of mitigating a risk they don't really regard a risk themselves. Either way, this incident is showing there is something fundamentally flawed with the security that is sold on conferences like these. And more severe: these "security experts" aren't up to admitting it.

(old post written on 2009-10-21 for another forum)

Not logging ip's in Apache

Winfried Tilanus — Thu, 26 Nov 2009 11:50:00 GMT

Q: Well, what to do when you want to avoid police-detectives who are demanding ip-addresses in your apache logs?

A: Don't log them, use mod_removeip.

And of course the reality is harder then that: you still want to be able to distinguish different users, maybe for statistics, maybe for blocking abuse. So better use a salted hash for it. And that is exactly what mod_anonstats does. But while experimenting with I wasn't fully satisfied: can the shared memory used for the salt be swapped to disk? Why use a fake-ip, replace it with a hash to make directly visible this is not an ip. why use md5 and not sha-2? Can it be configured per virtual host? And once it crashed quite nasty. I did: "killall -9 apache2", when trying to restart apache2 right after it, it failed because the shared memory file was still open. It should protect against situations like that...

Anyway, if anybody can help out improving it, please let it know, the author of mod_anonstats is very open for suggestions. And mod_anonstats is too close to being very useful to discard it.

(Old post written on 2009-09-08 for an other site)