GAK -- Government Access to Keys
GAP -- Government Access to Patients
GAY -- Government Access to You

At 3:03 PM 9/18/96, Lucky Green wrote:
On Wed, 18 Sep 1996, Jim Ray wrote:
I agree, and hope so. "Key Recovery," while not as Orwellian-sounding as "GAK," is a step on the path to honesty WRT the English language, though it's important to continually point out, as Tim did in his post, that *access* -- rather than just recovery -- is obviously what Mr. Freeh wants.
I'd count this likely change in terminology as a "cypherpunk victory," albeit a very small and certainly a very hard-fought one.
Nope. It is a Cypherpunk loss. The use of the term "key recovery" for GAK now fully obfuscates the distinction between accessing a backup copy by the legitimate owner (or his estate, employer, etc.) and GAK. Many PKIs will support the former type of key recovery. And for good reasons. Thanks to the brainwashers using the same term for GAK, it will now become impossible to tell from a basic description of a PKI if it supports GAK or not. Furthermore, those who oppose the latter type of key
Further, merely _asking_ your Designated Key Recovery Authority what its release policies are will of course place your name on the SPL (Suspicious Persons List).

The FAA is an agency which will have nearly unlimited access to communications, under the Safe Skies and Anti-Child-Hurting Act. (Think about it--Clinton already signed a couple of Presidential Decision Directives and Congress passed various anti-terrorism acts which already give the Feds authority to wiretap and surveil more widely than before, at least legally. The Foreign Intelligence Surveillance Act (or court) allows widespread surveillance of suspected foreign agents, without any notification of local courts or of the surveillance target. Won't these many provisions allowing wide surveillance already be used almost instantaneously to force PKIs to disclose keys of all those on the SPL? "If it saves just one child.")

On a related note, I read an article yesterday about the proposed new Health Data Base, with all encounters with any medical institution or any health care provider of any sort being cross-linked and cross-referenced. The privacy concerns are supposedly handled by having "security tickets" for various hospital officials, researchers (!!), insurance companies, and law enforcement. (I put the "!!" next to the "researchers" because I don't recall releasing my medical and dietary history to any so-called "researchers." While I have no doubt that many "data miners" would like access to such national data bases, and that some potentially valuable information could be gleaned, I didn't release this information for Joe Gradstudent, Ph.D. candidate to sift through.)

[Here are some more details: "Mission: one-stop medical records," Robert S. Boyd, San Jose Mercury News, 1996-09-17, p. 1.

"Virtually unnoticed by the public, health-care experts are preparing to create an electronic "Master Patient Index," covering every American's medical records from cradle to grave...."We can't eliminate privacy concerns, but we can minimize them," said Richard Rubin, president of the Foundation for Health Care Quality in Seattle at a planning conference here last week....David Kilman, a computer expert at New Mexico's Los Alamos National Laboratory, where the idea for the master index was born....Only people with a 'security ticket'--such as doctors, insurers, scientific researchers or police with a proper warrant--are supposed to be able to see the clinical details....Kathy Ganz, director of the New Mexico Health Policy Commission, said, "Rights to privacy are genuine concerns, but they will need to be balanced against notions of common good.""]

Pretty chilling, eh? As we all know, once such medical, dietary, and genetic data bases are established, the likelihood of privacy-invading use is near unity. If the NLETS data base can be routinely accessed (it's how I got Thomas Pynchon's home address, but that's another story), imagine who will hack this data base! The tabloids will love it, as they gain access to "medical records of the stars." Hackers will suck down as much as they can and then sell the records.

And such data bases will be tied to True Names, of course, thus allowing the "freezing out" of anyone who is not a True Name, who has fallen behind in child support payments, who is late on his income taxes, and so on. It doesn't matter if cash is still allowed if one cannot interact with any health care person without a proper citizen-unit data base entry. They've got you tracked even if you pay in gold dust.

(Putting on my Duncan cap--not to be confused with dunce cap--I wonder what will happen the first time someone dies because a hospital wouldn't treat someone without a proper citizen-unit health care card?)

P.S. I fully understand that some doctors will treat patients for cash, without reporting to The Authorities, just as some doctors will treat gunshot wounds without the mandatory reporting of same to the police. This does not mean such doctors will be easy to find. The System, if allowed to win, will win.

P.P.S. Many of the things we talk about on the list are being made possible--the good and the bad--by computerization. Obviously. Burnham's "Age of Privacy" (or maybe it was "The Age of Surveillance"--my copy is not handy) made this point many years ago. We are taking the mechanization and systematization procedures the Germans used so efficiently in the 1930s and modernizing them, with every movement and every transaction tracked and recorded in data bases. Now more than ever we need "credentials without identity" and digital cash. Chaum's article about "Transaction Systems to Make Big Brother Obsolete" is now more urgent than ever.

--Tim May

We got computers, we're tapping phone lines, I know that that ain't allowed.

---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1,257,787-1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
On a related note, I read an article yesterday about the proposed new Health Data Base, with all encounters with any medical institution or any health care provider of any sort being cross-linked and cross-referenced. The privacy concerns are supposedly handled by having "security tickets" for various hospital officials, researchers (!!), insurance companies, and law enforcement. (I put the "!!" next to the "researchers" because I don't recall releasing my medical and dietary history to any so-called "researchers." While I have no doubt that many "data miners" would like access to such national data bases, and that some potentially valuable information could be gleaned, I didn't release this information for Joe Gradstudent, Ph.D. candidate to sift through.)
it's worth noting that mapping the human genome is related to health records and privacy issues. essentially scientists have made tremendous progress in mapping out what diseases are caused by what genes. much of this is done with the power of correlating gene mutations with actual health records among the population, the more the better. science progresses on openness. there are legitimate reasons to have large databases of private records. I do believe such things could be accomplished while protecting the privacy of individuals yet giving the benefits to researchers. imagine the concepts of blinding and zero-knowledge protocols applied to health databases. it seems reasonable that this can be worked out.

one interesting idea: imagine a system in which "blinding" is an accepted and basic form of interaction between patients and doctors. the patients give only a self-generated ID to the health care provider. the system is set up such that the provider can do all functions necessary to them (keeping records, billing the insurance company) through the "blinding" process. this has a lot of potential. it seems that we could take the blinding process and possibly push for it to be an accepted way of doing business. there's a lot of use for someone to do what Chaum has done for digital cash, i.e. show that all operations necessary to commerce can be supported via blinding-- taking that kind of mapping, and moving it into all other areas of human endeavor. even just rewriting his own papers to be specific to particular fields like the health arena would be a breakthrough at the moment.

p.s. I fail to see why calling you "timmy" is considered an ad hominem attack. quite to the contrary, I assure you it is a term of endearment <g>
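As an added example (not part of the post above, and not code from Chaum or anyone in the thread), here is the primitive the "self-generated ID" idea rests on: a Chaum-style RSA blind signature, in Python. The framing is hypothetical: an insurer blind-signs a pseudonym the patient chose, the provider verifies that signature with the insurer's public key before billing, and the insurer's own log of what it signed cannot be matched to the pseudonym later presented. The insurer key is built from two fixed Mersenne primes so the script is deterministic; it is far too small for real use.

```python
"""Toy Chaum-style RSA blind signature over a patient-chosen pseudonym.

Added example. The insurer/provider roles, all names, and the fixed key are
assumptions for illustration, not a protocol from the thread."""
import hashlib
import secrets
from math import gcd
from typing import List, Optional, Tuple

# Hypothetical insurer key from two fixed Mersenne primes (M61, M89): a
# ~150-bit modulus chosen only so the example runs without key generation.
# Real deployments use 2048-bit random primes at minimum.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse; needs Python 3.8+


def hash_to_int(message: bytes) -> int:
    """Stand-in for a full-domain hash: map the pseudonym into Z_N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def blind(m: int, r: Optional[int] = None) -> Tuple[int, int]:
    """Patient side: multiply m by r^e so the signer sees a random-looking value."""
    if r is None:
        while True:
            r = secrets.randbelow(N - 2) + 2
            if gcd(r, N) == 1:
                break
    return (m * pow(r, E, N)) % N, r


def sign_blinded(blinded: int, insurer_log: List[Tuple[int, int]]) -> int:
    """Insurer side: sign whatever arrives, and log what it saw."""
    s = pow(blinded, D, N)
    insurer_log.append((blinded, s))
    return s


def unblind(blinded_sig: int, r: int) -> int:
    """Patient side: divide out r; the result is an ordinary RSA signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(m: int, sig: int) -> bool:
    """Plain RSA verification under the insurer's public key (N, E)."""
    return pow(sig, E, N) == m


def issue_credential(pseudonym: bytes, insurer_log: list, r: Optional[int] = None) -> dict:
    """Run the full exchange; return what the patient ends up holding."""
    m = hash_to_int(pseudonym)
    blinded, r = blind(m, r)
    sig = unblind(sign_blinded(blinded, insurer_log), r)
    return {"m": m, "sig": sig, "blinded": blinded}


def provider_accepts(pseudonym: bytes, sig: int) -> bool:
    """Billing check at the provider: only a pseudonym with a valid insurer signature is billed."""
    return verify(hash_to_int(pseudonym), sig)


def insurer_can_link(insurer_log: list, m: int, sig: int) -> bool:
    """Can the insurer match a presented (m, sig) to its signing log?
    No: the log holds only blinded values, which differ from m and sig."""
    return any(m == b or sig == s for b, s in insurer_log)


if __name__ == "__main__":
    log: list = []
    cred = issue_credential(b"patient-chosen-id-7f3a", log)
    print("provider accepts:", provider_accepts(b"patient-chosen-id-7f3a", cred["sig"]))
    print("insurer can link:", insurer_can_link(log, cred["m"], cred["sig"]))
```

Two caveats a practitioner would add. First, textbook RSA blinding is multiplicatively homomorphic, so the signing key must be dedicated to this one purpose and the message must be hashed into the full domain; otherwise a patient can combine signed values into signatures on things the insurer never meant to sign. Second, the unlinkability is only between issuance and first use: once the pseudonym is presented, every later visit under the same pseudonym is linkable to each other, which is exactly the gap Asgaard's reply points at.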
On Wed, 18 Sep 1996, Vladimir Z. Nuri wrote:
of blinding and zero-knowledge protocols applied to health databases. it seems reasonable that this can be worked out.
De-identified records are common in medical research, where applicable. The problem is that for effective epidemiological research the self-generated ID you propose must be applied in a lot of databases outside of health care. The epidemiologist wants to know when you were born, when you give birth or die or buy liquor, your income, standard of living, grade of radon contamination in your house, what Web-pages you access etc etc. (The Swedish Post is currently spending a lot of money advertising their new Web services. For full access to such sensitive data as detailed weather maps you have to enter your name, address and Person Number - for credit information, they say - and they will send you, by snail mail, a username and password; http://www.torget.se) So in the end you haven't really gained much by creating your own ID - it will be just as useful to the State as if they had given it to you. Asgaard
(The Swedish Post is currently spending a lot of money advertising their new Web services. For full access to such sensitive data as detailed weather maps you have to enter your name, address and Person Number - for credit information, they say - and they will send you, by snail mail, a username and password; http://www.torget.se)
Actually, they say they'll send it by Registered Mail - so there is an "authenticated" binding between userID and person. (MIT did this for accounts on MIT-AI about 20 years ago.) They will also send a copy of your Swedish credit report. Since the Swedish Post is planning to get into offering services for a fee, their requirement for a means of payment seems reasonable, though I would have thought that a Visa number would be sufficient. They refused my application without sending a copy of my credit report (and without explanation), even though I provided them with my valid Swedish personal number. I may complain in person next week when I'm in Stockholm for vacation, though it seems like a dumb way to spend a vacation. Martin.
On a related note, I read an article yesterday about the proposed new Health Data Base, with all encounters with any medical institution or any health care provider of any sort being cross-linked and cross-referenced. The privacy concerns are supposedly handled by having "security tickets" for various hospital officials, researchers (!!), insurance companies, and law enforcement. (I put the "!!" next to the "researchers" because I don't recall releasing my medical and dietary history to any so-called "researchers." While I have no doubt that many "data miners" would like access to such national data bases, and that some potentially valuable information could be gleaned, I didn't release this information for Joe Gradstudent, Ph.D. candidate to sift through.)
Don't get me wrong - I'm not disagreeing with you about how grim your points are. I just wanted to point out that information "could" be released to researchers without identifying the patient - researchers are generally interested in statistical data, such as the incidence of cancer per zip code, etc., which doesn't require your name to be released. Zip codes are sufficiently populated that this probably is of no danger to privacy. OTOH, the potential for mis-use of such records is high, and allowing access to a huge number of commercial sites, and their employees, certainly opens a lot of holes. - r.w.
Rabid Wombat wrote:
Don't get me wrong - I'm not disagreeing with you about how grim your points are. I just wanted to point out that information "could" be released to researchers without identifying the patient - researchers are generally interested in statistical data, such as the incidence of cancer per zip code, etc., which doesn't require your name to be released. Zip codes are sufficiently populated that this probably is of no danger to privacy.
Um..... Zip code 92067-1234 is my mother's mailing address. OK, it's not -1234, but there is a 9-digit zip code that is sufficient to get mail to my mother, and my mother alone.

P.S. This is less than 5 miles outside the city limits of San Diego; hardly a "low population density" area.

-- Marshall
Marshall Clow, Aladdin Systems <mailto:mclow@mailhost2.csusm.edu>
"We're not gonna take it/Never did and never will
We're not gonna take it/Gonna break it, gonna shake it, let's forget it better still" -- The Who, "Tommy"
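The disagreement above (a zip code is "sufficiently populated" versus ZIP+4 naming one household) is a question one can measure. As an added example, not from either poster, here is a small k-anonymity check in Python over constructed records: it counts how many rows share each quasi-identifier (zip prefix, birth year, sex) when the extract keeps five ZIP digits and when it keeps ZIP+4, then joins the ZIP+4 version against an invented outside address list. Every record and name is made up; the directory stands in for any list that maps delivery points to people.

```python
"""Re-identification check for a "de-identified" research extract.

Added example with constructed data: no record here describes a real person,
and DIRECTORY is an invented stand-in for an outside address list."""
from collections import Counter
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]

# Constructed "de-identified" extract: names removed, diagnosis kept.
RECORDS: List[Record] = [
    {"zip": "92067-1234", "born": "1931", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "92067-3456", "born": "1931", "sex": "F", "diagnosis": "arthritis"},
    {"zip": "92067-5678", "born": "1958", "sex": "M", "diagnosis": "asthma"},
    {"zip": "92067-9012", "born": "1958", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "92101-0001", "born": "1970", "sex": "F", "diagnosis": "asthma"},
    {"zip": "92101-0002", "born": "1970", "sex": "F", "diagnosis": "migraine"},
]

# Constructed outside list keyed by ZIP+4. A ZIP+4 code can cover a single
# delivery point, which is why it so often names a household outright.
DIRECTORY: Dict[str, str] = {
    "92067-1234": "A. Example",
    "92067-5678": "B. Example",
    "92101-0001": "C. Example",
}


def zip5(rec: Record) -> Tuple[str, str, str]:
    """Quasi-identifier when the release truncates to five ZIP digits."""
    return (rec["zip"][:5], rec["born"], rec["sex"])


def zip9(rec: Record) -> Tuple[str, str, str]:
    """Quasi-identifier when the release keeps the full ZIP+4."""
    return (rec["zip"], rec["born"], rec["sex"])


def k_anonymity(records: List[Record], quasi_id: Callable[[Record], tuple]) -> int:
    """Smallest group size over all quasi-identifier values: k=1 means someone is unique."""
    return min(Counter(quasi_id(r) for r in records).values())


def singletons(records: List[Record], quasi_id: Callable[[Record], tuple]) -> List[Record]:
    """Records whose quasi-identifier appears exactly once in the extract."""
    counts = Counter(quasi_id(r) for r in records)
    return [r for r in records if counts[quasi_id(r)] == 1]


def link_to_directory(records: List[Record], directory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Join the extract to the outside list on ZIP+4; returns (name, diagnosis) pairs."""
    return [(directory[r["zip"]], r["diagnosis"]) for r in records if r["zip"] in directory]


if __name__ == "__main__":
    print("k with 5-digit ZIP:", k_anonymity(RECORDS, zip5))
    print("k with ZIP+4:      ", k_anonymity(RECORDS, zip9))
    for name, dx in link_to_directory(RECORDS, DIRECTORY):
        print(f"{name}: {dx}")
```

The sample is deliberately kind to the 5-digit release: birth year is coarse and every group has two members. Replace "born" with a full date of birth and the five-digit groups collapse to singletons too, so the safe practice is to measure k on the actual release, with every column an outsider could join on, rather than to reason from how populous a zip code feels.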
On Wed, 18 Sep 1996, Timothy C. May wrote:
On a related note, I read an article yesterday about the proposed new Health Data Base, with all encounters with any medical institution or any health care provider of any sort being cross-linked and cross-referenced.
Scary. The benefits for the singular patient would be very marginal. Epidemiologic research would become easier, with lots of opportunities for the publish-or-perish academic medical crowd, but we already know that smoking etc is bad for us. The real agenda is of course to make life easier for the insurance business, our would-be employers and the State.
the master index was born....Only people with a 'security ticket'--such as doctors, insurers, scientific researchers or police with a proper warrant--are supposed to be able to see the clinical details....Kathy Ganz, director of the New Mexico Health Policy Commission, said, "Rights to privacy are genuine concerns, but they will need to be balanced against notions of common good."
The specialized software industry is currently flooding the medical community with applications for all sorts of patient-related info. It started with the small units (offices, with a single or a handful of doctors etc), which are already doing a lot of their record-keeping on digital media, often with lousy security. Now the turn has come to the big hospitals, which need heavily customized implementations of the basic product they will choose. Although most serious products have proper authentication routines (including smartcards; especially nurses seem to be totally unable to handle passwords above the my_cat's_name level), the overall availability of patient data will rise enormously with digital storage. The trend in the US is for large companies to take over more and more of the big hospitals (in Sweden almost all hospitals are owned by the 'public', with a trend towards bigger and bigger integrated 'regions') mandating larger and larger databases. So even without an outspoken decision the Grand National Health Database is worming itself upon us.
Pretty chilling, eh? As we all know, once such medical, dietary, and genetic data bases are established, the likelihood of privacy-invading use is near unity.
It certainly is. And cryptography can not do that much about it since it's primarily a problem of user integrity. Asgaard
participants (6): Asgaard, Marshall Clow, Martin Minow, Rabid Wombat, tcmay@got.net, Vladimir Z. Nuri