In the public discussions about "medical data bases" and "medical account numbers," the key issue is being missed. Namely, Why can't patients carry their _own_ medical records, and disclose what they wish to disclose to doctors and hospitals, as they see fit? Whether implemented in a high-tech version, as a "smart card," or a low-tech version, as a "dossier" (a file folder), the principle's the same. (I'll get to insurance companies in a moment.) There is little incentive (*) that I can imagine for any patient to deliberately lie on his records, as such lying usually harms himself by providing misleading information to someone who is trying to help him--I mention this because presumably one of the reasons hospitals and whatnot keep the records is fear that the records will be altered or not fully reported. Medical records appear to be a perfect example of Chaum's "selective disclosure of credentials," or even "credentials without identity." (* There is of course some incentive to lie or withold medical information if the patient deems it invasive of his privacy, or something that he does not want on records accessible to others. But in a _specific medical treatment_, for example, he gains little by denying that he had measles as a child, or that he has used IV drugs. Provided he can disclose this information without being added to a data base--e.g., by using selective disclosure of information (and not his name)--the incentives for lying are small, possibly negative.) Insurers would of course be worried about falsification of records. This can be handled in several ways. Digitally-signed statements from hospitals or test services could be required, depending on the policies of the insurers--the holder of the files, such as the patient, would be unable to fake or alter such records. Still, when one asks another party to make a "bet" about one's health, which is what insurance of course is, it's not surprising that they would want to see to independent verification of one's assertions. This is largely separable from the issue of disclosing to doctors and hospitals medical information. The comparison that is often made between credit records and medical records is flawed. Credit records are the items of data _from other people_, e.g., the persons one has borrowed from, the landlords one has rented from, etc. And with credit records, a person is often inclined to falsify or withold items (though this is also solved partly with digital signatures, though not perfectly). (There are some interesting links with object-oriented programming, with patient-objects able to maintain their own state. Not true of creditee-objects, who are not the owners of the credit worthiness judgments of others.) This could be an area where actual progress can be made. While many people, and regulators, have concerns about untraceable digital cash, it is likely that the _public_ would find it hard to buy the argument that patients being responsible for their own medical records would be a dire threat to the Republic! Thus, while carrying one's own credit record is mostly unworkable, carrying one's own medical records is completely feasible, and solves many privacy problems. --Tim May (I hope I fixed any scrambled paragraphs...my Mac crashed again (it's been crashing several times a day, what with all the various semi-incompatible versions of the Mac OS, extensions, new programs, etc., I have) and I had to recover the text of what I'd been typing from one of those dreaded--but very useful--"keystroke capture" programs.) We got computers, we're tapping phone lines, I know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^1,257,787-1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."