Did you know...?

MrFoolish
Lemon Quarter
Posts: 2329
Joined: March 22nd, 2020, 7:27 pm
Has thanked: 562 times
Been thanked: 1138 times

Did you know...?

#415975

Postby MrFoolish » May 29th, 2021, 7:09 am

Did you know your medical records, along with your NHS number and postcode, are about to be scraped onto a database and made available to third parties?

https://www.opendemocracy.net/en/opende ... -data-why/

You have a matter of days to opt-out.

I'm not sure what I think about this. Perhaps there's some upside for the greater good. But I certainly don't like the way it is being done stealthily whilst everyone is fussing over other problems in the world. And who would trust them to keep this information secure?

88V8
Lemon Half
Posts: 5810
Joined: November 4th, 2016, 11:22 am
Has thanked: 4161 times
Been thanked: 2588 times

Re: Did you know...?

#415989

Postby 88V8 » May 29th, 2021, 9:01 am

I don't think I'm bothered about my records being there.
What is bothersome as you say is potential hacks, my NHS number.... or is the notion of 'identity theft' just another overblown media cupstorm.....

V8

bungeejumper
Lemon Half
Posts: 8129
Joined: November 8th, 2016, 2:30 pm
Has thanked: 2876 times
Been thanked: 3976 times

Re: Did you know...?

#416006

Postby bungeejumper » May 29th, 2021, 10:06 am

Well, what annoys me is that Boris's lot are hardly denying their intention to sell the information to commercial companies. That will probably include insurance companies, who will be more than pleased to know what susceptibilities you've got before they give you a quote. A fair number of the companies lining up to buy are American, including Palantir, which was well into the data core of our "world-beating" Test and Trace fiasco last year. (https://www.reuters.com/article/us-heal ... KKBN27J2HL).

Is the confidentiality fear far-fetched? Certainly, the boundaries of the intended use for the data are still being kept vague, which bothers me. The gubmint insists that patient names and suchlike will be kept well separated from the raw data, and that it will not be possible for a buyer to put the two together. Somehow I'd be happier with that assurance if Dido Harding (she of the Vodafone unencrypted-data leakage scandal) wasn't in the thick of that clueless crowd. You only need to have your confidential health data leaked once, whether accidentally or deliberately, and that's it, it's public property for ever more.

https://inews.co.uk/news/nhs-digital-de ... ts-1023837. A better FT account, if you've got access, is at https://www.ft.com/content/9fee812f-697 ... b25d3dd748.

NHS Digital, which runs the health service’s IT systems, confirmed the plan to pool together medical records from every patient in England who is registered with a GP clinic into a single lake that will be available to academic and commercial third parties for research and planning purposes.

Cori Crider, co-founder of Foxglove, a campaign group for digital rights, said...... “Is it pharma companies? The health arm of Google Deepmind? If you ask patients whether they want details of their fertility treatment or abortion, or results of their colonoscopy shared with [those companies], they’re not going to want that".


The opt-out form is at https://nhs-prod.global.ssl.fastly.net/ ... -form.docx , but you need to post it to your GP surgery. There seems to be a digital form at https://assets.nhs.uk/nhsuk-cms/documen ... _224kb.pdf, but I'm not 100% sure it's the same thing. DYOR on that score.

BJ

sg31
Lemon Quarter
Posts: 1543
Joined: November 4th, 2016, 11:35 am
Has thanked: 925 times
Been thanked: 708 times

Re: Did you know...?

#416011

Postby sg31 » May 29th, 2021, 10:16 am

Does anyone know anything about Open Democracy? I've never heard of them.

The website appears convincing but I'm skeptical of internet sources I don't know. If I have time later in the week I will have a root around. If anyone can vouch for them it will save me the trouble.

MrFoolish
Lemon Quarter
Posts: 2329
Joined: March 22nd, 2020, 7:27 pm
Has thanked: 562 times
Been thanked: 1138 times

Re: Did you know...?

#416014

Postby MrFoolish » May 29th, 2021, 10:20 am

bungeejumper wrote:
The opt-out form is at https://nhs-prod.global.ssl.fastly.net/ ... -form.docx , but you need to post it to your GP surgery. There seems to be a digital form at https://assets.nhs.uk/nhsuk-cms/documen ... _224kb.pdf, but I'm not 100% sure it's the same thing. DYOR on that score.
BJ


Yes, the online opt-out is as clear as mud. Which in itself doesn't inspire confidence.

It also says they can ignore your opt-out decision in this case: "Information about your health care or treatment may still be used in research and planning if the information that can identify you is removed first."

Well hang on a minute... first of all they try to say you can't be identified from the gathered information, then they say they can still use your information if they take out the information that identifies you. Make sense of that!

onthemove
Lemon Slice
Posts: 540
Joined: June 24th, 2017, 4:03 pm
Has thanked: 722 times
Been thanked: 471 times

Re: Did you know...?

#416021

Postby onthemove » May 29th, 2021, 10:32 am

MrFoolish wrote:Did you know your medical records, along with your NHS number and postcode, are about to be scraped onto a database and made available to third parties?

https://www.opendemocracy.net/en/opende ... -data-why/

You have a matter of days to opt-out.

I'm not sure what I think about this. Perhaps there's some upside for the greater good. But I certainly don't like the way it is being done stealthily whilst everyone is fussing over other problems in the world. And who would trust them to keep this information secure?


On reading your first sentence, my reaction was "finally!". I had a letter a few years ago - presumably re. the thing mentioned in the article about a previous digitisation attempt - about them wanting to digitise my records back then. I can't believe they still haven't already done it. I was rather disheartened when I heard the process was being scrapped.

I mean, if you get hit by a bus, for the paramedics and A&E to have access to your medical record there and then, is surely going to be a major benefit. You don't want the A&E doctors having to ring up your GP's surgery asking them to dig out paper medical records while the doctors are stood waiting. If they can log onto the NHS system and directly access what you're allergic to, what other treatments you might be undergoing, etc, it could make a significant difference.

My main concern would be backup in case of ransomware attack. But adequate backup processes are available, as long as we can trust the government to use them. Even keeping printouts that could enable (as a last resort) reverting back to paper-based (as now) would do.

As for the article, it has a stench of scaremongering about it. Playing tactics like telling you you've only got a limited time to do something to scare you into reacting how they want you to react. Portraying it as though the government are some evil sinister organisation separate to the NHS, which to me is nonsense. The NHS are part and parcel of the national public infrastructure which includes the government, etc. To think of your medical records in the NHS being held by some saintly entity distinct from the evil government as portrayed by the article, is nonsense.

The article also deliberately misleads. About postcodes, it leaves you, the reader, with the impression that your postcode will be given out with the data - or at least says "The ‘pseudonyms’ that will be used to obscure those bits of information are readily reversible". What it doesn't say is that the 'readily reversible' is likely to mean for someone with access to the source data, and if that's the case then "so what?".

Then let's not underestimate the enormous benefit to society that could be derived from this data if thoroughly processed. And so what if that happens to be by big pharma taking out patents on what they develop from it. The whole point of the patent system is to give industry the incentive to do the research and development. To pour in the investment money. Good on them. And patents are time limited, so the benefit reverts to society eventually. And look at it the other way, the data is available to all, not just big pharma. So if someone 'not for profit' wants to do the research, they're also able to do so.

As for payment for access. Great! That's money to the government and NHS to improve services.

In my view, access to the NHS, at all, should be conditional on agreeing that your data can be used for research and be digitised to help provide NHS services.

I find it staggering that people would expect to use the NHS, but aren't willing to play their part and allow data about their conditions and treatments, etc, to be aggregated and used for research into better future treatments and better organisation of the NHS, etc.

And clearly the NHS are at the delivery end, not primarily the research end, so absolutely I'd expect that they would allow external entities - big pharma, university research labs, etc - access to the data in order to undertake that research.

To most of us, health is probably top of our priorities. Wouldn't you want a health service and system that maximises the learning opportunities. A system that takes every opportunity to learn what we can about our health and medical care and how we can improve it for the benefit of ourselves and our families?

You ain't gonna get that by leaving everything written pen on paper, and locking it up so no-one can analyse that information.

onthemove
Lemon Slice
Posts: 540
Joined: June 24th, 2017, 4:03 pm
Has thanked: 722 times
Been thanked: 471 times

Re: Did you know...?

#416029

Postby onthemove » May 29th, 2021, 11:03 am

MrFoolish wrote:
bungeejumper wrote:
The opt-out form is at https://nhs-prod.global.ssl.fastly.net/ ... -form.docx , but you need to post it to your GP surgery. There seems to be a digital form at https://assets.nhs.uk/nhsuk-cms/documen ... _224kb.pdf, but I'm not 100% sure it's the same thing. DYOR on that score.
BJ


Yes, the online opt-out is as clear as mud. Which in itself doesn't inspire confidence.

It also says they can ignore your opt-out decision in this case: "Information about your health care or treatment may still be used in research and planning if the information that can identify you is removed first."

Well hang on a minute... first of all they try to say you can't be identified from the gathered information, then they say they can still use your information if they take out the information that identifies you. Make sense of that!


I think people get too hung up about 'identification'.

There was some research a few years ago that claimed you could be uniquely 'identified' from just 3 data points from your mobile phone location - i.e. just record the location of your phone at 3 random moments in time, that's enough to 'identify' you.

Why do I mention this? Well, what does 'identify' mean? Clearly in the case of that mobile phone location info, it doesn't mean grab your name, address and postcode. What it means is that that data can act as an identifier that distinguishes you from other people.

Clearly, when it comes to medical conditions, it's highly likely that similar will occur. A particular combination of illnesses or conditions is also probably going to act as a unique identifier. Even if a doctor didn't know your name and address from the information, and couldn't see your face, upon reading your record they'd probably think "ah, this is the guy/gal with XYZ". They've distinguished you from other patients, and recognised that it's the same you they might have encountered before.

And this is where it gets fuzzy.

If you can individually identify - or at least distinguish - someone in one context, then it often doesn't take much additional information to then join up individuals distinguished in different contexts, and recognise that they are referring to the same physical person.

For example, if you had the mobile phone location data, distinguishing an individual (as mentioned above) and from that person's other mobile phone location data you could see where they went at what time.

You might see that at a certain time they arrived at hospital.

Well, the hospital's data collection is clearly going to keep a record of admissions and names and addresses.

So if you had access to both datasets, clearly you would be able to work out everywhere that person has been outside of the hospital, etc. The hospital dataset may promise not to disclose home address, etc. The hospital dataset may promise only to hold information about your medical treatment, where and when, etc. The mobile phone dataset may have been provided without access to 'personally identifiable information'. But put the two datasets together and you can tie together an individual from the phone dataset with an individual from the hospital dataset, and therefore potentially even figure out where they live and work from the common places the phone visits, etc.

Unfortunately, this is a reality that we're going to have to get used to. You simply cannot provide access to data for research and not run the risk that with some additional connecting data, anonymity could be lost. It's just not realistic.

MrFoolish
Lemon Quarter
Posts: 2329
Joined: March 22nd, 2020, 7:27 pm
Has thanked: 562 times
Been thanked: 1138 times

Re: Did you know...?

#416030

Postby MrFoolish » May 29th, 2021, 11:08 am

onthemove wrote:The article also deliberately misleads. About postcodes, it leaves you, the reader, with the impression that your postcode will be given out with the data - or at least says "The ‘pseudonyms’ that will be used to obscure those bits of information are readily reversible". What it doesn't say is that the 'readily reversible' is likely to mean for someone with access to the source data, and if that's the case then "so what?".


Well you say "is likely to mean" because presumably you don't actually know. Which is fair enough. Tell me if you do actually know.

But this is my problem with this. They are having a second go at bringing this out when everyone is distracted by covid. Why did it fail the first time and what has changed? Where is the proper disclosure and debate? It would be nice to know exactly what we're being signed up for.

onthemove
Lemon Slice
Posts: 540
Joined: June 24th, 2017, 4:03 pm
Has thanked: 722 times
Been thanked: 471 times

Re: Did you know...?

#416034

Postby onthemove » May 29th, 2021, 11:28 am

MrFoolish wrote:
onthemove wrote:The article also deliberately misleads. About postcodes, it leaves you, the reader, with the impression that your postcode will be given out with the data - or at least says "The ‘pseudonyms’ that will be used to obscure those bits of information are readily reversible". What it doesn't say is that the 'readily reversible' is likely to mean for someone with access to the source data, and if that's the case then "so what?".


Well you say "is likely to mean" because presumably you don't actually know. Which is fair enough. Tell me if you do actually know.

But this is my problem with this. They are having a second go at bringing this out when everyone is distracted by covid. Why did it fail the first time and what has changed? Where is the proper disclosure and debate? It would be nice to know exactly what we're being signed up for.


I wouldn't worry. Most people google their symptoms and search for information about their treatment online.

I presume you're already aware of this which is already in place....

[And bear in mind that it's your ISP who is legally obliged to record this on a 12 month rolling basis. Yeh, that's the ISPs who store your password as clear text and make it visible to their call center staff (as a virginmedia employee told me when I rang up a few years ago, and I asked her outright ..."Can you see my password on your screen" to which she replied "yes")]

https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016
List of authorities allowed to access Internet connection records without a warrant:

Metropolitan Police Service
City of London Police
Police forces maintained under section 2 of the Police Act 1996
Police Service of Scotland
Police Service of Northern Ireland
British Transport Police
Ministry of Defence Police
Royal Navy Police
Royal Military Police
Royal Air Force Police
Security Service
Secret Intelligence Service
GCHQ
Ministry of Defence
Department of Health
Home Office
Ministry of Justice
National Crime Agency
HM Revenue & Customs
Department for Transport
Department for Work and Pensions
NHS trusts and foundation trusts in England that provide ambulance services
NHS National Services Scotland
Competition and Markets Authority
Criminal Cases Review Commission
Department for Communities (Northern Ireland)
Department for the Economy (Northern Ireland)
Department of Justice (Northern Ireland)
Financial Conduct Authority
Fire and rescue authorities under the Fire and Rescue Services Act 2004
Food Standards Agency
Food Standards Scotland
Gambling Commission
Gangmasters and Labour Abuse Authority
Health and Safety Executive
Independent Police Complaints Commission
Information Commissioner
NHS Business Services Authority
Northern Ireland Ambulance Service Health and Social Care Trust
Northern Ireland Fire and Rescue Service Board
Health & Social Care Business Services Organisation (Northern Ireland)
Office of Communications
Police Ombudsman for Northern Ireland
Police Investigations and Review Commissioner
Scottish Ambulance Service Board
Scottish Criminal Cases Review Commission
Serious Fraud Office
Welsh Ambulance Services National Health Service Trust


And just to re-iterate... it is your ISP who is legally required to gather and store this information as a matter of routine, about everyone in the country.

Let's hope ISPs don't talk talk to others about what you've been up to online.

To be quite honest, I'm amazed this didn't get more push back.

I can only assume that most people don't really understand what the legislation is about, and just what is being recorded and how it could be used (legitimately and not-so-legitimately if hacked).

And bear in mind there is no opt out for this one, other than not using the internet at all.

If you are using the internet, what you are looking at is being recorded. And you have no choice in the matter.

In my view, in comparison, the NHS digitising our medical records is inconsequential.

bungeejumper
Lemon Half
Posts: 8129
Joined: November 8th, 2016, 2:30 pm
Has thanked: 2876 times
Been thanked: 3976 times

Re: Did you know...?

#416044

Postby bungeejumper » May 29th, 2021, 12:00 pm

onthemove wrote:In my view, in comparison, the NHS digitising our medical records is inconsequential.

Extraordinary. And if, as well as digitising your fully identifiable information, the government said it was going to sell it to the highest bidders? Anywhere in the world?

BJ

ursaminortaur
Lemon Half
Posts: 7032
Joined: November 4th, 2016, 3:26 pm
Has thanked: 455 times
Been thanked: 1745 times

Re: Did you know...?

#416049

Postby ursaminortaur » May 29th, 2021, 12:25 pm

onthemove wrote:
MrFoolish wrote:
bungeejumper wrote:
The opt-out form is at https://nhs-prod.global.ssl.fastly.net/ ... -form.docx , but you need to post it to your GP surgery. There seems to be a digital form at https://assets.nhs.uk/nhsuk-cms/documen ... _224kb.pdf, but I'm not 100% sure it's the same thing. DYOR on that score.
BJ


Yes, the online opt-out is as clear as mud. Which in itself doesn't inspire confidence.

It also says they can ignore your opt-out decision in this case: "Information about your health care or treatment may still be used in research and planning if the information that can identify you is removed first."

Well hang on a minute... first of all they try to say you can't be identified from the gathered information, then they say they can still use your information if they take out the information that identifies you. Make sense of that!


I think people get too hung up about 'identification'.

There was some research a few years ago that claimed you could be uniquely 'identified' from just 3 data points from your mobile phone location - i.e. just record the location of your phone at 3 random moments in time, that's enough to 'identify' you.


Are you sure they weren't just referring to triangulation of your mobile phone's location by detecting the signal from your phone from three cell phone towers at the same time? Although location information can lead to the discovery of the user's identity and sensitive information (see below), just recording the position around the city at three random times would be unlikely to provide such information - you might well just get them walking down three different streets. Getting the locations either pretty continuously or at more targeted times would be better, e.g. 3am in the morning would likely find them at home and 3pm on a work day (once Covid has passed) would likely find most people at their work place.


Under the GDPR tracking of location data has to be handled particularly carefully as it can lead to the discovery of sensitive personal data about an individual.

https://www.livingmap.com/location-matters-geospatial-information-under-gdpr/

It is not enough to store the information without identifiers, such as a name or an ID. Daily routines give away a person’s home address and place of work easily. If a mobile device captures these movements over time, it can be enough to identify a user with location data alone.

Location carries sensitive information

Furthermore, the analysis of an individual’s location data can reveal highly sensitive information. Sensitive Personal Data is the term that’s used with GDPR to describe information that needs special protection. It includes data revealing a person’s ethnicity; political, religious or philosophical beliefs; and data concerning health or sexual orientation.

Data on places a person visits can contain information on sensitive traits. For example, frequent visits to a church, a hospital or a trade union can give away information that is not intended to be shared. The intimate nature of these personal details adds to the importance of effective anonymisation.
Last edited by ursaminortaur on May 29th, 2021, 12:28 pm, edited 2 times in total.

AsleepInYorkshire
Lemon Half
Posts: 7383
Joined: February 7th, 2017, 9:36 pm
Has thanked: 10514 times
Been thanked: 4659 times

Re: Did you know...?

#416050

Postby AsleepInYorkshire » May 29th, 2021, 12:26 pm


onthemove
Lemon Slice
Posts: 540
Joined: June 24th, 2017, 4:03 pm
Has thanked: 722 times
Been thanked: 471 times

Re: Did you know...?

#416052

Postby onthemove » May 29th, 2021, 12:34 pm

ursaminortaur wrote:
onthemove wrote:
I think people get too hung up about 'identification'.

There was some research a few years ago that claimed you could be uniquely 'identified' from just 3 data points from your mobile phone location - i.e. just record the location of your phone at 3 random moments in time, that's enough to 'identify' you.


Are you sure they weren't just referring to triangulation of your mobile phone's location by detecting the signal from your phone from three cell phone towers at the same time?


I've just dug out the article, and I stand corrected, it's referring to 4 data points rather than 3...

https://www.bbc.co.uk/news/science-environment-21923360
"Scientists say it is remarkably easy to identify a mobile phone user from just a few pieces of location information. ...

... But a study in Scientific Reports warns that human mobility patterns are so predictable it is possible to identify a user from only four data points.

The growing ubiquity of mobile phones and smartphone applications has ushered in an era in which tremendous amounts of user data have become available to the companies that operate and distribute them - sometimes released publicly as "anonymised" or aggregated data sets.

...

Recent work has increasingly shown that humans' patterns of movement, however random and unpredictable they seem to be, are actually very limited in scope and can in fact act as a kind of fingerprint for who is doing the moving.

(...)"

BobbyD
Lemon Half
Posts: 7814
Joined: January 22nd, 2017, 2:29 pm
Has thanked: 665 times
Been thanked: 1289 times

Re: Did you know...?

#416062

Postby BobbyD » May 29th, 2021, 1:33 pm

onthemove wrote:
And just to re-iterate... it is your ISP who is legally required to gather and store this information as a matter of routine, about everyone in the country.

Let's hope ISPs don't talk talk to others about what you've been up to online.


This however comes with an easy opt-out, use a VPN.

BobbyD
Lemon Half
Posts: 7814
Joined: January 22nd, 2017, 2:29 pm
Has thanked: 665 times
Been thanked: 1289 times

Re: Did you know...?

#416069

Postby BobbyD » May 29th, 2021, 2:06 pm

sg31 wrote:Does anyone know anything about Open Democracy? I've never heard of them.


Also in the FT: https://www.ft.com/content/e5fbaf09-34f ... bc6e9e3c44

If you hit the paywall use the google link:

https://www.google.com/search?client=op ... g+patients’+trust&sourceid=opera&ie=UTF-8&oe=UTF-8

onthemove
Lemon Slice
Posts: 540
Joined: June 24th, 2017, 4:03 pm
Has thanked: 722 times
Been thanked: 471 times

Re: Did you know...?

#416071

Postby onthemove » May 29th, 2021, 2:17 pm

BobbyD wrote:
onthemove wrote:
And just to re-iterate... it is your ISP who is legally required to gather and store this information as a matter of routine, about everyone in the country.

Let's hope ISPs don't talk talk to others about what you've been up to online.


This however comes with an easy opt-out, use a VPN.


(UK) VPN providers are subject to the act the same as ISPs.

BobbyD
Lemon Half
Posts: 7814
Joined: January 22nd, 2017, 2:29 pm
Has thanked: 665 times
Been thanked: 1289 times

Re: Did you know...?

#416072

Postby BobbyD » May 29th, 2021, 2:20 pm

onthemove wrote:
BobbyD wrote:
onthemove wrote:
And just to re-iterate... it is your ISP who is legally required to gather and store this information as a matter of routine, about everyone in the country.

Let's hope ISPs don't talk talk to others about what you've been up to online.


This however comes with an easy opt-out, use a VPN.


(UK) VPN providers are subject to the act the same as ISPs.


Use a non-UK VPN...

ursaminortaur
Lemon Half
Posts: 7032
Joined: November 4th, 2016, 3:26 pm
Has thanked: 455 times
Been thanked: 1745 times

Re: Did you know...?

#416075

Postby ursaminortaur » May 29th, 2021, 2:36 pm

BobbyD wrote:
onthemove wrote:
And just to re-iterate... it is your ISP who is legally required to gather and store this information as a matter of routine, about everyone in the country.

Let's hope ISPs don't talk talk to others about what you've been up to online.


This however comes with an easy opt-out, use a VPN.



Which just means that the VPN operator can see where you went instead of your ISP - though if you choose the country where the VPN end-point is carefully you can find some where the company may not be obliged to log that information or provide it to the government.

TOR would be better since you are routed through a number of intermediate VPNs which should at least theoretically mean that the exit nodes which can see your traffic can't see back to where you really came from and thus identify you. But even TOR is not 100% safe from governments (and university research teams).

https://protonvpn.com/blog/is-tor-safe/

Like any technology, Tor is not 100% secure, and attackers can still compromise Tor’s security. In 2014, a research team from Carnegie Mellon University gained control of enough servers in the Tor network to observe the relays on both ends of the Tor circuit and compare the traffic timing, volume, and other unique characteristics to identify which other Tor relays were part of which circuits. By putting the entire circuit together, the researchers were able to see the IP address of the user on the first relay and the final destination of their web traffic on the last relay, allowing them to match users to their online activity. (For those interested in a more technical explanation, the Tor Project analyzed the attack.) The FBI then used this attack to round up a number of criminals on the dark web as part of their Operation Onymous. Tor upgraded their relays to deal with the specific protocol used by the researchers, but correlation attacks (identifying users through the timing and volume of their traffic) are still possible.

And since you don't know who is operating the TOR exit nodes you don't want to be passing sensitive information in the clear

https://nakedsecurity.sophos.com/2015/06/25/can-you-trust-tors-exit-nodes/

Chloe set up a fake website with a Bitcoin theme, downloaded a complete list of exit nodes and then logged in to the honeypot site multiple times via Tor, using a different exit node and a unique password each time.

Crucially the usernames and passwords were sent over regular HTTP rather than encrypted HTTPS so that when Tor’s layers of encryption were peeled back they were visible in the stream of traffic.

If the login attempts had gone unobserved and unabused then the total number of website visits and log in attempts recorded by the honeypot should have matched the number performed by Chloe exactly.

They didn’t.

After a month of testing there were over 600 unexplained page visits, 12 failed log-in attempts and 16 successful ones that hadn’t come from Chloe.

The passwords were not stored anywhere and were far too difficult to guess so if they were indeed stolen, they were stolen by somebody snooping on-the-wire.
.
.
.
Chloe’s research is interesting then, but not quite a smoking gun.

There is a smoking gun though, and it belongs to Dan Egerstad.

In 2007 Egerstad set up just five Tor exit nodes and used them to intercept thousands of private emails, instant messages and email account credentials.

Amongst his unwitting victims were the Australian, Japanese, Iranian, Indian and Russian embassies, the Iranian Foreign Ministry, the Indian Ministry of Defence and the Dalai Lama’s liaison office.

He concluded that people were using Tor in the mistaken belief that it was an end-to-end encryption tool.

It is many things, but it isn’t that.

Dan Egerstad proved then that exit nodes were a fine place to spy on people and his research convinced him in 2007, long before Snowden, that governments were funding expensive, high bandwidth exit nodes for exactly that purpose.

XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Re: Did you know...?

#416076

Postby XFool » May 29th, 2021, 2:37 pm

Unfortunately, this topic is now spread out across several different TLF threads, which doesn't help. The original 'main' thread was here in 'Does anyone know': viewtopic.php?f=9&t=29634

ursaminortaur
Lemon Half
Posts: 7032
Joined: November 4th, 2016, 3:26 pm
Has thanked: 455 times
Been thanked: 1745 times

Re: Did you know...?

#416082

Postby ursaminortaur » May 29th, 2021, 3:01 pm

onthemove wrote:
ursaminortaur wrote:
onthemove wrote:
I think people get too hung up about 'identification'.

There was some research a few years ago that claimed you could be uniquely 'identified' from just 3 data points from your mobile phone location - i.e. just record the location of your phone at 3 random moments in time, that's enough to 'identify' you.


Are you sure they weren't just referring to triangulation of your mobile phone's location by detecting the signal from your phone from three cell phone towers at the same time?


I've just dug out the article, and I stand corrected, it's referring to 4 data points rather than 3...

https://www.bbc.co.uk/news/science-environment-21923360
"Scientists say it is remarkably easy to identify a mobile phone user from just a few pieces of location information. ...

... But a study in Scientific Reports warns that human mobility patterns are so predictable it is possible to identify a user from only four data points.

The growing ubiquity of mobile phones and smartphone applications has ushered in an era in which tremendous amounts of user data have become available to the companies that operate and distribute them - sometimes released publicly as "anonymised" or aggregated data sets.

...

Recent work has increasingly shown that humans' patterns of movement, however random and unpredictable they seem to be, are actually very limited in scope and can in fact act as a kind of fingerprint for who is doing the moving.

(...)"


They analysed their database of activity tracks for individual phone users and then took samples at different times to determine the minimum number of such samples needed to uniquely distinguish between tracks. That isn't the same as being able to uniquely identify someone from 4 randomly selected samples. The fact that you only need about 4 should not be that surprising since you should be able to distinguish most such tracks from one another with just two data points - one corresponding to them being at home and another corresponding to their being at work.
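The measurement discussed in the posts above, as an added example that is not part of the thread and is not the cited study's code: it computes, for a "pseudonymised" set of location traces, the share of k-point samples that match exactly one trace, the fewest well-chosen points that single a person out, and the same figures after coarsening locations. The traces, cell names and region map are constructed sample data.

```python
from fractions import Fraction
from itertools import combinations

# Constructed sample data: one trace per pseudonymous user, each a set of
# (hour_of_day, cell) observations. No names or addresses are present.
TRACES = {
    "A": {(3, "H1"), (15, "W1"), (19, "GYM")},
    "B": {(3, "H1"), (15, "W2"), (19, "GYM")},
    "C": {(3, "H2"), (15, "W1"), (19, "GYM")},
    "D": {(3, "H2"), (15, "W1"), (19, "PUB")},
    "E": {(3, "H3"), (15, "W3"), (19, "PUB")},
}

# Constructed mapping used to coarsen cells into larger regions.
REGIONS = {
    "H1": "North", "H2": "North", "H3": "South",
    "W1": "Centre", "W2": "Centre", "W3": "South",
    "GYM": "Centre", "PUB": "Centre",
}


def matches(traces, points):
    """Return the users whose trace contains every observation in points."""
    wanted = set(points)
    return [user for user, trace in traces.items() if wanted <= trace]


def unicity(traces, k):
    """Share of all (user, k-point sample) pairs that match only that user.

    This is the 'random points' figure: every k-subset of every trace is
    counted equally, whether or not it is an informative one.
    """
    total = unique = 0
    for user, trace in traces.items():
        for sample in combinations(sorted(trace), k):
            total += 1
            if matches(traces, sample) == [user]:
                unique += 1
    return Fraction(unique, total)


def min_points_to_single_out(traces, user):
    """Fewest well-chosen points that isolate user, or None if none do."""
    trace = sorted(traces[user])
    for k in range(1, len(trace) + 1):
        for sample in combinations(trace, k):
            if matches(traces, sample) == [user]:
                return k
    return None


def coarsen(traces, regions):
    """Replace each cell with its region, keeping the hour unchanged."""
    return {
        user: {(hour, regions[cell]) for hour, cell in trace}
        for user, trace in traces.items()
    }


if __name__ == "__main__":
    coarse = coarsen(TRACES, REGIONS)
    for k in (1, 2, 3):
        print(f"k={k}: fine {unicity(TRACES, k)}, coarse {unicity(coarse, k)}")
    for user in TRACES:
        print(user, min_points_to_single_out(TRACES, user),
              min_points_to_single_out(coarse, user))
```

On this data a night-time point plus a working-hours point is enough to isolate user A, while after coarsening users A to D become indistinguishable from one another and only E still stands out.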

