Friday, September 06, 2013

N.S.A. Able to Foil Basic Safeguards of Privacy on Web, Including Medical Records - Yet Another Reason To Be Concerned About What You Tell Your Physician

There's already a major issue with privacy and protection of medical records in electronic form.  See the multiple blog posts at this query link:  http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy

Now this from the New York Times:

N.S.A. Able to Foil Basic Safeguards of Privacy on Web
By NICOLE PERLROTH, JEFF LARSON and SCOTT SHANE
September 5, 2013

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.  

But don't worry, your electronic medical records are secure, and will NEVER be used for political purposes by your adversaries...

Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth. 

The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

At least we may have gotten faster PCs as a side result of the research that supported these efforts.

... the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.

Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL; virtual private networks, or VPNs; and the protection used on fourth-generation, or 4G, smartphones. Many Americans, often without realizing it, rely on such protection every time they send an e-mail, buy something online, consult with colleagues via their company’s computer network, or use a phone or a tablet on a 4G network. 

Might as well just send them a copy of all your communications to spare them the effort...

... Ladar Levison, the founder of Lavabit, wrote a public letter to his disappointed customers, offering an ominous warning. “Without Congressional action or a strong judicial precedent,” he wrote, “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”

Hey, how about let's ALL have our medical records stored by health IT companies providing ASP (Application service provider, http://en.wikipedia.org/wiki/Application_service_provider) offsite EHR hosting services to hospitals and clinics...

From the site "techdirt.com":

Allegedly the NSA and GCHQ (UK Government Communications Headquarters) have basically gotten backdoors into various key security offerings used online, in part by controlling the standards efforts, and in part by sometimes covertly introducing security vulnerabilities into various products. They haven't "cracked" encryption standards, but rather just found a different way in. The full report is worth reading ... (http://www.techdirt.com/articles/20130905/12295324417/nsa-gchq-covertly-took-over-security-standards-recruited-telco-employees-to-insert-backdoors.shtml).

Half facetiously: unless you're a real nobody, if you, say, contracted V.D. from that sexy prostitute at that Vegas Convention, you perhaps better not tell your doctor about it.

Maybe this is what it will take to get the government to start taking electronic medical record privacy, confidentiality and security more seriously.

Our legislators, like everyone else, have a stake in the game.

-- SS


2 comments:

Steve Lucas said...

Hidden in all the news concerning this issue was a little note that one email provider just wanted to eliminate any controls on their ability to read your email. It has been noted this provider uses GPS information to build profiles of customers through the use of maps and the duration of time the device is located at an address to determine work and household locations.

One device we own constantly asks to turn on the GPS locator to provide a third party location information to “better serve” me.

Troubling is the number of people who think nothing of this and provide an uninterrupted GPS trail of their everyday life.

Steve Lucas

Wayne Brown said...

I know many people who have deemed it necessary--long ago--to keep as much communication offline as possible. The amount of stealth government activity that truly goes on can be appalling I'm sure; to some, however, it's not even a surprise that they get away with doing this. Great post for awareness!