Media Influencer

helping people break out of pigeonholes since 2003

  • Author: Adriana
  • Published: Oct 15th, 2012
  • Category: Stuff
  • Comments: 3

Daily links 10/15/2012

TAGS: None

Posted from Diigo. The rest of my favorite links are here.

TAGS: None

3 Responses to “Daily links 10/15/2012”

  1. Dave Walker
    on Oct 15th, 2012
    @ 14:19 pm

    I got wind of Midata too late, and missed the consultation deadline :-( .

    While giving people access to the raw data held about them – and indeed, in some cases giving them ownership of it – is The Right Thing to do and wholly laudable, it does have some considerable problems, unless one further step is taken.

    From an institutional perspective, an organisation suddenly needs to put authentication systems and access controls in place to support not only all its workers, but all its customers. In the context of a UK Govt department, that can mean going from having to deal with a few thousands (or tens of thousands) of staff credentials and accounts, to credentials and accounts for 60 million British subjects. The attendant propensity for things to go wrong in the user and account management cycle, goes up proportionately – and with everything online, the attack vectors get more numerous. Also, big silos of information about lots of people, are juicy targets – but more on this, below.

    There’s also the important matter of policy around the management of access to my data. Specifically, if I own my data, I not only want to have access to it, I want to have control over who else has access to it, how it is segmented so that different people get to see different subsets and elements of it, and perhaps most importantly, how those people need to authenticate themselves in order to gain their authorisation to access it.

    For example, I understand that the current proposal to open up NHS patient records will involve the records being available online with no stronger authentication required to access it, than a 4-digit PIN. Also, there are mechanisms being proposed whereby PINs can be made known to individuals’ carers; and there is no detail yet about how continued assurance of that relationship is to be achieved.

    I say that’s not good enough – but even though my patient record is mine (and the NHS will have a lesser relationship with it, as a data custodian), I don’t see a means of telling the NHS that I consider their authentication mechanism inadequate and insisting that they change it.

    However, I’m in a position to assert the principle that “possession is 9/10 of the law”, as I have a server infrastructure which I own and manage, and which is permanently online. So, I can run a Mine (or similar) on it, and when the NHS puts my patient record online, I can take a copy of it, host it according to my security requirements, and send the NHS a letter to the effect that as the owner of my patient record, I wish to terminate their data custodianship relationship with me, that I will host my patient record in future, that I require them to delete all copies of my patient record that they hold, and that they can continue to have access to my patient record using “this URL and these credentials” (and they can hold the first of these, in whatever pieces of storage where they would previously hold my patient record).

    So, my record migrates to my infrastructure – and, as others do the same thing, so the NHS’ silo of everyone’s medical information morphs intos a silo of pointers to the distributed hosting of everyone’s medical information – and maybe some access credentials. This may be considered by some, to drop the security sensitivity of the information in the silo (although it depends on the policies the individual record owners apply).

    For silos of data that some people may consider sensitive and where Midata open data principles are to apply, so the silos can be drained of data by people whose records are hosted in the silo, and who move to hosting their data themselves – and as the democratisation of the ability to run a server takes hold with IPv6 adoption and (hopefully) the removal of NAT and session-terminating proxies by telcos such that a smartphone can become a server, so barriers to doing this should go away…

  2. Dave Walker
    on Oct 15th, 2012
    @ 16:20 pm

    I’ve glossed-over issues of record integrity (which are reasonably solvable, though a bit unwieldy) and threat modelling, in the above – I’ve assumed that if I own my data, I have enlightened self-interest in looking after it properly, and the nous (if not necessarily the wherewithal, currently) to do so.

    Naturally, there’s plenty of information about me that I shouldn’t own (details of my security clearance, the points on my driving licence, etc) or curate, as I might be inclined to try to change them for my benefit – but this kind of data should be carefully kept outside the realm of the Midata initiative, anyway…

  3. Adriana
    on Oct 15th, 2012
    @ 16:36 pm

    Spot on as usual. :)

    A side note, I believe Midata project aims to ‘liberate’ only transaction data, i.e. purchase history, in raw format.

Leave a Reply

© 2009 Media Influencer. All Rights Reserved.

This blog is powered by Wordpress and Magatheme by Bryan Helmig.