
Seeing through a PRISM … highlighting a Changing World

What’s the Issue?

In a world in which we are all increasingly dependent on electronic communication, the debate around PRISM opens up many issues related to the privacy of our citizens. But it is not as simple as many are making out. It basically distils down to three things: the information which our governments have control over; the information which we freely release into open sources; and the information which is held on us outside our national boundaries. Never before have citizens had an opportunity both to influence how their information is being used and to control how it is used.

While we are increasingly exposing our own information to the rest of the world, we are also, generally, moving towards methods which are under the control of the citizen. It is thus their choice whether to expose their own information. On Facebook, an individual may tell their friends that they are on holiday, or on Twitter they may reveal the football team that they support. The days when information was held within the confines of organisations bounded by network firewalls, or within the confines of buildings, are now gone. Information on us now exists in many digital forms, such as ISP logs, Twitter feeds, Facebook posts, CCTV recordings and mobile phone logs, each providing a mine of information on its own, but which, when cross-correlated, could give a complete timeline of our lives. One can see that, in the future, our complete lives could be replayed in full multimedia, showing where we have been, who we met, what we did, and even what the weather was at any given time. The key to this will be citizen control of the provision of this storyline, where the individual will have full rights to define how their information is provided to others.

Is this a Big Brother Society?

The key concept of Big Brother is that our governments are spying on us, and trying to control our lives. Generally this type of activity is nearly non-existent in the UK, where the DPA defines the privacy rights of the citizen, and where regulations such as RIPA define the context in which information from multiple sources can be used. Law enforcement professionals must thus tread a fine line, where any breach of our rights will restrict future activities. In general, it seems that this is done well in the UK, where ISP records or CCTV records are only used within the confines of a criminal offence. Our worry would be when we open up these systems to external parties, who aim to gain some advantage from using the data. It is thus with PRISM that we see what can happen when information is shared across jurisdictional boundaries. Within national boundaries the usage of data is well defined within a context, but as it moves outside these, the restrictions on its usage can often be lifted.

A major difference between our Internet-enabled society and a Big Brother society is thus the move towards more citizen control of their own information. With this, governments must operate within a legal framework in how citizen data is used and how they share information across different areas, while the citizen decides on the risks that they are willing to expose themselves to. Unfortunately, at present, we are in a transition phase in understanding the key risks involved, where users sometimes fail to understand that their information may offend their own circles of trust, and where social media posts can be open to those outside those circles.

Whose jurisdiction are we covered by?

Another major difference in the Big Brother analogy is that there a nation state has complete control of all the information held on citizens. Within our Internet-enabled world, our information is spread across the world, often with little control over where it is actually located. In an age where emails, Twitter feeds and Facebook posts are stored on systems outside our national boundaries, the acquisition of information by law enforcement becomes difficult, as it is controlled by different laws and regulations. Thus the scope of any spying would be restricted to monitoring network packets that flow into the Internet. This type of monitoring, though, is becoming more difficult as cloud-based email systems move towards using secure connections for their communications, making it almost impossible for governments outside the USA to actively examine email messages. At one time there was a trace of activities on the host computer, where emails could be examined as the information was stored on disk drives. Increasingly, though, we exist within a cloud environment and use Web browsers to access our information, so evidence trails are now stored within the Cloud, and often outside national boundaries. The acquisition of a laptop, these days, can release very little information on activities, apart from showing connections to remote cloud-based email systems. The one saving grace for investigators is that user names and passwords for cloud-based systems are often cached within the browser, giving them some form of access within a criminal investigation. Again, in the UK, the rights of access to this information by law enforcement professionals are carefully controlled, and the police in the UK understand the bounds of their rights to sensitive information held on computer equipment.

A more citizen-focused society

It is this type of citizen-focused information infrastructure that our public sector must start to adopt, where we must start to question why things like our health and social care records are kept with only limited access for the citizen. The barriers to this are often due to resistance from employees to changing their methods of work, and also the fact that many IT systems within the public sector were designed to restrict access from outside, and have very few access methods for the general public. The only way to change this is to start to trust external systems, and to support methods which citizens trust in providing their identity.

Citizen-controlled information

To identify whether there was a demand for citizens to control their own data, in May 2013 Edinburgh Napier University conducted a survey on attitudes to access to electronic health records in the UK. With 477 respondents, 79.04% of participants said that they wanted full access to their electronic health record, while only 16.98% wanted a summary of their record, and only 3.98% wanted no access to their health record at all. This shows that there is a strong demand from citizens to actually access their health records. The main reasons citizens gave for wanting access were:
•    Check its accuracy (36.07%).
•    Recall key information (32.64%).
•    Add comments (15.24%).
•    Make amendments (11.45%).

There is thus a strong demand from citizens to make checks on their records, along with making their own notes on their record. When asked who should own the health record, 60.80% reckoned that the citizen should own it, which goes against the limited access that many UK citizens have to their record today, whether electronic or paper-based. The two main barriers to allowing access to the health record were identified as poor security within the health care infrastructure (55.56% quoting this as a strong reason), and the cost of building the IT infrastructure to support citizen access (44.89% quoting this as a strong reason).

As might be expected, the main services that users would like are to view their health record (29.52%), closely followed by booking appointments online (29.19%). These perhaps highlight a growing requirement for citizens to interact with the health care infrastructure using electronic methods.

Figure 1: Who citizens would trust most in proving their identity for the access to electronic health records

Given the demand for online access to services, the survey then asked which identity provider respondents would most trust. The results in Figure 1 show that the traditional identity providers such as Facebook, Microsoft Live, LinkedIn, and so on, are not the ones that users most trust to provide their identity. It can be seen that users are most keen on using a security tool that they control in some way, and one which has strong security procedures, similar to online banking security measures. Thus users are demanding a higher level of trust in the provision of their identity for access to their health record. This is likely to be because they want to protect the security of their own record, while supporting a fairly easy method of access. A Government method of access, while trusted more than the traditional identity providers, trails behind these methods, which perhaps shows that, while the identity provision is trusted, it might not be the easiest, or most controllable, method.

Figure 2: Who citizens would trust least in providing their identity for the access to electronic health records

When asked about the identity provider that they least trusted (Figure 2), the majority of users identified Facebook as the least trusted (56.2%). This perhaps shows that users are becoming more educated in their understanding of trust and of the way that organisations use the data gathered on individuals. A provider which does not focus on identity provision may have other reasons for proving identity, such as determining the services that a user is gaining access to, so as to push relevant advertising material to them. It can also be seen from Figure 2 that Twitter and LinkedIn score highly on least trust in identity provision, which could point to recent security problems within their infrastructure, where passwords have been compromised.

It is thus a changing landscape of trust, and it can often end up being a 1:1 relationship that users have with their trusted organisations, one which can change quickly depending on changes in the environment. If trust is compromised at any time, citizens have the power to move their information to other sources. Thus if a citizen feels that their information is being used incorrectly, they can move it to sources that they trust more. A compromise of this kind, as has been highlighted within the PRISM debate, can have serious consequences for the trust that citizens have in their Internet services and providers.

So What?

We have opened up our information systems, and digital information can now easily flow across both organisational and physical boundaries. Indeed, Pandora's box has been opened, where information can be used for the good of society, such as where a child is at risk: attendance records could be highlighted from one information source, then correlated with social care records on the child having bruises, and with a police record highlighting a threat of violence in the family. Within each of these on its own there may not be a significant risk, but when they are aggregated together, the risk is highlighted. Thus there are great opportunities in aggregating information across boundaries, but we need to be careful with it, in the same way that PRISM highlights the risk: a strong governance infrastructure is required, which defines exactly the information that is being accessed, and the organisations and roles which are used to define these accesses.

The researchers within Edinburgh Napier University have been working on this problem for the past five years, and have now managed to extract a definition of a trust infrastructure, and then define the overall governance of the systems using enforceable rules.

So now let’s share …

Outline

Figure 1: Holistic Care

After working in information sharing across the public sector for more than five years, the day is finally here when it seems a reality. We have been focusing on creating information sharing infrastructures with strong governance, with a focus on reducing risks and on holistic care (Figure 1). Unfortunately many barriers currently exist within information sharing, especially within health and social care records, but now the Caldicott review has outlined that there is a need for more sharing across the public sector. While the barriers will take a while to bring down, we can start to see a move towards citizens getting access to their own records.

The great thing about the new approach is that it will be ‘opt-out’, which means that citizens will have full rights, even without having to give their initial consent. This will hopefully drive forward the sharing of information between the citizen and their health and social care professionals, and also across the public sector. With more openness of data infrastructures within health care, social care, law enforcement and education, we need to make sure that data on us is not used for malicious purposes. One danger is that this sharing must be locked down by a known governance policy, as the sharing of information across the public sector can actually be damaging to the individual if it is not done correctly and within bounds. The Big Brother scenario is now possible, and must be overcome by those creating the policies, carefully defining how the data is used, and why. Overall the citizen should be at the heart of this, and have full rights over how their data is being used. We have been working within information sharing for many years, and, I must admit, we have seen a greater willingness of the public sector to share information, especially for the improvement of the health of the individual.

Barriers to Information Sharing

Figure 2: Barriers to Information Sharing

The barriers that we have found to information sharing are both technical and societal (as outlined in Figure 2). While the technical problems focus on legacy systems, poor access control methods (such as having to log into special portals) and the fact that most records are flat in their structure, they can normally be overcome in these days of interconnected systems. The greatest barriers, though, are societal ones. This is highlighted by the current lack of sharing of information across the

We have done several surveys recently at dissemination events, and the majority have said that they would be keen to see not only a summary of their record, but the full version. It is thus important that we plan the security of the records going online, as any flaw in this will probably cause the whole thing to fall apart. There will be many with vested interests in the failure of this type of initiative, so there needs to be careful management of it, making sure that the citizen actually has some control over the access to their record. My key worry is that the initiative basically becomes a paper-based exercise, where the patient can see a paper version of their record, in the presence of their health care professional.

Integrating with citizens

Figure: Monitoring Risk

We have done many surveys recently which focused on the barriers to integrating the general public into health and social care IT infrastructures. The two areas that most people think are the main barriers are:

  • Legacy systems. This is a technical problem that can often be solved with an improved information architecture. Many health and social care systems exist within the same Cloud infrastructure, within a high security environment, and the data can thus be aggregated across the domains. The greatest barrier, though, is that data is also contained within isolated environments, such as within GP systems, and it is this barrier which is one of the most difficult to overcome.
  • Resistance from health and social care staff. As in many other organisations, it is the people within organisations that can be the greatest barrier, and it is key that the benefits of information sharing and of the increased usage of IT systems for care are understood, both in improving the care that they can deliver, and also in providing cost savings.

In order not to disrupt the health and social care system that we have, we must make sure that we create systems which take best practice, and then use information to enable and improve the system. It is hard to accept, in this day and age, that the postal system is still used as a conduit to send health and social care information between professionals in the public sector.

So what about Trust?

Figure: safi.re

We have worked on several projects within information sharing over the last few years. In particular, our early work focused on information sharing between the Police and their community partners. This focus was based on weaknesses in the sharing of information, especially around Baby P and Soham. One thing we were struck by was that the Scottish Police, in particular, actually had a very strong policy on information sharing, one that was based on single points of contact (SPoCs), who were responsible for passing the information from one partner to the other. This approach makes perfect sense, as there is only one communication channel. While this works as a protocol in a human way, the communication often doesn’t go through an electronic channel. Our focus was then to implement an information system which mirrored the single points of contact, and defined ways of specifying an information sharing policy between two domains. For this we have created the safi.re (Structured Analysis, Filtering and Integrated Rules Engine) architecture, which defines trust relationships, and then implements these with governance rules. Overall our work has been motivated by the way that a Cisco firewall works, where the Cisco ACL (Access Control List) defines the abstraction of the firewall rules, and the implementation of them becomes the actual running rules on the system. Just like a Cisco firewall, there are static rules set up, and then dynamic rules are written for new trust relationships.

Big Data and Governance

Figure: Big Data Integration

In an increasingly connected world, data is becoming a key asset, especially within a Big Data context, where data from different domains can be brought together to provide new insights. Most of the systems we have in place, though, have been built to keep data securely behind highly secure environments, and have difficulty in integrating with other disparate systems. This is now a major barrier to using data in a wide range of applications. Along with this, information sharing has many regulatory constraints, which often prevent information sharing across domains, but, with carefully managed information architectures, it is possible to overcome many of these problems. An important challenge is thus to support information sharing across different domains and groups across multiple information systems. In the context of this paper, a domain is defined as the governance (and possible ownership) of a set of data, which is exposed to others through well-managed services.

The problem of providing governance around trusted infrastructures is highlighted by Boris Evelson, who outlines that:

Big data is such a new area that nobody has developed governance procedures and policies, there are more questions than answers.

A feature of any trusted infrastructure is that the owner of the data is clearly defined, and that entity can differ from the one that actually governs it. For example, in a health care system, the owner of the data can be the citizen, while the governance of the data is defined by the health care provider (such as the NHS in the UK). In a full trust infrastructure, the citizen could have full rights to define who has access to their data. This paper outlines a trust and governance infrastructure known as the safi.re architecture, and shows how it integrates into an information sharing infrastructure.

Within new information sharing architectures the definition of federated identity provision is likely to become a key factor, especially within application areas which span different domains, such as information sharing across the public sector, and in systems which integrate with the citizen and third sector organisations. The integration of trusted identity providers such as Microsoft Live, LinkedIn, Twitter, and so on, is likely to be one method which could allow wide-scale adoption of services within the trust infrastructure. With the large-scale adoption of the OAuth 2.0 protocol, there are now many identity and service providers integrating their systems into an overall trust framework. If you want to see how OAuth 2.0 works, try this link:

http://www.asecuritysite.com/id/twitter

where you should be able to log in with your Twitter, LinkedIn, Facebook or Microsoft account. In this way citizens can choose the identity provider that they most trust, and then, as long as the information infrastructure trusts that one too, the citizen is able to integrate with the system. The days of having a login for each government system, and having to remember it, are going, as we move into an era of interconnected infrastructures.

Along with this, the move towards RESTful Web Services allows access to data to be well managed, and implemented through Web calls which can Create, Read, Update or Delete (CRUD) the data. For example, a GP, as a role, might be defined with Read access for patients within a given health trust, but the specific GP of a patient would be given Update rights on that patient’s record. The administrator of the practice might be the only one with Create and Delete rights over the patient record.

The safi.re architecture, which we have created from a number of research projects, thus defines the trust relationships which are required to access information, such as the credentials and attributes that are required to access any information. Based on this trust relationship abstraction, a range of governance rules is then created; these define the actual details of the access requirements. Within a public sector type environment this type of approach will enable the real-time implementation of policies across disparate domains.
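The rules-engine shape described here and in the CRUD example above, as an added Python illustration (not safi.re’s own code, which this post does not show): abstract trust relationships written as plain dictionaries are compiled into concrete rules, static rules are fixed at deployment and dynamic ones added or withdrawn per trust relationship, and decisions are ACL-style first-match with default deny. The role names, domain names, record identifiers and attribute format are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

CRUD = frozenset({"create", "read", "update", "delete"})

@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    attrs: frozenset = frozenset()   # relationship attributes, e.g. "gp_of:patient:42" (assumed format)

@dataclass(frozen=True)
class Rule:
    """A concrete governance rule, compiled from an abstract trust relationship."""
    role: str
    actions: frozenset                # subset of CRUD
    resource: str                     # glob over record ids, e.g. "patient:*"
    domain: str                       # "*" or the trust/practice holding the record
    require: frozenset = frozenset()  # attributes the subject must hold
    effect: str = "permit"            # "permit" or "deny"

    def matches(self, subject, action, resource, domain):
        return (self.role == subject.role and action in self.actions
                and fnmatchcase(resource, self.resource)
                and self.domain in ("*", domain)
                and self.require <= subject.attrs)

def compile_trust(rel):
    """Compile a policy author's abstract relationship (a plain dict) into a Rule.
    Unknown actions are rejected here, so a typo cannot silently widen access."""
    actions = frozenset(rel["actions"])
    if actions - CRUD:
        raise ValueError(f"unknown actions: {sorted(actions - CRUD)}")
    return Rule(rel["role"], actions, rel.get("resource", "patient:*"),
                rel.get("domain", "*"), frozenset(rel.get("require", ())),
                rel.get("effect", "permit"))

class PolicyEngine:
    """Static rules are fixed at deployment; dynamic rules are added as trust
    relationships are agreed or withdrawn. Evaluation is ACL-style: first match
    wins, dynamic rules before static ones, default deny, so ordering matters."""
    def __init__(self, static_rules):
        self.static = [compile_trust(r) for r in static_rules]
        self.dynamic = []

    def add_trust(self, rel, first=False):
        # first=True places the rule ahead of existing dynamic rules (e.g. an explicit deny)
        self.dynamic.insert(0 if first else len(self.dynamic), compile_trust(rel))

    def decide(self, subject, action, resource, domain):
        for rule in self.dynamic + self.static:
            if rule.matches(subject, action, resource, domain):
                return rule.effect
        return "deny"

# Constructed sample policy following the GP / practice administrator example.
STATIC_RULES = [
    {"role": "gp", "actions": ["read"], "domain": "trust-A"},
    {"role": "practice_admin", "actions": ["create", "delete"], "domain": "trust-A"},
]

def demo_decisions():
    engine = PolicyEngine(STATIC_RULES)
    # Dynamic rule: only the GP registered for patient 42 may update that record.
    engine.add_trust({"role": "gp", "actions": ["update"], "resource": "patient:42",
                      "domain": "trust-A", "require": ["gp_of:patient:42"]})
    smith = Subject("dr.smith", "gp", frozenset({"gp_of:patient:42"}))
    jones = Subject("dr.jones", "gp")
    admin = Subject("admin", "practice_admin")
    results = {
        "smith_read_42": engine.decide(smith, "read", "patient:42", "trust-A"),
        "smith_update_42": engine.decide(smith, "update", "patient:42", "trust-A"),
        "jones_update_42": engine.decide(jones, "update", "patient:42", "trust-A"),
        "jones_read_other_trust": engine.decide(jones, "read", "patient:42", "trust-B"),
        "admin_delete_42": engine.decide(admin, "delete", "patient:42", "trust-A"),
        "admin_read_42": engine.decide(admin, "read", "patient:42", "trust-A"),
    }
    # Patient 42 withdraws consent for GP updates: an explicit deny placed first.
    engine.add_trust({"role": "gp", "actions": ["update"], "resource": "patient:42",
                      "domain": "trust-A", "effect": "deny"}, first=True)
    results["smith_update_after_withdrawal"] = engine.decide(
        smith, "update", "patient:42", "trust-A")
    return results
```

The withdrawal case shows why rule order has to be explicit in such an engine: a consent revocation appended after an existing permit would never be reached.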

Holistic Care

Figure: Project integration

The safi.re architecture has been used in a number of projects, including health and social care, among them the TSB-funded DACAR project with Chelsea and Westminster Hospital in London, which focused on creating an e-Health Cloud within a hospital environment. This used a novel method of defining the ownership of the data, and providing a rights infrastructure for the citizen (or patient) to define the rights of access to their data. This work has since been extended within a number of projects, including the TSB Trusted Service project, which has focused on integrating both digital and human trust to provide a fully integrated and holistic care infrastructure, integrating primary and secondary health care with assisted living.

Another important area for information sharing is holistic care, where information from different public sector agencies can be used to improve the care of citizens. This might relate to sharing information on a child for concerns posted within health, social care, education and policing, where a concern within just one of these domains would not be seen as major, but when aggregated across several of them, it might result in the concerns being escalated to the point where an action plan is initiated. The work has thus fed into projects which involve information sharing for Child Protection, and which involve a multi-agency approach. As information is held within each of the public sector agencies, it is important that accesses are well managed, and that the rights of access to the data are controlled.

So what is identity … and why is it so important in accessing health and social care records?

Figure: miiCard

No one thing on the Internet can be truly trusted to provide our identity, but identity is key to us being safe online. Unfortunately the identity infrastructure that we have created is based on digital certificates, known as the PKI (Public Key Infrastructure), and it is flawed, as very few people actually understand how it works. When was the last time that you checked a digital certificate for a secure site that you accessed? The user is supposed to check the credibility of the digital certificate, and make sure that it has been signed correctly.

So we need new types of systems which we can integrate with public sector infrastructures. One way is to use companies which can identify the user, such as from their email access, or from social networking activity. Google and Microsoft are very strong in providing identity through their cloud-based email systems, while Facebook, Twitter and LinkedIn provide identity verification for their social network infrastructure. While these companies have fairly good security infrastructures, unfortunately, through things like one-time passwords, they can be compromised. We thus integrate our work with companies such as miiCard, who provide highly credible identity checks. For access to highly sensitive information, it is companies such as this that will be required, especially in providing multiple factors in proving someone’s identity. A white paper on the importance of identity in accessing health care records is here.

The end game, though, is that citizens will take much more control of their own data, and thus personal storage providers, such as mydex, and personal health records, such as Sitekit’s e-Red Book, will surely show the way to a future where the citizen has more control of their own health. With a more citizen-focused approach, the citizen will actually own the data, and can then define who they trust to get access to it. This type of approach overcomes many of the concerns around security and privacy. This move might actually see us progress from the electronic health record (EHR) to the personal health record (PHR).

Figure: Role, relationship, delegation and consent

Here, with our research, we have taken identity one step further, in that we have tried to understand how we can build trust infrastructures around role, relationship, delegation and consent, which are key to any scalable health and social care infrastructure. For example, a citizen might give consent for the decision on resuscitation to a next-of-kin. This storage of the consent is likely to come from a personal storage system, rather than being resident on a formal data infrastructure.

Conclusion … it’s just doing what we are all doing

Figure: Integrating All

In the past 10 years there has been a massive revolution in the way that the Internet has integrated with both our work and our social lives. Industries have been transformed, and, in most cases, could not exist in their current form without it. With Cloud Computing and mobile devices, we have never been so connected. Thus banking, oil and gas, education, and so on, have all changed through the usage of the Internet. Without email and the Web, it would be very difficult for me to teach. I communicate with my students over email, I put lecture notes on Dropbox, I put all my lectures online, and I run labs which are virtualised in the Cloud. So I see the benefits of the Internet, as it helps me to improve my teaching. It is thus in health and social care that professionals need to see the benefits of this new age, and start to use information to improve our lives.

And for the ownership of the data … well, surely the end game is that it is our data, and we must have some rights over how it is to be used? For just now, that seems one step too far, but in this Information Age we need to start to move to a place where, at least, we can have access to it, and then move to a point where we can have ownership of it, and actually define who we trust to access it. That is a quantum leap, but it is a natural one for the future. It is a massive leap, but it will surely be worth it!