-

My Doctoral Journey

Posted by John Patrick on Sep 2, 2011 in Education, People, PKI


The summer was over and the grandkids had their backpacks loaded up. I hated to see them bent over hauling many pounds of books, and look forward to the day when they have just a Kindle and some wholesome snacks in their backpacks. The four grown children are gainfully employed, and two of them are back in school to advance themselves. Believe it or not, Pop Pop is also in the mix.

Back to School
My Doctoral Journey – Part 2
My Doctoral Journey – Part 3
My Doctoral Journey – Part 4

-

Personal Health Records

Posted by John Patrick on Jul 17, 2011 in Healthcare, Internet Technology, PKI

Seems like everything is in the clouds or on the way to the clouds — our money, our music and pictures, our email, contacts and spreadsheets. What about our healthcare records? Some say security is holding back electronic health records. I do not think so and I believe the vision is clear — that encrypted healthcare data that is authenticated and properly authorized for access will be safer than the millions of manila folders currently guarding our sensitive information. Google.com/health made a bold move to provide a universal repository for storing health records. I was one of the early users and came to depend on it. When did I get the flu shot? What was my blood pressure at last year’s physical? What test results and medications are there? All that and much more were provided for free by Google Health. Automatic updates were made by CVS, Medco, and Quest Diagnostics. Get a blood test and in a couple of days you can see a graph of how those results compared to the last time or to five years ago. A very nice service. The company announced last month that Google Health will be shut down permanently and all data will be deleted in 18 months.

Google says it’s shutting down the project because they got very little traction, but ReadWriteWeb reported in Google Health: Why It’s Ending & What It Means, that Google Health may have been ahead of its time and did a poor job reaching out to a now growing ecosystem of developers. They urge that rather than shut it down, Google should put it on slow life support until the momentum builds. Many tech executives believe, as I do, that patient-centric cloud-based electronic health records are a huge opportunity. An executive acquaintance at Microsoft (yes, there is at least one person at Microsoft who will speak to me after the OS/2 wars), tells me that the company sees the opportunity as large and is committed to HealthVault, an offering similar to Google Health. Even though I am not a fan of Microsoft offerings, I decided to give it a try. Step one at healthvault.com was to log in using your Windows Live credentials. That almost stopped me in my tracks, but then I remembered that I had actually set up a Windows Live account back in 2003 to try out some other offering and my account is still good. Exporting all my health data from Google was a couple of clicks and importing it to HealthVault was a bit more complicated but not bad. Now that I have all my health data in HealthVault, what can I do with it? So far, nothing.

At Google Health, you can look at graphs of all your blood tests, print out an immunization card for travel purposes, and other handy things. The HealthVault strategy is to use business partners for the applications; Microsoft just stores the data. They have quite a few partners who offer personal health records. I tried several of them and could not get any of them to work. My data is securely in Microsoft’s vault and nobody can get access to it, including me! You have to set up a unique HealthVault email address and cross-authenticate, and, and, and. I spent an hour at it and finally gave up. I am sure they will make it easier and one day when I don’t have a doctoral paper due, I will try again. Our future health will revolve around personalized medicine and it in turn will revolve around our personal health records (PHR). The key question is who will provide the PHR service for us.

It is early in the game and there are many possibilities. First movers will not necessarily be the winners. Having Google or Microsoft provide a PHR service has certain advantages but there are disadvantages. How about if your health insurance provider decides to not share information with one of the big guys? Why would they decide that? Maybe because they want to be your PHR provider. Then there is your hospital. This is a very logical provider for a PHR service in the cloud, but will they have the resource and skills to launch a user-friendly, scalable, secure cloud-based service? And if you move, will your data be able to move with you? And if you decide to go on a medical vacation to China to get a heart transplant, will your hospital allow the Chinese hospital to have access to your PHR? And there is CVS and Walgreen and Walmart. They may all want to be your PHR provider as an integrated service with their pharmacy operations. And then there is Merck and Pfizer et al. Some chronically ill patients depend on certain medications and the manufacturer will be motivated to provide a PHR service tailored to monitor, sell, and communicate about their drugs. WebMd and the many other e-health sites are logical providers based on the wealth of medical information they provide access to. And what role will the government play?

There are many hurdles. A key element is standards. The Internet works exactly the same in every part of the world because it is built on globally agreed to standards. Health records have standards too. A lot of them! I have written a lot over the years about certificate authorities for authentication on the Internet (see patrickWeb category on PKI). In theory, there could be a single central certificate authority that would issue digital signatures that could make Internet email much more secure. In theory. I participated in meetings in Washington 15 years ago on the subject. When there were a few of us in the room we made a lot of progress but when the vendors, agencies, the military, etc. weighed in the whole process fell of its own weight. Likewise one central provider of PHRs could have many advantages, but I don’t believe consensus could be reached on how to do it. I am betting on hospital systems and networks. They may not be able to provide national solutions but they certainly can provide regional solutions through use of their health information exchanges (HIE) and HIEs in turn will ultimately follow standards that will allow them to exchange data on a secure basis. Stay tuned. There will be many developments on this subject in the months ahead.

-

Fax Spam

Posted by John Patrick on Jun 23, 2011 in PKI, Public Policy, Social media


There are many posts here in this blog about spam, in particular from a public policy point of view. I have always opposed laws to regulate spam because of a belief that they don’t work. My view has been that technology can solve the problem. This has mostly turned out to be true. Since I have been using Gmail, I get almost no spam. Spam email, that is. Now a new phenomenon has surfaced — fax spam.

Yellow-Pages-USA is offering to create a Facebook page for me listing whatever services I may have to offer. They send their offer via fax. I have been using eFax for nine years and find it a very good service. I wish there were no faxes–I have not owned a fax machine since I got eFax–but sometimes they are essential. If you have to fax something to me I give you my eFax number and the fax comes into my email inbox as a PDF file. If you have to get a fax, this is the way to get it. Somehow Yellow-Pages-USA got my eFax number and has been sending me unsolicited offers on a regular basis. They request that you fax your personal information back to them to set up the Facebook page they are offering. I have faxed them several times asking them to please remove me from their list and confirm they have done so. Not surprisingly, they do not respond.

-

Privacy City

Posted by John Patrick on Dec 17, 2007 in e-Business, Internet Technology, PKI, Public Policy


One element of privacy on the Internet is "Opt in" versus "Opt out". When you register at a web site you will often see a small box to be checked giving you the “option” to be included or not included in subsequent emails making offers to you. Opt in means you proactively choose to be included. Opt out means you are included by default and you have to take action to be removed from the list of those who will automatically receive the emails. In some cases you have to read the words very carefully to determine which case is the default. This is part of Trust. Is the site really opening up to you and making it very clear what your options are, or are they making the words a bit fuzzy and hoping you won’t figure out what the default actually is?

Citibank introduced a service called c2it back in 2000 that enabled the sending and receiving of cash via email. You simply visited the c2it site, specified which of your checking, savings, or credit card accounts you wanted the money to come from, and entered an email address for someone you want to send the money to. That person would then receive an email, was asked to enroll in c2it, and then could accept the money from you directly into their checking, savings, or credit card account. This seemed like a potentially useful service to me when I learned about it and so I enrolled. Only after I enrolled did I find out that there were fees involved. Then I discovered that incoming amounts are not credited to your account for five to six days, which is longer than if I had received a check and deposited it myself. Then I discovered that there is no fee to receive into a Citibank credit card but there is a fee if it is another bank’s credit card. I am not saying the fees are unreasonable – the competition from PayPal and other services would determine that. C2it ceased operations in 2003. If you visit the c2it site you are told that you could contact c2it for a copy of your statement by writing a letter to "Customer Service Center" in Sioux Falls, South Dakota and provide them with your full name, e-mail address, phone number, and a copy of your social security card, driver’s license, or a telephone bill, gas or electric bill or bank statement from the last 30 days. What would they do with all that information? Probably sell it to other companies. If you have any doubt of that, just read the Citibank Privacy Notice.

Fast forwarding seven years I would have been hopeful that Citibank would become a leader in gaining our trust. Unfortunately, not the case. Who might Citibank share your personal information with? The list includes affiliates among the family of companies controlled by Citigroup as well as non-affiliated third parties, such as financial services providers and non-financial organizations, such as companies engaged in direct marketing. I can’t think of much that doesn’t fall into one of those categories. What information is it that they might "share"? Your name, e-mail address, zip code, age and income range, information you provide on applications and other forms, information about your transactions with affiliated or nonaffiliated third parties, information received from a consumer reporting agency and information received about you from other sources. I can’t think of much that is not included.

We are talking about a sweeping allowance to provide a broad and undefined amount of information about you with a broad and undefined audience. If you touch Citibank you will quickly start receiving marketing offers. Citigroup says "We may do this even if you ask us to limit disclosure of personal information about you". Not that it really matters, as they say, but how would you make a request to have your privacy respected? You would send them a "Privacy Choices Form" by U.S. mail. Mail? Yes, snail mail. This highly automated web savvy giant can transfer money in and out of any of your accounts in milliseconds but to have your privacy respected "please allow thirty days from our receipt of your privacy choices for them to become effective".

The issue is trust. It was easy to get the feeling that Citibank was not being forthcoming about their c2it offering. Citibank reminds us that it is "allowed by law to share with its affiliates any information about its transactions or experiences with you". Should the default be “check this box if you do not want this"? Seems to me that it should be opt in not opt out.

Brand used to be a feeling conjured up by how a company’s product was physically packaged or how you imagined yourself using it. Increasingly brand is a feeling conjured up by your experience on that company’s web site and from its privacy policy. These tie directly to Trust. Companies that have a web site that provides an end-to-end positive experience and which enhances people’s quality of life by saving them time will gain enhanced brand equity. The converse will become obvious. Web sites already have a repository of huge amounts of personal data that represent the byproduct of not just our registrations but also our surfing habits, our purchases, and our interactions with others. In the near future our medical records will be on a web site somewhere and beyond that will come real time data streamed from pacemakers and other medical instruments that are attached to our bodies. All of this data can bring significant benefits to us but only if we are able to trust the holders of the data and have confidence that they will protect it and respect our preferences about how and when it can be used.

Epilogue: This is not a story picking on Citibank. They are one of the giants and they put things in our physical mailboxes on a regular basis, so they have no place to hide. Unfortunately, most privacy policies out there resemble what I have discussed here.

Related links
Other patrickWeb stories about Privacy and Trust

 
-

Authentication Redux

Posted by John Patrick on Jul 30, 2007 in Healthcare, Internet Technology, PKI, Travels

The trip to New York for a board meeting last week went smoothly. Traffic was light — even within the city — and I got to the hotel lobby in much better than normal time. The one thing that went less well than it could have was the check-in process at the Radisson Martinique on Broadway. After a long wait in line I was greeted by a person at the desk. Hoteliers actually think that guests want to be greeted by an employee and have them ask how you are today. One would think that they would realize that the most important thing a guest wants is to get to their room. I had a reservation. All the information about me is already in the reservation record and the frequent stayer record. In spite of this the hotel agent had to enter a lot of keystrokes for some reason. The only thing they did not have was authentication. They wanted to make sure I was the person I said I was. I showed them my driver’s license in the flip-up plastic window of my wallet but that was not good enough. The agent had to go to the back office and make a photocopy. No wonder the waiting line is so long.

The solution to speeding up and improving the accuracy of the authentication process is the use of biometrics. The technology has been around for decades. Pick your favorite — hand geometry, fingerprint, iris scan, face scan, or voice print. There are many working solutions available today from many vendors. None are perfect and that is why we don’t see more implementations. Rather than take a leadership approach, many institutions in effect say, "we can’t do *anything* until it is perfect". Some lawyers say that if it hasn’t been to the Supreme Court then don’t use it. The result is that we stand in line waiting for someone to photocopy what might be a stolen driver’s license.

My favorite approach is the hand vascular pattern biometric, a technology that originated from a conventional vein pattern recognition system. Studies show that 99.98% of the world’s adult population can use it. It is highly secure because there is no back door, such as a key or numeric password. Fingerprint devices suffer from usability because some users have faint fingerprints while iris and retina scan devices may not be appropriate for people with eye diseases. On the other hand, no pun intended, hand vascular patterns are unique to each of us and to each hand. The chance of someone being incorrectly recognized is 0.0001%. Not perfect but that is good enough for me. The best part is that hand vascular scanning does not require physical contact, compared to fingerprint scanners which require users to press a finger onto the scanner in order to capture the print. The idea of wiping your finger over something that millions of other people have wiped their fingers on seems inconsistent with what people on cruise ships are told. One other subtlety for increased security with hand scanning is that because of the sensor’s capability to sense the user’s temperature, there is assurance that the hand is alive. Being able to establish that we are who we say we are could speed the lines at airports, hotels, sporting events, and hospitals.

Related links
Other patrickWeb stories related to authentication

 
-

Seven Wonders

Posted by John Patrick on Jul 29, 2007 in Internet Technology, PKI

The Seven Wonders of the World is an expression that is as old as I can remember but it turns out there are actually multiple lists. Recently a non-profit organization called New7Wonders decided the list needed an update and so they set about to seek nominations — almost 200 came in — and then the list was narrowed to the 11 most-voted by the start of 2006. About 100 million votes were cast "by the Internet and cell phone text messages" and the new list was announced shortly after the fourth of July (2007). As you can imagine, there is a lot of controversy surrounding the list.

The most interesting part to me is not the list per se but the process used to "elect" the winners. According to the Associated Press, "Organizers admit there was no foolproof way to prevent people from voting more than once for their favorite". A simple step would have been to not allow more than one vote from the same email address or cell phone. Of course many people have multiple phones and addresses but at least disallowing clear duplicates would be a step in the right direction. The only foolproof way to assure no duplicates would be to have some form of strong authentication. Authentication is the single most important gap in the integrity of the Internet (and mobile text messaging). If I borrow (or steal) your cell phone I can send a message as though I am you. If you put your login and password on a Post-It stuck to your desk and someone visiting your house "borrows" it, then they become you. The bottom line is "Who are you – really?".

There was a cartoon by Peter Steiner in the July 5, 1993 issue of The New Yorker showing a dog at a PC speaking to another dog watching from the floor. The caption was, “On the Internet nobody knows you’re a dog.” Very true and in fact nobody really knows for sure just who you are when you are online. Nor do you know who is at the other end of an IM, text message, or eCommerce transaction. Technology is available to make things different by using "digital IDs". Unfortunately, there has been a prevailing attitude that digital IDs would mean that the “government” would issue an ID that would then enable them to spy on us; read our email, track what we do on the web, or invade our privacy in some way. I have a much more positive view — that digital IDs are not to be feared but in fact should be embraced. They represent the empowerment that can unleash the full potential of the Internet. They will allow us to establish that we are who we say we are and to validate that the web server we are doing business with is really who they say they are. Security, per se, is not the issue. Authentication is.

Today we use the login ID and password as a substitute for authentication. We all use them every day but the problems with them are non-trivial. First is the password sharing problem that enables someone else to be you. Assuming you keep your password to yourself, there is another set of problems. Web sites have different rules for login IDs and passwords. Some require that you use your email ID as your login, some require you to use your social security number, others allow you to pick anything you want as long as it is at least so many characters or in other cases as long as it is no more than so many characters or that it starts with a capital letter or that it have at least two numbers in it, etc. For good reasons they all require that your ID be unique. Sorry, but jjones is already taken. The same thing is the case for the password. Some require at least so many characters, some require that a password must contain at least one numeric character, some require that it be all numeric, and others require that it contain no numeric characters. The variations are vast and the result is that you end up with a lot of different IDs and passwords. I have more than 200. Digital IDs to the Rescue. (read more)

 
-

Phishing – Part 4

Posted by John Patrick on Jun 4, 2005 in PKI

"Phishing" continues to be one of the most fraudulent activities happening on the Internet. A lot of people are still not aware of phishing and, more alarming, a non-trivial number of people are being caught off guard by it and providing their personal and financial information to perpetrators of fraud. According to the Anti-Phishing Working Group, there are nearly 1,000 web sites which use "social engineering and technical subterfuge" to steal consumers’ personal identity data and financial account credentials. I have shared some examples of phishing attacks I have seen personally (see the PKI category of patrickWeb). Basically, phishing attacks are emails which "spoof" the identity of eBay, Citibank, or other legitimate organizations; i.e., they make the email look as though it had come from the legitimate organization. In the earlier days of phishing attacks, you could see telltale signs such as misspellings or grammatical errors. However, the phishers are getting more sophisticated — and perhaps using spell checkers and grammar checkers.

This week I received an attack that looked and sounded quite legitimate. The following is the email I received, what actions I took, and what I learned about validating such emails. (read more)

 
-

Phishing Update

Posted by John Patrick on Mar 30, 2004 in PKI

In the Inside ID Conference report I mentioned "phishing" as one of the types of fraudulent activity that is happening on the Internet. There was a news story about phishing in the past few days — it is clearly on the rise and something to be quite careful about. I have personally received three phishing emails this week and it is clear that the perpetrators are getting very clever. In addition to the basic fraudulent attempts to get personal information from others, the emails use "spoofing". Spoofing is a technique — unfortunately not hard to do — whereby the "from" address is modified to make it look like it came from a legitimate source. Here are the three emails I received and some advice on how to deal with them. (read more)

 
-

Privacy And Trust – Epilogue

Posted by John Patrick on Dec 26, 2003 in PKI


Another dimension of Trust has to do with standards. Because of standards, the Internet is the only thing I know of that works the same everywhere. Most things work differently in different parts of the world. The side of the road we drive on, the side of the car we drive from, the width of the railroad tracks, the plugs that we put in the wall; all work differently around the world. But not the Internet; it works exactly the same in every corner of the world. There are a lot of debates during the process while Internet standards are being developed but once published as a standard every vendor has an obligation to implement the standard. Most do. (read more)

-

Privacy And Trust – Part 8

Posted by John Patrick on Dec 24, 2003 in PKI


In “Too Secure?”, I described how a financial services company insisted that I use the fax machine to send them a document. Let’s contrast that process with how it might have worked using a public key infrastructure approach with the five security functions described in the last part of the Privacy And Trust series. We’ll look at each of the five elements. (read more)
