[LINK] The "health" record security model

Karl Auer kauer at biplane.com.au
Tue Nov 13 17:30:00 AEDT 2018

On Tue, 2018-11-13 at 15:16 +1100, Jim Birch wrote:
> I'm not being rhetorically obtuse.  I want explicit information:
> risks, likelihood estimates.

Can you provide the same for the putative benefits? Come on - explicit
information please!

> The reason I ask is I believe that this argument is
> taking place in a mythological zone where the government is some kind
> weird evil entity single mindedly set on subjugation of the good
> people of the land.

Not at all. The following is FACT: The plan is to:
 a) default all citizens into the database
 b) collect all the data in one place
 c) keep it there for a hundred years
 d) make it available to commercial interests
 e) provide warrantless access to law enforcement
 f) provide warrantless access to Government agencies
 g) provide NO control over their data to those citizens

Doesn't any of that trigger your "what could possibly go wrong?"

Given the enormous and frankly obvious risks that the above poses, any
putative benefits had better be pretty bloody good. Sadly the pro lobby
has yet to offer ANY clear examples of where this system would
unambiguously improve the lot of Australians seeking medical help, and
certainly no examples that even begin to outweigh the level of harm
that the system *certainly can* and *probably will* cause.

If I've missed one, do tell.

The potential benefits as so far presented are nebulous and vague. The
potential harms are starkly plausible and range from damage to some
individuals right up to damaging entire classes of people. Some of the
harms have already been seen with other systems - witness Alan Tudge's
abuse of CentreLink data, and indeed the entire robodebt debacle.

Hundreds of thousands of people will have read access to this system.
Their access will in most cases be effectively anonymous. There is ZERO
chance that they are all good people; some WILL misuse the data they
have access to. As they already do in other contexts - witness recent
stories about police giving out info from police databases.

Our current Government, benign or not, has a poor track record of being
able to secure or manage data. The Centrelink debacle, the Census
debacle, the MHR system itself failing just because a lot of people
wanted to opt out at the same time - all the way down to selling filing
cabinets full of confidential papers. And is there anyone who doesn't
have an ATO horror story of some stupid error that took a year to fix?

Whether I love them or loathe them, I wouldn't trust the Australian
Government with anything confidential of mine, and that's BEFORE you
look at the potential for active misuse.

> That's a silly narrative, even if it is currently a standard part
> of the groupthink.

Now who's being pejorative? For a start it's not a "narrative"; this
is not some sort of political attempt to peddle a lie. I wouldn't care
if this was invented by the left right or the middle, it's a bad, bad
system for reasons I have clearly argued. If you don't like it, argue
back, but don't put it down as "narrative" and "groupthink".

> If you are seriously running a narrative that Australia is an evil
> state, check out the competition.

I'm not running any "narrative". But I think it is pretty stupid to put
a tool that could all too easily be used for harm in the hands of every
government for the next hundred years or more.

> I previously asked for an example of harm enabled through too much
> government information

I don't see that it's about too much information per se. It's about the
intimate nature of the information, the fact that it is all in one
place and the fact that the people it is about, in the most intimate
ways possible, have little to no control over the content.

> My approach to this would be to ask for solid quantifiable facts.  So
> what explicit risks do you see?  How likely?  How serious is the
> harm?

I've given examples already. I've given more below. I'm tired of being
asked for them. Respond to those. Preferably with an equally long list
of equally likely benefits. And try to compare apples with apples. No
amount of money saved or additional convenience for doctors outweighs a
risk that leaves ruined lives behind.

> (Most importantly from my point of view how does it weigh up the
> potential benefits of the shared health record but as you have
> claimed that benefits are nonexistent or negligible we can leave that
> out for now.)

No, I have claimed that the potential benefits of the system, or at
least those I have read about, do not outweigh the almost certain harms
that it will bring. I don't count the benefits as negligible, but I do
count them as lesser. But I absolutely concur that the system may bring
some benefits. I just haven't heard of any very convincing ones yet.

> I'm hearing what appear to me to be a lot of fluffy and
> unsubstantiated claims around here.

Which is exactly how I feel about the pro camp!

> A list of what you think are actual risks with a real
> chance of happening would help.

For goodness' sake! Are you actually reading what people write?
Specific risks have been described again and again in this debate.

- failure to seek medical help because problem socially unacceptable
and details may be leaked (e.g. youth pregnancy, mental illness, STDs)

- failure to seek medical help because illness or related behaviour is
criminal, and details may be given to law enforcement (e.g. drug

- failure to seek medical help because contact details or clues to
location may be leaked (e.g. a battered wife) esp. if abusive partner
is in Government employ

- actual harm caused by actual leaks in each of the above cases where
medical help HAS been sought

- damage to others by people abusing their legitimate read access to
the system (e.g., leaks of information about high-profile people)

- blackmail of others by people abusing their legitimate read access to
the system

- systemic abuse by organised crime using compromised or paid people
with legitimate access to the system

- abuse by vested interests such as insurance companies seeking to find
out more about policy holders' status

- abuse by third parties compromising legitimate users to get
information about e.g., domestic abuse victims

- abuse by legitimate users to get information about persons of
interest to them for whatever reason

- abuse of poorly secured systems (you can see these by the dozen in
any hospital, in any doctor's surgery) by persons without legitimate
access to retrieve information to cause all sorts of harms including
the above

- abuse of poorly secured systems by persons without legitimate access
to upload deliberately harmful information to a target's record

- abuse by persons with legitimate access to upload deliberately
harmful information to a target's record

That's just the easy ones, with relatively few victims, though even
there it is not hard to see hundreds or thousands being affected,
especially by the first four, which tend to affect entire classes of

Regards, K.

Karl Auer (kauer at biplane.com.au)

GPG fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75
Old fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
