[MyData & Open Data] [globalpriv-discussion] Catalonia to sell "anonymised" medical records
stef
s at ctrlc.hu
Thu Apr 2 15:30:42 UTC 2015
On Thu, Apr 02, 2015 at 02:39:36PM +0000, Whitley,EA wrote:
> One model to consider is the UK's ADRN (http://adrn.ac.uk/) - which is for administrative data sharing (rather than healthcare data) and essentially involves:
>
> A trusted third party does the linking between various data sets and the removal of key identifiers.
> This linked-and-with key-identifiers-removed data set is then available for use by accredited researchers on approved research projects in a secure environment. Any data that is due to be removed from the secure environment must then pass through statistical disclosure control mechanisms before it is released.
this sounds like an attempt to adjust existing practices to new legal
constraints? the "trusted 3rd party": how is the trust ensured?
- heavy fines in case of incidents?
- cryptographic proofs?
- legislation that has rarely if ever been enforced?
most security failures happen when old assumptions about an environment have
changed, and this seems to be the case here. from a threat modelling point of view,
it is clear that the ones who are least privileged are the "researchers being
fed with data by the 3rd party". i guess that was previously an attack vector
that has now much reduced significance in such a setting. but i think as a
security person, not only about a single attack vector, but as a prudent
attacker about all of them, and the cheapest of all. so in this case, i still
see a very juicy attack surface at the 3rd party and also at the data source
supplying the 3rd party. as most such systems, this only creates a 2-class
system, with privileged data handlers, and unprivileged users. i applaud the
reduction of threat from the users, but i am not fooled that the other two
principals in this setting are still cause for concern. a good system would
remove the privileges also of these other two principals.
it is also interesting to see how this is a cost issue, i mean the secure
handling of the data at the privileged principals. the price of defending is
usually much higher than the attack, even Iran's atom program has been
sabotaged through an airgap. if the data is valuable enough, you will surely
encounter an attacker or insider who will only spend a fraction of your
defense costs and walk out with the jewels. out of embarrassment and
business-continuity, we'll never even know about this.
i'm sure the adrn model is very good if looked at from a
statistician/government point of view, i'd wager also adversaries like it,
until the other 2 principals shed their privileges.
a proper privacy-respecting solution would keep all the data firmly in the
control of the data subjects, who on an individual basis could opt-*in*
statistical computations based on zero-knowledge protocols and cryptographic
multiparty computations, combined with complete financial and criminal
liability for everything that is not covered by mathematical proofs.
--
otr fp: https://www.ctrlc.hu/~stef/otr.txt
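The opt-in statistical computation stef sketches above, shown with an added Python example that is not part of this thread: each data subject who opts in splits a value into additive shares for k aggregators, so no single party (neither an aggregator nor a central data source) ever holds an individual record, and only the combination of all k totals yields the sum and participant count. The non-collusion assumption on the aggregators, the prime, the function names and the sample readings are my assumptions; the zero-knowledge side of the proposal is not covered.

```python
import secrets

# Assumption: k aggregators that do not collude; arithmetic is modulo a prime.
P = (1 << 61) - 1


def share(value, k):
    """Split value into k additive shares that sum to value modulo P."""
    assert 0 <= value < P
    shares = [secrets.randbelow(P) for _ in range(k - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def aggregator_total(received):
    """One aggregator's whole job: add up the shares it was sent."""
    return sum(received) % P


def reconstruct(totals):
    """Only the combination of all k aggregator totals yields the plaintext sum."""
    return sum(totals) % P


def opt_in_sum(records, k=3):
    """records: list of (value, opted_in). Returns (sum, count) over opt-ins.

    Each subject who opts in shares both the value and a constant 1, so the
    aggregators can also report the participant count (needed for a mean)
    without any single aggregator seeing an individual value.
    """
    value_inbox = [[] for _ in range(k)]   # shares received by each aggregator
    count_inbox = [[] for _ in range(k)]
    for value, opted_in in records:
        if not opted_in:
            continue                       # the record never leaves the subject
        for i, s in enumerate(share(value, k)):
            value_inbox[i].append(s)
        for i, s in enumerate(share(1, k)):
            count_inbox[i].append(s)
    totals = [aggregator_total(box) for box in value_inbox]
    counts = [aggregator_total(box) for box in count_inbox]
    return reconstruct(totals), reconstruct(counts)


# Constructed sample: (systolic reading, opted in?) for five data subjects.
SAMPLE = [(120, True), (135, True), (150, False), (110, True), (128, True)]

if __name__ == "__main__":
    print(opt_in_sum(SAMPLE))  # (493, 4): the opted-out 150 never contributes
```

Any single aggregator's inbox is a list of uniformly random field elements, which is why its view reveals nothing about individual readings; the guarantee fails only if all k aggregators pool their inboxes.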