Saturday, 24 May 2008

Warning, warning! Google Health may be injurious to your privacy

Now I'm sure that the good people at Google have no intention of harming a soul with their brand new product Google Health, a free online medical record storage facility.

However, before you plunge into another commitment to supply or store personal details on the world wide web, think of the implications of storing your most personal details out there in hyperspace.

Robert Merkl, commenting at Core Economics last Tuesday, gave us one scenario:

I’d have to strongly disagree with your statement that there’s no extra privacy implications.
If your doctor gets broken into, maybe a few hundred medical records get stolen. If Google Health gets hacked, millions of health records get stolen.
Furthermore, because it’s all electronic, it’s in a much more easily searchable form.
Here’s a for-instance. Say you’re an intelligence agency, looking for somebody in a large organization to blackmail. With the old system, there’s no way in the world you could burgle every doctor every member in that organization has visited.
Now, let’s rerun our hypothetical with everybody’s medical records on Google Health. Your crack team of hackers breaks in and gets you full access. You do a search for STDs, abortions, mental illnesses, etc. etc. etc on the entire organization, until you find somebody to blackmail.
And, yes, in this case it is entirely plausible to imagine such a technically-adept attacker as an intelligence agency.
Back when I was in the CS department at Melbourne, there were some people doing work on computer security. You might want to consider having a chat to some of them at some point. You may never use internet banking again…

Google Health's own privacy policy also gives pause for thought, as it does not completely rule out selling on some medical data from the site or handing personal data on to law enforcement agencies, third parties, etc.:

Google will not sell, rent, or share your information (identified or de-identified) without your explicit consent, except in the limited situations described in the Google Privacy Policy, such as when Google believes it is required to do so by law.

The current Google Health medical advisory board has some interesting CVs on it as well.
I'm not sure that having a history with RAND or Wal-mart, or indeed being a super accountant, is going to make me feel confident in this product.

One of the first entities to 'utilise' this new site will probably be that digital superspy, Server in the Sky.
