Michael Zimmer, a new media commentator and blogger, that I had not heard of before now has gotten access to the HealthVault team. He just wrote a new post called “Designing for Privacy: Microsoft HealthVault” that is worth reading from start to finish.
There are several interesting things about his post. First, he details several specific technical measures that Microsoft claims that they will be undertaking in order to protect the privacy of its users. Here is a brief summary, and my impressions:
- HealthVault will use HTTPS only : Pretty obvious first step.
- “Bluntly targeted” ads : What does this mean? Whatever Microsoft wants it to.
- HealthVault tracking cookie will expire with each session or 90 days : This is probably the most exciting point here, since we can test this.
- HealthVault will destroy search history after 90 days : Bold Claim. It would be great if this was true.
- HealthVault will submit to audits : By whom? Again, this means little without being able to gauge the neutrality of the auditors, or to what standard they would be auditing.
- HealthVault will allow “apps” to access data, but will show users a log of exactly what apps or people accessed the data : This seems like a good idea, but I am dubious to see if this can remain useful. A potential deluge of access means that users will cease to pay attention.
Michael obviously has at least a clue about the concepts of privacy and security. At least he uses terms like “https” and “cookies” in relevant ways. It is ironic that Michael gives the following caveat
“I must note that I haven’t been able to verify these technical claims, and my research in this area is only beginning — many other harms could remain even if all the above are fully implemented.”
That is the kind of thing technical people say when they know they do not have the full story. Compare this to the response that Dr. Deborah Peel has, to what was probably the similar technical information:
“Microsoft is setting an industry standard for privacy”
I like Michaels conservative approach to these kinds of claims. It should be noted that he has ties to Micorsoft, he is the Microsoft Fellow at the Information Society Project at Yale Law School. His association with Microsoft explains how he got access. I hope he continues to use that access to generate similarly good posts.
Probably the most important thing we have now is some objective technical standards that we can watch. If anyone feels like testing out the HealthVault cookie content and expiration to see if it squares with what Michael was told, give me a buzz. I would be happy to post or link to your results.
-FT
Just to be clear, Microsoft is a funder of the Information Society Project (ISP) at Yale Law School, and their grant pays for my fellowship there. I can safely say that I have not personally felt any pressure or influence by Microsoft on my scholarship (or my blog posts).
Also, I don’t know if my being the “Microsoft Fellow” actually granted me any special access. The invitation I received from Robin Bender Ginn, from MSFT’s PR firm Edelman, seemed quite generic, identifying me as a “recognized technology privacy leader,” was sent to my blog e-mail (not my Yale account), and didn’t mention the relationship between ISP and MSFT. It honestly felt like the kind of invitation they probably sent to a dozen like-minded scholars/bloggers, but I don’t really know.
Keep up the good work!
Thanks for commenting…
If they contacted you as a blogging security expert then perhaps they would also talk to me. Feel free to pass on to Robin, that I would be happy to discuss my issues with HealthVault with Microsoft directly. Some of my concerns, including my ideals about software licenses that respect freedom, I am sure they will not be able to address. (That is the kind of issue only Bill himself can address). However, many of my other concerns can be addressed by a proprietary company and I would welcome a friendly chat with them…