Google admits to reading your emails, claims you should expect it.

Janx

Hero
Forgot to address this:



At its most basic level, "privacy" in the sense we are discussing here is the legal right to restrict and control access to information of a particular kind. Nothing more, nothing less. Each of the recognized forms of it (priest/penitent, attorney/client, doctor/patient, husband and wife) has certain commonalities but also unique boundaries.

The privilege belongs to the person disclosing the information to the second party; only that person can legally disclose the information to a third party.

And not everything disclosed to the second party is covered; only such information as is vital for the proper functioning of the relationship is protected. So if you tell your lawyer about your medical conditions, or your doctor about your legal woes, those would not necessarily be privileged communications.

That we live in the digital age doesn't change any of this.

To my eye, except for husband/wife being a longer term/intensive data share, the other examples are simple data transfers.

The doctor/priest/lawyer knows what I tell them. They seldom give their own private information. They may give me advice or info that is contextually related to the info I gave them.

In the husband/wife scenario, along with conversations about where I hid the money, the spouse is inherently observing and learning oodles of data points (the kind Google would love to collect). The spouse is learning things about me that I may or may not have intentionally disclosed to them.

Aside from legal definitions (which Danny will know about), the data flow pattern is relevant as is the context and content.

The lawyer might not be able to deny having met with me (don't know), though he can refuse to disclose the content of our discussion.

The doctor is definitely in a position to not confirm or deny seeing a patient, as that would violate HIPAA (knowing I saw a proctologist tells where the secret lump is). Even spouses have to sign extra papers to grant permission to disclose to their partner.

Whereas, is the wife required to keep private the boxers/briefs answer? Is her husband human? Male?

What data is insignificant and thus not protected, what is significant and should be protected?
 


Dannyalcatraz

Schmoderator
Staff member
Supporter
The lawyer might not be able to deny having met with me (don't know), though he can refuse to disclose the content of our discussion.

Client or patient ID is something on the penumbra of privacy; most MDs and lawyers will at least ask for a subpoena before disclosing that info. HIPAA tries to make it clear that patient ID is privileged.
 

Umbran

Mod Squad
Staff member
Supporter
Google may be using the data it gleaned from emails to target ads to the email users. If they are, that is a potential violation of HIPAA...even if it is completely automated. In a very real & legal sense, Google IS sharing your data with someone else.

Not a lawyer, but in a technical sense, I think you may be incorrect.

Item #1 depends upon unique identifiers. That's something rather specific in computer parlance, and rather easy for Google to *not* do, so I suspect they are not stupid enough to do it.

#2 depends upon them obtaining uniquely identifiable health information relating to an individual. Google *doesn't* do that. Google does not determine you have a bladder control issue, and then say you need to see ads for catheters. They merely note that the word "catheter" has shown up in your e-mails, so they guess you might be interested in them, and show you ads for them. Maybe you have a bladder control issue, maybe your grandpa does. Maybe your cat does. Maybe you're a medical student asking about draining abdominal abscesses. Google does not know and does not care. Google doesn't take your health information. They may take guesses at your interest in health products, which isn't the same thing.

#3 is about disclosing personally identifiable health information to others. Google doesn't tell advertisers who it showed ads to, specifically. If I recall correctly, Google doesn't tell *itself* who it showed them to. That sounds counter-intuitive, but it is actually not at all difficult in a technical sense. After showing you the ad, Google can't tell if it did so or not. The fact that the ad was shown to *someone* is kept, but not to whom it was shown.

And, for those who are curious, you can opt out of the targeted ads in your Google privacy settings.

So, I don't think Google has a legal issue here. What they have is a potentially massive PR issue - public opinion and the law are not strongly correlated.
 

tomBitonti

Adventurer
Speaking technically, rather than legally, it's a yes and no problem.

I am, at this moment (well, a few moments ago), writing code to parse emails to extract a link to login to a portal to download a patient file and then parse that file into my system for my client to use.

(Lots of additional text omitted.)

All to my limited understanding:

That seems to be a necessary processing of the email to perform a requested function.

As an analogue, when an email is sent, the "To" information must be processed to deliver the email to the intended recipient. (Assuming the intended recipient is encoded in the "To" field. If the information were in a different field, the same would apply to accesses to that field.)

If an email encodes a request to perform a file download, with the file information being embedded in the content of the email, then retrieving the file identifier is a necessary part of processing the email -- as intended by the email sender.

While examples could be crafted to put the necessary processing right in the middle of the fuzzy boundary between necessary and unnecessary accesses, this particular access seems clearly necessary.

A similar example would be retrieving a web page and having an intermediary scrape a listing of HREFs from the page to enable the intermediary to more quickly process those links. That is a functional use of the page information necessary for processing the page.

Scanning an email to determine what medical condition I might have so to provide that information to a pharmaceutical company seems to be rather on the other side of the fuzzy grey line (of what are acceptable accesses).

Thx!

TomB
 
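The two "necessary" accesses described in the post above, routing on the "To" header and pulling a single portal link out of a body, as an added example (not code from the thread or from the poster's system). The message text, the portal host and the HTML page are constructed for the example; the allowed-host check is an assumption about how such a parser would be scoped, and it is what keeps the parser from following a link to any other site that happens to appear in a message.

```python
"""Field-scoped e-mail processing: read only what the requested action needs.

Added example, not code from the original thread. The raw message, the
portal host and the HTML snippet are constructed; nothing here touches a
real mailbox or a real portal.
"""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample notification (not a real message).
RAW_EMAIL = """\
From: noreply@portal.example-health.test
To: intake@clinic.example.test
Subject: Your patient file is ready
Content-Type: text/plain; charset="utf-8"

Hello,
Your file is ready. Log in to download it:
https://portal.example-health.test/download?file=abc123
Do not reply to this message.
"""

# Assumption: the only host this integration is authorised to fetch from.
ALLOWED_PORTAL_HOST = "portal.example-health.test"
URL_RE = re.compile(r"https://[^\s<>\"']+")


def recipient(msg: Message) -> str:
    """The routing access: only the To header is read."""
    return msg.get("To", "").strip()


def portal_link(msg: Message) -> Optional[str]:
    """The functional access: first link on the allowed host, else None.

    The body is scanned only for URLs. Surrounding words are never
    returned, stored or classified, so nothing about the patient's
    condition is extracted as a side effect.
    """
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for url in URL_RE.findall(body):
        if urlparse(url).hostname == ALLOWED_PORTAL_HOST:
            return url
    return None


class HrefCollector(HTMLParser):
    """Collect href attributes only (the 'intermediary scrapes the links' case)."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def hrefs_in(page: str) -> List[str]:
    """Return the link targets of a page without keeping the page text."""
    p = HrefCollector()
    p.feed(page)
    return p.hrefs


def parse_notification(raw: str) -> Dict[str, Optional[str]]:
    """Everything the download job needs, and nothing else, from one message."""
    msg = message_from_string(raw)
    return {"to": recipient(msg), "link": portal_link(msg)}


if __name__ == "__main__":
    print(parse_notification(RAW_EMAIL))
    print(hrefs_in('<a href="/a">A</a> text <a href="https://x.test/b">B</a>'))
```

The point of the shape is that the functions return exactly the fields the job needs; a log of what this code "knows" about a message is the To address and one URL, which is easy to defend as necessary processing. A version that tokenised the whole body and kept the tokens would be doing the thing the thread is objecting to, even if it only ever used the URL.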

Janx

Hero
Scanning an email to determine what medical condition I might have so to provide that information to a pharmaceutical company seems to be rather on the other side of the fuzzy grey line (of what are acceptable accesses).

In this narrow scenario, if my program is parsing emails to get your name/identifier and prescription so as to place an order on your behalf so it shows up at your house on me, then my program "knowing" that data is inherently authorized by virtue of you doing business with my client.

So in the EDI world (electronic data interchange), programs pass data from company A to B via Company C all the time. But there's agreements and implied inherent necessity. While all 3 parties are sitting with copies of your data that they are required to retain per HIPAA, nobody is authorized to use it for anything but the express business of serving the patient's work order.

We enter a grey area on what kind of statistics we can compute like co-morbidities and how many treatments to cure the patient.

Some of that stuff is legitimate, because I can compute it without the PHI. Looking at how many anti-depressant meds were ordered in July isn't looking at your PHI data. But there is some verbiage in HIPAA on how far that analysis can go, to which I'd need to consult my lawyer before I enabled such a report.
 
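An added example of the kind of report the post above calls legitimate: counts per drug class for a month, and a co-morbidity count, computed over order records that carry a patient identifier but emitted with no identifier at all. This is illustration code, not the poster's system. The records are constructed, and the small-cell suppression threshold is an assumption (a common de-identification practice, not a rule quoted from HIPAA): a count of 1 for "insulin, July" is itself a disclosure about one person if anyone knows who ordered insulin that month.

```python
"""Aggregate reporting over order records without exposing PHI.

Added example, not code from the thread. Records are constructed;
MIN_CELL is an assumption about suppressing small counts.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set

MIN_CELL = 3  # assumption: counts below this are suppressed (reported as None)


@dataclass(frozen=True)
class Order:
    patient_id: str   # identifier: used only inside this module, never in a report
    drug_class: str
    ordered_on: date


# Constructed sample orders (not real data).
ORDERS: List[Order] = [
    *[Order(f"p{i}", "antidepressant", date(2013, 7, i)) for i in range(1, 7)],
    Order("p1", "antihypertensive", date(2013, 7, 2)),
    Order("p2", "antihypertensive", date(2013, 7, 9)),
    Order("p3", "antihypertensive", date(2013, 7, 16)),
    Order("p9", "antihypertensive", date(2013, 7, 23)),
    Order("p4", "insulin", date(2013, 7, 5)),
    Order("p7", "antidepressant", date(2013, 8, 1)),
]


def _suppress(n: int) -> Optional[int]:
    return n if n >= MIN_CELL else None


def in_month(orders: Iterable[Order], year: int, month: int) -> List[Order]:
    return [o for o in orders if o.ordered_on.year == year and o.ordered_on.month == month]


def monthly_counts(orders: Iterable[Order], year: int, month: int) -> Dict[str, Optional[int]]:
    """Orders per drug class for one month. Keys are drug classes, values counts."""
    counts = Counter(o.drug_class for o in in_month(orders, year, month))
    return {cls: _suppress(n) for cls, n in sorted(counts.items())}


def comorbidity(orders: Iterable[Order], year: int, month: int, a: str, b: str) -> Optional[int]:
    """Number of distinct patients with orders in both class a and class b that month.

    patient_id is needed to join the two classes, but only the size of the
    intersection leaves the function.
    """
    by_class: Dict[str, Set[str]] = defaultdict(set)
    for o in in_month(orders, year, month):
        by_class[o.drug_class].add(o.patient_id)
    return _suppress(len(by_class[a] & by_class[b]))


def report_is_identifier_free(report: Dict[str, Optional[int]], orders: Iterable[Order]) -> bool:
    """Check that no patient identifier appears anywhere in an emitted report."""
    ids = {o.patient_id for o in orders}
    return not any(k in ids for k in report) and all(v is None or isinstance(v, int) for v in report.values())


if __name__ == "__main__":
    print(monthly_counts(ORDERS, 2013, 7))
    print(comorbidity(ORDERS, 2013, 7, "antidepressant", "antihypertensive"))
```

The design point is where the join happens: the identifier is consulted in memory to compute the intersection and is gone by the time a number is returned. Whether a given report is still "analysis that goes too far" is the legal question the post defers to counsel; the code only makes the technical boundary explicit.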

tomBitonti

Adventurer
#2 depends upon them obtaining uniquely identifiable health information relating to an individual. Google *doesn't* do that. Google does not determine you have a bladder control issue, and then say you need to see ads for catheters. They merely note that the word "catheter" has shown up in your e-mails, so they guess you might be interested in them, and show you ads for them. Maybe you have a bladder control issue, maybe your grandpa does. Maybe your cat does. Maybe you're a medical student asking about draining abdominal abscesses. Google does not know and does not care. Google doesn't take your health information. They may take guesses at your interest in health products, which isn't the same thing.

Extra text omitted.

This is a careful dicing of the issue, and (I think) not a valid one.

Google could run a number of sophisticated queries based on keywords and supply the results separately to a company, which then did a number of trial mailings to determine the quality of the individuals selected by each query, finding the best query, then periodically retesting the query to increase its accuracy. This could be done with a lot of blinds, so that the keywords and individuals were only known to Google, and the company supplied their advertising data back through Google, completing the blind.

Whether this constitutes "obtaining uniquely identifiable health information" becomes a messy semantic issue.

I imagine whether this works as a way to enable access to content will depend a lot on how the laws are written, but I would hope this type of maneuver doesn't / wouldn't work. If it did, much of privacy control could be rather easily sidestepped. That is, I would hope that the laws are written to broadly prevent access to personal information, regardless of the quantity of detail which was extracted from the information.

Thx!

TomB
 

Dannyalcatraz

Schmoderator
Staff member
Supporter
Not a lawyer, but in a technical sense, I think you may be incorrect.

Item #1 depends upon unique identifiers. That's something rather specific in computer parlance, and rather easy for Google to *not* do, so I suspect they are not stupid enough to do it.

#2 depends upon them obtaining uniquely identifiable health information relating to an individual. Google *doesn't* do that. Google does not determine you have a bladder control issue, and then say you need to see ads for catheters. They merely note that the word "catheter" has shown up in your e-mails, so they guess you might be interested in them, and show you ads for them. Maybe you have a bladder control issue, maybe your grandpa does. Maybe your cat does. Maybe you're a medical student asking about draining abdominal abscesses. Google does not know and does not care. Google doesn't take your health information. They may take guesses at your interest in health products, which isn't the same thing.

#3 is about disclosing personally identifiable health information to others. Google doesn't tell advertisers who it showed ads to, specifically. If I recall correctly, Google doesn't tell *itself* who it showed them to. That sounds counter-intuitive, but it is actually not at all difficult in a technical sense. After showing you the ad, Google can't tell if it did so or not. The fact that the ad was shown to *someone* is kept, but not to whom it was shown.

And, for those who are curious, you can opt out of the targeted ads in your Google privacy settings.

So, I don't think Google has a legal issue here. What they have is a potentially massive PR issue - public opinion and the law are not strongly correlated.

This is pretty speculative at this point, clearly, and, as stated, I'm not a litigator, so I freely admit that I could be way off base.

Some thoughts:

1) "unique identifier" may have different but overlapping meanings to programmers and the law. We won't know which is the key until this all snakes its way through the system.

2) the fact that they target you with ads based on the content of your email may be legally sufficient to be held liable. All that you have to do to violate HIPAA is obtain the data and use it in a way not intended by the person whose privacy is in question. That the process is automated and impenetrable to human eyes will probably not sway a judge; courts generally don't let corporations do via automation what they can't do by human agency.

3) Google's software is operating in some way in concert with advertisers' software for commercial purposes. The advertisers may not be aware of any of the data. Their software may not even know anything beyond their ad got sent to someone. All that means is that the advertiser may be shielded from liability. Google still used private patient data in a way violative of the patient's privacy rights.

That the data isn't retained (and whether it is or not has not been revealed*) is probably immaterial. The violation, however ephemeral, has still occurred.

* and my gut says it is retained and or shared & retransmitted in some form for some non-trivial time. Otherwise, why would I keep getting ads based on one-time communications?
 

Janx

Hero
Hopefully my info-dump on the nature of data handling and privacy in the medical/insurance industry is enlightening to the topic. Here's some other "did you know" info:

The dairy industry has a weird mix of very primitive tech and high tech businesses. One such major client has higher security standards than HIPAA requires. Meaning, it's harder to hack a milk ordering system/data than a medical one in some instances.

The credit card industry has some of the most robust security and practices for protecting your data. To which, folks who object to the whole NSA thing or license plate camera trail recording should take a few lessons.

If an agent accesses your records, it is recorded. If the agent is not actively working on a call/ticket regarding you while accessing your record, notification is sent to the InfoSec officer and you are fired. Do not pass Go. Do not get to plead with your vice president who you slept with at the last x-mas party to get some leverage on.

As someone who works with data, it is VERY valuable to record everything in the event of future need (breach, CYA, evidence). It's amazing even to me that it may be possible to do real time analysis to detect a crime as it happens or terrorists working on a plot. There's too much data.

But if we do record it and retain it, it is very easy after the fact, to take one data element (terrorist's cell phone # we got off his body) to then query the data to find who that phone called, and then back track who those people are, then where they went in the DMV licence plate DB and so on.

We can't do that if we don't record and retain data. But that's not the same as spying on you while you snuggle your spouse while watching pirated porn via the Kinect on your xbox.

The credit card company practices give a clue how to handle it. Go ahead, record everything. But nobody gets to look at it without a warrant. Lock the data down so who and what is queried is audited, and you can pretty much make sure that Officer Cuckold isn't snooping on his ex-wife's boyfriend when he has no business doing so.
 
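One way to implement the rule the post above describes, that every record access is logged and any access by an agent with no active call or ticket for that customer is raised to the InfoSec officer, as an added example (not the poster's system and not any real company's tooling). The audit log format, the ticket table and the agent names are constructed for the example.

```python
"""Flag record accesses that are not covered by an active ticket.

Added example, not code from the thread. Log lines, tickets and agents
are constructed; the log format is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    agent: str
    record_id: str
    opened: datetime
    closed: Optional[datetime]  # None means still open

    def covers(self, agent: str, record_id: str, at: datetime) -> bool:
        """True if this ticket justifies `agent` touching `record_id` at `at`."""
        return (
            self.agent == agent
            and self.record_id == record_id
            and self.opened <= at
            and (self.closed is None or at <= self.closed)
        )


@dataclass(frozen=True)
class Access:
    at: datetime
    agent: str
    action: str
    record_id: str


# Constructed audit log: "<ISO timestamp> <agent> <action> <record id>" per line.
ACCESS_LOG = """\
2014-03-03T09:01:12 alice READ cust-1001
2014-03-03T09:05:40 alice READ cust-1002
2014-03-03T09:10:05 bob READ cust-1001
2014-03-03T12:30:00 bob READ cust-2002
2014-03-03T13:00:00 alice READ cust-1001
"""

# Constructed ticket table: alice worked cust-1001 09:55-09:30, bob has cust-2002 open.
TICKETS: List[Ticket] = [
    Ticket("T-1", "alice", "cust-1001", datetime(2014, 3, 3, 8, 55), datetime(2014, 3, 3, 9, 30)),
    Ticket("T-2", "bob", "cust-2002", datetime(2014, 3, 3, 12, 0), None),
]


def parse_log(text: str) -> List[Access]:
    """Parse the constructed four-field log format; blank lines are skipped."""
    out: List[Access] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agent, action, rec = line.split()
        out.append(Access(datetime.fromisoformat(ts), agent, action, rec))
    return out


def unjustified_accesses(accesses: List[Access], tickets: List[Ticket]) -> List[Access]:
    """Accesses for which no ticket covers (agent, record, time)."""
    return [a for a in accesses if not any(t.covers(a.agent, a.record_id, a.at) for t in tickets)]


def alerts(log_text: str, tickets: List[Ticket]) -> List[str]:
    """Human-readable lines for the InfoSec officer, one per unjustified access."""
    return [
        f"{a.at.isoformat()} {a.agent} {a.action} {a.record_id}: no active ticket"
        for a in unjustified_accesses(parse_log(log_text), tickets)
    ]


if __name__ == "__main__":
    for line in alerts(ACCESS_LOG, TICKETS):
        print(line)
```

Two things make this kind of check worth anything in practice: the audit log has to be written by the system that serves the record, not by the agent's client, and has to be append-only from the agents' point of view, otherwise the person being checked can edit the evidence; and the ticket table has to be the same one the call system uses, so an agent cannot justify a lookup after the fact by opening a ticket with a backdated open time. Expired tickets are treated as closed here, which is why the 13:00 lookup by alice of a record she legitimately worked that morning is still flagged.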

Umbran

Mod Squad
Staff member
Supporter
2) the fact that they target you with ads based on the content of your email may be legally sufficient to be held liable. All that you have to do to violate HIPAA is obtain the data and use it in a way not intended by the person whose privacy is in question. That the process is automated and impenetrable to human eyes will probably not sway a judge; courts generally don't let corporations do via automation what they can't do by human agency.

I'm going based on the wording presented. "(2) obtains individually identifiable health information relating to an individual;" Without context, a lone word (like "catheter") does not comprise health information. Without metadata about who used the word, it is not individually identifiable. So, for example, if Google treats your sent and received e-mail equally, there's no way to tell if the interest is yours or someone else's. All they know is that the keyword appeared.

3) Google's software is operating in some way in concert with advertisers' software for commercial purposes.

I believe this is incorrect. If someone knows better about Google's operations than I, please correct me.

Google advertisers do not use their own infrastructure. The advertiser submits an image and link to Google, along with information about when the ad should be shown. This is stored by Google, and the ad is served up from Google's servers. At the end of the month, the advertiser receives a report about impressions. Google does not send a query to the advertiser's computers. That would be slow, and would fail if that company's servers were down. If Google did do this, it would be anonymized ("I want an image for case #3"), which Google would then insert into the page for them. The advertiser does *not* get a direct link to you.

* and my gut says it is retained and or shared & retransmitted in some form for some non-trivial time. Otherwise, why would I keep getting ads based on one-time communications?

Well, for one thing, if you haven't deleted the e-mail, the word is still there! If you deleted it less than 30 days ago, it may still be sitting in your trash, still not completely deleted.

Beyond that, for search criteria and page visits, I think the standard way is through browser cookies. I don't know if Google sets browser cookies based on e-mail content. So, there's a file on your own machine that says, in essence, "Keyword X got mentioned". When it needs to, Google asks your machine what keywords got mentioned in this browser, and your browser tells Google. The transaction is still between you and Google. In the basic case, it doesn't connect that keyword to you, personally, only to the browser.

If you're using a Google account (which can be construed as attaching it to a PID), you can opt out of this. Beyond that, Google's privacy policy states they won't share sensitive information without permission (and I expect their lawyers have been over that with a fine-toothed comb). If you're not using a Google account, there's no PID to attach the cookie to anyway. You can use the "private mode" of your browser (all the major ones have them) to not keep information beyond the one session for either case.
 

Umbran

Mod Squad
Staff member
Supporter
Google could run a number of sophisticated queries based on keywords and supply the results separately to a company, which then did a number of trial mailings to determine the quality of the individuals selected by each query, finding the best query, then periodically retesting the query to increase its accuracy. This could be done with a lot of blinds, so that the keywords and individuals were only known to google, and the company supplied their advertising data back through google, completing the blind.

What Google *could* do is not material. We do not convict people for crimes they could commit - only the ones they do commit.
 
