Privacy & Security
From Capsil Wiki
Disclaimer: This Wiki is a work in progress and it has not yet been evaluated through a process of external review. No responsibility is accepted for errors or omissions or for any loss or damages which may result from the use of the information contained in the Wiki.
As sensor systems become more and more pervasive and truly start to operate in the background unobtrusively, issues of human privacy become a major concern. Radio Frequency Identification (RFID) has been leading the charge in the deployment of 'intelligent' network nodes being widely disseminated and many of the privacy issues brought about by RFID are common to body sensor network nodes. Many examples of body sensor networks treat privacy through security mechanisms i.e. encryption and data protection throughout the hardware and software layers.
Fundamentals of Freedom
A popular dictionary defines privacy as: "The quality or condition of being secluded from the presence or view of others. The state of being free from unsanctioned intrusion: a person's right to privacy". The commonly accepted definitions of privacy that are built into much legislation use the concepts of a person's right to be free from unreasonable search, seizure and intrusion. They also state that the protection of personal information is a fundamental right. The United Nations Universal Declaration of Human Rights [1], which is exactly 50 years old, enunciates the fundamental right to privacy and can be viewed at www.un.org/overview/rights.html . In summary it affirms:
- The right to dignity and freedom.
- People shall not be subjected to arbitrary interference with privacy and home.
- The right to freedom of movement and residence within the borders of the state.
- The right to freedom of thought, conscience and religion, and the right to practise, and if so decided to change, one's faith.
(Note: This last point may not seem relevant to a treatment of wireless sensors; however the concern here is that many see technology as a barrier between the physical and spiritual worlds, a slide away from traditional spiritual values into a materialistic, irreligious society. People will refer to the Book of Revelation and cite "The Mark of the Beast".)
OECD Guidelines on Privacy
The Organisation for Economic Cooperation and Development (OECD) released Guidelines for Data Protection and Privacy [2] in 1980, which were based on the US-initiated Fair Information Practices (FIPs) [3] policy. These Guidelines were reaffirmed in 1998 as still relevant and form the basis of much legislation worldwide. Their key pillars are:
- 1. There must be no personal-data record-keeping systems whose very existence is a secret.
- 2. There must be a way for a person to find out what information about the person is in a record and how it is used.
- 3. There must be a way for a person to prevent information about the person that was obtained for one purpose being used for other purposes without the person's consent.
- 4. There must be a way for the person to correct and amend a record of identifiable information about the person.
- 5. Any organization creating, maintaining, using or disseminating records of personally identifiable data must ensure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.
These five key principles form the basis of much privacy legislation world-wide and all wireless sensor network systems must at a minimum comply with these guidelines.
There are major issues around privacy and ethics raised by the evolution towards a so-called ubiquitous computing society, and as the evolution progresses these issues become more important. In fact privacy/ethics will be a fundamental barrier to adoption unless handled proactively, as presently technology has been outpacing policy.
Privacy Concerns of Wireless Sensor Networks
There are a number of recurring themes that constantly come up in the privacy arena regarding the proliferation of intelligent wireless devices such as RFID and sensor networks. These are listed below. It is imperative that policy and legislation protect these areas and provide assurance to consumers. Unfortunately, however, one generally arrives back at the point of trust, i.e. "how do I know that you are doing what you say, so that I trust you...", and this is the toughest challenge of all.
- Surveillance - The "Big Brother" scenario - Because wireless technology uses radio waves which are invisible to the human eye it is possible to have devices implanted in areas that are hidden. Examples are beneath floors or in ceilings, behind walls etc. These readers can be gathering individual data, unknown to the individual.
- Association - The concern is that a person could be associated with, for example, a product, e.g. an ECG-monitored patient could be associated with a particular heart medication and be the victim of aggressive marketing. Or an AIDS patient may suffer social exclusion based on the medical condition.
- Profiling - Arises out of association, the concern here is that complete profiles of a person may be built up, i.e. likes, dislikes, health status, political allegiances etc. A major concern is that this information could be used for subterfuge purposes i.e. blackmail.
- Data Sharing "One Big Database" - The question arises as to the boundaries of a wireless sensor network. Where does the data sharing end, and who owns the data once it passes multiple boundaries? Who has my information sitting on their database and how are they using it? Despite assurances from the service providers, the consumer has the dilemma: how do I know that the data is not being shared with agencies that I have not given consent to? The answer comes down to 'trust', and this is one thing consumers very often don't have when it comes to government or retail type organisations!
- Labour Impact – Wireless sensor technologies are poised to transform manual processes such as found in healthcare environments and provide a higher level of automation. This could imply the reduction of labour forces in certain areas or perhaps the redeployment of labour forces to other areas. This will be a very sensitive topic, particularly where labour unions are strong as in parts of Europe.
Not Everyone is Enthusiastic About this Technology
With the above concerns in mind, many groups have sprung up that lobby and campaign against the ubiquitous deployment of wireless technology. As RFID systems have been ahead of commercial wireless sensor networks, they have in a way been the lightning rod for a lot of the potential privacy issues that wireless sensor networks will encounter, and the issues are almost identical (actually they will be tougher as we move to truly ubiquitous networks!). A leading lobby group against this technology is called CASPIAN (Consumers Against Supermarket Privacy Invasion And Numbering) [4]. They refer to RFID devices as spychips and are concerned with personal information being used in an unauthorised manner. Quoting from their website (spychips.com)... "We do believe, however, that these technologies pose serious risks to consumers, and we have called on the world's shoppers to reject them. CASPIAN hopes to see both technologies (RFID and supermarket loyalty cards) ultimately fail in the marketplace as a result of consumer opinion. In the long run, outright market failure would offer more effective consumer protections than temporary legislative band-aids. (What the legislature grants, the legislature can easily take away, limiting the field of consumer espionage to itself.)"
This gives a flavour of some of the difficulties in the privacy debate and shows the need for it to be handled proactively and not 'bolted on' once the technology is being deployed, i.e. as an afterthought. Healthcare is one area where the 'hearts and minds' debate can be easier to argue, i.e. people would be willing to trade off some privacy if their wellbeing or quality of life were improved. However, for normally healthy people the argument can be lost if, for example, as a result of remote monitoring a person's home is broken into and medication stolen, or if information on a sensitive medical condition is disseminated, or if the person is the recipient of an aggressive marketing campaign.
Global Policy and Legislative Efforts
European Union - Directive 95/46/EC [5]
Background
In May 2000, the Information Society Technologies Advisory Group (ISTAG) commissioned the creation of four scenarios [6] "to provide food for thought about longer term developments in Information and Communication Technologies", with the intent of exploring the social and technical implications of ambient intelligence. Among other things, the scenarios suggested a set of "critical socio-political factors" that were considered crucial for the development of ambient intelligence, including the issue of security and trust. ISTAG said that "a key aspect is management of privacy: more open systems tend to lower privacy levels [where] technological developments are outpacing regulatory adjustments".
The ISTAG vision “trust and confidence enabling tools for the management of privacy within an ambient intelligence context” became a major focus of the “Disappearing Computers” component of the EC’s Fifth Framework Programme (FP5) and provided a point of departure for structuring IST research under the Sixth Framework Programme (FP6).
The governing policy in Europe regarding personal data is "Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data". The directive was implemented in 1995 by the European Commission. The right to privacy is a highly developed area of law in Europe. All the member states of the European Union (EU) are also signatories of the European Convention on Human Rights (ECHR). Article 8 of the ECHR provides a right to respect for one's "private and family life, his home and his correspondence," subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence. In 1981 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was negotiated within the Council of Europe. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.
Scope of Directive
Personal data are defined as "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;" (art. 2 a)
This definition is meant to be very broad. Data are "personal data" when someone is able to link the information to a person, even if the person holding the data cannot make this link. Some examples of "personal data" are: address, credit card number, bank statements, criminal record, etc.
The notion processing means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;" (art. 2 b)
The responsibility for compliance rests on the shoulders of the "controller", meaning the natural or artificial person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; (art. 2 d)
The data protection rules are applicable not only when the controller is established within the EU, but whenever the controller uses equipment situated within the EU in order to process data. (art. 4) Controllers from outside the EU, processing data in the EU, will have to follow data protection regulation. In principle, any online business trading with EU citizens would process some personal data and would be using equipment in the EU to process the data (i.e. the customer's computer). As a consequence, the website operator would have to comply with the European data protection rules. The directive was written before the breakthrough of the Internet, and to date there is little jurisprudence on this subject.
Principles
Personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose and proportionality.
Transparency
The data subject has the right to be informed when his personal data are being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. (art. 10 and 11)
Data may be processed only under the following circumstances (art. 7):
- When the data subject has given his consent
- When the processing is necessary for the performance of or the entering into a contract
- When processing is necessary for compliance with a legal obligation
- When processing is necessary in order to protect the vital interests of the data subject
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject
The data subject has the right to access all data processed about him. The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or isn't being processed in compliance with the data protection rules. (art. 12)
Legitimate purpose
Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. (art. 6 b)
Proportionality
- Personal data may be processed only insofar as they are adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.
- The data must be accurate and, where necessary, kept up to date.
- Every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified.
- The data shouldn't be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed.
- Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. (art. 6)
- When sensitive personal data (e.g. religious beliefs, political opinions, health, sexual orientation, race, membership of past organisations) are being processed, extra restrictions apply. (art. 8)
- The data subject may object at any time to the processing of personal data for the purpose of direct marketing. (art. 14)
- A decision which produces legal effects or significantly affects the data subject may not be based solely on automated processing of data. (art. 15) A form of appeal should be provided when automatic decision making processes are used.
Supervisory authority and the public register of processing operations
Each member state must set up a supervisory authority, an independent body that will monitor the data protection level in that member state, give advice to the government about administrative measures and regulations, and start legal proceedings when data protection regulation has been violated. (art. 28) Individuals may lodge complaints about violations to the supervisory authority or in a court of law.
The controller must notify the supervisory authority before he starts to process data. The notification contains at least the following information (art. 19):
- the name and address of the controller and of his representative, if any;
- the purpose or purposes of the processing;
- a description of the category or categories of data subject and of the data or categories of data relating to them;
- the recipients or categories of recipient to whom the data might be disclosed;
- proposed transfers of data to third countries;
- a general description of the measures taken to ensure security of processing.
This information is kept in a public register.
Transfer of personal data to third countries
Third countries is the term used in EU legislation to designate countries outside the European Union. Personal data may only be transferred to third countries if that country provides an adequate level of protection. Some exceptions to this rule are provided, for instance when the controller himself can guarantee that the recipient will comply with the data protection rules.
The European Commission has set up the "Working party on the Protection of Individuals with regard to the Processing of Personal Data," commonly known as the "Article 29 Working Party". The Working Party gives advice about the level of protection in the European Union and third countries.
The Working Party negotiated with U.S. representatives about the protection of personal data; the International Safe Harbor Privacy Principles were the result. According to critics the Safe Harbor Principles do not provide an adequate level of protection, because they contain fewer obligations for the controller and allow the contractual waiver of certain rights.
Implementation by the member states
EU directives are addressed to the member states and in principle are not legally binding for citizens. The member states must transpose the directive into internal law. Directive 95/46/EC on the protection of personal data had to be transposed by the end of 1998. All member states have enacted their own data protection legislation.
United States
There is currently no federal law applicable to the collection and processing of personally identifiable information gathered through the use of wireless technologies. However, many states are proposing legislation based on the FIPs guidelines. Examples include California, Virginia, Missouri and Maryland. The Electronic Privacy Information Center (EPIC) has reported [7] survey opinion data indicating that Americans want total transparency around how their information is collected and used, and that consent must be obtained. They also do not trust self-regulation and want the ability to view the data that is retained at any time. They also state that many are extremely or very concerned about the privacy implications of RFID technologies.
The United States has no comprehensive privacy protection law for the private sector. A patchwork of federal laws covers some specific categories of personal information (Privacy Act, COPPA, HIPAA, CAN-SPAM Act, PATRIOT Act, etc.). These include financial records, health information, credit reports, video rentals, cable television, children's (under age thirteen) online activities, educational records, motor vehicle registrations, and telemarketing.
The Health Insurance Portability and Accountability Act (HIPAA) [8]
Regarding medical information and data handling, the Health Insurance Portability and Accountability Act (HIPAA) applies in the United States. The act is roughly broken into two sections, one of which protects health insurance coverage for workers and their families when they change or lose their jobs. The second, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the US health care system.
A good treatment of the HIPAA Act is given here: Health_Insurance_Portability_and_Accountability_Act, and the full text of HIPAA is given in [9]; however some key features include:
- The Privacy Rule - The Privacy Rule took effect on April 14, 2003. It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to an individual.[10] This is interpreted rather broadly and includes any part of a patient's medical record or payment history. All FIPs principles apply, including the individual's right to request information on the personal information being held about him or her, ensuring that its accuracy is maintained, and the right to change personal details (such as contact numbers). Also included was provision for a complaints process in instances where the individual believes the Privacy Rule is not being honoured, a sort of Ombudsman process. However, this has been reported as being woefully inefficient and bureaucratic.
- The Security Rule - The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible. Individual covered entities can evaluate their own situation and determine the best way to implement addressable specifications.
- The Unique Identifiers Rule (National Provider Identifier, NPI) - Effective from May 2006, all covered entities using electronic communications (e.g., physicians, hospitals) must use the NPI, which replaces all other identifiers previously used. The NPI is 10 digits (may be alphanumeric), with the last digit being a checksum. The NPI cannot contain any embedded intelligence; in other words, the NPI is simply a number that does not itself carry any additional meaning. The NPI is unique and national, never re-used, and, except for institutions, a provider usually can have only one. An institution may obtain multiple NPIs for different "subparts" such as a free-standing cancer center or rehab facility.
- The Enforcement Rule - The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations.
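The check digit mentioned under the Unique Identifiers Rule is what lets a receiving system reject a mistyped or corrupted NPI before it is ever stored or matched against a record. The following Python is an added example, not code from the Capsil wiki or from CMS. It assumes the detail, taken from the CMS NPI check-digit specification rather than from this page, that the check digit is the Luhn check digit computed over the nine leading digits prefixed with the constant 80840, and it assumes an all-numeric NPI; the sample value 1234567893 is CMS's published illustration of the calculation.

```python
"""NPI check-digit calculation and validation (Luhn over 80840 + first nine digits).
Added example, not from the Capsil wiki or from CMS; assumes a numeric NPI and the
80840 prefix described in the lead-in."""

NPI_PREFIX = "80840"  # assumption from the CMS check-digit specification


def luhn_check_digit(number):
    """Return the Luhn check digit for the digit string `number`.

    Digits are processed from the right; because the check digit will be
    appended to the right, the rightmost existing digit is the first doubled."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return (10 - total % 10) % 10


def npi_check_digit(first_nine):
    """Check digit for the nine leading NPI digits."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("expected nine leading digits")
    return luhn_check_digit(NPI_PREFIX + first_nine)


def is_valid_npi(npi):
    """True when `npi` is ten digits whose last digit matches the Luhn check.

    This detects every single-digit substitution and most adjacent
    transpositions; it says nothing about whether the NPI is assigned."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


if __name__ == "__main__":
    print(npi_check_digit("123456789"))   # CMS worked example -> 3
    print(is_valid_npi("1234567893"))    # True
    print(is_valid_npi("1234567839"))    # False: digits transposed
```

Because the checksum is a transcription check and not a secret, it adds nothing to confidentiality; its value is in data quality, which the Privacy Rule's accuracy obligation also requires.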
Other Applicable Laws in the United States
For healthcare purposes the main policy document is the HIPAA act; however some other acts also apply. An example is the Children's Online Privacy Protection Act (COPPA) [10]. The act, effective April 21, 2000, applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online, including restrictions on marketing to those under 13.
Interoperability Between Health Information Systems - Health Level 7 (HL7)
The Health Level 7 (HL7) organisation [11] was founded in 1987 as a not for profit organisation to produce a standard for hospital information systems exchange. HL7, Inc. is a standards organization that is accredited by the American National Standards Institute (ANSI); it became accredited in 1994. It is an international community of healthcare subject matter experts and information scientists collaborating to create standards for the exchange, management and integration of electronic healthcare information. HL7 is now adopted by ISO as a centre of gravity in international standardization and accredited as a partnering organization for mutual issuing of standards. The name "Health Level-7" is a reference to the seventh "application" layer of the ISO OSI Model. The name indicates that HL7 focuses on application layer protocols for the health care domain, independent of lower layers. HL7 effectively considers all lower layers merely as tools.
The basic idea of HL7 is to provide a common messaging format for health information systems to communicate with each other, i.e. to provide a 'language' that all systems understand. EDI in the retail sector is a simple messaging system for the interchange of trading information such as Advanced Shipping Notices and Order Transactions. HL7 aims at the same goal for healthcare but, unlike EDI, defines very detailed and semantically structured messaging schemes. Typically healthcare information systems are incompatible and do not communicate with each other, as very often they have 'grown up' in the organisation separately. So when data needs to be exchanged, the different systems essentially speak different languages. HL7 is designed to define a common language and enable disparate systems to communicate effectively. HL7 will be very important for the proliferation of Electronic Medical Records if a truly nationwide (and even trans-national) solution is to be realised. HL7 will also be very important for wireless sensor networks: as the number of intelligent devices producing healthcare information grows, as it will, a common framework will be needed to maximise the promise of these networks. As with any emerging technology, there are many different approaches in academic/research settings at present that are essentially trying to do the same thing. HL7 will be an important component in developing a common standard system for interoperability. For example, there is very little point in having a sensor network system that cannot communicate its data to physicians, caregivers, medical records etc. in a secure and reliable manner.
An example HL7 Message is shown here.
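As an added example (not code from the Capsil wiki, from HL7, Inc. or from any project the page describes), the following Python parses a constructed HL7 v2 ORU^R01 result message of the kind a body-sensor gateway might send to an EMR, extracts the OBX observations, and then applies the proportionality principle from the Directive section above (data should not be kept in a form that identifies the data subject for longer than necessary) by replacing the direct identifiers in the PID segment with a keyed pseudonym before the observations cross the controller's boundary. The message content, the patient and device identifiers, the key, and the choice of HMAC-SHA256 for the pseudonym are all this example's own assumptions; the segment/field/component delimiters are the standard HL7 v2 ones.

```python
"""Parse a constructed HL7 v2 ORU^R01 message, pull out the observations, and
pseudonymize the PID segment so that only the holder of the key can re-link it.
Added example, not from the Capsil wiki or HL7, Inc.; all sample data is constructed."""
import hashlib
import hmac

SEG_SEP = "\r"    # HL7 v2 separates segments with a carriage return
FIELD_SEP = "|"
COMP_SEP = "^"

# Constructed sample: MSH header, patient identification (PID), order (OBR),
# two numeric observations (OBX). Names, numbers and values are fictitious.
SAMPLE_MSG = SEG_SEP.join([
    "MSH|^~\\&|BSN_GATEWAY|WARD3|EMR|HOSPITAL|20240101120000||ORU^R01|MSG00001|P|2.5",
    "PID|1||123456^^^HOSPITAL^MR||DOE^JANE||19800101|F|||1 MAIN ST^^SPRINGFIELD^^12345",
    "OBR|1|||ECG^Electrocardiogram",
    "OBX|1|NM|8867-4^Heart rate^LN||72|/min|||||F",
    "OBX|2|NM|8310-5^Body temperature^LN||37.1|Cel|||||F",
])

# PID fields that directly identify the data subject (HL7 v2 field numbers).
DIRECT_IDENTIFIERS = {5: "patient name", 7: "date of birth", 11: "address"}


def parse_hl7(msg):
    """Return a list of (segment_name, fields) with fields[n] being field n.
    In MSH the field separator itself is field 1, so its split is shifted."""
    segments = []
    for raw in msg.split(SEG_SEP):
        if not raw:
            continue
        parts = raw.split(FIELD_SEP)
        if parts[0] == "MSH":
            fields = ["MSH", FIELD_SEP] + parts[1:]
        else:
            fields = parts
        segments.append((parts[0], fields))
    return segments


def field(fields, n, default=""):
    return fields[n] if n < len(fields) else default


def observations(segments):
    """Collect (code, description, value, unit) from every OBX segment."""
    out = []
    for name, f in segments:
        if name != "OBX":
            continue
        code_parts = field(f, 3).split(COMP_SEP)
        desc = code_parts[1] if len(code_parts) > 1 else ""
        out.append((code_parts[0], desc, field(f, 5), field(f, 6)))
    return out


def pseudonymize(segments, key):
    """Replace PID direct identifiers with a keyed pseudonym of the MRN.
    An HMAC (rather than a plain hash) means the mapping cannot be rebuilt
    by anyone who does not hold the key, while the key holder keeps linkability."""
    result = []
    for name, f in segments:
        f = list(f)
        if name == "PID":
            mrn = field(f, 3).split(COMP_SEP)[0]
            token = hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]
            f[3] = token                    # pseudonym replaces the MRN
            for n in DIRECT_IDENTIFIERS:    # blank name, DOB, address
                if n < len(f):
                    f[n] = ""
        result.append((name, f))
    return result


def serialize(segments):
    """Inverse of parse_hl7: rebuild the pipe-delimited message."""
    lines = []
    for name, f in segments:
        lines.append(FIELD_SEP.join([f[0]] + f[2:] if name == "MSH" else f))
    return SEG_SEP.join(lines)


def contains_direct_identifiers(msg):
    """Boundary check: refuse to forward a message that still carries identifiers."""
    for name, f in parse_hl7(msg):
        if name == "PID" and any(field(f, n) for n in DIRECT_IDENTIFIERS):
            return True
    return False


if __name__ == "__main__":
    key = b"constructed-demo-key"   # in practice provisioned from a key store
    segs = parse_hl7(SAMPLE_MSG)
    print(observations(segs))
    outbound = serialize(pseudonymize(segs, key))
    print(outbound.replace(SEG_SEP, "\n"))
    print("identifiers present:", contains_direct_identifiers(outbound))
```

The OBX segments carry the clinical payload and are passed through untouched; only the PID segment is altered, so a downstream system can still trend a patient's readings under the pseudonym, and re-identification requires the key held by the controller.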
Applicable Policy Concerning Wireless Technologies
In January 2005, the EU set up a Working Party [12] on the protection of individuals with regard to the processing of personal data. This working party has produced a paper that focuses on RFID technology and data protection and looks at ways manufacturers and those who use such devices can achieve legal compliance. The working party identified a number of circumstances where RFID has data protection and privacy implications. These include where RFID is used to store personal data. The paper also provides guidelines on the application of the EU data protection legislation to RFID devices and tips on compliance.
In summary, these are:
- If information neither contains personal information nor is combined with personal data, then the provisions of the data protection Directive do not apply.
- When devices contain personal data, there must be an in-built technical security mechanism to safeguard the privacy of the individual. Examples include encryption and authentication protocols (e.g. ISO/IEC 9798). Keys for symmetric algorithms such as DES and asymmetric algorithms such as ECC can be used in both symmetric and asymmetric key distribution schemes.
- Compliance with the data protection principles by data controllers
- Data controllers must have a legal ground for processing the data - these are contained in Article 7 of the Directive.
- The individual must be provided with information in relation to the data controller, what processing is being undertaken and their rights of access;
- Entitlement for the individual to have access to all the information a controller has on that individual;
- Obligation on controllers to implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction.
Essentially the policy document is just rehashing the directive and all the principles apply.
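The "in-built technical security mechanism" the Working Party asks for on devices holding personal data is, for a sensor node, usually an authentication handshake before any data is released. The following Python is an added example (not code from the Capsil wiki, the Working Party or ISO) of a two-pass challenge-response exchange modelled on the keyed-MAC mechanisms of ISO/IEC 9798-4: the reader sends a fresh random challenge, the node returns a MAC over the challenge and its own identity under a key shared at enrolment, and the reader verifies it. The message layout, the node identifiers, the keys and the use of HMAC-SHA256 in place of a DES-based MAC are this example's own choices, not the standard's encoding; it also shows the two failure modes a verifier must handle, a replayed response and a node presenting the right identity with the wrong key.

```python
"""Two-pass unilateral authentication of a body sensor node to a reader using a
keyed MAC, in the style of ISO/IEC 9798-4. Added example, not from the Capsil wiki
or the standard; identifiers, keys and message layout are constructed."""
import hashlib
import hmac
import secrets


def mac(key, challenge, node_id):
    """MAC_K(R || ID): binds the reply to this challenge and this identity."""
    return hmac.new(key, challenge + node_id.encode(), hashlib.sha256).digest()


class Reader:
    """Verifier: holds each enrolled node's key and issues single-use challenges."""

    def __init__(self, node_keys):
        self.node_keys = dict(node_keys)   # node_id -> shared secret (enrolment)
        self.pending = {}                  # node_id -> outstanding challenge

    def challenge(self, node_id):
        r = secrets.token_bytes(16)        # fresh nonce per run defeats replay
        self.pending[node_id] = r
        return r

    def verify(self, node_id, tag):
        r = self.pending.pop(node_id, None)   # a challenge can be answered once
        key = self.node_keys.get(node_id)
        if r is None or key is None:
            return False
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(mac(key, r, node_id), tag)


class SensorNode:
    """Claimant: proves possession of its key without ever transmitting it."""

    def __init__(self, node_id, key):
        self.node_id = node_id
        self.key = key

    def respond(self, r):
        return mac(self.key, r, self.node_id)


def run_protocol(reader, node):
    r = reader.challenge(node.node_id)     # reader -> node : R
    tag = node.respond(r)                  # node -> reader : MAC_K(R || ID)
    return reader.verify(node.node_id, tag)


def demo():
    """Genuine run, replay of a captured reply, and an impostor with the wrong key."""
    key = secrets.token_bytes(32)          # constructed key, set at enrolment
    reader = Reader({"ecg-07": key})
    genuine = SensorNode("ecg-07", key)
    impostor = SensorNode("ecg-07", secrets.token_bytes(32))  # same ID, wrong key

    genuine_ok = run_protocol(reader, genuine)

    # Capture one valid reply and present it again: the challenge is consumed.
    r = reader.challenge("ecg-07")
    tag = genuine.respond(r)
    first = reader.verify("ecg-07", tag)
    replayed = reader.verify("ecg-07", tag)

    # Present the captured reply against a new challenge: the nonce differs.
    reader.challenge("ecg-07")
    stale = reader.verify("ecg-07", tag)

    wrong_key = run_protocol(reader, impostor)
    return {"genuine": genuine_ok, "first": first, "replayed": replayed,
            "stale": stale, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demo())   # expect only "genuine" and "first" to be True
```

Including the node identity inside the MAC is what stops a reply meant for one node being accepted for another; the single-use challenge table is what stops a recorded reply being accepted twice. Neither property depends on the MAC algorithm, so the same structure applies with a DES-based MAC on a constrained node, although a modern keyed hash is the better choice where the node can afford it.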
References
- [1] http://www.unhchr.ch/udhr/
- [2] "OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data". http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html
- [3] "Fair Information Practice Principles". US Federal Trade Commission. http://www.ftc.gov/reports/privacy3/fairinfo.shtm
- [4] http://www.spychips.com
- [5] http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf
- [6] http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp105_en.pdf
- [7] http://epic.org/privacy/rfid/rfidtestimony0704.html
- [8] http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/HIPAALaw.pdf
- [9] http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/HIPAALaw.pdf
- [10] http://www.ftc.gov/ogc/coppa1.htm
- [11] http://www.hl7.org/
- [12] http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp105_en.pdf