Speaker 0
0:10 – 0:12
Welcome to Tech Talk. Bye.
Speaker 1
0:13 – 0:14
CT. T.
Speaker 2
0:16 – 2:18
Welcome to CDT's Tech Talk where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Brian Wasilowski and it's time to talk tech. CDT is a nonpartisan organization, but let me speak for myself by saying it was a pretty repulsive first week for the current administration if you love civil liberties. One of the many awful executive orders the president signed stopped the application of Privacy Act provisions to non-US persons. CDT's president and CEO was part of the team at the Department of Homeland Security that helped develop the policy this executive order removes, and she'll be joining us to address why we are opposing the president's actions. We'll also hear from the author of Our Bodies, Our Data about the huge market out there for personal health data and who is really benefiting. Here's a hint. It's not the patients. Hopefully, you have read the recent impassioned post from our president and CEO about the president's executive order that ended a policy of applying some Privacy Act provisions to non-US persons. Well, it was so impassioned because Nuala was one of the leaders that helped develop and implement the policy while at the Department of Homeland Security, and she is also someone who immigrated to the country. It very much resonated with her on a personal level. The order essentially makes it so that non-US citizens or persons, such as people applying to immigrate to the country, cannot request to see the official records the US government holds on them. Nuala O'Connor returns to Tech Talk to share more about this. Welcome, Nuala. Hi, Brian. Thanks for having me. Oh, always a pleasure. Of course, you always gotta have your boss on. Right? So so first, because this is so wonky for people, but you did a great job of breaking down what it really means. Tell us what this executive order changes. Thank you so much, Brian. So the Privacy Act indeed
Speaker 0
2:19 – 4:26
before this week was the province of wonky government lawyers and folks who cared about bowels of buildings in Washington DC full of file cabinets and and and lots and lots of paper mostly. But really the privacy act is the comprehensive federal privacy law in The United States governing what your US government knows about you. So, you know, The US as you know is criticized around the world for not having comprehensive sectoral approach, meaning different sectors of industry are covered by different laws. But the federal government has long been covered by a comprehensive law dating back to 1974, really, and the creation of the first mainframe databases and the ability of the government to collect and process and store a lot of information about you, the citizen, or you, the citizen, or you, the visitor or immigrant or a legal permanent resident of this country. What the privacy act requires is is basic privacy fundamentals. The right to know what your government has about you. The right to see it in limited but real circumstances, things that aren't classified or or top secret, etcetera, and be able to obviously correct it if the files are wrong. This is incredibly important if you are applying for citizenship or applying for some kind of legal status or immigration status or refugee status. And again, you know, the cases I've seen where people have lost these documents in in harrowing situations, sometimes you just need to see the file in order to get a copy of your own birth certificate or or other documents. So it's but it's an important principle on a not only on a personal level, but on a on a comprehensive kind of legal level that there should be no secret government databases. This is an age old principle of privacy law and frankly of fairness, and it's an important check and balance on government power. 
And so to say we're gonna cut off people's ability to see what the government has about them and to create essentially secret or or opaque databases is a pretty scary thought around not only here in The United States, but around the world.
Speaker 2
4:26 – 4:53
So just to clarify that Americans, an American citizen or as we say a a person, and I guess in the legal terms, has the right to look at what the government has about us. But this applies to a non US citizen. I know is not the right term. It's persons in the legal sense, have the right to see what the US government is holding about them. Is that something that other countries allow? You know? Because I could feel as though some people would think
Speaker 0
4:54 – 9:42
reciprocity here or something like that. You've nailed it. And so what's different about US law, what has been different is that, interestingly, The US was one of the first countries to go on record to have some of these rights for their own citizens. This is the privacy act of 1974. Privacy law spread kind of like wildfire across Europe and and the rest of the world through the eighties and the nineties. Most of the European data protection laws actually date from after The US privacy law but include rights for all persons. So an important principle here is many privacy laws around the world treat all persons the same regardless of their citizenship. The US privacy act historically and on the face of the statute only provides rights to US persons. And so you're right. You're struggling we're struggling over the language. A US person is a US citizen or a legal permanent resident, an LPR. An LPR is also known to all of us as a green card holder. Why Brian mentioned earlier I care so much about this is I was a green card holder for almost half of my life. The first, half of my life till I went off to college, I was a green card holder living legally in The United States. My parents waited a long time for their visas from Ireland, and they will tell you all about that story sometime. But, you know, they feel very strongly about legal immigration and, the treat the fair treatment of citizens and immigrants to this country. I care about the dignity of all persons regardless of their citizenship, and I believe that our laws should treat humans with dignity under these principles. That's a principle that's ensconced in other nation's laws that the US Privacy Act does not frankly reflect the greatest, extent possible, but a number of us working in the federal government. And really, I'd I'd love to take all the credit for this. The many of these policies predate my time at the Department of Homeland Security. 
Members of our team at DHS had worked at justice and had implemented these kinds of policies really because it's more efficient. And when I let me talk about what policy I'm talking about. What it means is we applied privacy act principles to all persons regardless of citizenship, going above and beyond what the law required, but really out of a sense of fairness and a a sense of fair play and equality for all human beings. Also, operationally, it's just easier. If you've got one database that has people who are US citizens or persons and non US citizens or persons, to figure out who is a citizen, who's not a citizen when they make an application to see their file, frankly, is is kinda difficult. It's additionally burdensome. You'd have to require more information about the person making the request or you'd have to bifurcate the systems. And we all know how strapped US federal agencies are for for money and resources in the IT space. Asking them to build a whole separate system to house information about non US persons or US persons and provide different systems and different processes to all the employees working on those requests would actually been a huge burden on the US government. So you've got all these com what I would call commingled or combined systems. Also, you've got a huge system, INS, the Immigration and Naturalization Service among them and chief among them, where people change status. So suddenly, you've got a person who wasn't a US citizen who now is. You're gonna have to go and find their file legally, physically, or digitally and yank them out of the system and put them in a different system. That just seems like a big pain in the tush, frankly. So so operationally and in terms of cost savings and if I'm being flippant, but in terms of real cost savings and efficiency for federal government employees and resources, it makes more sense. 
And, oh, by the way, it's also the right thing to do and it respects the human rights and dignity of all persons in the system. And, oh, by the way, it also puts us on parity with the rest of the world in passing these laws. So for lots of good reasons, but esoteric and really operational, it was the right thing to do. It was the easy thing to do. It was kind of a no brainer. I had tremendous support from Tom Ridge, our secretary of homeland security at the time, and the whole team at the privacy office at DHS. And again, building on a history of that kind of positive treatment of visitors and residents in this country, it's simply the right thing to do. What this order last week did is undo all that work. Undo all and walk back all of those positive strides made by folks, both political and career employees of the federal government, in trying to do the right thing for for legal permanent residents and visitors to this country. So it's an incredible disappointment. Frankly, that news is overshadowed by much even even more, you know Of course. Incredible news and and and shocking news about treatment of of visitors and and immigrants and refugees to this country. And I'm sure we will cover some of those issues in future podcasts.
Speaker 2
9:43 – 9:50
That We've have we've have a lot to cover now in our first week. So we'll pick them off, you know. A very technical but very important
Speaker 0
9:50 – 10:38
signal that it sends about how we're gonna treat people coming to this country. And then I could go on and on on on, you know, how I feel about the importance of immigrants in in the social fabric and in the history of The United States. But more imminently, it also sends a very disturbing signal to our friends, not only in Europe but around the world as we try to negotiate cross border data flows and global treaties on the use of information on the free flow of goods, services, data, and people. And so while, you know, there was a lot of kind of shock and and and awe in the privacy community on on Thursday and Friday when this came out, about the privacy shield and about the current status of the agreements. It does not imminently undo or, you know, immediately undo privacy shield or any of the existing agreements,
Speaker 3
10:38 – 10:39
but it does send an important signal. It sends a
Speaker 0
10:41 – 10:53
signal that this administration believes in the principle that that US persons are entitled to a different treatment under this law, which on the face of the law is not inaccurate. But it sends a very concerning signal that we are not
Speaker 2
11:01 – 11:40
treatment of all persons under private law. Is a truly nonpartisan issue. You were under a Republican president, and it continued under a Democrat. So it seems strange that this is now getting hacked. The great thing is you did such an eloquent job of running through that. I have no questions. She actually ticked them all off from, you know, why are secret databases bad to the business perspective to privacy shield. So that's great. Any last thoughts from you on this? Or in general, you know, the week, you know, would we be remiss, as you said, to really it's been gosh. Has it only been ten days? Maybe a few more, you know, kind of what we've seen and what it means for
Speaker 0
11:40 – 12:34
beyond this issue, civil liberties, especially the the digital rights that we advocate for. We're very concerned about the treatment of all people at the border. And while it is true that that that our rights at the border are are quite limited, that the rights of the of a state of any state to decide who comes and goes into the country, and to assess threats is real. We're gonna fight hard any excessive intrusion into people's daily digital lives, whether through their cell phones, whether through their social media postings, whether through, you know, the the things that they have on their person when they arrive at the border. This is a an issue of basic human dignity and CDT stands for the rights of the individual regardless of nationality or country of origin or personal attributes or, or status. And this is just the beginning of this
Speaker 2
12:34 – 13:47
fight. Well, thank you, Nuala. If you haven't already read Nuala's post, please visit cdt.org. We've also created a medium account for Nuala, so check that out. And, she's gonna be writing a lot more. So visit that. We're gonna see some wonderful things. Always a pleasure, Nuala. Thank you, Brian. There's almost no information about you that is more personal than medical data. This could be as simple as your weight or blood pressure, but also includes the prescriptions you take or STIs you've had in the past. All of this information might be useful to you your doctor, but it's also extremely valuable to businesses in the medical space such as healthcare providers and drug companies. In his new book, Our Bodies, Our Data, Adam Tanner takes a look at the multibillion dollar industry that is built on our medical data and explores why the true goal of more patient data, improved medical care is mostly eluding us. I'm thrilled to welcome Adam to Tech Talk. Thanks for joining, Adam. How are you? Good. Good. Nice to be with you. So tell me a bit about the book. What was it that what's it about? I mean, I kinda gave an intro. And what what motivated you to write it?
Speaker 1
13:48 – 14:50
I have been researching the business of personal data for the past five years or so. This is the commercial side of data gathering that occurs about us. And this is largely about companies trying to sell us things. I wrote a book that came out in 2014 called What Stays in Vegas. And that book was initially I was thinking, well, I'll put in some information about medical data. The topic of medical data and how our information is sold was so complicated that I put the topic largely aside to produce a second book, which is Our Bodies, Our Data. And what I've discovered in doing years of additional research is that there is this vast hidden opaque trade in our most intimate medical secrets that starts at the doctor's office and continues throughout the system whenever we receive health care. And it it's a trade that we don't know about and we have no say about. But I think it's something that we should we should know about and we should discuss it and discuss it and decide as a country and as a society whether this is something that we want or whether we wanna change the rules
Speaker 2
14:51 – 15:11
to strengthen privacy protections. So tell us tell me a bit, about what is exactly out there. You touched on it a little bit, and certainly, we all have that experience of going to our our doctor and feeling as though there's some sort of electronic record. But you kinda touched on it. There's a much bigger train. What is your trail of data? What is out there?
Speaker 1
15:11 – 16:41
So in recent decades, medical information about about us has been digitized, put into computers. Now this can be very good. It means that different providers can see our medical records when treating us. It means that we can easily send a prescription from the doctor's office to the pharmacy. All of that is good. But there's a side of that that we don't know about it or understand that's happening. And that is the information from the doctor's office, from the electronic medical record system, can be sold to, commercial third party companies that have nothing to do with your treatment. Now, it doesn't list your name. It is anonymized. It means your name is removed, your address, and a few other pieces of information. But it is gathered with other medical information about you over time. So it means it's not only stuff from the doctor's office. It's also information that the pharmacist is collecting about you, what prescriptions you get. It may be the results of your blood tests or urine tests. It may be hospital exit records. And also, it may be information from your medical claims on your insurance. Mhmm. All of that is put together into this dossier about you that these third party companies gather. And collectively, that's a multibillion dollar industry. The problem over time, though, is a dossier that has years of information about you may be revealing because it has not only all of these specific conditions and when you have these issues, it has the names of your doctors. It has your date of birth. It has your gender. It has other identifying clues
Speaker 2
16:41 – 16:58
that outsiders may be able to piece together and figure out who you are. So then in reality, you know, anonymized data is kind of a loaded word. It's kind of de-identified data that may not be too hard to reidentify. Is that what you're saying? I think so. What has happened is with computerization becoming,
Speaker 1
16:59 – 18:07
ever more commonplace, with computers becoming stronger and with data storage becoming much cheaper, what was a strong level of privacy twenty years ago may no longer be a strong level of privacy today. And that's the issue that I'm raising. If you can easily put together these dossiers on patients, you may have some insights into who they are. And let me give you an example of how that might work. Sure. I'm talking to you now from Fairbanks, Alaska. I'm teaching here at the university for a year. If I receive medical care here, it would be paired into my file with my previous place of residence, which was, Cambridge, Massachusetts, and perhaps with earlier stuff that I had from Serbia. I lived in Belgrade, Serbia and worked as a correspondent there. So those three city pairings, if you knew the date of birth, the gender, and the the region where I was, that might be enough to identify you, identify me or identify other people who had similar city pairings that were unusual. So that's just one example of how you would be able to see into the data and maybe reidentify.
Speaker 2
18:07 – 18:30
Yeah. I know. That's a great great example because it wouldn't it seems to me pretty easy to identify Adam from that, you know, if they just know a little bit about you and can kind of piece that together. So expand on this a little bit. It's a multibillion dollar industry. Why is this information so valuable? How is it being used? And what are the companies or, you know, the different business models that are built off of it?
Speaker 1
18:30 – 20:42
So one aspect that is allowed in this data gathering is to have doctor-identified information. So companies are very, pharmaceutical companies are very interested into what doctors prescribe what medications because, of course, the doctors are the gateway to sales of drugs. If they don't prescribe them, these drugs will not be sold. So, data miners gather this information and sell it to the pharmaceutical companies that says, Dr. Jones on Main Street in this town, he prescribed a thousand of these pills a month for company A, but very few for company B. Now, if you work for company B, you may then send a salesman and say, Dr. Jones, let me give you some free samples. Let me take you out to lunch. Let me explain to you the virtues of our product. So they have this super micro level information on individual doctors and their prescription habits. Sometimes the information can be used in a very real patient specific way. So if you have a blood test on Thursday, that may reveal whether or not you have some serious medical condition, that information may be sold to the drug company that will say, patient Jones, a patient, Dr. Jones is a patient who has tested positive for this disease. They could send someone to the doctor's office on Monday to say, oh, I understand you have a patient with this disease. Let me tell you about our great new medication that deals with this disease. The doctor hasn't even seen you yet. You arrive Tuesday, and the doctor has on his mind this great new drug, which could be a great solution to your problem. It may be a more expensive one because they have not talked about the generics or other possible cures. So these are some of the kinds of ways that doctor-identified information is used. Wow. 
Also, nowadays, there's direct advertising, for drug companies to consumers. And that's existed already for a couple of decades, using this information to figure out what kind of patients have what kind of problems. And another way, they use the information about us to market to us. That's interesting. Now, isn't some of this data protected under HIPAA? Or is it the fact that this is,
Speaker 2
20:43 – 20:53
you know, anonymized or de-identified data, does that remove that from protection? And HIPAA, I'm gonna mess up exactly what the acronym stands for, but it's the health privacy law.
Speaker 1
20:55 – 21:31
So basically, you're correct. The the rules on transferring data between medical providers are called HIPAA. They date back twenty years ago. They say that if your information is anonymized, if your name is removed, certain other bits of information about you are removed, then that information is not data about you. So it may reveal that you have a terrible medical problem, that you have a chronic disease of some kind. But once it's anonymized to those rules set twenty years ago, then it can be freely traded without you knowing about it and without you having a say in that trade.
Speaker 2
21:32 – 22:11
Interesting. So let's get back to, I mean, this has kind of freaked me out. Well done. That's definitely made me think about my health data and my, actually, doctor's appointment tomorrow. I I work, I go through one of those kind of fancy concierge ones where it's all about, you know, making appointments online, getting your results, you know, via an app. So a lot to think about there. But you did raise this a little bit. There are certainly good uses for this data. But, you know, certainly in your book, you make the case that they aren't really being fully realized. Why is that? How can how can we make it so that patient data, health data is actually used to improve our health?
Speaker 1
22:12 – 23:39
Well, so the the the what I call the patient data paradox is that we would like to have the fullest access to our medical information and make that available to our doctors to to treat us if and when we have any issues. We don't have that comprehensive dossier about our own medical, history from dating back years, whereas commercial providers are building a much better version of that behind the scenes. They've been more successful in pairing together information from different providers. So if you go to CVS today and Walgreens tomorrow, they can gather that information. It's very difficult to do that as a consumer today. Even though people have been working at this for the last half century, there's far more money in the field of buying and selling drugs than helping patients. And that's part of the reason for that. Another reason is that the different systems, the electronic medical record systems, speak different languages in effect. So if you go to one doctor and he uses one system, it may not be comparable with, a colleague across the town who uses a different system. It's akin to one system speaking Japanese and the other German. They just don't speak the common language. And combining the data from the two systems doesn't work well. All of this is despite the fact that the US government has spent more than $30,000,000,000 in, in recent years encouraging the, adaptation of electronic medical record systems by doctors.
Speaker 2
23:48 – 24:20
Information, that remains quite elusive. Yeah. It sounds like it it might be difficult to change doctors and, you know, have all your data follow you from one doctor to the other and and all that sort of stuff. So is there advice, you know, average citizen, someone who, you know, cares about their health, wants to have more control of their health data? I mean, for whatever reason it is, whether it's to just get better better care or if it's just, you know, privacy concerns. Do you have any advice on how, you know, if it's if it's our body and our data, how we can take better control of it?
Speaker 1
24:20 – 25:46
So as an individual, at this point, it's much harder to do. Now in nonmedical data, there are things you can do. You can use certain Internet browsers that are more privacy sensitive. You can use different email addresses. You can you can take care in in the kind of information you share. Largely, you don't have that choice in the world of medical data. You could choose a doctor based on what electronic medical record system they use and whether or not that system shares the data. You could go to pharmacies that do not share data or try to pick an insurer that does not share the data. And there are some that do, and there are some that don't. But that would be quite hard and quite cumbersome given the way health care works in this country. A much better system would be for the rules to be changed to empower patients to be able to decide what happens to their information. So if you said that health information is information about a person, whether or not it's anonymized, that would give you the choice as to what happens to your information. I should mention that there's a lot of great medical researchers that are doing important work to try to solve disease and come up with new insights on health. Doctor. Right. Doctor. But I think we should have a choice. The same as you have a choice of whether or not you want to donate to charity. You're not obliged to give your money on set intervals to certain charities. You have that choice. I think similarly, you should have the choice whether or not to donate your information
Speaker 2
25:46 – 26:10
to medicine and if so, to whom. That's a great point. And of course, everyone should exercise their choice to donate to the Center for Democracy and Technology. We're a great nonprofit. So I'll put the plug in there. But more importantly, you should definitely all check out Adam's new book, Our Bodies, Our Data. Hopefully, this excited everyone about it. Pick up a copy. Adam, thank you so much for joining Tech Talk. This was truly informative.
Speaker 1
26:11 – 26:13
It's great to be with you. Thanks very much.
Speaker 2
26:19 – 26:42
That's it for this episode of Tech Talk. Be sure to check out Nuala's post at cdt.org and follow CDT across social media platforms to keep up to date on how we are addressing the flurry of activity from the new administration. It's definitely a time we all need to stand up for our civil liberties, and CDT has never been more committed to advocating for everyone's digital rights. I'm Brian Wasilowski. Thanks so much for listening.