19 December 2017

Product Lifetimes

What is a lifetime in relation to a product warranty under the Competition and Consumer Act 2010 (Cth)? The Australian Competition and Consumer Commission (ACCC) has reminded people that 'lifetime' refers to the consumer - put simply, the human animal - rather than to the shorter period of flourishing of a snail, gnat or other non-human animal or to the lifetime of electronic kit.

The ACCC reports that it has accepted a court-enforceable undertaking from consumer electronics manufacturer Belkin to honour claims under its lifetime warranty policies for the lifetime of the original purchaser.

It comments
During 2016 and 2017, Belkin supplied certain products with a “lifetime warranty” or “limited lifetime warranty”. However, Belkin applied a policy of only repairing or replacing products under these warranties within the five years from the date of purchase.
A disclaimer was not printed on product packaging but was referred to on Belkin’s website. Products affected by these “lifetime warranty” claims included wireless routers, switches and cables.
“Belkin has acknowledged that its lifetime warranty representations may have breached the Australian Consumer Law, which prohibits misleading or deceptive conduct and false or misleading representations about the effect of a warranty or guarantee,” ACCC Commissioner Sarah Court said. “Manufacturers must ensure consumers are not misled by warranty representations. If a business makes a lifetime warranty claim, they must be very clear about what this means with their customers.” 
In addition, Belkin has admitted that some products with lifetime warranties were likely to be non-compliant with the Australian Consumer Law because they did not include the wording required for use in any warranty against defects. 
Belkin has undertaken to correct its website and packaging to comply with this requirement.
Belkin cooperated with the ACCC’s investigation and has taken steps to resolve the ACCC’s concerns.
The specific Undertaking notes
Between about July 2016 and July 2017, Belkin made representations on the packaging of more than 130 types of its products that those products were sold with a “lifetime warranty” or “limited lifetime warranty”.
In fact, Belkin had a policy on repairing or replacing those products pursuant to the warranty only within five years of the date of purchase.
On its website, Belkin stated that these warranties applied for the lifetime of the product, which Belkin had determined to be five years, not the lifetime of the consumer. However, there was no material on or in the packaging of Belkin’s products informing consumers of this.
The ACCC considers that some consumers may have understood that a “lifetime warranty” or “limited lifetime warranty” applied for the lifetime of the purchaser, or a period longer than five years.


Presumably in response to yesterday's report on the reidentification of health data noted here, the Office of the Australian Information Commissioner (OAIC) has released a statement that it is still investigating the 2016 health data breaches but is - of course - mindful of the importance of trust.

The delay is symptomatic of the OAIC's bureaucratic incapacity (regulatory capture exacerbated by under-resourcing after the year when Attorney-General George Brandis recurrently announced that the OAIC would be abolished but failed to get his legislation through the national legislature).

It adds weight to the UNSWLJ article by Burdon and Siganto on OAIC Own Motion Investigations.

That article - 'The Privacy Commissioner and Own-Motion Investigations into Serious Data Breaches: A Case of Going through the Motions?' in (2015) 38(3) University of New South Wales Law Journal 1145 - commented
If the OAIC does not have the technical knowledge or skills to analyse the causes or methods for prevention of security breaches, or to assess technical details about how security breaches occurred, then it is not clear how the OAIC is able to conduct these investigations or assure itself that third-party expert reports are accurate, complete and based on the use of an appropriate standard of care. It is therefore difficult to determine how the OAIC can adequately say whether there has been any failure to properly protect personal information. 
Our investigation of the six OMIs suggests that the OAIC’s decisions to commence the investigations were in response to media and were perhaps motivated by an interest in raising the profile of data breaches in Australia to support the introduction of a mandatory notification scheme. Whether this is in fact correct or not, there are clearly issues with the process followed in each investigation. In all of the OMIs, an ‘on the papers’ approach was used, based on written responses to largely generic requests for information. There was virtually no second-round questioning, independent evidence gathering or confirmation of the facts as asserted by the respondents, whether directly or via third-party investigation reports commissioned by the respondents. The decision-making process used is also not clear. The change in the outcome of the Medvet investigation, after the initial outcome was communicated to the respondent, in particular raises issues as to the basis for the OAIC’s decision-making in these cases. 
We assert that these issues arise, in part, as a consequence of the limited powers, skills and resources available to the OAIC at the time. Given the OAIC’s new powers and increased accountability, these issues may be addressed in future Commissioner-initiated investigations. However, without the allocation of significant additional resources, it seems unlikely that there would be any significant change in process. Reliance on third-party investigation reports commissioned by the respondent in a future investigation may not be an appropriate resolution. 
The OAIC is right to emphasise that the problem of data breaches is likely to remain. However, the examination of the six OMIs reveals that the investigatory approach adopted can lead to the situation where the OAIC investigators are simply going through the motions. On that note, given the issues we highlight in this article, the OAIC’s data breach investigations as a body of work are unlikely to be of assistance in regulatory efforts to prevent data breaches, unless significant changes are undertaken. Such changes would herald a major policy shift regarding the role of the OAIC, characterised by the need for a supported, adequately resourced and thus proactive Australian privacy regulator. In that regard, our examination of six relatively recent OMIs sounds a warning not just as to what has happened, but also for the future.
Alas, what was past is present. The OAIC's statement yesterday reads
The Australian Information and Privacy Commissioner is currently investigating the publication of the Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) datasets on data.gov.au. The investigation was opened under section 40(2) of the Australian Privacy Act 1988 (Privacy Act) in late September 2016 when the Department of Health notified the OAIC that the datasets were potentially vulnerable to re-identification. 
Given the investigation into the MBS and PBS datasets is ongoing, we are unable to comment on it further at this time. However, the Commissioner will make a public statement at the conclusion of the investigation. 
Realising the value of public data to innovations that benefit the community at large is dependent on the public’s confidence that privacy is protected. The OAIC continues to work with Australian Government agencies to enhance privacy protection in published datasets.
A different perspective is provided in the US World Privacy Forum report by Pam Dixon and John Emerson on The Geography of Medical Identity Theft, presented at the Federal Trade Commission Workshop on Informational Injury.

The report comments
Medical identity theft has existed in various forms for decades, but it was in 2006 that World Privacy Forum published the first major report about the crime. The report called for medical data breach notification laws and more research about medical identity theft and its impacts. Since that time, medical data breach notification laws have been enacted, and other progress has been made, particularly in the quality of consumer complaint datasets gathered around identity theft, including medical forms of the crime. This report uses new data arising from consumer medical identity theft complaint reporting and medical data breach reporting to analyze and document the geography of medical identity theft and its growth patterns. The report also discusses new aspects of consumer harm resulting from the crime that the data has brought to light.
The authors argue
medical identity theft is growing overall in the United States, however, there’s a catch. The consumer complaint data suggests that the crime is growing at different rates in different states and regions of the US, creating medical identity theft “hotspots.” Populous states such as California, Florida, Texas, New York, and to a lesser degree, Illinois, often have high consumer complaint counts, which can result from population effects. Based on data analysis of “rate per million” so as to equalize for population, strong additional patterns emerge from the complaint data. Notably, a large cluster of southeastern states emerges as a regional hotspot for medical identity theft, with steady growth patterns. Medical identity theft hotspots have also occurred in a dispersed mix of less populous states.
In addition to documenting geographic and growth patterns, the complaint data also documented significant and heretofore largely unreported patterns of harm related to debt collection resulting from medical identity theft, including debt collections documented to be one to three years in duration. 
The documentation of debt collection impacts on victims of medical identity theft is new information, and needs to be added to the understanding of how medical identity theft impacts victims of the crime. Although impacts and modalities will be discussed in detail in Part 3 of this report series, this report touches on this research as it represents a significant adjacent finding.
Their recommendations include:
• The Department of Health and Human Services should facilitate the collection of follow up information from those affected by medical data breaches, specifically including data to document medical debt collection activity post-breach. 
• Policymakers and law enforcement agencies should take regional and state hot spots suggested by the data into account when planning resources for medical identity theft deterrence, prevention, and remedies. 
• Healthcare providers and related stakeholders need comprehensive risk assessments focused on preventing medical identity theft while protecting patient privacy. These risk assessments need to include specific plans for handling patient debt collection practices, and specific procedures that will prevent debt arising from medical identity theft to be passed to a collection agency. 
• Patients, medical data breach victims, and other identity theft victims should be aware of states where medical identity theft is more active. 
• The Consumer Financial Protection Bureau should monitor medical debt collection practices more closely and address abuses.

18 December 2017

Reidentification of Australian Health Data

Recalling past items on health data sharing (eg here and here) and restrictions on reidentification (eg here) it is interesting to see a solid Australian study of reidentification.

'Health Data in an Open World' by Chris Culnane, Benjamin I. P. Rubinstein and Vanessa Teague comments
With the aim of informing sound policy about data sharing and privacy, we describe successful re-identification of patients in an Australian de-identified open health dataset. As in prior studies of similar datasets, a few mundane facts often suffice to isolate an individual. Some people can be identified by name based on publicly available information. Decreasing the precision of the unit-record level data, or perturbing it statistically, makes re-identification gradually harder at a substantial cost to utility. We also examine the value of related datasets in improving the accuracy and confidence of re-identification. Our re-identifications were performed on a 10% sample dataset, but a related open Australian dataset allows us to infer with high confidence that some individuals in the sample have been correctly re-identified. Finally, we examine the combination of the open datasets with some commercial datasets that are known to exist but are not in our possession. We show that they would further increase the ease of re-identification.
The authors note
In August 2016, pursuing the Australian government’s policy of open government data, the federal Department of Health published online the de-identified longitudinal medical billing records of 10% of Australians, about 2.9 million people. For each selected patient, all publicly-reimbursed medical and pharmaceutical bills for the years 1984 to 2014 were included. Suppliers' and patients' IDs were encrypted, though it was obvious which bills belonged to the same person.
In September 2016 we decrypted IDs of suppliers (doctors, midwives etc) and informed the department. The dataset was then taken offline. In this paper we show that patients can also be re-identified, without decryption, by linking the unencrypted parts of the record with known information about the individual. Our aim is to inform policy about data sharing and privacy with a scientific demonstration of the ease of re-identification of this kind of data. We notified the Department of Health of these findings in December 2016.
Access to high quality, and at times sensitive, data is a modern necessity for many areas of research. The challenge we face is in how to deliver that access, whilst still protecting the privacy of the individuals in the associated datasets. There is a misconception that this is either a solved problem, or an easy problem to solve. Whilst there are a number of proposals (Australian Government Productivity Commission, 2017), they need further research, development, and analysis. 
One thing is certain: open publication of de-identified data is not a secure solution for sensitive unit-record level data.
Our motivation in this work is to highlight the challenges and demonstrate the surprising ease with which de-identification can fail. Conquering this challenge will require open and transparent discussion and research, in advance of any future releases. This report concludes with some specific alternative suggestions, including the use of differential privacy for published data, and secure, controlled access to sensitive data for researchers.
Our findings replicate those of similar studies of other de-identified datasets:
• A few mundane facts taken together often suffice to isolate an individual. 
• Some patients can be identified by name from publicly available information. 
• Decreasing the precision of the data, or perturbing it statistically, makes re-identification gradually harder at a substantial cost to utility.
We first examine uniqueness according to basic medical procedures such as childbirth. We show that some individuals are unique given public information, and show also that many patients are unique given a few basic facts such as year of birth and dates of childbirth.
Although the data is only a 10% sample, we can quantify the confidence of re-identifications, which can be high. We use a second dataset of population-wide billing frequencies, which sometimes shows that the person is unique in the whole population.
We then examine uniqueness according to the characteristics of commercial datasets we know of but do not have. We find high uniqueness rates that would allow linking with a commercial pharmaceutical dataset. We also explain that, consistent with “Unique in the shopping mall” (de Montjoye, Radaelli, Singh, & Pentland, 2015), financial transactions in the dataset are sufficient for easy re-identification by the patient’s bank.
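The uniqueness analysis the authors describe (a few mundane facts such as year of birth and childbirth dates isolating a patient, coarser precision lowering that risk, and a population-wide frequency table telling sample-uniqueness apart from population-uniqueness) is the kind of disclosure-risk check a data custodian should run before publishing a unit-record dataset. The Python below is an added illustration, not the paper's code, data or results: the fourteen "patients", their dates and the three-record "sample" are all constructed here, and the precision levels (exact date, month, year) are assumptions standing in for whatever generalisation a release would actually apply.

```python
# Constructed example (not the paper's code or data): measuring how easily
# records in a de-identified unit-record dataset can be singled out from a
# few "mundane facts", and how coarsening those facts lowers the risk.
# All patients, dates and counts below are invented.
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Record:
    pid: str            # pseudonymous id, as in an encrypted-ID release
    birth_year: int
    childbirths: tuple  # tuple of datetime.date, may be empty


# Assumed precision levels for the quasi-identifier built from the facts.
PRECISIONS = ("exact", "month", "year")


def quasi_id(rec: Record, precision: str) -> tuple:
    """Quasi-identifier (year of birth + childbirth dates) at a precision."""
    if precision == "exact":
        births = tuple(d.isoformat() for d in rec.childbirths)
    elif precision == "month":
        births = tuple((d.year, d.month) for d in rec.childbirths)
    elif precision == "year":
        births = tuple(d.year for d in rec.childbirths)
    else:
        raise ValueError(f"unknown precision {precision!r}")
    return (rec.birth_year, births)


def class_sizes(records, precision: str) -> Counter:
    """Size of each equivalence class (records sharing a quasi-identifier)."""
    return Counter(quasi_id(r, precision) for r in records)


def uniqueness_rate(records, precision: str) -> float:
    """Fraction of records that are the only member of their class."""
    sizes = class_sizes(records, precision)
    unique = sum(1 for r in records if sizes[quasi_id(r, precision)] == 1)
    return unique / len(records)


def k_anonymity(records, precision: str) -> int:
    """Smallest class size: every record is hidden among at least k others."""
    return min(class_sizes(records, precision).values())


def population_unique(rec: Record, population_sizes: Counter, precision: str) -> bool:
    """Is this record unique in the whole population, not just the sample?
    population_sizes plays the role of a population-wide frequency table."""
    return population_sizes.get(quasi_id(rec, precision), 0) == 1


def sample_vs_population(sample, population, precision: str) -> dict:
    """Per sample record: (unique within the sample, unique in the population).
    Sample-uniqueness alone overstates certainty; the population table settles it."""
    s_sizes = class_sizes(sample, precision)
    p_sizes = class_sizes(population, precision)
    return {r.pid: (s_sizes[quasi_id(r, precision)] == 1,
                    population_unique(r, p_sizes, precision))
            for r in sample}


def _r(pid, birth_year, *dates):
    return Record(pid, birth_year, tuple(date(*d) for d in dates))


# Constructed "population" of 14 patients (hypothetical, not real data).
POPULATION = [
    _r("p01", 1980, (2010, 3, 14)),
    _r("p02", 1980, (2010, 3, 14)),
    _r("p03", 1980, (2010, 3, 20)),
    _r("p04", 1975, (2005, 1, 2), (2008, 7, 9)),
    _r("p05", 1975, (2005, 1, 15), (2008, 7, 30)),
    _r("p06", 1990, (2015, 11, 11)),
    _r("p07", 1990, (2015, 6, 1)),
    _r("p08", 1985),
    _r("p09", 1985),
    _r("p10", 1985),
    _r("p11", 1968, (1995, 2, 2), (1997, 9, 9), (2001, 12, 25)),
    _r("p12", 1980, (2010, 3, 14), (2013, 5, 5)),
    _r("p13", 1968, (1995, 5, 5), (1997, 1, 1), (2001, 3, 3)),
    _r("p14", 1980, (2010, 8, 8), (2013, 2, 2)),
]
# The published subset of the population (constructed to be tiny).
SAMPLE = [POPULATION[0], POPULATION[5], POPULATION[10]]


def risk_report(records, precision: str) -> dict:
    """Summary a custodian would compare across candidate release precisions."""
    return {"uniqueness": uniqueness_rate(records, precision),
            "k": k_anonymity(records, precision)}


if __name__ == "__main__":
    for p in PRECISIONS:
        print(f"{p:>5}: {risk_report(POPULATION, p)}")
    for p in ("exact", "year"):
        print(p, sample_vs_population(SAMPLE, POPULATION, p))
```

Run stand-alone, the report shows the trade-off the authors describe: with exact dates most invented records are unique and k is 1, coarsening to months helps only a little, and coarsening to years leaves no unique record (k rises to 2) at the cost of the date detail a researcher might want. The sample comparison shows the second point: every record in the three-record sample is "unique" within the sample, but the population frequency table reveals that p01 shares its exact quasi-identifier with another patient, so only p06 and p11 could be confidently re-identified, and none at year precision.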