So there is a lot in the news right now about our devices eavesdropping into our private conversations.
This problem snapped into vivid focus the other day, when I got a Facebook advertisement about a very detailed specific medical procedure. And it just so happens that in just over a week, I’m going in for that specific medical procedure.
Now let me be clear – the only people on earth who know about this procedure in detail are me, my doctor, and my wife. All of the information exchanged on this topic has been via in-person conversations. I have not Googled the procedure, or talked about it anywhere in writing. This is a very clear example (as if we needed another one) of our phones eavesdropping into our private conversations, documenting that information, then selling it advertisers for a profit.
I believe this specific instance could also be illegal.
HIPAA and your personal medical information
HIPAA, or the Health Insurance Portability & Accountability Act of 1996, was designed to protect the flow of our Protected Health Information (PHI). PHI includes “health status, provision of health care, or health care payment that can be linked to any individual.” This PHI information was taken from me (by listening in to conversations from my smartphone) and used without my knowledge, authorization or consent. This is, I believe, potentially illegal in accordance with federal wiretap laws. If a hacker were to take PHI from my doctor’s office, there would be severe financial penalties for that practice. They would also be mandated by law to inform me within a specific period of time that my PHI had been taken without my consent.
The question is, does Facebook have a responsibility to protect my PHI? Are they a HIPAA compliant organization?
1. I believe that Facebook has the moral responsibility to protect any and all information that comes from and belongs to me. Notice that I didn’t say they have a legal responsibility. That battle is being fought in the current legal battlefield, and it’s not going well for us. To quote one of Facebook’s lawyers in a news article, “There is no invasion of privacy at all, because there is no privacy.” Here I will reference a rather excellent documentary that is currently on Netflix called The Great Hack, which includes interviews from some insiders / whistleblowers who discuss what information Facebook (and other organizations) are gathering without our knowledge. This information is harvested, then sold to organizations like the now defunct Cambridge Analytics organization, who uses AI (artificial intelligence) and big data analytics to bring together (aggregate) and make sense of (correlate) this information. What organizations like Cambridge Analytics do with this information could be considered diabolical – the information is sold to anyone with enough money, to modify our behavior. Probably the most well publicized use of this information was the targeted ads in the 2016 election, used to sway voter attitudes and behaviors. There are certainly other instances where this has worked, such as Brexit. There is no doubt whatsoever that this tactic works quite well – so well, in fact, that the techniques are classified by some as “weapons grade” technology. It is well known within the Infosec community that nation states such as Russia and China use this technology to great effect to sway the West.
2. Facebook is not even supposed to have any of my PHI. How, then, did it provide the very detailed medical advertisement that I received (a screenshot of which is above)?There appear to be no restrictions preventing it from harvesting and using ANY OF your most personal information. In fact, there are very few limitations around what information can be taken from us, without our explicit consent. This is a gray area, though – do you read every End User Licence Agreement (EULA) when you install an app on your phone? You may have given away your rights to privacy, as a payment for that “free” Facebook app.
Currently in the news is strong evidence that tools like Amazon’s Alexa and Apple’s Siri are harvesting audio from your most personal, intimate moments. If your iPhone is near your bedside (and most people’s iPhones are), it is probable that someone at Apple has already recorded and listened to intimate moments with your significant other. Are you ok with strangers listening in on your bedroom and quantifying that information, to try and shape future behaviors for profit? And how could this information be used against you to anyone who has enough $ to buy that information?
Here is a very practical example, using three separate data sets:
- A man checks in at a Starbucks in Camp Hill, PA on the Facebook app
- iPhone geolocation data (pulled from a selfie she took) determines you were there with your Facebook spouse
- Later that evening, Siri overhears that you had a romantic bedroom activity
Here, I’ll map it out for you:
So now, what kind of ads do you think will show up in your Facebook feed, to try and capitalize on your positive experiences?
You’re laughing. This is pretty far fetched, right? No, not so much. Studies have shown people can be easily manipulated in this way. Welcome to the world of Big Data, where everything we do is gathered and analyzed to turn a profit.
Dwight Schrute and Pavlov’s Dog
This only works, because humans are so easily hacked. I’m reminded of Season 3 Episode 15 (Phyllis’ Wedding) of the American TV show, The Office. In this episode, Jim plays a prank on Dwight by recreating Pavlov’s experiment. Jim plays a sound on his computer, followed by offering Dwight an Altoid mint. This repeats several times, until Jim plays the sound, and Dwight automatically reaches his hand out to Jim. Jim then asks Dwight why he is reaching out, and Dwight is confused and does not know why he is doing this. His mind has easily been hacked. With Social Media, our minds are being hacked every day – and we can’t seem to get enough of it. In a way, our arm is reaching out for the Altoid mint – and we don’t even realize it.
Batman versus Facebook
In the fantastic movie Batman The Dark Knight, Batman faces off against the diabolical Joker (played by Heath Ledger, in perhaps the greatest super-villain performance in the history of all comics movies). In the leadup to the final battle, the Joker must be tracked down before he kills innocent people who are trapped on some boats. Yeah, I know, I totally oversimplified the plot, sorry. To track the Joker down, Batman uses a vulnerability to hack into all the cell phones of the citizens of Gotham City, and uses their audio information as a type of sonar. When Batman asks his chief technology nerd Lucius Fox (played by Morgan Freeman) to monitor the system and find the Joker, Fox is dumbfounded at how technology is being used in such an unethical way. He agrees to help, out of obligation to stop the Joker… but resigns his employment out of protest, vowing to never again use this information in such an unethical way, without consent of the data owners.
What a futuristic sci-fi usage of our cell phones! Be honest – part of you wanted to cheer for Lucius when he took a stand and resigned at the unethical use of technology. And yet our phones are being used in a similar manner, and instead of outrage, we happily lap it up and beg for more. That Facebook app on your iPhone is not free – you are paying for it with your valuable personal information. For organizations like Facebook, it’s an incredible bargain. Where is Morgan Freeman’s moral compass now? We need Morgan Freeman!
Wrapping it Up
This blog does not have a simple answer… or any answer at all. I’m outraged that SOMETHING took my personal medical information without my consent, then SOMEONE used that information in an attempt to change my behavior. There is so much debate about what that SOMETHING is that took my information – was it an application on my phone, such as Siri, Alexa or Facebook or the Apple IOS? Who was that SOMEONE who aggregated & correlated (brought together and made sense of) the information, then used it to shovel a targeted advertisement onto my Facebook feed? Was it Cambridge Analytica (or some other similar service? Was it Facebook, or some other advertiser?
We are living in the proverbial Wild Wild West of digital privacy right now, I hope and pray that a new Sheriff comes to town soon to get a handle on this mess. It’s a guarantee that things will only keep getting worse, until that Sheriff arrives. You and I may collectively be the Sheriffs that have had enough, and take a stand for change – but before that happens, we have to give a crap.
To quote the great political scientist Zach de la Rocha, “if we don’t take action now, we’ll settle for nothing later.”