jm + ross-anderson   5

Can we have medical privacy, cloud computing and genomics all at the same time?
Today sees the publication of a report I [Ross Anderson] helped to write for the Nuffield Bioethics Council on what happens to medical ethics in a world of cloud-based medical records and pervasive genomics.

As the information we gave to our doctors in private to help them treat us is now collected and treated as an industrial raw material, there has been scandal after scandal. From failures of anonymisation through unethical sales to the care.data catastrophe, things just seem to get worse. Where is it all going, and what must a medical data user do to behave ethically?

We put forward four principles. First, respect persons; do not treat their confidential data like were coal or bauxite. Second, respect established human-rights and data-protection law, rather than trying to find ways round it. Third, consult people who’ll be affected or who have morally relevant interests. And fourth, tell them what you’ve done – including errors and security breaches.
ethics  medicine  health  data  care.data  privacy  healthcare  ross-anderson  genomics  data-protection  human-rights 
february 2015 by jm
Health privacy: formal complaint to ICO
'Light Blue Touchpaper' notes:
Three NGOs have lodged a formal complaint to the Information Commissioner about the fact that PA Consulting uploaded over a decade of UK hospital records to a US-based cloud service. This appears to have involved serious breaches of the UK Data Protection Act 1998 and of multiple NHS regulations about the security of personal health information.


Let's see if ICO can ever do anything useful.... not holding my breath
ico  privacy  data-protection  dpa  nhs  health  data  ross-anderson 
march 2014 by jm
Why dispute resolution is hard
Good stuff (as usual) from Ross Anderson and Stephen Murdoch.

'Today we release a paper on security protocols and evidence which analyses why dispute resolution mechanisms in electronic systems often don’t work very well. On this blog we’ve noted many many problems with EMV (Chip and PIN), as well as other systems from curfew tags to digital tachographs. Time and again we find that electronic systems are truly awful for courts to deal with. Why?
The main reason, we observed, is that their dispute resolution aspects were never properly designed, built and tested. The firms that delivered the main production systems assumed, or hoped, that because some audit data were available, lawyers would be able to use them somehow.
As you’d expect, all sorts of things go wrong. We derive some principles, and show how these are also violated by new systems ranging from phone banking through overlay payments to Bitcoin. We also propose some enhancements to the EMV protocol which would make it easier to resolve disputes over Chip and PIN transactions.'
finance  security  ross-anderson  emv  bitcoin  chip-and-pin  banking  architecture  verification  vvat  logging 
february 2014 by jm
"Security Engineering" now online in full
Ross Anderson says: 'I’m delighted to announce that my book Security Engineering – A Guide to Building Dependable Distributed Systems is now available free online in its entirety. You may download any or all of the chapters from the book’s web page.'
security  books  reference  coding  software  encryption  ross-anderson 
february 2013 by jm
Chip and PIN is broken
Ross Anderson's lab demo an attack on TV whereby any Chip-and-PIN debit card can be used in conjunction with a MITM device, with a PIN of "0000", verified online, and producing a receipt saying "PIN Verified". thoroughly hosed
security  banking  money  chipandpin  crypto  ross-anderson  from delicious
february 2010 by jm

Copy this bookmark:



description:


tags: