back to article Microsoft to Aussie gov: Privacy rules stifle e-Health

Microsoft has told the Australian government that its focus on storing electronic health records within Australia’s borders “could have a detrimental effect” on security. The Microsoft statements come in a submission to the government’s inquiry into the legislation needed to introduce PCEHRs – personally controllable …

COMMENTS

This topic is closed for new posts.
  1. Medium Dave
    WTF?

    I'd like to think...

    ...that the usual Aussie bluntness will kick in, and Redmond will be told to go pound sand: We live in strange and disturbing times, however...

    1. Bango Skank
      Coat

      Nicky to Balmer "fuckorf ya bastard"

      Yes, one hope Nicky Roxon will tell them to fuck off, but then on a practical note she is very keen on letting patients keep their own EHR data which probably means that it will be all over the web anyway.

  2. Anonymous Coward
    Unhappy

    nobody loves me everybody hates me

    You're assuming that the govt. cares if our personal data is accessed by the US. I would be willing to wager that they don't.

  3. James Henstridge

    If a company with a US operation would be obliged to hand over patient records to the US government while simultaneously being required to keep them private by the Australian government, then I would have thought the solution is simple: don't bid on the contract.

    If you can't guarantee security of the records, then perhaps they shouldn't be in your custody in the first place.

    1. Arctic fox
      Headmaster

      RE:"If you can't guarantee security of the records,...................

      .................. then perhaps they shouldn't be in your custody in the first place."

      I, of course, agree. I think however that the issue is in fact much bigger than just MS. All the major cloud providers are US owned (AFAIK) and it is only just dawning on them how much business the Patriot Act may cost them. Public record keeping of all kinds (not just medical) would be, potentially, a very lucrative market for a cloud provider. What the paranoid patriots in the States have achieved is to give governments all over the face of the planet a powerful motivation for building their own local cloud based resources or hiring in such resources as long as they are not American. Furthermore, let us say that you are a major private company with key IP in an area of tech where some of your main rivals are American. Such a company would likely think twice before hiring cloud services from a US company when a little bit of discrete lobbying by one of their well heeled US rivals with access to the best senators/congressmen that money can buy could result in the company's commercial secrets being blown.

  4. Mark 65

    MS

    Microsoft need to look up the term disingenuous. It has everything to do with security - by keeping them within the confines of your own legal system you can ensure that some numpty like MS losing or revealing them when inappropriate gets absolutely smashed. How on earth is forcing sensitive private data to stay onshore under your legal system rather than ending up in the third World a WTO breach? This is about the first thing I am totally in agreement with that the Government has done and I hope they tell them to "go get fucked".

  5. Anonymous Coward
    Anonymous Coward

    re Mark 65, MS

    It is because Uncle SAM wants to know about every wart, pimple, rash and other unmentionables of everyone in the world.

    Why?

    Because that person might just become the next Shoe bomber.

    The US is paranoid and is a total control freak. US Law is constructed so that US companies that operate overseas HAVE to comply with US Gov directives. If the FBI/CIA/DHS/{insert black hat agencey here}/FDA/DEA/etc etc want your details AND an US Company looks after them, they have to comply irrespective of whatever local law(s) they might be breaking.

    Ok?

    Should be a Black helicopter post but I'll settle for Anon.(not that that will stop them from getting to know about what I just had for brekkie if they really wanted)

    1. The BigYin

      @AC at 07:17

      You have more chance of winning the lottery than of being the victim of a terror attack.

      Terrorists are scum, not going to argue that, but why make the 99% suffer just because 1% are arseholes? Oh, wait, that's policy isn't it? The 1% screw the world over and the 99% pay for it (including bonuses for the 1%).

      Anyway, back on point. Any freedom one loses in the "fight against terror" is a victory for the terrorists. Maybe it's because I'm a Brit but I think the only response to a terrorist is two fingers and total defiance.

      If you want to "protect yourself", put down that burger and go for a walk. You're less like to peg it from heart disease (a greater risk than terrorism) and more likely to be able to outrun the bastards if you have to. Also, talk to your children and help them not fall into the 1%-arsewipe category.

    2. John G Imrie

      I just had for brekkie

      Cornflakes,

      Coffee, white no sugar.

      Thank you,

      Your friendly CIA operative.

    3. Mark 65

      I understand that the US political class is full of tossers. I also know and understand how they control their companies to data-mine for them. However you have not explained how a country protecting the data of its citizens against a company or country that will abuse that data is a WTO closed market issue. That is simply disingenuous bullshit.

  6. The BigYin

    Ha ha ha ha!

    Yes, because MS has such a good reputation for security.

    If the data specification is an open standard, fully documented and can be fully implemented without infringing patents.

    If MS full implement the spec as written and without undocumented features.

    If the crypto/other measures are open, fully documented and can be fully implemented without infringing patents.

    If the crypto is implemented if code that is fully open, documented and can be updated without infringing on patents/copyrights/trademarks.

    That's just for starters and it's a lot of "ifs".

    It would be far, far better for the Oz government to say "We want to solve *that* problem, lets hire someone to do it and request that all the tools be 100% open/free". Why 100% open/free? If the first contractor screws it up or goes bust, another competent entity can be hired in to carry on.

    Also, they the HELL would I want my *extremely* personal data being held in the USA where is can be used and abused under laws which grant me no recourse? You want to do business in Oz/EU/Anywhere? Be beholden to local laws and shut-up.

  7. Anonymous Coward
    Anonymous Coward

    Huh, a law that halfway makes sense.

    Were I the Aussie govt. I'd summarily drop these marketeers and for that matter any american or american-owned companies from the bidding for "sensibility reasons". If the usoa govt complains they can repeal their patriot act first, then we'll think about it, maybe. Really no need to let companies with mob tendencies "protect" my citizens' private and sensitive data by, er, taking it across the border.

  8. Christoph
    WTF?

    Just what they need

    If there's a major disaster that brings down communications, where better to keep the health records of the disaster victims than on a different continent?

    And it's interesting that they specifically state that if a company has any presence whatever in the US then US law overrides local law in any other country they operate in. I wonder what the US reaction would be if the reverse applied?

    What is the EU position on the clear statement that almost any EU personal data held in the EU can be grabbed at will by the US despite all EU privacy laws? So it doesn't even have the pathetic 'protection' of data that's deliberately transferred to the US under a privacy agreement.

    I note also that this means that any company with a US presence can be legally required to hand over its trade secrets for distribution to its US rivals.

  9. Andy 18
    Black Helicopters

    Couldn't agree more

    The EU has legislation about personal data that say all personal data from or passing through the EU must be handled to the same level of security/privacy as data held in the EU. Almost no US companies (or outsourced call centres for that matter) comply with that one either.

    One day an enterprising lawyer will realise and we'll have a nice bonfire of the outsourcers. The NoTW invaded privacy actively, but there isn't much difference in the final result between going through someone's bins for personal information and leaving personal information insufficiently protected on the internet.

  10. This post has been deleted by its author

  11. Anonymous Coward
    Anonymous Coward

    The Microsoft Document is a hoot!

    Some examples:

    "2.3 Specifically Microsoft submits that:

    a) healthcare information stored in a PCEHR (PCEHR Information) will not necessarily be better secured and protected simply by virtue of data being held within Australia’s territorial boundaries, as compared to storage repositories and portals located outside of Australia that are operated under security and privacy systems that are world’s best practice;"

    And

    "4.5

    <SNIP>

    Microsoft has implemented and maintains state-of-the-art technical and organisational measures, internal controls, and information security routines intended to protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction. "

    I think the key word there is "intended"

    http://www.theregister.co.uk/2009/10/19/microsoft_danger_sidekick_where_art_thou_data/

    http://www.theregister.co.uk/2011/06/30/microsoft_cloud_uptime/

    http://www.theregister.co.uk/2011/09/09/microsoft_cloud_outage/

    ... And speaking of state-of-the-art technical and organisational measures, internal controls etc., how about these these classic snafus in their own document management?

    "4.4 Microsoft considers that these concerns, whilst understandable, can be addressed through the adoption of a risk-based approach to data storage for the PCEHR system. In this regard, Microsoft refers the Government to the process used by the Australian Prudential Regulatory Authority (APRA) in regulating the storage of data by banks and financial institutions (discussed in section Error! Reference source not found. below)."

    "5.1

    As referred to in section Error! Reference source not found. above, the Draft Bill contains, or envisages that the PCEHR Rules will effectively create a new category of personal information which must not be held and cannot be taken outside of Australia."

    "5.2 APP 8 deals with the cross-border disclosure of personal information.

    <SNIP>

    Microsoft’s view is that these safeguards relating to cross-border transfer of personal information, in particular the requirement that the outsourced service provider agrees to comply with Australian privacy law, together with a risk-based approach similar to that adopted by APRA (discussed in section Error! Reference source not found. below), could apply equally to PCEHR information being held or taken outside of Australia."

    Then what they don't say is more chilling than what they do say

    "4.5

    <SNIP>

    Loss of control of data stored off-shore

    It is not the case that an entity loses control of its data when it is stored other than in Australia. As one example, Microsoft’s proposition in relation to customer data held in its cloud is that the customer “owns” and will always retain the ability to access, control and recover that data."

    "Access, control and recover" - I really wish "delete" was explicitly mentioned in that list.

    Consumer choice is, of course, paramount...

    "2.3

    <SNIP>

    d) the PCEHR system has, at its theoretical core, the concept of giving to individuals control and access to their healthcare data. The blanket nature of the Local Operator Restriction and the Data Holding Prohibition severely limits this right. Consumers should have the ability to personally control their PCEHR by choosing to have their PCEHR Information held by an entity not located within Australia’s territorial boundaries if they believe that entity can provide to them a service that meets their individual needs;"

    I wonder how long it will be before identically worded messages arrive from "grass roots" entities insisting on their need and preference to store their personal data overseas?

    http://wiki.linux-delhi.org/cgi-bin/twiki/view/OpenStandards/MsNgoLobby

    Then there is the barrier to trade stuff

    "7.2 Microsoft acknowledges and applauds the Australian Government’s commitment to an open global trading system that enables the lawful participation of corporate entities from other nations in the Australian economy.

    <SNIP>

    Microsoft is not aware of any law of the United States of America that would prevent an Australian company from providing healthcare repository or portal services to citizens of the United States of America."

    But why would any American - whose personal data is already just a National Security Letter away from seizure without due process - care if their data is stored somewhere else?

    s/healthcare repository or portal/gambling/ and what do you get?

    http://www.theregister.co.uk/2004/11/11/us_gambling_wto_rumble/

    http://www.theregister.co.uk/2007/12/21/antigua_us/

    http://www.theregister.co.uk/2008/09/26/gambling_domain_seizure/

    The best thing the Australian government could do would be to legislate to impose unlimited fines on any company that allows such data out of the country without due Australian process - thus providing an incentive for truly local businesses to provide such a service. If the multinationals really want the business they can put their lobbying money where their mouth is and buy a change to American laws - because it is AMERICAN laws that are causing the problem.

  12. gerryg
    Black Helicopters

    In other news (actually, not metaphorically)

    http://order-order.com/2011/11/25/russian-tv-newsreader-gives-obama-the-finger/

  13. This post has been deleted by its author

  14. DigiGuy

    DigiGuy

    I hope the Aussie government can see through this. We do not need our private information/data held by an overseas company and/or country where we would have no real control over this data. The opinion of a company such as Microsoft (a twice convicted monopolist ) should be one of the first opinions discarded as they have proven many times over that they have not the slightest care for anything at all, except for their bottom line.

  15. Peter Fairbrother 1

    It is not unusual for US law and US Courts to claim jurisdiction anywhere in the world, eg they do this over the taxpaying requirements of US citizens.

    Microsoft's statement is probably true in terms of US law, but it isn't quite as straightforward as it might seem.

    I imagine it goes something like this: Suppose a US Government demand fopr data is made, and a Court order is made. The US branch office cannot obtain the data themselves, and they ask the UK office. The UK office says no.

    What can a US Court do to enforce the order? A very long story, but in the end, nothing substantial. So while they may claim jurisdiction, it doesn't mean much.

    To address the wider issue, what Microsoft are _really_ upset about is clouds. First, some law:

    -*-

    Data Protection Act, Schedule 1 part 1, principle 7:

    Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

    Data Protection Act, Schedule 1 part 2 section 11: Interpretation of the seventh principle,

    Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

    (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

    (b) take reasonable steps to ensure compliance with those measures.

    -*-

    Another bit of law, about the WTO, but I don't have details to hand - if measures are taken by one country for the purpose of providing data security, they are not actionable under the WTO, even if they restrain trade etc.

    -*-

    And what it comes down to is this: Microsoft say that encryption and their "best practices" provide better security against unauthorised processing than let's say only keeping the data in a local office.

    (the data controller is the only person capable of granting authorisation, as the requirement to follow the principles is upon him and no-one else, that's DPA section 4(4) I think offhand).

    Which, if Microsoft were correct about the US Government's ability to demand data, would be immediately obvious nonsense - rather than the slightly-less-obvious nonsense it is.

    (a UK data controller is required by law to protect personal data in his control against the US government as well as spammers and identity thieves. He's also required to protect it against the UK Government, who if they want it must get it through him).

    It's long past time that the UK (and EU/EEA) Information Commissioners gave clear guidance that personal data cannot be stored in clouds. Full stop.

  16. Anonymous Coward
    Anonymous Coward

    Microsoft not required

    and not particularly desirable for healthcare.

This topic is closed for new posts.

Other stories you might like