Using your medical records to convict your family

The San Francisco Chronicle has posted a story about the Kansas BTK killings that brings to light the privacy issues with family-wide medical records.

[Detectives] learned that Rader had a daughter who had attended Kansas State University, and they reasoned that at some point she must have used the medical clinic, said Wichita police Lt. Ken Landwehr. “It was suggested that she probably had a Pap smear,” he said. Federal law requires that labs keep Pap smears for five years, principally in case of legal challenges over diagnoses.

The prosecutors obtained a subpoena and a court order for the daughter’s specimen to compare with BTK’s DNA. An exemption in the Family Educational Rights and Privacy Act allows law enforcement to obtain a student’s health data with a court order.

“It was obviously good detective work,” said Nola Tedesco Foulston, the prosecutor in the case.

At the same time, said George Washington University law professor Sonia Suter, “it is so troubling to think that somebody would have a sample taken for her medical welfare that is then used to implicate her father.”

I remember reading about the BTK case, but never heard this side of the story. It certainly raises the question of prior consent. Should it be required from one member of a family to release their own identity evidence that could implicate another? And that is just the beginning of what looks like an ethical quagmire.

I really like this quote from a man in New York:

As things stand in some states, lab analysts who discover a potential suspect in this way may not be permitted to share that information with investigators. Such a policy, said William Fitzpatrick, a New York state district attorney, “is insanity. It’s disgraceful. If I’ve got something of scientific value that I can’t share because of imaginary privacy concerns, it’s crazy. That’s how we solve crimes.”

Imaginary? According to US federal compliance requirements for personal identity information, as conveniently documented in HIPAA, privacy concerns are very real and very regulated.

The details of the BTK case remind me of a college philosophy professor of mine who once explained that he gave up practicing law after he grew frustrated trying to defend people against law enforcement officers who flagrantly and repeatedly violated individual privacy. Apparently he thought arguing the case for people after they had experienced a violation was ineffective compared with trying to explain ethics to students. Or maybe he just thought it less stressful.

The Supreme Court has repeatedly held that authorities may not conduct searches for general law enforcement purposes without individualized suspicion. Although convicted criminals have a diminished right to privacy, searching a database for unknown kin might violate that principle, said Jeffrey Rosen, a George Washington University law professor. “The idea of holding people responsible for who they are rather than what they’ve done challenges deep American principles of privacy and equality,” he said. “Although the legal issues aren’t clear, the moral ones are vexing.”

The article is definitely worth a read; it really brings forward the underlying challenge of good/fair governance that plagues compliance and control objectives.

Edited to add (May 9, 2008):

The LA Times published an article on this topic titled “California takes lead on DNA crime-fighting technique”.

Funny title. You would think it would be a crime in America to take your DNA without your consent. It is not, and the Times apparently thinks this development makes California a “leader” in fighting crime:

The policy, which takes effect immediately, is designed to work like this: The state’s crime lab will tell police about DNA profiles that come up during routine searches of California’s offender database and closely resemble, but do not match, the DNA left at a crime scene. (Previously, the state refused to tell police about these partial matches.)

The lab will then perform calculations and tests to determine the likelihood of a biological relationship between the person found in the database and the unknown offender believed to have left DNA at the crime scene.

When such partial matches do not surface or fail to produce a lead, a more customized familial search can be done in which computer software scans the database proactively for possible relatives. The software measures the chance of two people being related based on the rarity of the markers they share.

So, California is the first state to require a “customized familial search” and supposedly has a set of safety measures — family DNA privacy is violated only after all other leads run dry. The LA Times does not give any details other than to say they exist. Not very convincing.

Consider, for example, the following comment on a Washington Post story about the same:

The secret use of Ms. Rader’s DNA is reprehensible, and certainly would not pass a constitutional challenge. However, to make it very clear, we do need a federal law that would ban the use of DNA taken from a non-suspect for a specific purpose from being used WITHOUT CONSENT for different purposes having to do with other people. Additionally, in the Rader case, has anyone considered that this is simply laziness by the police force? Dennis Rader was already the prime suspect; why did they not obtain DNA from the suspect himself — a cup, tissue, straw, cigarette, utensil, etc? As with fingerprints, that is not prohibited by the 5th Amendment.

Excellent insight.

Incidentally, the new law in California is backed by Jerry Brown, a former governor who defeated Ronald Reagan in the 1966 election. He is known for things like opposition to the death penalty, opposition to the Vietnam War and hosting a populist talk-show radio program on Pacifica Radio in Berkeley. Not exactly the sort of guy you would expect to be in this anti-privacy position.

The LA Times article quotes Brown to give his perspective:

Brown said the new approach was justified by violent crime plaguing the state. He emphasized that it would be used only when all other leads had been exhausted.

“We have 2,000 murders a year in California — that is 10,000 since the Iraq war started — and that is a lot of killing,” Brown said. “When you see it and see the victims and have to go to funerals, it is pretty serious stuff.”

I can understand if a suspect search is done in terms specific to that person (e.g. tall, dark, light, fat, wearing x, y, z) but searching through a family’s private records without their consent appears to be a step backwards in terms of security and safety of the public. I suspect (no pun intended) that there are better methods to explore that would reduce violent crime without significant loss of privacy. I fear bad management of this provision and expanded access to DNA data will do more damage than good.

They shoot horses don’t they?

The Associated Press tells a moving story about a bald eagle who has struggled with survival after a violent attack by humans:

Part of Beauty’s beak was shot off several years ago, leaving her with a stump that is useless for hunting food. A team of volunteers is working to attach an artificial beak to the disfigured bird, in an effort to keep her alive.

“For Beauty it’s like using only one chopstick to eat. It can’t be done,” said biologist Jane Fink Cantwell, who operates a raptor recovery center in this Idaho Panhandle town. “She has trouble drinking. She can’t preen her feathers. That’s all about to change.”

Cantwell has spent the past two years assembling a team to design and build an artificial beak. They plan to attach it to Beauty this month. With the beak, the 7-year-old bald eagle could live to the age of 50, although not in the wild.

The odd thing to me about this heroic effort is how it compares to the treatment of Eight Belles after the horse won a $400,000 second prize for its owners in the Kentucky Derby. I have refrained from commenting on the horse until now because I was hoping to hear more from the owner perspective, but his latest statement concerns me even more than before:

“We have photos 50 to 70 yards from where this happened and the horse had her ears up and she was happy,” Jones told Reuters in a telephone interview on Monday.

“If this horse had anything going on with her at the time, she didn’t know it. If the horse never had a clue, there’s no way the jockey could have had a clue.”

About a quarter-mile after finishing second to Big Brown in the $2 million Derby, Eight Belles collapsed on the Churchill Downs track with two shattered ankles and was put down by lethal injection.

Compare/contrast. Innovation to save a life versus…?

If the horse was happy and did not know only moments before that she would break her legs…why not spend some of her winnings to find a way to survive the injury and help other horses prevent similar injuries or recover from them as well?

I do not claim to understand animal science or medicine, but I see the bald eagle story as inspiring while the Derby incident feels like the opposite. Why did the horse have to be put down immediately? Conventional wisdom seems to suggest that horses can survive fractures, and the owners must have health insurance. I am sure any number of experts will be called upon to explain the death, but think of the eagle and imagine a different ending for the prize money:

The hoof is a bit like a fingernail, and the onus is similar to a human trying to get around — fast — just on the middle toe of the foot.

That’s why a horse’s leg has to be repaired quickly and the horse has to put weight back on it quite soon. Otherwise, there’s just too much pressure on the leg that doesn’t have a partner, especially if that’s a foreleg, McIlwraith said.

Horses using just three legs will develop laminitis, a condition that doesn’t have a human equivalent.

It is not easy, clearly, to save a horse’s life. Science is helping, but I guess the question is what would motivate a race horse owner to save an injured young horse, or even give it up for adoption, instead of euthanizing it immediately?

iC critique of Société Générale

I was just listening to a presentation of how the SIEM deployment at Société Générale did not work adequately. It is not hard to figure out the vendor they used, so I’ll leave it alone here, but you might want to look it up if you own one or are considering a purchase.

Researching some of the control/compliance mistakes brought me to a site called innovation Creators where a consultant had a few blistering comments, attacking both the WSJ and Société Générale management:

Derivatives trades may be complex bets, but they do result in real money flowing back and forth. That real money comes out of real bank accounts. Eventually, the CFO has to notice. Something like

“Holy Crap!, we have 500 Million more Euros than we thought we would”

And, when your bets start to get into the Billions of Euros, if you are betting exchange traded futures, real margin calls start to happen. If you are betting OTC derivatives, other banks, with half way decent internal controls, start calling you up and asking for more collateral.

The SocGen CFO and the head of Treasury should have noticed.

Some good questions raised by the author, and useful insights, albeit a bit condemning of human error. I am most curious about how the SIEM implementation will change now, or whether they will abandon the current vendor and seek out one of the market leaders to help fix their controls.

Polish teenager compromises local light rail

A story in The Register discusses an infrastructure compromise in Poland orchestrated by a motivated teenager:

Transport command and control systems are commonly designed by engineers with little exposure or knowledge about security using commodity electronics and a little native wit. The apparent ease with which Lodz’s tram network was hacked, even by these low standards, is still a bit of an eye opener.

Problems with the signalling system on Lodz’s tram network became apparent on Tuesday when a driver attempting to steer his vehicle to the right was involuntarily taken to the left. As a result the rear wagon of the train jumped the rails and collided with another passing tram. Transport staff immediately suspected outside interference.

The youth, described by his teachers as an electronics buff and exemplary student, faces charges at a special juvenile court of endangering public safety.

A “little native wit”? It actually does not sound like there was much ease, since the teen reportedly spent a great deal of time studying the system. I guess what I am saying is let’s give this guy some credit. He did not just park his car on the tracks; he actually did some research and development.