Volume 10, Issue 46 December 16, 2011

Feds Scrutinizing Carrier IQ The U.S. Federal Trade Commission is investigating allegations that Carrier IQ software is being used by operators to track cell phone activity without user permission, The Washington Post

reported today citing anonymous officials.

By Elinor Mills, CNET News

Andrew Coward, vice president of marketing at Carrier IQ, told CNET he could not say whether there was an official investigation or not but said he spent Monday and Tuesday in Washington, D.C., talking to officials from the FTC and the Federal Communications Commission and answering their questions.

"Investigation is probably too strong a word," he said. "We sought the meetings with the FCC and FTC in the interest of transparency and full disclosure, and to answer their questions."

FTC spokeswoman Claudia Bourne Farrell said: "FTC investigations are non-public with a narrow exception that would not be met in this case. I can neither confirm nor deny that the FTC is investigating Carrier IQ."

The company has come under fire for its Carrier IQ software that some carriers -- including AT&T, Sprint and T-Mobile -- use to gather data from phones that can be used to diagnose problems with the network. Android developer Trevor Eckhart first complained in mid-November, calling Carrier IQ a "rootkit" that tracked the location of the phone, what keys were pressed, which Web pages were visited, when calls were placed, and other information.

But a video he posted to the Web after that really stoked the fire. Carrier IQ says the video is confusing, showing information from the phone via an Android log file and that not all that information is logged by Carrier IQ and transmitted off the phone.

Carrier IQ says the software is designed to help carriers troubleshoot network failures and other problems, such as when calls drop or batteries get quickly depleted, and not designed to capture keystrokes or the content of messages. Outside experts say it's not a "keylogger." The company released more details in a report on Monday.

More at http://cnet.co/sIRu96

Figure of the week

27 The number of EU Member States where almost three quzrters of houselhokds had access to the internet in the first quarter of 2011.

Volume 10, Issue 46 December 16, 2011 Page 2

Health IT Law Enforcement Can Access Data Bank Without Doctors' Knowledge

The rule, a response to the expansion of the National Practitioner Data Bank, is intended to help prevent evidence tampering.

By Carolyne Krupa, amednews.com

Physicians and other health professionals no longer will be notified if someone accesses information about them through the National Practitioner Data Bank for an investigation, according to a federal rule that takes effect Dec. 23.

The rule, an exemption to the Privacy Act, is meant to prevent tampering with evidence and is limited to law enforcement agencies, said David Bowman, a spokesman for the Dept. of Health and Human Services' Health Resources and Services Administration, which administers the data bank. Law enforcement agencies are authorized to see information on adverse actions against physicians such as medical board disciplinary actions and peer review sanctions.

Such queries make up less than 1% of NPDB queries, with an average of 20 by law enforcement annually, according to the rule.

"The intent of the exemption is to protect a current or potential criminal investigation," Bowman said. "Historically, there have been very few queries by law enforcement agencies."

Some physicians question the need for the rule. During a 60-day comment period that ended April 18, an unidentified national physician organization cited concerns that the rule would "result in wasted law enforcement resources and would deny physicians due process."

Health professionals who query the NPDB on themselves now are notified of anyone who requested information about them.

Doctors can't control information sent to the NPDB, but they have the right to object to anything they believe is inaccurate, said Andrew B. Wachler, a health care lawyer who represents physicians on medical licensure and staff privilege issues.

"You may find that there's something on there that you may want to respond to -- and that reinforces an investigator's suspicion -- but it's not accurate," said Wachler, a partner at Wachler & Associates PC in Royal Oak, Mich.

More at http://bit.ly/tkipDY

As Doctors Use More Devices, Potential for Distraction Grows

By Matt Richtel, The New York Times

Hospitals and doctors’ offices, hoping to curb medical error, have invested heavily to put computers, smartphones and other devices into the hands of medical staff for instant access to patient data, drug information and case studies.

But like many cures, this solution has come with an unintended side effect: doctors and nurses can be focused on the screen and not the patient, even during moments of critical care.

And they are not always doing work; examples include a neurosurgeon making personal calls during an operation, a nurse checking airfares during surgery and a poll showing that half of technicians running bypass machines had admitted texting during a procedure.

This phenomenon has set off an intensifying discussion at hospitals and medical schools about a problem perhaps best described as “distracted doctoring.” In response, some hospitals have begun limiting the use of devices in critical

settings, while schools have started reminding medical students to focus on patients instead of gadgets, even as the students are being given more devices.

“You walk around the hospital, and what you see is not funny,” said Dr. Peter J. Papadakos, an anesthesiologist and director of critical care at the University of Rochester Medical Center in upstate New York, who added that he had seen nurses, doctors and other staff members glued to their phones, computers and iPads.

“You justify carrying devices around the hospital to do medical records,” he said. “But you can surf the Internet or do Facebook, and sometimes, for whatever reason, Facebook is more tempting.”

“My gut feeling is lives are in danger,” said Dr. Papadakos, who recently published an article on “electronic distraction” in Anesthesiology News, a journal. “We’re not educating people about the problem, and it’s getting worse.”

Research on the subject is beginning to emerge.

More at http://nyti.ms/s3P7ni

Volume 10, Issue 46 December 16, 2011 Page 3

Privacy and Security Big Brother Is Watching You as Stores Seek Better Data: Retail

Retailers have a case of Web envy.

By Ashley Lutz and Matt Townsend, Bloomberg

Brick-and-mortar stores have long wanted to track consumers the way online merchants do and are starting to figure out how. They’re using security cameras to monitor shopping behavior and tracking mobile phones to divine which stores people visit.

The technologies mean retailers from discount chain Family Dollar Stores Inc. to luxury pen-maker Montblanc can make changes on the fly -- such as deploying more salespeople in a given department and moving high-margin merchandise to parts of the store where shoppers are more likely to see it.

“It’s really a game-changing experience, and this is only the beginning,” said Rodrigo Fajardo, a Montblanc brand manager, who says a six-month-old tracking system prompted him to move best-selling items to another part of his Miami store, boosting sales 20 percent. “Before we were just working based on know-how and intuition. This is designing a retail business based on real statistics.”

As increasing numbers of shoppers migrate to the Web, retailers are using the new technology to boost sales and keep market share. This holiday season online sales may grow 15 percent to $37.6 billion, according to ComScore. That compares with the 2.8 percent sales growth to $465.6 billion for brick and mortar stores predicted by the National Retail Federation.

Online stores have advantages, including the ability to track how long shoppers linger and what they click on, said Lora Cecere, an analyst at Altimeter Group in San Mateo, California. By contrast, brick-and-mortar merchants wait for sales numbers to come in before taking action, she said.

Embracing Data

“Right now physical stores are only looking at dollars per person, dollars per store, and ignoring big problems until the numbers come in,” she said. “To compete they need to embrace this data so they have the ability to innovate.”

For years retailers have deployed security cameras, largely to deter and catch shoplifters. Now some are using the cameras to watch how shoppers behave.

3VR Inc., a security firm that made its first product for the Central Intelligence Agency, realized its cameras could be used to gather consumer data two years ago when T-Mobile USA Inc. asked if the firm could count people entering its stores, 3VR Chief Executive Officer Al Shipp said in an interview.

T-Mobile, based in Bellevue, Washington, now uses the cameras in 1,000 stores to track how people move around, how long they stand in front of displays and which phones they pick up and for how long, Shipp said.

T-Mobile USA, which is owned by Deutsche Telekom AG, declined to comment.

Facial-Recognition

3VR, which is based in San Francisco, is now testing facial-recognition software internally that can identify shoppers’ gender and approximate age. The software doesn’t identify a person; it would give retailers a better handle on customer demographics at specific stores and help them gear promotions to age and gender, Shipp said.

This year, Family Dollar Stores began testing a monitoring system using cameras in 20 stores. Designed by San Jose, California-based RetailNext, which is also working with Cie. Financiere Richemont SA’s Montblanc, the system watches how customers interact with store displays. Then it correlates the results with sales data to figure out the percentage of customers who buy something, right down to individual products.

In many cases, the data refuted conventional wisdom, according to RetailNext CEO Alexei Agratchev.

More at http://buswk.co/vg2q41

Volume 10, Issue 46 December 16, 2011 Page 4

Privacy and Security - (cont.) Announcing the Release of the Blueprint for a Secure Cyber Future

By Janet Napolitano, U.S. Department of Homeland Security

Today, I’m proud to announce the release of the Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise. The Blueprint calls for a coordinated effort across the homeland security community to respond to evolving cyber threats.

This strategy provides a framework for a cyberspace that enables innovation and prosperity, advances our economic interests, and national security, and integrates privacy and civil liberties protections into the Department’s cybersecurity activities.

Today in cyberspace, the Nation faces a myriad of threats from criminals to nation-states.

This Blueprint outlines an integrated approach to enable the homeland security community to leverage existing capabilities and promote technological advances that make government, the private sector and the public safer, more secure, and more resilient online.

Specific actions outlined in the strategy range from hardening critical networks and prosecuting cybercrime to raising public awareness and training a national cybersecurity workforce. Cybersecurity is a shared responsibility, and each of us has a role to play.

In today’s interconnected world, emerging cyber threats require the engagement of our entire society including government and law enforcement, the private sector, and members of the public.

In preparing this strategy, the Department benefited from the constructive engagement of representatives from state and local governments, industry, academia, non-governmental organizations, and many dedicated individuals from across the country. As we implement this strategy, DHS will continue to work with partners across the homeland security enterprise to implement the goals outlined in the Blueprint.

Visit our website to download the Blueprint for a Secure Cyber Future and for more information about the Department’s role in protecting our nation’s cyberspace.

More at http://bit.ly/sldpcG

U.S., European Union Officials Ink Long-awaited Passenger Data Deal

By Aliya Sternstein, Nextgov

U.S. and European Union officials on Wednesday signed an anti-terrorism accord that renews a 2007 agreement to exchange fliers' personal data, despite objections from some EU members who say the deal is excessively invasive despite added data protections.

The pact took years to negotiate because of European members' privacy concerns. The data at issue -- passenger name records -- encompasses an array of information that people register with travel agencies and airlines to book flights, including names, itineraries, phone numbers, payment methods and credit card numbers.

The new policy limits the purposes of reviewing the records to detecting, pre-empting and investigating criminal offenses, according to European Union Council officials. They added it contains a "robust data protection regime," including the stipulation that personal information "be masked out" -- rendered illegible to most users, after six months. After five

years, passenger records will be relocated to a "dormant database" with additional controls. The information, however, will remain accessible to authorities for 15 years for investigations into terrorist activity and 10 years for international crime probes.

The countries will use a technological fix to ensure records cannot be used for anything other than potential terrorist cases after 10 years, DHS officials said.

Two databases, one accessible for any future criminal cases and one for possible terrorist probes, will house the same data. The information stored in the designated crime database will be deleted after 10 years, and the duplicate information in the second database will remain open only to terrorist investigators for another five years.

Beyond enhancing privacy, the plan should help authorities identify illicit activity faster, Homeland Security officials added. Today, records shared are sometimes outdated and only dispatched 72 hours before fliers' departure.

More at http://bit.ly/vCXdvj

Page 5 Volume 10, Issue 46 December 16, 2011

New Reports and Papers

Regulation of Transborder Data Flows Under Data Protection and Privacy Law

By Christopher Kuner, University of Copenhagen

Abstract

Transborder data flows have become increasingly important in economic, political, and social terms over the 30 years since the adoption, in 1980, of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. A fundamental change in the business and technological environment for data processing is also taking place, driven by developments such as the increased globalisation of the world economy; the growing economic importance of data processing; the ubiquity of data transfers over the Internet; greater direct involvement of individuals in transborder data flows; the changing role of geography; and growing risks to the privacy of individuals.

Despite these fundamental changes in the data processing landscape, and the growth in the regulation of transborder data flows in numerous countries, there has been little attempt so far to conduct a systematic inventory of such regulation at a global level; to examine the policies underlying it; and to consider whether those policies need to be re-evaluated. This

Blue Cross & Blue Shield of Rhode Island Electronic Health Record Program Delivers Better Health, Lower Costs

Three-year pilot laid the groundwork for patient-centered medical homes by providing physicians with the tools necessary to provide more integrated and higher quality care

Blue Cross Blue Shield

Blue Cross & Blue Shield of Rhode Island (BCBSRI) today announced results from a multi-year pilot program designed to increase the use of electronic health records (EHRs), transform the way healthcare is delivered, improve members’ health and help moderate healthcare costs. Results of the pilot, which ultimately became the foundation of BCBSRI’s patient-centered medical home model, demonstrate clear value in using health information technology to improve quality of care. Highlights of the pilot include the following:

Lower monthly healthcare costs that averaged between 17 and 33 percent less per member than those receiving care at non-participating practices

Improved healthcare quality, with a 44 percent median rate of improvement in family and children’s health, 35 percent in women’s care and 24 percent in internal medicine

Successful EHR implementations for 79 local physicians

"A recently published New England Journal of Medicine study showed that EHRs improve quality of care for patients with diabetes by reducing unnecessary testing, helping to prevent adverse events and improving patient care coordination as compared to practices that use paper-based methods," said Dr. Gus Manocchia, senior vice president and chief medical officer at BCBSRI. "We have believed for some time that using EHRs makes it easier for us to help members manage chronic conditions. Unfortunately, a lot of local practices just don't have the resources to implement these types of record systems, which is what prompted us to establish the pilot program. We are grateful that so many local primary care physicians agreed to partner with us in this effort to improve the quality of care received by their patients."

More at http://bit.ly/rOi9ND

study is designed to describe the present status of transborder data flow regulation, and to provoke reflection about its aims, operation, and effectiveness, now and in the future.

Introduction

Transborder data flows have become increasingly important in economic, political, and social terms over the 30 years since the adoption, in 1980, of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (hereinafter the ‘OECD Guidelines’ or ‘the Guidelines’). Personal data are now crucial raw materials of the global economy; data protection and privacy have emerged as issues of concern for individuals; and confidence in data processing and privacy protection have become important factors to enable the acceptance of electronic commerce.

The international transfer of increasing amounts of personal data and the growth of electronic commerce have resulted in economic growth and efficiencies that have had a positive impact around the world, while at the same time subjecting the privacy of individuals to risks that could not have been imagined thirty years ago.

More at http://bit.ly/s8uQHg

Volume 10, Issue 46 December 16, 2011 Page 6

Reports and Papers - (cont.) Social Network Websites and Social Movement Involvement

By Elizabeth Schwarz, University of California

Abstract

The Middle East revolutions in early 2011 brought attention to the involvement of online social networks in social movement activity.

Using data from a survey of attendees fielded at the U.S. Social Forum (USSF), a national meeting of social movement participants, this research examines individuals who learned of the social movement event through social network websites (SNSs), such as Facebook or Twitter.

Specifically, the study focuses on attendees’ offline protest activities and organizational memberships, while controlling for individual factors and other ways of hearing about the forum.

Results show that learning of the USSF through SNSs significantly impacts attendees’ organizational memberships and the number of offline protests attended.

Findings suggest activists should consider using SNSs to

supplement more traditional social networks and information channels.

Introduction

The Middle East revolutions in early 2011 set off widespread speculation about the role of the Internet, and particularly online social network tools such as Facebook and Twitter, in facilitating social movement activity (Mejias 2011).

On February 5, 2011 a New York Times article headline announced, “Facebook and YouTube Fuel the Egyptian Protests” (Preston 2011).

A February 1, 2011 CNN.com article headline proclaimed, “Google, Twitter, help give voice to Egyptians” (Gross 2011). However, not everyone holds such enthusiastic views of social network websites (SNSs) and instead they downplay the role of online social networks in the revolutions (Mejias 2011).

Demonstrating a more moderate view, recent writings on the Middle East revolutions place the accomplishments of the revolutions squarely on the shoulders of the people of the Middle East while arguing that SNSs are important as well (Tufekci 2011; Zhuo, Wellman, and Yu 2011).

More at http://bit.ly/taNAuj

KLAS: Cloud Computing Must Mature For Providers to Adopt

CMIO

Market researcher KLAS spoke with 97 providers to develop a general sense of healthcare professionals’ perceptions of cloud computing and found that those utilizing other technologies were skeptical of web-based data storage even though 58 percent said that they were considering cloud systems. “Fifty-eight percent of respondents are considering using cloud computing,” report author Erik Westerlind wrote.

“However, only 35 percent who expressed interest in the cloud have any solid plans to adopt it, showing that providers do not have aggressive cloud implementation timelines.

“In fact, many providers are still vetting out cloud technologies and feel that the technology is a bit premature for healthcare,” Westerlind continued.

Despite skepticism, 71 percent of KLAS’ respondents said that

they were currently using or have definite plans to use cloud-computing technologies for various services that include emailing, image archiving and general storage. Of the 55 percent that said they were currently using cloud-computing capabilities, 23 percent were using it for deploying EHRs.

Providers have been more likely to utilize private cloud services offered by health IT vendors rather than public cloud providers, such as Google and Amazon, because private clouds offer better security, privacy and control of data, the Orem, Utah-based research firm determined.

Providers are primarily considering cloud-based systems, KLAS researchers asserted, to reduce costs.

“Sixty percent of respondents perceived that cost savings would be the greatest benefit of cloud computing, particularly because they would avoid additional on-site storage and network infrastructure costs, labor costs and hardware costs,” Westerlind wrote.

More at http://bit.ly/uq5R0l

Volume 10, Issue 46 December 16, 2011 Page 7

Reports and Papers - (cont.) Towards a Cyber Security Strategy for Global Civil Society?

By Ron Deibert, University of Toronto

Cyberspace is at a watershed moment. Technological transformations have brought about an architectonic change in the communications ecosystem. Cyber crime has exploded to the point of becoming more than a nuisance, but a national security concern.

There is a seriously escalating arms race in cyberspace as governments scale up capabilities in their armed forces to fight and win wars in this domain.

Telecommunication companies, internet service providers (ISPs), and other private sector actors now actively police the internet. Pressures to regulate the global network of information and communications have never been greater.

Although states were once thought to be powerless in the face of the internet, the giants have been woken from their slumber. How exactly governments react to these problems will determine the future of cyberspace – and by extension the communications platforms upon which global civic networks depend.

Global civil society, now increasingly recognised as an important stakeholder in cyberspace governance, needs to step up to the challenge.

A constitutive moment awaits. What is required is nothing less than a serious and comprehensive security strategy for cyberspace that addresses the very real threats that plague governments and corporations, addresses national and other security concerns in a forthright manner, while protecting and preserving open networks of information and communication.

It is an enormous challenge but also a great opportunity that, if not handled well, could end up having major detrimental consequences for human rights online.

Of course, “global civil society” is not an undifferentiated whole, but an amalgam of multiple and diverse local networks.

Regardless of their differences, citizens who share an interest in democracy and human rights also share common interests in a secure but open global communications space. Those common interests can lay the basis for a civil society cyber security strategy.

More at http://bit.ly/unZ5p5

A Holistic Framework to Improve the Uptake and Impact of eHealth Technologies

By Julia EWC van Gemert-Pijnen, Nicol Nijland, Saskia M Kelders, Erwin R Seydel, & Maarten van Limburg, University of Twente; Hans C Ossebaard, National Institute for Public Health and the Environment; & Gunther Eysenbach, University of Toronto

Introduction

The impact of eHealth technologies is sometimes questioned because of a mismatch between the postulated benefits and actual outcomes. A lack of evidence about the distinct effects of eHealth technologies on health and health care is apparent. Health care professionals are often skeptical and show little support for eHealth because technology does not seem to work for them or the benefit of their patients. As a result, eHealth technologies often face adoption problems.

What could explain this mismatch? We know from research and the literature that inadequate reimbursement and legislation can slow down the pace of innovation. Investors need to have trust before they can finance eHealth projects. Apart from economic trust, a complex innovation needs

coordination and communication, especially in the case of chronic disease management, where a variety of stakeholders are involved. Introducing eHealth technologies into the health care system requires careful coordination and communication among health care professionals, patients, informal caregivers, end users, and others. This is exactly what seems so hard to realize in practice. The same goes for project management; the precise definition of scope and objectives of the eHealth technology, the casting of participants, and the timely allocation of well-defined powers (eg, recourses and opinion leaders) and responsibilities are often not well defined beforehand. In day-to-day health care practice, these components are often present only on a superficial level, or not at all. In this situation, a lack of coordination and management deeply affects the outcomes from eHealth technologies research. Conversely, post hoc analysis does not, or cannot, account for the clouding of possible effects due to these important factors.

Another cause for the supposed low impact of eHealth technologies is the peripheral position of the users.

More at http://bit.ly/uRqNX6

Volume 10, Issue 46 December 16, 2011 Page 8

Reports and Papers - (cont.) Study on Patient Privacy & Data Security

Ponemon Institute LLC

Despite increased compliance with the HITECH Act and other federal regulations, healthcare data breaches are on the rise. Many hospitals and healthcare organizations in this study believe they have insufficient security and privacy budgets, and affected patients are not always receiving the privacy care they are promised. The growing use of unsecured mobile devices and the rising rate of employee mistakes compound the problem. This study was conducted to better understand healthcare providers’ patient privacy practices and their experiences in dealing with the loss or theft of patient information, also called protected health information (PHI).

Our study found that the number of data breaches among healthcare organizations participating in the 2010 and 2011 studies is still growing—eroding patient privacy and contributing to medical identity theft.

On average, it is estimated that data breaches cost benchmarked organizations $2,243,700. This represents an increase of $183,526 from the 2010 study despite healthcare organizations’ increased compliance with federal regulations.

As the second annual study, the report examines the changes

from 2010 to 2011 that may have occurred to healthcare organizations’ privacy and data protection compliance activities, including policies, program management activities, enabling security technologies and security governance practices.1 We also look at how well these organizations are able to comply with the notification requirements mandated by HITECH and HIPAA.

In some areas, healthcare organizations are making improvements in their efforts to stop data breaches. These include having more trained and knowledgeable staff and better policies and governance. Since last year’s report, more respondents say that data breaches are being detected by employees or through audits and assessments. The percentage of respondents who say data breaches are discovered by patients has dropped from 41 percent to 35 percent.

Healthcare organizations in this study also are relying less on an “ad hoc” process to prevent or detect data breach incidents and are relying more on policies, procedures and security technologies. While those are positive trends, the study reveals respondents’ concerns about the need to invest in enabling technologies, which may be a challenge because of budgetary constraints.

More at http://bit.ly/s8qK4X

Ten Facts about Mobile Broadband

By Darrell M. West, The Brookings Institution

Executive Summary

Mobile broadband is reshaping society, communications, and the global economy. With smart phone usage surpassing that of personal computers, there has been a sea change in the way consumers access and share information. Powerful mobile devices and sophisticated digital applications enable users to build businesses, access financial and health care records, conduct research, and complete transactions anywhere.

This revolution in how consumers and businesses access information represents a fundamental turning point in human history. For the first time, people are able to reach the Internet in a relatively inexpensive and convenient manner. Regardless of geographic location, they can use mobile broadband for communications, education, health care, public safety, disaster preparedness, and economic development.

In this report, I review ten facts about mobile broadband. I show how the mobile economy is reshaping the global

landscape. Both in developed and emerging markets, there are major opportunities to create jobs, and create social and economic connections. With the mobile industry generating $1.3 trillion in revenues, it is important to understand how telephony is affecting the way people relate to one another.

Smartphones Will Outnumber Personal Computers in 2012

For the first time in history, the trend lines for installed smartphones and personal computers will cross at the end of 2012. As shown on Figure 1, the total number of IP network-enabled desktops, notebooks, and netbook personal computers in past years has exceeded that of cellular phones with a high level operating system. However, due to the high growth rate in consumer and business installations of smartphones, those devices will outnumber personal computers in 2012. Smartphone installation currently is growing at about three times the rate of personal computers. Consumers like the convenience of mobile devices. They enjoy being able to access email, the Internet, and a wide range of applications online and while on the go.

More at http://bit.ly/rMY6El

Volume 10, Issue 46 December 16, 2011 Page 9

Reports and Papers - (cont.) Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions

By Eric A. Fischer, Congressional Research Service

For more than a decade, various experts have expressed increasing concerns about cybersecurity, in light of the growing frequency, impact, and sophistication of attacks on information systems in the United States and abroad. Consensus has also been building that the current legislative framework for cybersecurity might need to be revised.

The complex federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal systems. Under current law, all federal agencies have cybersecurity responsibilities relating to their own systems, and many have sector-specific responsibilities for critical infrastructure.

More than 50 statutes address various aspects of cybersecurity either directly or indirectly, but there is no overarching framework legislation in place. While revisions to most of those laws have been proposed over the past few years, no major cybersecurity legislation has been enacted since 2002.

Recent legislative proposals, including many bills introduced in the 111th and 112th Congresses, have focused largely on

issues in ten broad areas: national strategy and the role of government, reform of the Federal Information Security Management Act (FISMA), protection of critical infrastructure (especially the electricity grid and the chemical industry), cross-sector coordination and information sharing, breaches resulting in theft or exposure of personal data such as financial information, cybercrime, privacy in the context of electronic commerce, international efforts, research and development, and the cybersecurity workforce. For most of those topics, at least some of the bills addressing them proposed changes to current laws. Several of the bills have received committee or floor action, but none have become law.

Three comprehensive legislative proposals on cybersecurity have been presented to the 112th Congress: S. 413, recommendations from a House Republican task force, and a proposal by the Obama Administration. They differ in approach, with S. 413 proposing the most extensive regulatory framework of the three, and the task force recommendations focusing more on incentives for improving private-sector cybersecurity. All three proposals would revise the Homeland Security Act and increase the statutory responsibilities of the Department of Homeland Security (DHS) for the cybersecurity of federal information systems.

More at http://bit.ly/uH9gCo

Business Model Innovations in Health Care

By Sophie Tersago & Ivanka Visnjic, University of Cambridge

Introduction

Health care offers indispensable services to citizens and represents an important source of employment. Health care is also a complex and, in most countries, heavily regulated sector. Government regulation – in order to ensure sufficient supply – can slow down or boost the innovative character of the sector by manipulating the parameters of organisational structure or financial flows, such as imposing a minimum bed capacity of 150 beds for hospitals, for example. In the last couple of years health care has been subject to a number of pressuring trends. An ageing population and an increasing prevalence of lifestyle diseases, such as obesity, are just some examples.

As a consequence of these trends, health care is likely to be dominated by expansion of demands in the market and subsequently increasing healthcare expenditures. Innovative solutions are required at government level as well as sector participants to ensure good quality of service, while at the

same time managing cost increases.

At the same time, health care is not the only sector going through such a turmoil (Visnjic and Neely 2011). And while governments and regulators are traditionally looking for innovative solutions at sector level as a whole, recent studies have shown that at company level, business model innovations seem to be company responses to changes in underlying market conditions. Indeed, numerous high-tech companies like Dell, and manufacturing companies operating in other sectors, such as Zara, are prominent examples of industries in which business model innovations have reshaped their industry landscapes.

And while the term ‘business model’ seems to be very popular in the business press, its academic and theoretical underpinnings are less established. One of the most prominent streams of relevant literature defines business model as the structure of the value chain, i.e., ‘the set of activities from raw materials through to the final consumers with value being added throughout the various activities’ (Amit & Zott, 2010).

More at http://bit.ly/vIdrqv

Volume 10, Issue 46 December 16, 2011 Page 10

Reports and Papers - (cont.) Protecting Privacy From Aerial Surveillance

Recommendations for Government Use of Drone Aircraft

By Jay Stanley & Catherine Crump, American Civil Liberties Union

Unmanned aircraft carrying cameras raise the prospect of a significant new avenue for the surveillance of American life. Many Americans have heard of these aircraft, commonly called drones, because of their use overseas in places like Afghanistan and Yemen.

But drones are coming to America. Their deployment has so far been held up by the Federal Aviation Administration (FAA) over safety concerns, but that agency is under strong industry and Congressional pressure to pave the way for domestic deployment.

Meanwhile, the technology is quickly becoming cheaper and more powerful, interest in deploying drones among police departments is increasing, and our privacy laws are not strong enough to ensure that the new technology will be used responsibly and consistently with democratic values.

In short, all the pieces appear to be lining up for the eventual introduction of routine aerial surveillance in American life—a development that would profoundly change the character of public life in the United States.

We need a system of rules to ensure that we can enjoy the benefits of this technology without bringing us a large step

closer to a “surveillance society” in which our every move is monitored, tracked, recorded, and scrutinized by the authorities. In this paper, we outline a set of protections that we believe would protect Americans’ privacy in the coming world of drones.

Aerial surveillance from manned aircraft has been with us for decades. One of the first aircraft the Wright brothers built was a surveillance aircraft, and it was sold to the U.S. Army.

Many common uses of drone aircraft—search and rescue, fighting wildfires, dangerous tactical police operations—are beneficial. In the 1980s the Supreme Court ruled that the Fourth Amendment does not categorically prohibit the gov-ernment from carrying out warrantless aerial surveillance of private property.

But manned aircraft are expensive to purchase, operate and maintain, and this expense has always imposed a natural limit on the government’s aerial surveillance capability. Now that surveillance can be carried out by unmanned aircraft, this natural limit is eroding.

The prospect of cheap, small, portable flying video surveillance machines threatens to eradicate existing practical limits on aerial monitoring and allow for pervasive surveillance, police fishing expeditions, and abusive use of these tools in a way that could eventually eliminate the privacy Americans have traditionally enjoyed in their movements and activities.

More at http://bit.ly/rtQVTh

FutureMedia 2012 Outlook

The Georgia Institute of Technology

Summary

Six megatrends will have a pervasive impact in the near future:

Smart Data: In an increasingly noisy world, we’ll have to sift, filter and be smarter about what matters.

People Platforms: Beyond “true personalization,” they will be socially driven platforms made of algorithms from personal and associated data that people design and tailor themselves.

Content Integrity: Pervasive mobile devices, sprawling networks, clouds ,and multi-layered platforms have made

it more difficult to detect and address our digital vulnerabilities, drawing us to trusted content sources.

Nimble Media: Media is evolving from a set of fixed commodities into an energetic, pervasive medium that allows people to navigate across platforms and through different content narratives.

6th Sense: Extraordinary innovations in mixed reality will change the way we see, hear, taste, touch, smell and make sense of the world — giving us a new and powerful 6th sense.

Collaboration: We will harness the power of many in an increasingly conversational and participatory world.

More at http://bit.ly/t180kJ

Volume 10, Issue 46 December 16, 2011 Page 11

Reports and Papers - (cont.) Recording Everything

Digital Storage as an Enabler of Authoritarian Governments

By John Villasenor, The Brookings Institution

Executive Summary

Within the next few years an important threshold will be crossed: For the first time ever, it will become technologically and financially feasible for authoritarian governments to record nearly everything that is said or done within their borders – every phone conversation, electronic message, social media interaction, the movements of nearly every person and vehicle, and video from every street corner. Governments with a history of using all of the tools at their disposal to track and monitor their citizens will undoubtedly make full use of this capability once it becomes available.

The Arab Spring of 2011, which saw regimes toppled by protesters organized via Twitter and Facebook, was heralded in much of the world as signifying a new era in which information technology alters the balance of power in favor of the repressed. However, within the world’s many remaining authoritarian regimes it was undoubtedly viewed very

differently. For those governments, the Arab Spring likely underscored the perils of failing to exercise sufficient control of digital communications and highlighted the need to redouble their efforts to increase the monitoring of their citizenry.

Technology trends are making such monitoring easier to perform. While the domestic surveillance programs of countries including Syria, Iran, China, Burma, and Libya under Gadhafi have been extensively reported, the evolving role of digital storage in facilitating truly pervasive surveillance is less widely recognized.

Plummeting digital storage costs will soon make it possible for authoritarian regimes to not only monitor known dissidents, but to also store the complete set of digital data associated with everyone within their borders. These enormous databases of captured information will create what amounts to a surveillance time machine, enabling state security services to retroactively eavesdrop on people in the months and years before they were designated as surveillance targets. This will fundamentally change the dynamics of dissent, insurgency and revolution.

More at http://bit.ly/vaJhc4

Benefits and Limitations of Industry Self-Regulation for Online Behavioral Advertising

By Daniel Castro, The Information Technology & Innovation Foundation

Self-regulation, in all its myriad permutations, is a vital part of today’s global economy. Diverse industries, such as health care, higher education, fashion, advertising, mining, marine fishing, professional sports, and nuclear power, have used self-regulatory processes to govern industry practices. The private sector relies on self-regulation to address a range of issues, from establishing industry standards, to developing and applying codes of professional ethics, to ensuring consumer confidence. Despite its widespread use, some policymakers are skeptical of the efficacy of self-regulation when it comes to protecting consumer privacy online. This report seeks to address that skepticism by explaining how self-regulation works and why it is essential to protecting consumer privacy in online behavioral advertising.

Types of Regulation

Regulatory styles vary considerably from country to country and industry to industry. Regulations may set market

conditions, such as price controls, market-entry conditions, product requirements and contract terms, or social obligations, such as environmental controls, safety regulations or advertising and labeling requirements. The impact of regulations on the economy depends on the nature of the regulation and how efficiently and effectively it is implemented. While regulations impose costs on firms, causing them to shift resources away from other activities to achieve compliance, these costs are often justified as a means of improving social welfare. For example, the benefits of regulations to address concerns about public safety or the environment are intended to outweigh the efficiency cost of imposing the regulations. Regulations, especially if they are performance-based, may also induce innovations that benefit consumers, producers and society. In some instances, regulations may even increase competitiveness by improving the quality of products and services and giving firms that produce these products and services a first-mover advantage. While the nature of regulations and the institutions used to create them may vary, as shown in Figure 1, the regulatory process generally consists of three stages: creating regulations, monitoring for compliance, and enforcing regulations.

More at http://bit.ly/vH48iz

Volume 10, Issue 46 December 16, 2011 Page 12

Points of View ‘Meaningful Use’ of Health Information Technology Should Be Truly Meaningful

By Jonathan Bush, athenahealth, Inc.

As all parties to the health care system search for ways to rein in costs, the U.S. government is in the process of distributing the first of nearly $30 billion in checks to eligible medical providers. These payouts are part of the Meaningful Use program, which was created under the Health Information Technology for Economic and Clinical Health (HITECH) Act to encourage the adoption and sustained use of electronic health records (EHRs).

If this program works as intended, it has the potential to improve not only patient outcomes and increase coordination among health care professionals, but reduce also skyrocketing health care costs.

But that potential will only be realized if EHRs are adopted and used in an effective and meaningful way. And without the transparency that’s required to measure whether the money is being used for the purpose Congress intended, the Meaningful Use program could end up wasting billions of taxpayer dollars.

So how does it work?

To qualify for the Meaningful Use payments, eligible physicians and hospitals must use a certified EHR platform and attest to having achieved a set of measures over a 90-day reporting period. They must prove that they’ve used their EHR to provide electronic prescriptions, record vital signs, provide patients with a clinical summary of office visits and more.

The problem, however, is a lack of transparency and accountability. The government has no way of verifying that the physicians who claim to have met the Meaningful Use criteria are actually using health information technology in any meaningful way.

Click a box, get a check. Without an audit process in place, it’s almost that easy.

While the HITECH Act has encouraged greater competition in the EHR marketplace, the current lax standards for verifying Meaningful Use could lead to enormous disparities between what physicians and hospitals are able to do with their EHRs and their actual ability to improve patient care.

There are currently 788 certified ambulatory EHR products, but all EHRs are not created equal.

More at http://bit.ly/u8u3f6

Stress Testing Health Information Management and Governance

By Linda L. Kloss, Health Data Management

In the engineering field, stress analysis is a discipline that determines whether materials and structures can safely withstand a range of forces or loads. Evidence is mounting that current structures and methods for managing health information are under stress and not adequate for the digital era. Each week brings new reports signaling systemic deficits in information stewardship, integrity, and life cycle management. Anecdotal evidence from health care organizations underscores the need for new approaches to enterprise information management (IM).

Enterprise IM and information governance are essential strengthening strategies to address a range of information stressors. This article offers a framework that can be used to take stock of which stress fields are currently under reasonable control in your organization and which will benefit from more targeted attention. It challenges organizations to approach IM and information governance from the perspective of asset management focusing on gaining real value from investments

in EHRs and other information and communication technolo-gies.

Implementing I.T. does not automatically ensure that informa-tion is complete, accurate, reliable, secure or used appropri-ately. In fact, research shows that data errors and other infor-mation- related unintended consequences may impede safe use of technology. Most health care organizations need more robust policy frameworks and formalized strategies for IM and information governance. These are important disciplines for any organization seeking to improve the safe and effective use of I.T.

Revisiting Information Management and Governance

Contemporary Information management practices rest on three key principles: Information Asset Management, Enter-prise Information Management, and Information Governance.

First, enterprise information should be managed as a valued asset on par with other critical assets (physical, human re-source, financial, intellectual property).

More at http://bit.ly/rOhiyz

Volume 10, Issue 46 December 16, 2011 Page 13

Points of View - (cont.) Stop Online Piracy Act (SOPA): Washington Vs. The Web

By Zach Carter, The Huffington Post

A month ago, Google lobbyist Katherine Oyama absorbed one of the more unusual congressional tongue-lashings in years when she appeared before a hearing of the House Judiciary Committee. Rep. Tom Marino (R-Pa.) joked that Oyama had walked into a "lion's den."

After praising representatives of drug giant Pfizer and the Motion Picture Association of America for their aggressive efforts to combat online piracy of American products, a bipartisan cadre of committee members spent much of the hearing berating Google, and Oyama personally, as corrupt, compromised and selfish.

"One of the companies represented here today has sought to obstruct the Committee's consideration of bipartisan legislation," House Judiciary Committee Chairman Lamar Smith (R-Texas) said.

"In my experience there's usually only one thing at stake when we have long lines outside a hearing as we do today, and when

giant companies, like the ones opposing this bill, and their supporters start throwing around rhetoric like, 'This bill will kill the Internet,'" said Rep. Mel Watt (D-N.C.), glowering at Oyama. "That one thing is usually money."

It's not unheard-of for corporate representatives to pay public penance on Capitol Hill, but Google seemed a strange subject for abuse: Unlike recent corporate target MF Global and congressional villain Goldman Sachs, Google's shaming wasn't preceded by massive public outcry.

So what raised the committee's ire? An extremely technical, low-profile bill that isn't being covered by cable news, but has nearly 1,000 registered lobbyists officially working on it: the Stop Online Piracy Act, or SOPA -- a bill with the power to fundamentally reshape the laws governing the Internet.

SOPA would imbue the federal government with broad powers to shut down whole web domains on the basis that it believes them to be associated with piracy -- without a trial or even a traditional hearing. It would provide Hollywood with powerful new legal tools to stifle transactions with websites whose existence worries the movie industry.

More at http://huff.to/vM4Gt9

Mandates Can't Alter Facts

By Paul Vixie, Danny McPherson, Dan Kaminsky, David Dagon, & Steve Crocker, The Hill

No one disputes or could dispute that the Internet makes crime easier. Theft of intellectual property is one such crime made easier by the Internet. Rights holders are concerned about this, and they should be.

However, the debate over what we as a society ought to do about online piracy and infringement has gone into the weeds – so much so that bills now pending before both houses of the US Congress (S. 968, PIPA; and H.R. 3261, SOPA) seek to compel American Internet Service Providers to alter fundamentally the way their connected customers access the Domain Name System.

This type of mandated filtering is not an American innovation. Strong governments around the world use DNS filtering to signal their displeasure over all kinds of things they don’t like, whether it be untaxed online gambling, or pornography, or political dissent.

That Congress is now seriously debating doing likewise may

represent a sea change in American thinking – as though we as a people can no longer decide for ourselves what is in our best interests to see or not to see on the Internet, and so we now need our government to help us.

Support for these bills is nonpartisan but hardly nonpolitical. There is, in the words of one congressional staffer, “a big push” to get this done.

But whereas many arguments on both sides of this debate are ideological, there are some simple technological issues that will weigh more heavily on the ultimate outcome.

Focusing on the single provision in this bicameral legislative package which mandates that Internet Services Providers filter the results their customers receive from the Domain Name System, it is possible to observe simply that: it will do no good and it will do much harm.

No Internet user is required to use the Domain Name servers provided by their ISP.

More at http://bit.ly/vm7RsQ

Volume 10, Issue 46 December 16, 2011 Page 14

Internet Governance Organization for Economic Cooperation and Development (O.E.C.D.) Calls on Members to Defend Internet Freedoms

By Eric Pfanner, The New York Times

As a rising tide of digital dissent raises alarms in many capitals around the world, the Organization for Economic Cooperation and Development on Tuesday called on member countries to “promote and protect the global free flow of information” online.

The O.E.C.D. , a group of 34 developed countries, urged policy makers to support investment in digital networks and to take a light touch on regulation, saying this was essential for promoting economic growth via the Internet.

“It’s really a milestone in terms of making a statement about openness,” said Karen Kornbluh, the U.S. ambassador to the O.E.C.D. “You can’t really get the innovation you need in terms of creating jobs unless we work together to protect the openness of the Internet.”

The approval of the recommendations by the O.E.C.D. council builds on a communiqué issued at a meeting in June, when the

broad outlines of the policy were drawn up. The guidelines are not binding, but are intended to work through the power of persuasion . Also, the Internet recommendations will from now on be included among the criteria for assessing candidates for membership in the O.E.C.D., which is based in Paris.

While the Arab Spring, Occupy Wall Street and other movements have shown the potential of the Internet for organizing political protest, there has also been a backlash, with a number of governments stepping up their efforts to crack down on free speech in the digital sphere.

China, which has long blocked access to Web sites deemed to be undesirable, said recently that it would step up monitoring of social media, messaging services and other forums in an effort to crack down on the publishing of “harmful information.” India has asked Internet companies and social media sites to prescreen user contributions to remove disparaging, inflammatory or defamatory content, according to Internet company executives. In Russia there were reports of a crackdown on Web-borne dissent before and after parliamentary elections this month.

More at http://nyti.ms/swdu11

Turning Government Data Into Gold

European Commission

The Commission has launched an Open Data Strategy for Europe, which is expected to deliver a €40 billion boost to the EU's economy each year. Europe’s public administrations are sitting on a goldmine of unrealised economic potential: the large volumes of information collected by numerous public authorities and services. Member States such as the United Kingdom and France are already demonstrating this value. The strategy to lift performance EU-wide is three-fold: firstly the Commission will lead by example, opening its vaults of information to the public for free through a new data portal. Secondly, a level playing field for open data across the EU will be established. Finally, these new measures are backed by the €100 million which will be granted in 2011-2013 to fund research into improved data-handling technologies.

These actions position the EU as the global leader in the re-use of public sector information. They will boost the thriving industry that turns raw data into the material that hundreds of millions of ICT users depend on, for example smart phone apps, such as maps, real-time traffic and weather information, price comparison tools and more. Other leading beneficiaries

will include journalists and academics.

Commission Vice President Neelie Kroes said: "We are sending a strong signal to administrations today. Your data is worth more if you give it away. So start releasing it now: use this framework to join the other smart leaders who are already gaining from embracing open data. Taxpayers have already paid for this information, the least we can do is give it back to those who want to use it in new ways that help people and create jobs and growth.” See Mrs Kroes video quote here.

The Commission proposes to update the 2003 Directive on the re-use of public sector information by:

Making it a general rule that all documents made accessible by public sector bodies can be re-used for any purpose, commercial or non-commercial, unless protected by third party copyright;

Establishing the principle that public bodies should not be allowed to charge more than costs triggered by the individual request for data (marginal costs);

More at http://bit.ly/u6ASEa

Page 15 Volume 10, Issue 46 December 16, 2011

Happy Holidays! The Weekly Digest will re-launch in January.

Page 16 Volume 10, Issue 46 December 16, 2011

Sites Compendium www.aclu.org

www.bcbsri.com

www.brookings.edu

www.cambridgeservicealliance.org

www.dhs.gov

www.fas.org

www.giswatch.org

www.healthdatamanagement.com

www.idrc.ca

www.itif.org

www.jmir.org

www.news.cnet.com

www.nextgov.com

www.nytimes.com

www.nxtbook.com

www.thehill.com

Book Notice Access Contested Security, Identity, and Resistance in Asian Cyberspace

By Ronald Deibert, John Palfrey, Rafal Rohozinski, & Jonathan Zittrain

A daily battle for rights and freedoms in cyberspace is being waged in Asia.

At the epicenter of this contest is China – home to the world’s largest Internet population and what is perhaps the world’s most advanced Internet censorship and surveillance regime in cyberspace.

Resistance to China’s Internet controls comes from both grassroots activists and corporate giants such as Google.

Meanwhile, similar struggles play out across the rest of the region, from India and Singapore to Thailand and Burma, a l t h o u g h e a c h national dynamic is unique.

Access Contested, the third volume from the OpenNet Initiative (a collaborative partnership of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, the Berkman Center for Internet and Society at Harvard University, and the SecDev Group in Ottawa), examines the interplay of national security, social and ethnic identity, and resistance in Asian cyberspace, offering in-depth accounts of national struggles against Internet controls as well as updated country reports.

The contributors examine such topics as Internet censorship in Thailand, the Malaysian blogosphere, surveillance and censorship around gender and sexuality in Malaysia, Internet governance in China, corporate social responsibility and freedom of expression in South Korea and India, cyberattacks on independent Burmese media, and distributed-denial-of-service attacks and other digital control measures across Asia.

More at http://bit.ly/sVArY1

Research and Selection: Stefaan Verhulst Production: Kathryn Carissimi & Lauren Hunt

Please send your questions, observations and suggestions to

sverhulst@markle.org

The views expressed in the Weekly Digest do not necessarily reflect those of the Markle Foundation.