databases – Techdirt
Stories filed under: "databases"
Sen. Ron Wyden Catches ICE Illegally Collecting Americans’ Financial Data
from the everybody-still-on-board-with-abolishing-this-national-embarrassment? dept
ICE wants data and doesn’t care how it gets it. Its recently-elevated pursuit of all things not considered naturally American has increased its demands for information on… well, everybody. It works with private sector data brokers and data analysts to hoover up location info — something not strictly limited to movements at or near borders. Nor is it limited to the non-Americans ICE believes should be tracked, captured, and ejected.
ICE has also gathered information collected by American utility companies, which includes customers’ names, addresses, cards/accounts used to pay bills, and usage records. This was also accomplished via a private party: the CLEAR database run by Thomson Reuters. ICE paid $21 million a year for access. It no longer has that access, thanks to pressure applied by Senator Ron Wyden.
ICE has shut down another data collection because Wyden started asking questions. And this collection may very well have been illegal. Using only self-issued administrative subpoenas, ICE was able to obtain millions of financial records from two money transfer companies, Western Union and Maxitransfers Corporation.
The EFF has more details in this post:
Beginning in 2019, HSI [Homeland Security Investigations — a division of ICE] sent eight administrative subpoenas to these financial services companies asking that they turn over all records for money transfers over $500 to or from California, Texas, New Mexico, Arizona, and Mexico. Each administrative subpoena sought records for six-months at a time. In response, Western Union and Maxi provided 6.2 million financial records, including personal information such as names and addresses, to HSI. All of the information was entered into a database called Transaction Record Analysis Center (TRAC), which is run by a non-profit and facilitates law enforcement access to bulk financial data for 5 years.
Once again, Wyden’s pressure has resulted in a change.
According to Sen. Wyden, HSI terminated the program in January 2022 after his office contacted HSI about it.
But that’s not good enough for Wyden. His letter [PDF] wants more answers from ICE, leveraging its hasty abandonment of the program against it. It’s an illegal collection, as the EFF explains:
[T]his kind of bulk surveillance is illegal. By statute, these administrative subpoenas must seek records “relevant” to an agency investigation. Simply put, there is no way these broad requests for bulk records would turn up only documents “relevant” to specific investigations; instead it put everyone who transferred money, including U.S. persons, under surveillance.
From Wyden’s letter:
[T]he fact that HSI employees in Phoenix, AZ continued to send out these highly problematic bulk summonses, every six months, without oversight by HSI and DHS headquarters indicates a weakness in the central supervision of this surveillance tool. Moreover, the fact that just one request for a briefing from a Senate office prompted HSI to immediately halt the flow of data suggests that the internal oversight system within DHS and HSI failed.
This is far from the only problematic aspect of this program. For one thing, the program ran for years prior to ICE’s adoption of the questionable bulk surveillance. An agreement between Western Union and the Arizona Attorney General in 2010 over money laundering allegations opened up this firehose, providing millions of transaction records from 2010 to 2019 — all of which could be accessed by federal, state, and local law enforcement agencies without any judicial approval.
According to HSI, this agreement expired in 2019. That’s when ICE took over, demanding the same production for the next two years. In 2021, ICE expanded these demands to include Maxitransfers. Those actions resulted in ICE obtaining more than 6 million financial records — something it managed to accomplish using only eight self-issued subpoenas. This is classic bulk surveillance, Wyden points out. There’s no way all six million records were “relevant” to HSI investigations.
His letter points out that HSI’s February 2022 testimony was the first time members of its Congressional oversight heard about the long-running program. And ICE’s internal oversight was bypassed as well, according to HSI’s own statements.
While HSI told my staff that the Special Agent in Charge of HSI Phoenix spoke to the HSI Assistant Director of Investigative Programs and with an attorney in the field office before issuing the first summons, no one sought legal guidance from HSI or DHS headquarters and HSI never wrote or published a Privacy Impact Assessment analyzing this program. Indeed, HSI officials acknowledged that they only alerted DHS privacy officials after my office contacted HSI to request a briefing about the program in January 2022.
Wyden says he’s all for engaging in legitimate law enforcement activity to stop money laundering and drug trafficking. But this ain’t it. This is an illegitimate and illegal bulk collection that was hidden from ICE’s multiple levels of oversight. It also allowed ICE to keep doing the sort of things that have many calling for it to be abolished… like disproportionately targeting minorities, low-income families, and immigrants who often utilize services like these because traditional banking options aren’t available.
If ICE wants to fight money laundering and stymie drug cartels, it needs to do better. And it needs to play by the rules.
Instead of squandering resources collecting millions of transactions from people merely because they live or transact with individuals in a handful of Southwestern states or have relatives in Mexico, HSI and other agencies should focus their resources on individuals actually suspected of breaking the law.
Hastily killing the illegal program isn’t going to stop Wyden from demanding answers. While it’s great the program is now dead, the flipside is that there’s likely another, equally-problematic program still in operation. It just hasn’t been uncovered yet.
Filed Under: clear database, databases, dhs, financial information, hsi, ice, ron wyden, subpoenas
ICE Is Also Using Utility Databases Run By Private Companies To Hunt Down Undocumented Immigrants
from the whatever-isn't-nailed-down-by-legislation-or-precedent dept
ICE has always had a casual relationship with the Fourth Amendment. Since it’s in the business of tracking foreigners, it has apparently decided the rights traditionally extended to them haven’t actually been extended to them.
Anything not nailed down by precedential court decisions or federal legislation gets scooped up by ICE. This includes location data pulled from apps that would appear to be subject to Supreme Court precedent on location tracking. ICE routinely engages in warrantless device searches — something its legal office has failed to credibly justify in light of the Riley decision. And the Fourth Amendment — along with judicial oversight — is swept away completely by ICE’s practice of deploying pre-signed warrants to detain immigrants. The agency is also not above forging judges’ signatures to send “dangerous” immigrants packing.
The latest exposure of ICE’s tactics shows it will gather everything and anything to hunt down people who, for the most part, are just trying to give their families a better shot at survival. Whatever can be had without a warrant will be had. That’s the message being sent by ICE, and relayed to us by Drew Harwell of the Washington Post. (h/t Magenta Rocks)
U.S. Immigration and Customs Enforcement officers have tapped a private database containing hundreds of millions of phone, water, electricity and other utility records while pursuing immigration violations, according to public documents uncovered by Georgetown Law researchers and shared with The Washington Post.
ICE’s use of the private database is another example of how government agencies have exploited commercial sources to access information they are not authorized to compile on their own. It also highlights how real-world surveillance efforts are being fueled by information people may never have expected would land in the hands of law enforcement.
I’m not a law enforcement professional. Nor am I an immigration and customs officer. But it beggars belief that utility records can provide evidence of illegal immigration. While I understand ICE is likely using the records to find people it has already flagged as illegal immigrants, the justification for demanding these records is nonexistent. ICE may want to match names to addresses but it’s on shaky legal ground when it demands records under the theory that utility bills may offer evidence of illegal immigration.
And yet, ICE can do this. This is the Third Party Doctrine in action. If immigrants give their names to utility companies, ICE can get this info without a warrant. It’s a “voluntary” exchange, even though there’s nothing voluntary about exchanging personal info to access the little things in life that make it worth living, like electricity and indoor plumbing.
But is it evidence of illegal immigration? There’s a lot that’s still unsettled at the point ICE obtains this information. Immigration status is ultimately handled by judges. Until then, everything else is apparently fair game, including utility bill records.
At the top of this evidentiary food chain is a private company. And that company doesn’t appear to care who accesses its database or for what reason.
CLEAR is run by the media and data conglomerate Thomson Reuters, which sells “legal investigation software solution” subscriptions to a broad range of companies and public agencies. The company has said in documents that its utility data comes from the credit-reporting giant Equifax. Thomson Reuters, based in Toronto, also owns the international news service Reuters as well as other prominent subscription databases, including Westlaw.
Thomson Reuters has not provided a full client list for CLEAR, but the company has said in marketing documents that the system has been used by police in Detroit, a credit union in California and a fraud investigator in the Midwest. Federal purchasing records show that the departments of Justice, Homeland Security and Defense are among the federal agencies with ongoing contracts for CLEAR data use.
Even if you believe immigrants shouldn’t be given constitutional protections, you have to be concerned that a private company is amassing data from private citizens and granting access to government agencies. This isn’t how America is supposed to work. But that’s the way it actually works, thanks to opportunistic data brokers and the hundreds of utility companies willing to sell customers’ data to whoever will buy it.
ICE is paying Thomson Reuters $21 million a year for access. Reuters — a company that needs to answer to shareholders — has zero interest in terminating this working relationship. On the public sector side, ICE needs to continue to justify its existence. So it has no interest in terminating contracts that enable it to apprehend and eject immigrants. The legality of its efforts is unsettled. Since no one above ICE in the governmental org chart has yet determined this is unacceptable, it will continue. And private databases like this still lie beyond the minimal protections afforded by federal privacy laws.
Until someone’s willing to step in and curb ICE’s all access pass to everything that’s just on the outside of current Fourth Amendment case law, ICE will continue to hoover up everything it can, no matter how negligible its effect on immigration enforcement. And, as long as companies can continue to demand a wealth of info in exchange for services, there will always be an endless supply of third parties only a subpoena away from handing over personal information to federal law enforcement.
Filed Under: 4th amendment, databases, ice, privacy
NY Legislators Introduce Bill That Would Seriously Curb Law Enforcement's Surveillance Collections
from the take-what-you-want-but-only-keep-what-you-need dept
A bipartisan group of New York assembly members has introduced a bill that doesn’t appear to have much of a chance at becoming an actual law. But what a bill it is. If it does receive the governor’s signature, it would drastically revamp how the NYPD (and other agencies) handle the massive amount of video and data they collect daily.
A bill introduced in the New York Assembly would prohibit the state from creating any database containing aggregate surveillance data including ALPR, audio, video and facial recognition records. Passage would not only protect privacy in New York; it would also put major roadblocks in front of federal surveillance programs.
Assm. Tom Abinanti (D-Greenburgh/Mt. Pleasant), along with a bipartisan coalition of six assembly members, introduced Assembly Bill 11332 (A11332) on Sept. 19. The proposed law would bar state agencies and departments, and contractors engaged in business with the state, from using any database as a repository of, a storage system for, or a means of sharing facial recognition functionality. It would also prohibit the creation of any permanent repository or storage system for aggregate license plate reader data records, aggregate audio surveillance recordings, aggregate video surveillance images, or aggregate driver license photographs.
In effect, A11332 would prohibit the creation of any comprehensive database storing surveillance data.
It’s an anti-haystack bill. And law enforcement loves its haystacks. The NYPD — believing itself to be a globetrotting intelligence agency — loves them more than most. Law enforcement agencies have obtained massive boosts in collection power over the years, thanks to omnipresent surveillance cameras, automatic license plate readers, and cheap digital storage. Biometric data has recently been added to the mix, promising to turn dumb cameras into suspect-spotting field agents.
The tech has advanced ahead of best practices or privacy impact assessments. The new hardware is presumed legal until proven otherwise and is often obtained and deployed with minimal oversight and zero public input.
This bill doesn’t outlaw the continued hoovering of data points/camera footage but it does ensure the massive amount collected will have to be quickly sorted into hay and needles by restricting stored collections to stuff pertinent to ongoing investigations.
The immediate local impact would be immense. But expect the feds to start inserting themselves into local legislating. This bill would make it impossible for federal agencies to accomplish their dream of connected, nationwide databases of license plate photos and biometric data.
Because the federal government relies heavily on partnerships and information sharing with state and local law enforcement agencies, passage of A11332 would hinder the creation of federal surveillance databases. Information that is never retained by the state cannot be shared with the feds.
If the bill passes unamended, law enforcement may be able to retain more than it should by making broad claims about everything in its collections being somehow relevant to investigations. If these legislators are serious about making this law do what it says it does, they will need to tack on some reporting requirements that will force agencies to go on the record about their data retention practices.
While it’s true law enforcement agencies can’t possibly know what data/footage will prove useful in future investigations, that shouldn’t be used as an argument for retaining everything collected. Legitimate privacy concerns should not be subordinated to New York law enforcement’s fear of missing out.
Filed Under: data, databases, new york, nypd, privacy, surveillance, video
Bad Info In Law Enforcement Database Turned Former Cop Into A 'Suspected Gang Member'
from the we're-from-the-gov't-and-we're-here-to-make-you-pay-for-our-mistakes dept
Law enforcement databases, while useful in investigations, are also severely problematic. Not only does the desire to “collect it all” result in databases full of information about innocent people, but very few agencies are serious about deterring database misuse. In most cases — despite the constant threat of criminal prosecution — most abusers are hit with nothing more than short suspensions for improper access.
Then there’s the problem with the humans running the systems. When mistakes are made (or information is entered for more malicious reasons) by government agencies, the consequences for those mistakenly targeted can be severe.
During a bitter, year-long legal battle that ended last month, Mr Hanson was shocked to discover his name was embedded in the police database as a “person of interest” involved in “suspected criminal activity” and “possibly associating” with Comanchero Outlaw Motorcycle Gang members.
The intelligence entry carried the highest “A1” police reliability rating. But Fairfax Media can reveal the only basis for the report was that Mr Hanson’s family car had been observed in the same street, at the same time, as “two motorcycle riders” wearing Comanchero shirts.
The appearance of Mark Hanson (not his real name) in the police database occurred after a traffic stop in a casino parking lot. The officer performing the stop jumped to several conclusions, stating that Hanson’s car was spotted “in the vicinity of several sports cars and motorbikes” on another street. In addition, the officer referred to the vehicle Hanson was driving his family in as “hotted up.”
These inferences — all of which were based on coincidental observations not backed up by any info collected by the officer — became the official police narrative, thanks to his report’s entry into the law enforcement database. From that point on, former police officer Hanson was considered to be involved in gang-related activity.
Because Hanson is a former police officer, he was able to get this corrected. Most citizens don’t have the power to make that happen. He approached police supervisors about his database entry and was given some vague assurances that the bullshit he had been subjected to because of the officer’s report might not happen again.
When Mr Hanson canvassed senior police about the revelation, the force’s Professional Standards chief inspector Gregory Jewiss confirmed that the constable had generated an “entity link” containing unconfirmed information but said there was no evidence to suggest “any malicious intent” had been involved in its creation. He added the officer would be spoken with to ensure his “knowledge” was “improved” and such linkages were “not made again”.
But the assurance that his database record had been purged did nothing to mitigate the damage already done. Hanson’s entirely fake criminal status had already made its way into the hands of other agencies with access to the database, like State Crime Command’s gangs squad and the Australian Crime Commission.
Hanson was forced to go to court to get this information excised. The removal the chief inspector assured him about wasn’t performed proactively. Having both the money and knowledge to press his case effectively was key for Hanson’s courtroom success. For most people, these two resources are beyond their reach, as was confirmed by a recent COPS (the criminal database in question) forum held by the New South Wales Council for Civil Liberties.
The forum found that while entries in the database can result in extra police attention, it is “highly unlikely” that people would ever obtain intelligence reports and there is no entitlement to amendment of the database.
Citizens have no right to correct law enforcement’s wrongs and no right to see what information has been gathered on them. They are almost completely at the mercy of the government. And the government is no less prone to errors or vindictiveness than those outside of it. The difference is that the government can do far more damage than any individual can, as it has the ability to mobilize entire agencies based on bad information.
Filed Under: databases, law enforcement, police
Kuwait Backtracks On Mandatory DNA Database Of All Citizens And Visitors
from the this-is-why-it's-always-worth-protesting dept
A few weeks ago, we reported on a move by some public-spirited lawyers in Kuwait to challenge an extraordinary new law that would require everyone in the country — citizens and visitors alike — to provide their DNA for a huge new database. It seemed like a quixotic move, since the Kuwaiti authorities were unlikely to be intimidated by a bunch of lawyers. And yet Kuwait has indeed backed down, as reported by New Scientist:
> Kuwait plans to scale down, and may ultimately revoke, a law forcing all its citizens and visitors to provide samples of their DNA.
As well as the legal moves, a request from the country’s ruler, the Emir of Kuwait, that the law should be revised in a way that would “safeguard people’s privacy” seems to have led to a massive scaling-back of the plans:
> The Kuwait parliament has now agreed to change the law so that only suspected criminals will need to give their DNA.
Although taking DNA from “suspected” — not convicted — criminals is still problematic, overall, this is welcome news, especially for visitors to the country, who presumably won’t now have their DNA sampled. It’s also a reminder that public outcry, especially on a global scale, can occasionally succeed in getting really bad laws revoked, which is why it is always worth trying.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: databases, dna, kuwait, privacy, surveillance, tourists
Yes, Police Are Snooping Through Criminal Databases For Personal Reasons All The Time
from the as-long-as-zero-fucks-are-given,-nothing-will-change dept
The more journalists and other FOIA enthusiasts gain access to public records, the more we discover that a combination of access and power tends to result in abuse. Even as this abuse goes unaddressed, law enforcement agencies are striving to add more personal information to their databases, extending far past the usual “name/last known location” to encompass a vast array of biometric data.
Privacy watchdogs have been fighting against these for good reason: very little is known about the contents of these databases or the controls put in place to protect the info from inappropriate access. What is known is that these databases are misused by law enforcement officers routinely. What’s also been discovered is that this routine misuse is rarely ever punished to the extent the law allows. Warnings about possible jail time are meaningless when the usual punishment ranges from nothing at all to short suspensions.
The Associated Press has obtained another pile of documents from public records requests that show little has changed. Abuse of access is still a common occurrence, as is the lack of meaningful consequences. There’s almost no oversight and no federal law enforcement body holding agencies accountable for misuse of databases under their control.
No single agency tracks how often the abuse happens nationwide, and record-keeping inconsistencies make it impossible to know how many violations occur.
But the AP, through records requests to state agencies and big-city police departments, found law enforcement officers and employees who misused databases were fired, suspended or resigned more than 325 times between 2013 and 2015. They received reprimands, counseling or lesser discipline in more than 250 instances, the review found.
Unspecified discipline was imposed in more than 90 instances reviewed by AP. In many other cases, it wasn’t clear from the records if punishment was given at all. The number of violations was surely far higher since records provided were spotty at best, and many cases go unnoticed.
What was uncovered from the incomplete set of records is the expected behavior. Give someone access to a wealth of other people’s personal information and it will be used for personal reasons. Law enforcement officers have misused the databases to stalk and harass exes, look up women they find attractive, and to search for something to discredit journalists and other critics.
Violations frequently arise from romantic pursuits or domestic entanglements, including when a Denver officer became acquainted with a hospital employee during a sex-assault investigation, then searched out her phone number and called her at home. A Mancos, Colorado, marshal asked co-workers to run license plate checks for every white pickup truck they saw because his girlfriend was seeing a man who drove a white pickup, an investigative report shows.
In Florida, a Polk County sheriff’s deputy investigating a battery complaint ran driver’s license information of a woman he met and then messaged her unsolicited through Facebook.
Officers have sought information for purely personal purposes, including criminal records checks of co-workers at private businesses. A Phoenix officer ran searches on a neighbor during the course of a longstanding dispute. A North Olmsted, Ohio, officer pleaded guilty this year to searching for a female friend’s landlord and showing up in the middle of the night to demand the return of money he said was owed her.
Most abuse of law enforcement databases goes undiscovered. The systems generally have no way to tell appropriate use from inappropriate use. Officials who did agree to speak on the record noted that the usual indication of misuse tends to be complaints filed by those targeted by the illegal searches. And that generally only happens when officers perform other illegal or abusive actions, like the previously-mentioned stalking and harassment.
Any attempt to quantify these illegal searches is likely fruitless for the time being. The police haven’t shown much interest in policing themselves, and the DOJ has never floated the idea of collecting data on database misuse. Violations are not required to be reported to the FBI. That agency performs spot checks of database requests, but uses a small sampling and the audits are far from comprehensive. Even when records do exist, law enforcement agencies are reluctant to release them. Several records requests by the AP were denied.
On top of that, laws covering access to law enforcement databases vary from locality to locality, and even at the federal level, the issue of illegal vs. inappropriate still hasn’t been conclusively determined. The DOJ often displays tremendous enthusiasm when wielding the CFAA against citizens for “unauthorized access,” but seems far less willing to do so when law enforcement officers use criminal databases for personal reasons.
It’s almost impossible to deter inappropriate behavior when nearly everyone involved takes a hands off approach to the issue. Trying nothing obviously isn’t working. And the more that’s harvested by the government under the auspices of law enforcement, the more data there is available to be abused.
This is just another item in a long list of law enforcement abuses that has gone unaddressed for decades now — either internally or by the federal government. Trust is something that’s earned. Trust shouldn’t just be handed over, and that level should deteriorate as abuse is exposed, rather than remain unchanged. But that’s not what has happened over the years. Instead, law enforcement agencies enjoy a perpetual benefit of the doubt. The end result is obvious: agencies and their employees have no problem abusing trust because they’ve expended no effort in “earning” it.
Filed Under: abuse, databases, law enforcement, police, privacy, spying
Report Shows UK Police Improperly Accessed Data On Citizens Thousands Of Times
from the trust-issues-to-remain-unresolved-for-the-time-being dept
A lot of the problem with access is the access itself. Give enough people a way to look up compromising information on nearly anyone and abuse is guaranteed. Human nature ensures this outcome.
Sure, abuse could be curbed with actual, substantial punishments for abusing this access, but as we’ve seen time and time again, the threat of firings and jail time doesn’t mean much if law enforcement officers are rarely, if ever, fired/jailed for abusing their access privileges.
The larger problem with access is the lack of strong deterrents. Access is essential to law enforcement work, but far too often, this access is used for anything but law enforcement reasons.
Big Brother Watch has released a report [PDF] detailing numerous abuses of law enforcement databases by UK police staff over the past several years.
Between 2011-2015, there were more than 800 individual UK police personnel who raided official databases to amuse themselves, out of idle curiosity, or for personal financial gain; and over 800 incidents in which information was inappropriately leaked outside of the police channels.
The incidents are reported in a new Big Brother Watch publication, which also reports that in most cases, no disciplinary action was taken against the responsible personnel, and only 3% resulted in criminal prosecution or conviction.
The report is an altogether depressing read. It shows that UK police staff can often be no better than the people they’re supposed to be protecting citizens from — like malevolent hackers, serial harassers, and mob bosses.
Safe in Police Hands? shows that between June 2011 and December 2015 there were at least 2,315 data breaches conducted by police staff. Over 800 members of staff accessed personal information without a policing purpose and information was inappropriately shared with third parties more than 800 times. Specific incidents show officers misusing their access to information for financial gain and passing sensitive information to members of organised crime groups.
A majority of these “breaches” resulted in nothing at all happening to violators.
1283 (55%) cases resulted in no disciplinary or formal disciplinary action being taken.
The breaches range from the stupid…
An officer found the name of a victim amusing and attempted to take a photo of his driving licence to send to his friend via snapchat. The officer resigned during disciplinary action.
… to the disturbing.
An officer has been suspended and is under investigation for abusing his position to form relationships with a number of females. It is suspected that he carried out police checks without a policing purpose.
Even as law enforcement agencies demand access to more data and work with national agencies to obtain additional personally-identifying information, like biometric data, they continue to handle this sensitive data with extreme carelessness.
Kent Police were fined £100,000 in March 2015 after leaving hundreds of evidence tapes and additional documents at the site of an old police station. The breach was only discovered after an officer visited the new owner of the premises and discovered them by accident. In a similar incident South Wales Police were fined £160,000 in May 2015 for losing a video recording which formed part of the evidence in a sexual abuse case. Due to a lack of training the loss went unreported for two years.
The long list of breaches listed in the report covers everything from improper access to abuse of CCTV footage to hacking into private Facebook accounts. In numerous cases, officers resigned while under investigation rather than face the consequences of their actions. This is why Big Brother Watch suggests UK police officials — and the government agencies that oversee them — need to start taking this far more seriously than they currently do. One recommendation is to prevent abusers from slipping away unscathed by leaving the force.
> Where a serious breach is uncovered the individual should be given a criminal record.
>
> At present people who carry out a serious data breach are not subject to a criminal record. They could resign or be dismissed by an organisation only to seek employment elsewhere and potentially commit a similar breach. In organisations which deal with highly sensitive data, knowing the background of an employee is critical.
The organization also suggests the government should put a few more teeth in its enforcement by attaching jail time to serious breaches — something current law only hints at, rather than requires. Big Brother Watch also recommends mandatory, immediate disclosure of breaches to the victims whose records were improperly accessed. It also recommends the Snooper’s Charter proposal to add citizens’ online activity to law enforcement databases be rejected, if only because agencies have shown they can’t secure the data they already have access to. Giving agencies with a track record of abuse access to even more potentially sensitive data — without instituting serious deterrents — is only asking for more trouble.
Filed Under: databases, privacy, searches, uk
Why The FDA Ban On Providing Health Reports Based On Personal Genomes Won't Work
from the because-DNA-is-digital-data dept
When the first human genome was sequenced — that is, when most of the 3 billion base-pairs that go to make up our DNA were elucidated — as part of the Human Genome Project, around $3 billion was spent. Today, the cost of sequencing is falling even faster than Moore’s Law, which means everyone could have their genome sequenced soon, if they wished (and maybe even if they don’t….). By analyzing the DNA, and looking at the gene variants found there, it is possible to spot predispositions to certain diseases or medical conditions, potentially allowing lifestyle changes or treatment that reduce the risk. The well-known personal genomics company 23andMe was offering this kind of service, at least on a small scale. But that stopped at the end of last year, as the company explains:
> We no longer offer our health-related genetic reports to new customers to comply with the U.S. Food and Drug Administration’s directive to discontinue new consumer access during our regulatory review process.
>
> At this time, we do not know the timeline as to which health reports might be available in the future or when they might be available.
According to an article in MIT Technology Review, here’s what had happened:
> in November 2013, the Food and Drug Administration had cracked down on 23andMe. The direct-to-consumer gene testing company’s popular DNA health reports and slick TV ads were illegal, it said, since they’d never been cleared by the agency.
But as that same article goes on to explain in detail, users of 23andMe are having no difficulty in getting around that ban on obtaining health-related analyses of their genomes, using third-party sites like Promethease:
> Promethease was created by a tiny, two-man company run as a side project by Greg Lennon, a geneticist based in Maryland, and Mike Cariaso, a computer programmer. It works by comparing a person’s DNA data with entries in SNPedia, a sprawling public wiki on human genetics that the pair created eight years ago and run with the help of a few dozen volunteer editors. Lennon says Promethease is being used to build as many as 500 gene reports a day.
That kind of analysis is possible because, once sequenced, DNA is essentially just digital data: very easy to upload and compare against biomedical databases storing information as digital files. Even though they are not currently allowed to analyze it, companies like 23andMe still provide customers with access to the raw genomic data, which can then be sent to services like Promethease for a basic report drawing on its DNA database.
This raises an interesting question: given that the information on SNPedia is drawn from public databases, can the FDA stop people using it to circumvent the ban on 23andMe? According to MIT Technology Review, the FDA believes the answer is “yes”, but that just won’t work in practice. Even if the FDA manages to shut down all the services like Promethease, it would be easy to write a program that searches the main public biomedical databases for exactly the same kind of information about particular gene variants found in somebody’s genome. The software could be shared freely as open source, making it impossible to prevent people from obtaining the program and carrying out such searches independently on their own computers.
It’s true that there are good reasons why the FDA might be concerned about members of the public being given medical analyses of their genome in inappropriate ways. For a start, the results are generally probabilistic, rather than definite predictions; that makes them hard for non-experts to interpret. And when it isn’t about probabilities — if it is certain that you will develop a disease, possibly a devastating one — there’s a strong argument that counselling needs to be made available when that information is given to the person affected.
Still, regardless of the extent to which the FDA’s actions are understandable, trying to stop people comparing their DNA with publicly-available information is futile. As the copyright industry has learned the hard way, once data is digital, it is essentially uncontrollable. The best thing to do is to accept that fact and move on. In this case, that means the FDA should encourage companies offering analysis to do a good job, not block them completely.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: databases, dna, fda, information, innovation, public health
Companies: 23andme
Senate Not Concerned About How Often NSA Spies On Americans, But Very Concerned That It Built Open Source Software To Do So
from the priorities,-people dept
Wired has a troubling story of how the Senate Armed Services Committee is pushing a bill that would likely kill off an open source NoSQL project that came out of the NSA called Accumulo. Like many other such NoSQL efforts, the NSA basically took some Google white papers about its BigTable distributed database setup, and built its own open source version, with a few improvements… and then open sourced the whole thing and put it under the Apache Foundation. It’s kind of rare to see such a secretive agency like the NSA open source anything, but it does seem like the kind of thing that ought to be encouraged.
Unfortunately, the Senate Armed Services Committee sees things very differently. As part of a 600-page bill that’s being floated, it actually calls out Accumulo by name, and suggests that it violates a policy that says the government shouldn’t build its own software when there are other competing commercial offerings on the market. The reasoning is basically that the government shouldn’t spend resources reinventing the wheel if it can spend fewer resources using existing code. You can see the basic reasoning behind that, but applying it here makes little sense. As the article notes, here we’re talking about software that’s already been developed and released — not a new effort to rebuild existing software. In fact, those who follow this stuff closely note that Accumulo did “break new ground” with some of its features when it was being built. To then kill it afterwards seems not just counterproductive, but could also create a chilling effect for government open source efforts, which seem like something we should be encouraging, not killing.
What’s really odd is the close interest that the Senate seems to be paying to this. The discussion is very specific, naming Accumulo and some of the competing offerings on the market. They’re specifically calling out this one product. Of course, as Julian Sanchez notes, there’s a bit of irony in the fact that the very same Senate appears to have absolutely no interest in finding out how often the NSA spies on Americans… but sure is concerned about what database it uses to store all of the information it’s getting.
Of course… all of this raises a separate issue in my mind: can the NSA even open source Accumulo? I thought that creations of the federal government were automatically public domain, rather than under copyright. And, thus, putting it under a specific license might, in fact, present limitations that the government can’t actually impose on the software…. Thus, shouldn’t the software code actually be completely open as a public domain project? The government should be able to set up an Apache-like setup, but one without any restrictions on the code.
Filed Under: accumulo, bigtable, databases, nosql, nsa, open source, senate, spying
Canada Post Claims Copyright Over Postal Codes, Meets Resistance
from the it's-precedent-setting-time dept
A few years ago, we wrote about the UK’s Royal Mail using a dubious copyright claim to bully a website into shutting down because it offered postal code data. In that case, the company chose not to fight the claim—and yet not long afterwards, UK officials decided to free up postal code data. Now, Michael Geist reports that a similar conflict is brewing in Canada—except this time, the company is fighting back:
> Canada Post has filed a copyright infringement lawsuit against Geolytica, which operates GeoCoder.ca, a website that provides several geocoding services including free access to a crowdsourced compiled database of Canadian postal codes. Canada Post argues that it is the exclusive copyright holder of all Canadian postal codes and claims that GeoCoder appropriated the database and made unauthorized reproductions.
>
> GeoCoder, which is being represented by CIPPIC, filed its statement of defence yesterday (I am on the CIPPIC Advisory Board but have not been involved in the case other than providing a referral to CIPPIC when contacted by GeoCoder’s founder). The defence explains how GeoCoder managed to compile a postal code database by using crowdsource techniques without any reliance on Canada Post’s database. The site created a street address look-up service in 2004 with users often including a postal code within their query. The site retained the postal code information and gradually developed its own database with the postal codes (a system not unlike many marketers that similarly develop databases by compiling this information).
GeoCoder is putting forth a huge array of defenses. They point out that postal codes, as facts, should not be copyrightable, that Canada Post’s copyright claim over the database itself is questionable, that even if such copyright exists their crowdsourced database is not infringing, that free postal code data is in the public interest, and that Canada Post’s complaint represents anti-competitive copyright misuse. As such, this will prove to be a test case for a bunch of legal questions that have yet to be fully answered by Canadian courts.
Ultimately, attempting to control postal codes makes no sense. Making it harder for people to utilize them and build services around them just decimates their purpose, and speeds their path to irrelevance in a world with lots of much better and more accessible location data—not to mention a world where physical locations and permanent addresses matter less and less for many purposes. It also seems entirely unfair: since postal codes are required for all sorts of things, including most interactions with the government, how can Canada Post (a state-owned corporation) restrict access to them? All these arguments and more are likely to be raised, and could attract some interesting interveners to the case. This will definitely be a trial to watch.
Filed Under: canada, crowdsourcing, databases, michael geist, postal codes
Companies: canada post