Stahlman Award

Good news. I was recently named a Stahlman Scholar by the Vanderbilt Center for Biomedical Ethics and Society (CBES). As many of you know, my research in data privacy is driven both from technical and social perspectives (especially due to the fact that privacy is an inherently social phenomenon). A large portion of my research has focused on the development of algorithms and software to re-identify seemingly anonymous health information, as well as provably protect health information shared for secondary research purposes. That said, my work has had little in terms of the ethics or social justice concerns regarding re-identification and protection technologies. The CBES award is to support an investigation into how re-identification technologies affect the scientific community and public at large. For example, one question that this work will look into is the following. Imagine that you develop a technology that can re-identify person-specific health information in a public repository. What should you do? Should you notify the individuals whose records you have re-identified? What about the organization that posted the records? Should you publish your methods to help advise other organizations on the pitfalls associated with "protecting" their records in the same way as the organization whose records you compromised?

In a sense, this work is similar to studies in the ethical hacking community. However, the problem is quite different because in a hacking environment, we are normally talking about systems or computer security. And, when you find a "hole" in the security, you can notify the owners the affected systems and post a patch (ala Microsoft's extreme programming model). Yet, when we consider privacy and re-identification issues, we have to recognize that data is public and may be used by many people for legitimate purposes and many times the privacy vulnerability are not due to a single location's negligence. Rather, multiple organizations disclose information that in combination lead to a failure of protection in the system. Thus, none of the organizations violated the law, and none may even be accountable for their actions, but the system is still broken.