
Facebook was in talks with hospitals about a proposal to share data - WizardOfNomaha
https://www.cnbc.com/2018/04/05/facebook-building-8-explored-data-sharing-agreement-with-hospitals.html
======
marcell
The pile on continues...

(1) This is probably a project by a small "research" group at Facebook. The
goal of that group is probably to publish papers in a Psych journal or
something like that about how they were able to correlate anonymized medical
data with Facebook feed updates. Tech companies have these research groups for
prestige, they are not central to the company mission.

(2) According to the article, the project was never actually started. So it
sounds like a bit of a non-story.

~~~
craftyguy
I dislike/disagree with facebook more than most folks, but even I can smell a
dead horse being beaten.

~~~
apotheothesomai
For years privacy-minded people have complained about the lack of recognition
of privacy issues among the masses. Suddenly, story after story about aspects
of Facebook's anti-privacy practices are being read by the public. This will
lead to more stories about other data mining entities as well.

The more this keeps up, the more concrete privacy issues will be in the minds
of many.

And yet, HN is full of dismissals. I've decided that to many here, the idea of
being in an "elite", informed group is more important than the actual issues.

Given that you are not the target audience of these stories, are you really in
a position to judge whether they have reached "dead horse" status?

~~~
Joeboy
> Given that you are not the target audience of these stories

Isn't that an argument for not having HN filled with these articles?

~~~
rainbowmverse
Only if the subgroup "people who are tired of all this privacy stuff" is
representative of HN's readership. There are more people reading than will
ever comment. That's true of any community.

------
lovelearning
Although the medical data itself may be "anonymized", surely FB is in a
position to associate that data with actual people, given that they know so
much about a person's schedule, location, searches and private messages.

~~~
sveme
Deanonymization of medical data is actually pretty easy if you know a little
about your target (age group, height, a set of pre-existing medical conditions
limit the set of potential people considerably).

~~~
downandout
Just an aside... of the many things I have entered into Facebook over the
years, I am 100% certain that I have never given them my height or
pre-existing medical conditions.

~~~
froindt
There may be some other ways to link it up, at least with a degree of
confidence. It really depends on what information is shared from the medical
community and by the patient on Facebook.

A couple points of speculation:

* Facebook may possess a machine learning algorithm which can estimate weight from pictures. Getting within 5 pounds would eliminate most other people.

* Facebook could make photos of you and estimated weights into a time series, and pair up appointment dates with photos shared.

* Given enough photos with you and other people, they could probably estimate your height reasonably well. We know height distributions by age and race. If you're a Caucasian 21 year old female and consistently on average 10% shorter than the Caucasian males you're standing next to, that gives some info.

* Many people have willingly given the familial relationships to Facebook (tagging people as mom, dad, cousin, etc.) which will only help in being confident of race and the various risk factors which are higher in each race.

* Facebook knows your gender, which cuts out about half of the people. Such a basic fact would almost certainly be shared by the medical community.

* Facebook either has your birthday or could estimate it based on how you look. Again, being 98% confident of your age +/- 3 years cuts out most people.

All these fuzzy signals added up could lead to a reasonably confident matching
up.

Anonymous data release is difficult. About 87% of people are uniquely
identifiable by their date of birth, zip code, and gender.

[https://news.ycombinator.com/item?id=2942967](https://news.ycombinator.com/item?id=2942967)

~~~
throwaway84742
Not to mention location metadata on pics taken at or near doctors offices, and
“private” messages in Messenger which they admitted they read.

------
appleflaxen
In light of this news, the fact that Zuckerberg General Hospital exists is in
some ways completely irrelevant/cosmetic, but is simultaneously kind of
hideous.

~~~
ramphastidae
I mean, I’m no FB fan at all, but why? Assuming it’s named that because he
made a donation and he’s not using his leverage at the hospital
inappropriately, isn’t it only fair to give him some credit when his
surveillance money is used for good? Similar to Bill Gates.

~~~
52-6F-62
Mild poetic irony is all they likely meant.

~~~
ramphastidae
Fair enough :) Guess I shouldn’t be reading HN too early in the morning.

~~~
52-6F-62
You’re not alone!

------
alexeiz
What's next? Facebook asks teens to share nude photos? (You know, for
science!) Wait, they already did that!

------
codedokode
> Facebook proposed using a common computer science technique called "hashing"
> to match individuals who existed in both sets

But Facebook has the source data from which the hashes were generated, so they can
always reverse them.

Furthermore, if you take a hash from name and surname, it can be easily
reversed because the set of names and surnames is relatively small.

~~~
d33
Not if you use salt.

~~~
Xylakant
Even if you salt the hashes.

The problem is that the number of inputs is limited and it's trivial to
enumerate over the input values. Let's take a contrived example: We have the
data of a small, entirely made-up island where only two families live, so we
have two surnames. Let's name them Foo and Bar. Now, they have an entirely
funny tradition, they all get first names based on the order in which they
were born (1). So we have Firstborn, Secondborn. Let's also, for simplicity
assume that each couple gets exactly two children. That gives us the following
4 possible combinations of names:

    Firstborn Foo
    Firstborn Bar
    Secondborn Foo
    Secondborn Bar

Let's assume that there are 10 million of those people and we hash their names
with a salt, that gives us 10 million unique hashes. But to break each hash,
we only need to try at most 4 times, that's 40 million tries. Hashing speed
varies from hash to hash and the hardware, but good old md5 easily achieved a
few million hashes per second on a stock CPU in 2012. GPUs are usually around
two orders of magnitude faster (2). So in the worst case, your desktop PC
could break all those 40 million hashes in a few seconds without breaking a
sweat. Better hashes are slower, but with such a limited input space, even the
best hashes are breakable.

So no, salts won't save you here.

(1) This is not entirely fictitious: [https://nowiknow.com/wayan-balik/](https://nowiknow.com/wayan-balik/)

(2) See for example the hashcat benchmarks
[http://thepasswordproject.com/oclhashcat_benchmarking](http://thepasswordproject.com/oclhashcat_benchmarking)
and [https://blog.codinghorror.com/speed-hashing/](https://blog.codinghorror.com/speed-hashing/)
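The enumeration described in the comment above, as an added example that is not part of the thread: per-row random salts stored beside SHA-256 digests over the island's four-name space are recovered with at most four guesses per row, whereas a keyed HMAC under a key the recipient never receives resists the same enumeration (only the key holder can run it). The names, the "patient" column and the key are constructed for the example.

```python
import hashlib
import hmac
import os
from itertools import product

# Constructed input space from the island example: two first names, two surnames.
NAME_SPACE = [f"{f} {s}" for f, s in product(["Firstborn", "Secondborn"], ["Foo", "Bar"])]
# Constructed "patient" column; a real release has millions of rows but the same tiny space.
PATIENTS = ["Secondborn Bar", "Firstborn Foo", "Secondborn Bar", "Firstborn Bar"]


def salted_digest(salt, name):
    return hashlib.sha256(salt + name.encode()).hexdigest()


def keyed_digest(key, name):
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()


def pseudonymise_salted(names):
    """The scheme the comment critiques: fresh random salt per row, stored beside its digest."""
    records = []
    for name in names:
        salt = os.urandom(16)
        records.append((salt, salted_digest(salt, name)))
    return records


def reidentify_salted(records, candidates):
    """Whoever holds salt + digest needs at most len(candidates) hashes per row (4 here).
    The salt only defeats a single precomputed table; it cannot enlarge the input space."""
    found = []
    for salt, digest in records:
        guesses = {salted_digest(salt, c): c for c in candidates}
        found.append(guesses.get(digest))
    return found


def pseudonymise_keyed(names, key):
    """Keyed alternative: HMAC under a key the data recipient never receives."""
    return [keyed_digest(key, n) for n in names]


def reidentify_keyed(digests, candidates, key_guess):
    """The same enumeration under a guessed key. Without the real key nothing matches;
    with it, one table of len(candidates) entries re-identifies every row, so the
    key holder can always reverse the pseudonyms."""
    guesses = {keyed_digest(key_guess, c): c for c in candidates}
    return [guesses.get(d) for d in digests]
```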

~~~
d33
Doesn't it only apply if the salt is known or constant? If I passed you
hash(x) + aes(random_salt), would this attack work?

~~~
Xylakant
The salt must never be a constant, the entire point of a salt is that two
identical inputs do not hash to the same value. However, it must be stored
alongside the hash, so that you can later verify the hashed value. Many modern
password hash functions (bcrypt for example) do store the salt as part of the
hash.

~~~
d33
That's not the point. Salt is constant, but different for each entry. They can
encrypt the salt and when they share it with hospitals, those can't reverse
the hash but FB can. Doesn't it solve the problem?

------
HugoDaniel
Medical insurers might enjoy knowing your fast food and
alcohol/tobacco/risky behavior preferences.

------
NamTaf
FB seems to have (rightly) realised that this is one of those 'just because we
can, doesn't mean we should' cases, especially given the current situation.
It's a bit of a non-story, and if I squint I can see the possible academic
value in it, but given how battered FB's reputation is right now it's
definitely not the time to try something like this.

I am sure that the privacy issues could be overcome with a properly run
experiment, however there probably needs to be some rigour around that
(possibly more than what was going to be provided given FB's history).

~~~
jmull
HIPAA laws (which protect the privacy of patient health information) have some
real teeth. If Facebook was not scared off by them, their partners -- the
hospitals -- may well have been.

~~~
wonderbear
Thankfully: we still have HIPAA.

------
dschuetz
I don't understand. Why? What was the motivation to conduct such talks?
Regarding what Facebook does, according to Facebook _connecting people_, how
does patients' medical data contribute to that? "You were committed to the
local hospital last week, connect to people who shared that experience with
you?" It doesn't make sense at all!

~~~
polarix
It's hard to connect with someone if they're dead.

------
HenryBemis
I can envision the many benefits of such a feat, but why do I think that
suddenly ALL that data would end up in insurance companies' greedy hands?

Would FB actually ask the users if they wish to opt in to this sharing? Does
FB ever care about its 'products'? Sorry I meant to write 'users'.

------
rmykhajliw
If I were an FB owner or in this research data I'd put all my skill into
deanonymizing that HIPAA medical data because it's clearly a gold mine for
insurance companies and pharmacy. It's really easy to sell those users and
their data, because of high demand.

~~~
codedokode
It would be super easy. Facebook has both source data for a person and the
hash that was generated. So they can always reverse the hash.

------
askl56
Surely this passes into the realms of illegality?

~~~
nathanaldensr
I was wondering something similar. If Party B acquires Party A's
anonymized-but-subject-to-HIPAA data and successfully deanonymizes it, who is
liable? If the data is deanonymized, doesn't this mean the data wasn't
sufficiently anonymized to begin with and Party A has some liability? Is Party
B also liable since their goal from the start was to deanonymize the data?

~~~
leecarraher
Hopefully ICA-susceptible de-anonymization techniques are no longer HIPAA best
practice. Or perhaps this is a study to prove that newer additive and
multiplicative techniques are also susceptible to de-anonymization attacks.

------
FidelCashflow
It seems like a perfect pairing given the rise of the "fitness trackers" that
are so popular. They could build vastly better risk models for [to sell to]
the insurance companies with access to "anonymous" health history combined
with all the data that the fitness trackers collect.

------
sseth
I am curious about the "cryptographic hashing technique" being proposed. How
does that work? Is it just a hash of the name / dob / other identifying info?
Does it somehow include matching faces?

~~~
xxs
Dunno what's proposed but hashing personal data doesn't work in terms of
anonymity, due to the small space of the said data.

In the days of cryptocurrencies, brute forcing the hashes (imagine names, day
of birth, city) is a trivial task.

------
clickme_zsh
Facebook might have collected a lot of data in India, especially in Southern
states where they advertised blood donation camps and asked people to
volunteer.

They might have a lot of data on people by now as many of my ex-classmates
joined for blood donation drives.

People don't care about privacy anyway (at least where I live) until someone
explains the implications of it to them. :/ I can't prove that they collected
the volunteers' data though, as I didn't take part in it.

------
cmpxchg
The initial partnership was with Stanford hospitals. Many in the HN community
live in the Bay Area and may have used these medical facilities. If you are
concerned, other boards are suggesting patients can contact:

James Laflin, Stanford School of Medicine Ombudsperson: jlaflin@stanford.edu /
650-498-5744

David Entwistle, CEO Stanford Healthcare: 650-723-4000

------
chillingeffect
This reminds me of Microsoft's purchase of LinkedIn. It's as if these corporate
giants are trying to scoop up as much data about our lives as possible.

------
ggggtez
To be quippy, "hashing is not privacy". Netflix learned that the hard way too.

~~~
psychometry
What was the Netflix thing?

------
leecarraher
It could be an epidemiological study on aggregate populations for some
communicable disease. In all cases the hospital side would be bound by HIPAA
to anonymize any data they provided. Google does similar prediction studies
based on search, and it is very valuable to the CDC for allocating flu
vaccine.

------
dawnerd
Can we just put a pause on all the Facebook stories for a while? Lots of fluff
pieces with no real content making it to the homepage from outlets that are
banking off the current outrage.

~~~
pi-squared
I actually like it; it's been brewing for a while and for once the news is
keeping a story for more than 3 days. I get tired of constantly changing topics
and shifting focus. And of course, the media has a huge revenge to get on
Facebook for Facebook algos deciding which ones to promote and which not and to whom.

------
lmilcin
I hope that by now everybody understands that we are the product, not the
customers.

~~~
chillingeffect
This is generally very true, especially for facebook, but there are cases of
pure altruism and fraternity, such as open and free software. Some people
really do want the world to be a better place and dedicate small or large
amounts of their life's work to improving it for the others.

Some free things are actually wholesome. So we have to learn how to
discriminate between whether something free is actually good for us.

~~~
lmilcin
Fully agree. But a large for-profit company with investors has an obligation
to turn a profit. There can't really be true altruism within those rules unless
what appears as altruism supports the for-profit goal of the company because they
for some reason are aligned with your goals. If you are not paying for it then its
interests are not likely aligned with yours. I don't want to say for-profit
companies can't do good, because they do. You just have to be constantly
vigilant that your goals and the company's goals stay aligned.

------
feelin_googley
Building 8, which is responsible for this project, is under the direction of the
same person who wrote the memo about "questionable practices", incidental
deaths and "connecting people".

The previous director quit after less than two years. There are videos on
YouTube of motivational speeches for Building 8 projects. I watched one; it
felt cult-like.

One of these Building 8 projects, Aloha, a video chat device, was set to
launch next month but they have sidelined it, for obvious reasons.

Apparently they took surveys and users did not trust FB; they were worried the
device would be used to spy on them.

Then they considered marketing it as "a device for letting the elderly easily
communicate with their families." They also considered selling it under a name
other than Facebook.

Source:

[http://www.businessinsider.com/facebooks-andrew-bosworth-to-...](http://www.businessinsider.com/facebooks-andrew-bosworth-to-lead-oculus-building-8-aloha-video-chat-device-details-2017-8)

------
feelin_googley
Here's an interesting "letter to Mark Zuckerberg" from a professor of health
informatics who has worked with the NHS for the last 34 years.[1]

It discusses the issue of "the creepy line" and how to manage it in terms of
getting _informed consent_ to use electronic patient records.

He suggests the NHS has "25 years of data on 50 million people" but because
_consent_ is required they cannot extract much meaningful information from it.

He says that in an effort to "get around" this problem, the government
proposed the concept of "implied consent".

A former shipyard worker in one of the author's workshops evaluated this
concept plainly as thus: "Clearly some London-based bollocks. Nobody implies
my consent."

[1] [https://www.digitalhealth.net/2018/04/joes-view-dear-mr-zuck...](https://www.digitalhealth.net/2018/04/joes-view-dear-mr-zuckerberg/)

