It never ceases to amaze me how the weakness of a secure system is always the people. It's common to see companies invest in "encrypted databases" and "on premises data storage" in the name of security while not spending the time and money to ensure the users can only see the information they need to see. Nobody should ever be able to just download the entire table like that.
Typically in this use case, you'd think the system would be set up such that users can only query full individual records if they work on the case itself OR limited (retracted) records for the entire population.
That's how we handle our customer database. If you work as a customer service agent, you can pull the entire record of a single customer but not more than 1 at a time and rate limited. For our data analytics team, you have access to all the records without the personal information (users are given a random unique userID. No names, addresses, emails, or phone numbers). The rationale is simple: we don't want anyone to be able to simply download our customer database and spam them.
In this case, the consequences are much worse for the people affected.
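The split described in the comment above (full record for one customer at a time, rate limited, for support; all rows without personal fields under a random ID for analytics), sketched as an added example that is not the commenter's actual system. The class, role names and field names are hypothetical and the rows are constructed.

```python
import secrets
import time
from collections import deque

PII_FIELDS = {"name", "address", "email", "phone"}  # direct identifiers to withhold

SAMPLE = {  # constructed sample rows, keyed by internal customer id
    "c1": {"name": "Ada Example", "email": "ada@example.com", "phone": "555-0100",
           "address": "1 Test St", "plan": "pro", "signup_year": 2021},
    "c2": {"name": "Bo Sample", "email": "bo@example.com", "phone": "555-0101",
           "address": "2 Test St", "plan": "free", "signup_year": 2022},
    "c3": {"name": "Cy Placeholder", "email": "cy@example.com", "phone": "555-0102",
           "address": "3 Test St", "plan": "free", "signup_year": 2023},
}


class AccessDenied(Exception):
    pass


class CustomerStore:
    """Hypothetical store exposing a different view of one table per role."""

    def __init__(self, records, max_lookups=3, window_s=60.0, clock=time.monotonic):
        self._records = dict(records)
        # Random per-customer ID for analytics; not derived from any real field.
        self._pseudonym = {cid: secrets.token_hex(8) for cid in self._records}
        self._max, self._window, self._clock = max_lookups, window_s, clock
        self._recent = {}  # user -> timestamps of recent full-record lookups
        self.audit = []    # (user, action, target, outcome)

    def _deny(self, user, action, target, reason):
        self.audit.append((user, action, target, "denied:" + reason))
        raise AccessDenied(reason)

    def lookup(self, user, role, customer_id):
        """Full record, one customer per call, support role only, rate limited."""
        if role != "support":
            self._deny(user, "lookup", customer_id, "role")
        now = self._clock()
        hits = self._recent.setdefault(user, deque())
        while hits and now - hits[0] >= self._window:
            hits.popleft()  # forget lookups that fell out of the window
        if len(hits) >= self._max:
            self._deny(user, "lookup", customer_id, "rate")
        hits.append(now)  # misses count too, so guessing ids burns the budget
        if customer_id not in self._records:
            self._deny(user, "lookup", customer_id, "unknown")
        self.audit.append((user, "lookup", customer_id, "ok"))
        return dict(self._records[customer_id])

    def export(self, user, role):
        """Every row, analyst role only, direct identifiers removed."""
        if role != "analyst":
            self._deny(user, "export", "*", "role")
        self.audit.append((user, "export", "*", "ok"))
        return [
            {"user_id": self._pseudonym[cid],
             **{k: v for k, v in rec.items() if k not in PII_FIELDS}}
            for cid, rec in self._records.items()
        ]


if __name__ == "__main__":
    store = CustomerStore(SAMPLE)
    print(store.lookup("alice", "support", "c1"))
    print(store.export("bob", "analyst"))
```

Dropping names and contact fields is pseudonymization only: the remaining columns can still single people out when combined, so the analytics view needs its own review.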
> Nobody should ever be able to just download the entire table like that.
Easily said, but even the NSA couldn't protect from an insider obtaining tons of internal documents. Nor could Google prevent the theft of LIDAR sensor trade secrets.
These access issues [commonly] aren't bugs, they're laziness. Shared volumes to speed up collaboration, no granular permissions, or relying on threat of access audit to keep people in line. In most of these networks, mechanisms exist that could have limited access to those that need it.
And part of that is the technological culture of how we've been taught to share files. We still commonly rely on third parties to handle big transfers.
Often it’s a conscious tradeoff between convenience and security. Google can afford the best off the shelf data loss prevention tools as well as the budget to develop their own. The problem with having your code/assets locked up like Fort Knox is that it becomes a nightmare for your employees. Even if you just have passive systems that prompt investigations about questionable usage people tend to bristle at being spied on, particularly if you remind them of that fact.
Any Australians who might not have opted out of our government centralised health record system starting up, just a heads up that you've only got three more days to do so.
Even despite the risk and probably inevitable leaks, I think a system like this is invaluable for epidemiological research. I'm not opting out. (Besides, the Red Cross has leaked a fair portion of my medical information anyway)
I'm not an expert and I know that a healthcare system requires the handling of personal data. While this data might end up aggregated at some level, I'm not entirely sure that a registry like this is required to exist in the first place.
For me it looks far too sensitive to have it as one central database. (... all assuming that it wasn't compiled by those who leaked it.)
edit: "sensible" doesn't actually mean what I thought it does. Replaced it with "sensitive".
> While this data might end up aggregated at some level, I'm not entirely sure that a registry like this is required to exist in the first place.
Yeah, and the crazies in the German government really want to create a centralized digital registry for health data. Cases like this show what a very bad idea this is.
In a Wild Wild West sense, you are ultimately in charge of your data and your outcomes. Because it doesn't matter what kind of laws supposedly constrain your insurance company or your accountancy; nobody can unring a bell, and it's human nature for information to spread.
As a German I have to say that registers for people are a great idea!
We have had very positive experiences with labeling people. While we had to do this in an analog way the last time, the label itself really helped a lot with "dealing" with people who were a problem.
I think if we would make registers like these again, modern technology would really help us to be even more efficient the next time.
Don't see what could go wrong, especially when political leaders change etc.
> As a German I have to say that registers for people are a great idea! We have had very positive experiences with labeling people. While we had to do this in an analog way the last time, the label itself really helped a lot with "dealing" with people who were a problem.
Sarcasm aside, Bavaria passed a law this past year which allows police to use DNA evidence to infer physical characteristics about a suspect's appearance. The same law also allows police to arrest people they suspect may commit a crime in the near future.
So, this principle is still alive and well in Germany.
Whenever someone moves to Germany, they have to get registered. One of the questions is about the religion (for tax purposes). I'm surprised Germany still uses this kind of registry.
Note that the registry for this is not central but managed by the towns instead. So it's very decentralized and data in this aggregated form doesn't exist. An often used trick by towns is to pretend some person didn't move away from the town, thus not decreasing the number of people who live there, thus increasing the number of various funds that are paid based on how many citizens the town has. So those registries often aren't 100% accurate.
> One of the questions is about the religion (for tax purposes). I'm surprised Germany still uses this kind of registry.
Forward thinking? Never know when they might need a list of people by religion, ethnicity, invalid status. Better to have and not use, than to need and not have it...or something :)
I think it's 1% of your income or something like that which is collected by the state for the church. (That itself is often discussed in Germany, as state and church should obviously not be mixed...)
But you can "leave" the church, it costs something like 40 Euro for the administrative action and that's it. No discussion whatsoever and you can keep your money. :-D
Well, right now it is. The original registry OP is referring to was probably not started to identify and exterminate people who were Jewish, but started for some more innocent reason and then abused when the wrong party assumed power.
I'm not totally into this right now but I think there were no such registrations in the beginning.
But as the Nazis had more and more influence laws ("Nürnberger Gesetze") were passed which required Jewish people to mark their shops and register themselves as Jewish etc. pp.
Also denunciations and more from neighbors happened, after Jews were declared "enemies" of the state, so everything came together.
edit: But potential misuse of any kind of registers by whomever is obviously the strongest point against those registers after all. Right-wing parties are always eager to have such things for obvious reasons.
You started this trollish tangent and posted like a dozen comments in it, which is effectively trolling whether you meant to or not. Could you please not do that on HN?
That argument means nothing to a radical anti-privacy person like me (e.g. prohibit any data to be concealed, except the means to authenticate oneself).
That particular problem is a great example, where I don't see any harm in revealing that information, as opposed to keeping it secret, which might cause actual harm in conjunction with the human factor.
Ignoring for a second the problems with allowing potential partners to see such data: What about if your employer sees it? Your colleagues? Your friends? Why should any of them have access to that information?
It's not special. If a funny nose was a non-visible condition, then I would be advocating against mandatory public funny nose databases too. But, that happens to be a visible condition so there's not much we can do to protect those people.
On the other hand, HIV is a non-visible condition which people could choose not to reveal if they don't want. Why should we take away that right, just because people with funny noses don't get the same luxury?
So we have two situations which both might cause harm. We have the situation where there is no mandatory public HIV reporting, which could cause harm in that it potentially allows more transmission of HIV. Then we have the situation where there is mandatory public HIV reporting, which could cause harm in that it could lead to people with HIV being ostracized. Why do you think the latter has more utility than the former? There have already been many good counterarguments in this thread but I will reiterate a few of them:
- Not every person with HIV is negligent, and to target people based on their circumstance rather than their actions could end up punishing more non-negligent individuals than negligent ones.
- People making risky decisions regarding their sexual partners or use of contraception are already not likely to check such a database even if it existed.
- Whereas the risk of transmitting HIV is exclusive to sexual partners, the risks of being publicly identified as HIV positive are far more widespread -- it could impact your career, your social status, etc.
Interestingly, I found this while searching for people killed for having HIV, which was suggested as a real threat by some other person in this thread to counter my point. I looked for "killed HIV" with DuckDuckGo.
OK, I'll give you the benefit of the doubt and assume that individuals in the HIV database wouldn't be ostracized in practice, whether now or at any point in the future. Still, they would have to live in fear of potentially being ostracized. Remember we are talking about potentially innocent, responsible people here who just happen to be HIV positive. Is the utility of making those people live in fear worth the potential of a reduction in HIV infections? Note that you haven't actually proven that such a database would actually reduce HIV infections, either.
But unsubstantiated benefits should? Furthermore I think you should take a sample of how some HIV+ individuals feel about this issue before calling these fears unsubstantiated. I suspect you will find unanimous agreement with what I'm saying.
All right. Here's some questions then. Credit card number, expiry and code please? Also your age, sex, gender, name of any pets, road/city where you grew up in, name of your best childhood friend.
> That particular problem is a great example, where I don't see any harm in revealing that information, as opposed to keeping it secret
Really? You do not see an issue with releasing very private (medical records) information in the open?
People have gotten killed over having HIV, and now you want to release a list of people who suffer from it?
Out of deference to the Holocaust, the US government doesn't keep demographic information on religion. As you say, the theory goes that a record of who belongs to what religion might be used to commit genocide.
But this theory isn't applied to anything else. The same government collects detailed information on everyone's race, despite the fact that race is a much more common target than religion is.
People who have HIV have a right to privacy just like every other human being. It is their responsibility to inform their potential partners. If they don't do that, then they should face consequences, but let's not for a second imagine that they're all evil faceless goons who go around using their privacy as "help" to infect other people.
I'm not sure how "HIV+ positive people must be tracked" follows from "HIV+ people can make mistakes".
By that logic, everyone's movements and personal details should be tracked by the police/government/some third-party because there's a risk, someday, of someone sexually assaulting (or committing any other crime against) someone else.
Brand everyone with QR codes that can be scanned to show a quick list of things like HIV, mental health issues, wrong political beliefs.
I'm pretty sure there's ways to design QR codes, so we could come up with a way to embed a brand of a few of the "worst" traits so you can see before you scan.
I honestly have no idea what drunk people do that leads to random intercourse. It is an "educated guess" that in many, if not most, cases the participants know each other.
And looking people up on the Internet is a common thing nowadays.
Maybe it would be a good idea for you to actually understand the problem domain you're inventing solutions for before you start thinking up far-reaching methods to mitigate a problem using a method that is unlikely to be used the way you intend it to. Especially if said methods have the potential to impact actual people's lives in a very negative way.
General criminal statutes, such as reckless endangerment and attempted murder, can be used to criminalize behaviors that can potentially expose another to HIV and/or an STD.
I know that the CDC is not Singapore but likely the same.
> One of the many interesting aspects of how the US dealt with the AIDS epidemic is what we didn’t do – in particular, quarantine. Probably you need a decent test before quarantine is practical, but we had ELISA by 1985 and a better Western Blot test by 1987.
> There was popular support for a quarantine.
> But the public health experts generally opined that such a quarantine would not work.
> Of course, they were wrong. Cuba instituted a rigorous quarantine. They mandated antiviral treatment for pregnant women and mandated C-sections for those that were HIV-positive. People positive for any venereal disease were tested for HIV as well. HIV-infected people must provide the names of all sexual partners for the past six months.
> Compulsory quarantining was relaxed in 1994, but all those testing positive have to go to a sanatorium for 8 weeks of thorough education on the disease. People who leave after 8 weeks and engage in unsafe sex undergo permanent quarantine.
> Cuba did pretty well: the per-capita death toll was 35 times lower than in the US.
> Cuba had some advantages: the epidemic hit them at least five years later than it did the US (first observed Cuban case in 1986, first noticed cases in the US in 1981). That meant they were readier when they encountered the virus. You’d think that because of the epidemic’s late start in Cuba, there would have been a shorter interval without the effective protease inhibitors (which arrived in 1995 in the US) – but they don’t seem to have arrived in Cuba until 2001, so the interval was about the same.
> If we had adopted the same strategy as Cuba, it would not have been as effective, largely because of that time lag. However, it surely would have prevented at least half of the ~600,000 AIDS deaths in the US. Probably well over half.
> In 1986, 1 year after documenting its first case of AIDS, Cuba instituted the world's only mandatory quarantine policy for people with human immunodeficiency virus (HIV) infection. The Cuban Ministry of Health began widespread HIV testing, focused on but not limited to members of groups considered to be at high risk due to their travel or sexual histories. In 1986 alone, the ministry invested $3 million in testing equipment.1 By 1993, 12 million tests had been conducted in a country with 11 million citizens.2 Cubans with HIV infection were confined in newly constructed sanatoriums across the island and were questioned by health workers about past sexual partners for contact tracing and testing. Critics of Cuba's quarantine policy charged that it violated human rights,3 while supporters applauded Cuba's commitment to HIV control.4 In 1994, the quarantine was officially lifted. However, by 2003, half of all HIV-positive Cubans still lived in the sanatoriums.5
> Cuba's early response to HIV was unique in the world, but so were the circumstances of its quarantine. First, as an island and a Communist country, Cuba was geographically, politically, and socially isolated from North American and Western European countries that reported high HIV infection rates. Second, Cuba's Communist political culture did not recognize individual rights as an impediment to its public health measures.6 Third, compared with other resource-poor nations, Cuba had a well-developed health care system that assigned a primary care physician to all citizens and conducted routine surveillance for infectious disease, and in which universal HIV testing and contact tracing was theoretically feasible.5,7 In addition, the Cuban government prioritized HIV care and by the 1990s devoted $15 million to $20 million annually to providing antiretroviral drug therapy, intensive medical care, high-quality food, and housing to quarantined patients.8
People have rights, even when they are sick. There is absolutely no evidence to believe HIV positive patients go around infecting others intentionally. Transmission happens during latency, when infected people do not yet show symptoms, and do not know they are infected.
A person that knows of their infection is just as likely to be a danger as a shopper on their way home with a large new steak knife. To suggest otherwise is just mindless paranoia, with possibly a homophobic twist. It’s the sort of thinking that created this mess in the first place, considering civilized societies don’t even collect such a database of HIV+ citizens.
> "It was at this time that rumors began on Castro Street in San Francisco about a strange guy at the Eighth and Howard bathhouse, a blond with a French accent. [Gaetan Dugas] He would have sex with you, then turn up the lights in the cubicle, and point out his Kaposi's sarcoma lesions.
> "I've got gay cancer," he'd say. "I'm going to die, and so are you." "
then later...
> "I can recall about that same time seeing a patient who was a young Ph.D. scientist from the Peninsula [south of San Francisco], a very good-looking man with Kaposi's sarcoma who I was caring for. He had AIDS. He was sitting in my clinic on Parnassus. He was kind of impatient. I said, "I'm sorry I'm running late; I can tell you’re impatient. What's wrong?" He said, "I wish you'd hurry up; I'm going to the bathhouses."
> being the typical doctor, it just never occurred to me that he was still out there having sex. He had Kaposi's sarcoma -- AIDS, this horrible new, fatal disease. My line to him was, "Somebody must think you’re smart, because they gave you a Ph.D. How come you’re still going to the bathhouses?" He said, "There’s nothing wrong with that. I probably caught it there, and so my view is, it's there and I'm going to have sex." I said, "Are you telling the people that you're having sex with that you're HIV-positive" -- it wasn’t even called HIV then -- "that you have AIDS?" He said, "No. I figure that they ought to be smart enough to understand that there's AIDS out here, and that they can catch it. It's their responsibility as much as mine."
> In 2005 he organized a conference with Black ambassadors in Poland to protest the claims in an article in Wiedza i Życie by Adam Leszczyński about AIDS problems in Africa, which quoted research stating that a majority of African women were unable to persuade their HIV positive husbands to wear condoms, and so later caught HIV themselves. Mol accused Leszczyński of prejudice because of this article.
> In February 2006, one of his partners requested that he take an HIV test. Mol refused and published a post on his blog explaining why:
>> Character assassination isn't a new phenomenon. However, it appears here the game respects no rules. It wouldn't be superfluous to state that there is an ingrained, harsh and disturbing dislike for Africans here. The accusation of being HIV positive is the latest weapon that as an African your enemy can raise against you. This ideologically inspired weapon, is strengthened by the day with disturbing literature about Africa from supposed-experts on Africa, some of whom openly boast of traveling across Africa in two weeks and return home to write volumes. What some of these hastily compiled volumes have succeeded in breeding, is a social and psychological conviction that every African walking the street here is supposedly HIV positive, and woe betide anyone who dares to unravel the myth being put in place.
> According to the police inspector who was investigating his case, a witness stated that Mol refused to wear condoms during sex. An anonymous witness in one case said that he accused a girl who demanded he should wear them of being racist because she thought he must be infected with HIV just because he was black. After sexual intercourse he used to say to his female partners that his sperm was sacred.
> he was diagnosed with HIV back in 1999 while living in a refugee shelter, but Polish law does not force an HIV carrier to reveal his or her disease status.
> After police published Mol's photo and an alert before the start of court proceedings, Warsaw HIV testing centers were "invaded by young women".
> He died from HIV-related complications on 10 October 2008.
Sure. The extreme outlier here is the guy who has sex with you and then draws your attention to his lesions while saying "I'm going to die, and so are you".
The non-extreme non-outlier is the guy who has sex with you without saying anything.
> It’s the sort of thinking that created this mess in the first place, considering civilized societies don’t even collect such a database of HIV+ citizens.
The purpose of the database may very well be to allow the authorities to contact people with HIV when someone creates a new medicine against HIV, and so forth.
The purpose of the database is almost certainly to understand, when a new patient presents with HIV, where they got it from. Trying to answer this question is standard in the US as well.
That’s the job of doctors, not “authorities”. Does Singapore also have databases of all MS patients on file? Or Huntington’s? Because those patients are far more desperate to learn about new treatments than HIV patients, who actually have rather good options today.