I’ve done a fair bit of security work, and generally try to care about the finer details of privacy and security. However, one of the things that I’ve learned is that more often than not, no amount of digital security past a certain point is going to help, since usually the threat model isn’t an advanced technological attack, it’s a social one.
Thus far, Google has done a pretty good job of keeping private things private and public things public. I’ve spoken to people on the Google Reader team, and the main reason they haven’t added support for private feeds is their acute concern for privacy.
Today Google announced a limited trial of storing health records online. This seems reasonable and doable in a secure way, but I’m sure they’ll get lots of unwarranted flak for the long-awaited project.
However, there will and should be some warranted flak. It turns out that they’re using your regular Google account to store this information, and will provide access to it using your regular password, no doubt through yet another Google login page. I’ve heard concerns (from Google people) that OAuth supports phishing, but project infighting and power struggles at Google that result in tens of login pages, all slightly (or dramatically) different, all using the same credentials, support phishing much more so.
I strongly support patients’ rights to access their medical information, and Google is probably one of just a handful of organizations that can do the necessary coordination work and stand up to invasive organizations at scale. However, they need to stop thinking of this data as theirs, because it’s not — it’s your data. Using the same password as your email to access your health records is something that should be actively discouraged. If Google wants to present a unified interface, they should expose an API and use OAuth or AuthSub, just like any other third party that would consume the data.
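To make the design point concrete, here is an added example (not Google's code, and not any real Google Health or AuthSub API) of the shape that "expose an API and use OAuth or AuthSub" implies: an authorization server mints scoped, expiring, signed tokens for a named third-party client, and a hypothetical records API accepts only such tokens, refusing the account password outright. All names, the signing key and the sample record are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed: the signing key only the authorization server holds (hypothetical).
AUTH_SERVER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, user, client_id, scopes, ttl=600, now=None):
    """Authorization server: mint a scoped, expiring bearer token for a client.
    The user approves the scopes here; the client never sees the password."""
    now = time.time() if now is None else now
    payload = {"sub": user, "client": client_id, "scope": sorted(scopes), "exp": int(now + ttl)}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(key, token, required_scope, now=None):
    """Resource server: accept a token only if signature, expiry and scope all check out."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(sig, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    payload = json.loads(body)
    if payload["exp"] < now or required_scope not in payload["scope"]:
        return None
    return payload


class HealthRecordsAPI:
    """Hypothetical records service: bearer tokens only, never the account password."""

    def __init__(self, key, records):
        self.key, self.records = key, records

    def get_records(self, authorization, now=None):
        # Any attempt to authenticate with primary account credentials is refused.
        if not authorization.startswith("Bearer "):
            return 401, "bearer token required; account passwords are not accepted"
        claims = verify_token(self.key, authorization[len("Bearer "):], "health:read", now)
        if claims is None:
            return 403, "token invalid, expired, or lacking health:read scope"
        return 200, self.records.get(claims["sub"], [])


def demo(now=1_000_000.0):
    """Walk through the access patterns and return the status code each one gets."""
    api = HealthRecordsAPI(AUTH_SERVER_KEY, {"alice": ["constructed sample record"]})
    results = {}
    # Password-based access (the pattern objected to above) is refused outright.
    results["password"] = api.get_records("Basic " + _b64(b"alice:hunter2"), now)[0]
    # A token scoped for mail cannot read health records.
    mail = issue_token(AUTH_SERVER_KEY, "alice", "mail-client", ["mail:read"], now=now)
    results["wrong_scope"] = api.get_records("Bearer " + mail, now)[0]
    # A token the user approved for health:read works.
    health = issue_token(AUTH_SERVER_KEY, "alice", "clinic-portal", ["health:read"], now=now)
    results["scoped"] = api.get_records("Bearer " + health, now)[0]
    # The same token is rejected once its ttl (600 s) has elapsed.
    results["expired"] = api.get_records("Bearer " + health, now + 601)[0]
    # Editing the scope claim without the key breaks the signature.
    body_b64, sig_b64 = mail.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["scope"] = ["health:read"]
    forged_body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    results["forged"] = api.get_records("Bearer " + _b64(forged_body) + "." + sig_b64, now)[0]
    return results
```

The point the code makes is separation of credentials: a leaked or phished token exposes one scope for one client for a bounded time, whereas a phished account password (the situation a dozen look-alike login pages invites) exposes email, chat and health records at once.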
Now, I may be over-reacting, but I had an interaction yesterday that suggests to me that I’m not. Someone using GTalk sent a chat request to email@example.com; this email address has an MX record that resolves to mail.twitter.com, and the corresponding JID resolves to jabber01.twitter.com. However, I have claimed my firstname.lastname@example.org address on GMail, and associated it with my primary GTalk ID (email@example.com). When I accepted the chat request, the response came from my GTalk account, firstname.lastname@example.org.
In effect, Google had done something clever, and in so doing broke the Jabber spec, ignored my own self-hosted Jabber server, and exposed my personal email address without asking my permission.
In this case, it wasn’t a big deal, I don’t care, etc. Others might, though, and I only knew that it was happening because the person on the other end of the chat was tech-savvy enough to realize what had happened. Also, email addresses and connections between them are hardly closely-guarded secrets. The thing I take away from this is that Google is being sloppy. There’s a lot going on, and it’s hard to keep track of it all. That your health records are being tied to your Google account just reeks of some power struggle where the Google account people want to bolster their product’s internal importance (or have managed to do so, such that they get veto power where they shouldn’t have it), and it’s simply not a pragmatic choice. There’s a reason your health records aren’t stored at the DMV, and it’s not out of convenience. Just sayin’.