I assign my undergrad students papers on unusual policy proposals, and grade those papers on the number of important relevant arguments offered, pro or con. While I ask students to take an overall position on the policy proposal, this position doesn’t influence grades.
My wife and I talked about this for a while, and it made for an interesting discussion. We both assumed that it would be possible for someone to identify people based on medical history if a serious effort was made.
I said that privacy is something to be valued, but does negative utility risk a privacy breach would pose outweigh the positive utility access to this data might represent? That is, I wouldn't want my medical records released to the general public, but could I reasonably object if some minimal privacy-protection measures were in place?
She brought up that people might shy away from needed-but-embarrassing procedures if they thought there was a chance that someone might be able to identify them and publicize the treatment after the fact. This would be especially harmful for people with depression, who have been abused, or, say, need an abortion. This effect, she argued, might persist even if steps were taken to limit access to the data (e.g. only to serious researchers), and even if the data weren't released until long after the fact (e.g. even after the patient's death).
Overall, I was more in favor of letting medical records hang out and my wife was more against it. We were able to agree that we might support an opt-out version of this type of program, if there were some minimal sanitzation of the data (enough to discourage casual snoopers, not enough to seriously skew research opportunities), and especially if there was a significant time delay (e.g. decades) between a medical procedure and its publication.
Great topic! What else do you ask your students, Robin?
The big problem here is that the interpretation of the data will not be entirely rational. Doctors that have high "success" rates under superficial perspectives of the data will be rewarded, and they will cater to those superficial perspectives in ways that undermine effective care. For example, they may refuse to treat patients with a low prospect for recovery, or encourage patients to not be treated for likely future complications.
Evaluating physician effectiveness with this data will be VERY hard to do in a way that reveals their actual skill. Amateur statisticians will have a field day with unfair criticisms of good doctors, and bad doctors will game that system relentlessly.
"Should all medical practice data be published, aside from data identifying patients?"
I say yes.
OK now we implement this policy according to the above criteria and run into the "aside from data identifying patients"And you find that to do that, you only end up with very vague aggregates...
So, I'm taking a class from Professor Hanson and he assigns a paper about medical policy. Should I write a paper that takes the conventional view or one that doesn't?
He promises that it is just the arguments that count in the grading, that he isn't biased at all to be more inclined to grade more favorably arguments he agrees with (maybe he's even given some anecdote about how he is impressed with arguments he disagrees with). Do I really believe that crap?
So 15 percent of the class is not making the conventional move. Most of them probably not the best students, some too earnest (in Hanson's class this likely interferes with getting the point too), some stupidly believing they can counter signal, and maybe one person correctly believing he or she can counter signal
What if it turned out that a good fraction of those claiming to be Native American (and enjoying benefits from that) were barely genetically distinguishable from Europeans?
In order to get native american benefits you have to be recognized by a tribe. A few tribes have "blood quantum" requirement that must be attested to by a blood test. Most require that you document direct ancestry to a person recorded on the Dawes rolls.
There has been Indian interbreeding since Columbus so of course there would be a great deal of genetic similarity. That doesn't negate the treaty history.
My great grandmother was Cherokee but I don't have her birth certificate to prove ancestry and none of the Cherokee tribes accept blood quantum tests.
Nobody is going to want to go to a doctor who says he might reveal your medical records to insurers and future employers. Obfuscation seems likely to be insufficiently reassuring - in the face of professional data mining. So: the proposal seems impractical.
The current state of the art is, for the most part, dictated by HIPAA, which mandates removing obviously-identifying information. (Like date of birth; whereas year of birth is OK.) This has worked reasonably well in the context of health information that is shared with specific parties like researchers who don't have a malicious intent.
Making medical records public is a whole different can of worms. The naive anonymization that is standard practice today doesn't really prevent re-identification if you're up against someone who can write code and can cross-reference the data with readily available auxiliary sources. (This is what I and other researchers have been going around demonstrating.)
Think of anonymization as a keep out sign rather than a secure lock. There's a lot of evidence that this might be a fundamental limitation. I would bet against the possibility of anonymizing data while preserving the level of detail that you're hoping for.
In the long run, I think society will be forced to move in the direction of lower privacy expectations (of course, that is already happening.) But for now it is going to be a constant tug-of-war.
There's a nice game theoretic formulation -- if no one had any privacy over their medical records, there would be a stable equilibrium, and society as a whole would be way better off because everyone would benefit from the availability of data. Right now we're in another equilibrium where no single party is willing to take the lead make data public, to the detriment of all.
Veering off topic here, but I'm interested in finding out if economists have studied privacy from the game-theory perspective (and potentially interested in collaboration if it turns out there's something interesting to be said). Any pointers would be very helpful. Thanks.
Seems the universe of those who have the motive and the resources to reverse anonymizing process would be rather small. Make it a crime to do so, just as it's a crime to release individual census data. I'd think the social benefits far exceed the potential.
De-anonymizing is like cryptography - you have to defeat not just current or past attacks, but the future ones as well. (A breach in someone's privacy in 10 years is nearly as bad as one right now.)
This won't fly for awhile -- too many potential skeletons in the closet relating to race, sex, etc. What if it turned out that a good fraction of those claiming to be Native American (and enjoying benefits from that) were barely genetically distinguishable from Europeans? What if blacks are found to have a higher prevalence of some socially undesirable gene? Or if women are found to have a higher prevalence of neurotic-related genes?
There's already such a big stink about these matters, and we are very far from complete open access. Look at the BiDil brou-ha-ha for instance: lots of people don't want to collect info on race even if it will prolong and improve the lives of blacks. To them, that's just a Faustian bargain.
Doesn't the U.S. Census introduce noise on the micro-level that's designed to cancel out with aggregate analysis?
I've always been a fan of the (possible apocryphal) Dutch model...leave your windows open, do whatever you want, and studiously avoid looking into other people's windows.
I am filled with contempt for the employers (or for their clients) who care that you went drinking and partying in college. I hope that with the new generation, the equilibrium is less privacy but more tolerance.
Looks like my work (on reversing anonymization) has been linked to 3 separate times on this thread :-) It's really unfortunate -- I think most of us agree that there is a huge benefit to releasing this data, and most of your students concur as well, but it is highly unlikely that the privacy issues are going to be worked around any time soon.
One compromise would be to release aggregate data on a variety of marginals deemed to be interesting/useful.
I'd be more inclined to favor something like this under a health care system that didn't require you to hire a lawyer every time you see a doctor.
My wife and I talked about this for a while, and it made for an interesting discussion. We both assumed that it would be possible for someone to identify people based on medical history if a serious effort was made.
I said that privacy is something to be valued, but does negative utility risk a privacy breach would pose outweigh the positive utility access to this data might represent? That is, I wouldn't want my medical records released to the general public, but could I reasonably object if some minimal privacy-protection measures were in place?
She brought up that people might shy away from needed-but-embarrassing procedures if they thought there was a chance that someone might be able to identify them and publicize the treatment after the fact. This would be especially harmful for people with depression, who have been abused, or, say, need an abortion. This effect, she argued, might persist even if steps were taken to limit access to the data (e.g. only to serious researchers), and even if the data weren't released until long after the fact (e.g. even after the patient's death).
Overall, I was more in favor of letting medical records hang out and my wife was more against it. We were able to agree that we might support an opt-out version of this type of program, if there were some minimal sanitzation of the data (enough to discourage casual snoopers, not enough to seriously skew research opportunities), and especially if there was a significant time delay (e.g. decades) between a medical procedure and its publication.
Great topic! What else do you ask your students, Robin?
The big problem here is that the interpretation of the data will not be entirely rational. Doctors that have high "success" rates under superficial perspectives of the data will be rewarded, and they will cater to those superficial perspectives in ways that undermine effective care. For example, they may refuse to treat patients with a low prospect for recovery, or encourage patients to not be treated for likely future complications.
Evaluating physician effectiveness with this data will be VERY hard to do in a way that reveals their actual skill. Amateur statisticians will have a field day with unfair criticisms of good doctors, and bad doctors will game that system relentlessly.
"Should all medical practice data be published, aside from data identifying patients?"
I say yes.
OK now we implement this policy according to the above criteria and run into the "aside from data identifying patients"And you find that to do that, you only end up with very vague aggregates...
So, I'm taking a class from Professor Hanson and he assigns a paper about medical policy. Should I write a paper that takes the conventional view or one that doesn't?
He promises that it is just the arguments that count in the grading, that he isn't biased at all to be more inclined to grade more favorably arguments he agrees with (maybe he's even given some anecdote about how he is impressed with arguments he disagrees with). Do I really believe that crap?
So 15 percent of the class is not making the conventional move. Most of them probably not the best students, some too earnest (in Hanson's class this likely interferes with getting the point too), some stupidly believing they can counter signal, and maybe one person correctly believing he or she can counter signal
What if it turned out that a good fraction of those claiming to be Native American (and enjoying benefits from that) were barely genetically distinguishable from Europeans?
In order to get native american benefits you have to be recognized by a tribe. A few tribes have "blood quantum" requirement that must be attested to by a blood test. Most require that you document direct ancestry to a person recorded on the Dawes rolls.
There has been Indian interbreeding since Columbus so of course there would be a great deal of genetic similarity. That doesn't negate the treaty history.
My great grandmother was Cherokee but I don't have her birth certificate to prove ancestry and none of the Cherokee tribes accept blood quantum tests.
Nobody is going to want to go to a doctor who says he might reveal your medical records to insurers and future employers. Obfuscation seems likely to be insufficiently reassuring - in the face of professional data mining. So: the proposal seems impractical.
Privacy is a very expensive privilege. People should pay into the commons for it.
The current state of the art is, for the most part, dictated by HIPAA, which mandates removing obviously-identifying information. (Like date of birth; whereas year of birth is OK.) This has worked reasonably well in the context of health information that is shared with specific parties like researchers who don't have a malicious intent.
Making medical records public is a whole different can of worms. The naive anonymization that is standard practice today doesn't really prevent re-identification if you're up against someone who can write code and can cross-reference the data with readily available auxiliary sources. (This is what I and other researchers have been going around demonstrating.)
Think of anonymization as a keep out sign rather than a secure lock. There's a lot of evidence that this might be a fundamental limitation. I would bet against the possibility of anonymizing data while preserving the level of detail that you're hoping for.
In the long run, I think society will be forced to move in the direction of lower privacy expectations (of course, that is already happening.) But for now it is going to be a constant tug-of-war.
There's a nice game theoretic formulation -- if no one had any privacy over their medical records, there would be a stable equilibrium, and society as a whole would be way better off because everyone would benefit from the availability of data. Right now we're in another equilibrium where no single party is willing to take the lead make data public, to the detriment of all.
Veering off topic here, but I'm interested in finding out if economists have studied privacy from the game-theory perspective (and potentially interested in collaboration if it turns out there's something interesting to be said). Any pointers would be very helpful. Thanks.
Seems the universe of those who have the motive and the resources to reverse anonymizing process would be rather small. Make it a crime to do so, just as it's a crime to release individual census data. I'd think the social benefits far exceed the potential.
De-anonymizing is like cryptography - you have to defeat not just current or past attacks, but the future ones as well. (A breach in someone's privacy in 10 years is nearly as bad as one right now.)
This won't fly for awhile -- too many potential skeletons in the closet relating to race, sex, etc. What if it turned out that a good fraction of those claiming to be Native American (and enjoying benefits from that) were barely genetically distinguishable from Europeans? What if blacks are found to have a higher prevalence of some socially undesirable gene? Or if women are found to have a higher prevalence of neurotic-related genes?
There's already such a big stink about these matters, and we are very far from complete open access. Look at the BiDil brou-ha-ha for instance: lots of people don't want to collect info on race even if it will prolong and improve the lives of blacks. To them, that's just a Faustian bargain.
Doesn't the U.S. Census introduce noise on the micro-level that's designed to cancel out with aggregate analysis?
I've always been a fan of the (possible apocryphal) Dutch model...leave your windows open, do whatever you want, and studiously avoid looking into other people's windows.
I am filled with contempt for the employers (or for their clients) who care that you went drinking and partying in college. I hope that with the new generation, the equilibrium is less privacy but more tolerance.
Arvind, what does it take to "work around" the privacy issues? Why can't we just implement whatever is the current state of the art?
Looks like my work (on reversing anonymization) has been linked to 3 separate times on this thread :-) It's really unfortunate -- I think most of us agree that there is a huge benefit to releasing this data, and most of your students concur as well, but it is highly unlikely that the privacy issues are going to be worked around any time soon.
One compromise would be to release aggregate data on a variety of marginals deemed to be interesting/useful.
Imagine the ability to mine this data for new side effects of existing drugs.
Do patients prescribed mianserin have longer lives on average?Is there any existing drug that incidentally delays the onset of dementia?
A comprehensive public record of such a kind after anonymization may spur some interesting research directions.