item 20924142

Unencrypted patient medical information is being broadcast across Vancouver

265 points| gregmac | 6 years ago |openprivacy.ca | reply

110 comments

[+] noodlesUK|6 years ago|reply
In my part of the US, I can overhear loads of PII by just tuning my VHF transceiver to various public safety frequencies. I hear drivers license numbers, medical info, all sorts. I hesitate to think that there’s a better alternative though. I’m terrified that the UK is moving to LTE rather than the current trunked radio. The amount of damage caused by comms failing in a major emergency (or even just dead zones) massively outweighs the risk of a little data loss at present. If there are more reliable communication methods that preserve privacy, then we should be using them, but I’m not sure they exist at the moment.

edit: to be fair, it should be possible to encrypt some of the traffic, but things should fail open, not closed, or people will die.

[+] tinus_hn|6 years ago|reply
Meanwhile the rest of the world has moved on to digital, encrypted communication.

Mobile phones continue to work during a disaster as long as the base station batteries hold out and that’s with cheap base stations serving very large amounts of idiot users using the cheapest of the cheap handsets limited by regulations. Why wouldn’t you be able to make this work indefinitely with a limited amount of trained users using selected, powerful expensive handsets.

In other words, a bunch of poor excuses made by coincidentally those same people who love to profess that privacy doesn’t matter as long as it’s someone else’s privacy.

[+] nialv7|6 years ago|reply
The reason radio is robust against disaster is because it's peer-to-peer, not because it's analogue.

So, a like-to-like alternative is probably an encrypted local mesh network.

[+] buildzr|6 years ago|reply
My municipality is using encrypted trunked P25 for police comms now. Seems better than LTE for reliability at least. Just a simple digital voice codec and optional encryption system on top of the traditional trunked radio systems. Compression means you can wedge many more streams out of it too.

I have mixed feelings about the encryption though, especially with police data, generally I feel much of that data should be public with a more limited amount which should not. It's good to make public "there's a drunk driver on this street, right now", you just might not need to share their plate with the public.

[+] dwild|6 years ago|reply
Use LTE and make it fail to the VHF transceiver, seems easy.

Sure the cost is higher, but the cost is for privacy. This would also allow an actual backup system, versus purely VHF.

[+] Aloha|6 years ago|reply
The reason it's left in the open typically is both for interoperability and police accountability. Both P25 and DMR support AES256 encryption.
[+] criley2|6 years ago|reply
That isn't PII in the sense that it's protected at that point.

It's not PII when a police officer says your name and address. It's only protected health information when someone who is governed by medical privacy laws does it, like a nurse.

[+] bigiain|6 years ago|reply
I saw Balint Seeber give a fascinating talk about discovering the use of unencrypted pagers in hospitals, with messages full of personal information available to anyone with an SDR (and his particular brand of persistence to work out how to discover the modulation/encoding to get the text out.)

It's mentioned in passing in this talk description from 2011:

https://2011.ruxcon.org.au/2011-talks/all-your-rfz-belong-to...

" ... and security-through-obscurity in hospital pager systems."

I'm 99% certain I saw him give that talk at Dorkbot in Sydney, which makes it maybe 5 or more years earlier than that...

[+] Herodotus38|6 years ago|reply
I'm a hospitalist (internal medicine employed by a hospital). I'm fairly certain that what they are intercepting are pages from the ER to admitting or consulting physicians.

In the US, this would be a HIPAA violation but I'm not sure of the Canadian law. We still use pages at my hospital, but no PHI, only room numbers in the ER for admissions are paged and then you log into the EMR. We use HIPAA compliant texting apps to communicate PHI.
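The "room numbers only, no PHI" paging policy Herodotus38 describes is something a paging gateway can enforce mechanically before a message ever reaches the cleartext pager network. The following is an added example, not code from the thread or from any paging product; the allowed page format, the PHI heuristics and the sample pages are all constructed assumptions for illustration:

```python
"""Outbound paging-gateway content policy (added example, constructed formats).

Pages may carry only a location and a callback extension; anything that looks
like PHI is quarantined for review instead of being broadcast in the clear.
"""
import re

# Assumed compliant page format: <type> <unit> [BED] <number> [x<ext> | EXT <ext>]
ALLOWED_PAGE = re.compile(
    r"^(?:ADMIT|CONSULT)\s+(?:ER|ICU|WARD)\s+(?:BED\s+)?\d{1,4}"
    r"(?:\s+(?:x|EXT\s*)\d{3,5})?$",
    re.IGNORECASE,
)

# Heuristics for content that must never ride an unencrypted pager channel.
# List order decides the order of the reasons reported.
PHI_HINTS = [
    ("personal_name", re.compile(r"\b(?:Pt|Patient)\s+[A-Z][a-z]+\s+[A-Z][a-z]+\b")),
    ("date_of_birth", re.compile(r"\b(?:DOB\s*)?(?:19|20)\d{2}[-/]?\d{2}[-/]?\d{2}\b")),
    ("medical_record_number", re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.IGNORECASE)),
]


def check_page(text):
    """Return (allowed, reasons).

    A page is allowed only if it matches the whitelisted format. Otherwise
    `reasons` names the PHI hints found, or a generic format reason when the
    text is free-form but no PHI pattern was recognised.
    """
    text = text.strip()
    if ALLOWED_PAGE.match(text):
        return True, []
    reasons = [name for name, pattern in PHI_HINTS if pattern.search(text)]
    return False, reasons or ["free_text_not_in_allowed_format"]


def filter_outbound(pages):
    """Split a batch into (send, quarantine) as a gateway would.

    Quarantined entries keep their reasons for the privacy officer's review.
    """
    send, quarantine = [], []
    for page in pages:
        ok, reasons = check_page(page)
        if ok:
            send.append(page)
        else:
            quarantine.append((page, reasons))
    return send, quarantine


# Constructed sample pages an ER might try to send to an admitting physician.
SAMPLE_PAGES = [
    "ADMIT ER 404 x5512",
    "CONSULT ICU BED 12 EXT 5512",
    "Pt Jane Doe DOB 1980-01-01 chest pain ER 404",
    "PT IN 404 MRN 123456 PLS CALL",
    "call me back when free",
]

if __name__ == "__main__":
    send, quarantine = filter_outbound(SAMPLE_PAGES)
    for page in send:
        print("SEND      ", page)
    for page, why in quarantine:
        print("QUARANTINE", page, "->", ", ".join(why))
```

The allowlist does the real work: a page is sent only if it matches the known-good shape, so the PHI patterns exist to explain a rejection rather than to decide it, and a new kind of leak still gets quarantined as unrecognised free text.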

[+] blaisio|6 years ago|reply
HIPAA is such an awesome law. I have to work with it daily as an engineer, and I'm continually amazed that the US government requires so much security. Normally the US is extremely hands off when it comes to privacy and security. Congress almost never passes laws that have such far reaching scope. And HIPAA actually has teeth, with significant penalties for companies who don't comply (and of course people can sue as well over the violation).

I think aspects of it could definitely be improved. I see HIPAA violations at doctor's offices all the time - but they are usually still fairly minor, and doctors and nurses grow concerned quickly as soon as you mention a possible violation.

[+] jhart99|6 years ago|reply
What about communications between the ambulance and the receiving ER? Those are unencrypted digital voice here in San Diego. I've heard names, DOBs, medical histories etc being blasted out over their repeater.
[+] marcolussetti|6 years ago|reply
Under BC Law, it would strike me as a FIPPA violation, but it's a bit more complicated.
[+] Scoundreller|6 years ago|reply
Pagers are great.

They're a lot more resilient than the cell phone network, especially if there's a mass disaster.

They tend to work better in basements or deep in buildings.

They don't get annoying amber alerts (important in Canada where they're all sent as Presidential/ICBM), constant "IRS" or "Dell" call spam from your area+exchange code (i.e. lookalike numbers that seem internal to your hospital) or SMS spam.

These are excellent features if you're on-call, but must respond to anything.

[+] t34543|6 years ago|reply
One way pagers are also privacy friendly - base stations are not aware of your location.
[+] trishmapow2|6 years ago|reply
Happens in Australia too, probably the easiest signals to find (i.e. strongest) using my $10 RTL-SDR besides broadcast FM. Plenty of names, emails, addresses, phone numbers, medical conditions, security alarms being triggered etc. Other interesting finds are SCADA messages, some from Pizza Hut etc. Regulations here allow reception as long as you don't take any action based on what you receive so that's nice.
[+] motohagiography|6 years ago|reply
Key management between emergency services remains a hard problem. Paramedics often don't have hands free to type information into a terminal, so they use radio, which means keying their handsets, and then classifying the keys for different security levels. e.g. if you need to talk to SWAT and other teams, you are going to need a separate channel and key. Police have an interesting case with that as well, where techs that use or distract their hands during stops are a safety issue.

Military communications for a given mission are mainly all in the same security domain so key management is relatively easy. Co-ordinating key management for daily use between police forces, ambulance services, hospitals, fire stations, and other responders is non-trivial.

I do suspect the best possible privacy solution would be a regulation that made personal and health information acquired without explicit consent inadmissible in a civil court case, regulatory tribunal, or other government process, and heavy fines for using it for insurance and credit and licensing other decisions by regulated/protected businesses. Not so much GDPR regs, but just removing legal leverage from the data.

We still need technical security and privacy controls, but creating legal liability for the people who hold and exploit it is the real solution. Agencies can't hide behind, "machine learning," and "random checks," for targeting people. There will be some hard cases, but if you use PII/PHI without explicit informed consent and collection, use and disclosure for specific purposes, you should be handicapped legally, imo.

[+] tonyarkles|6 years ago|reply
I upvoted you, but want you to consider how there can be dramatically worse bad actors than the government or legitimate companies (the insurance/credit/licensing stuff you mention): people end up in the hospital sometimes because someone else wants to hurt them. Simple example: spousal/partner abuse. More extreme but easily plausible in Vancouver: gang violence.

If I failed at a hit, and I can watch the POCSAG traffic and see that the guy I tried to take out is in a coma (and not dead), and is in room 404 at Vancouver General Hospital, that's very valuable information.

[+] th0ma5|6 years ago|reply
I had read, and maybe I'm misguided, that the law in the US was that you could listen to this stuff as an experiment with your amateur radio license and mess around with all the decoding you wanted... It was just illegal to disclose to anyone anything you heard or read. Actually I don't think the amateur license may have had much to do with it at all, but anyway... I played with it for a minute and mostly saw automated messages about housekeeping needs, but I did occasionally see names, some kind of ID number but I don't think it was a SSN, and sometimes little "love you" notes and quite a lot of "please call me back". I got pretty bored with it pretty quickly that day.
[+] jlgaddis|6 years ago|reply
The only thing I can think of that sounds even remotely close to what you're describing is when Congress made it illegal [0] to listen in on cellular phone calls a few decades ago but, notably, pager traffic was specifically excluded from the law.

Until listening to cellular calls was made illegal, it had always been legal (AFAIK) to receive any transmissions on any frequency (the reasoning was that the signal was being broadcasted into, e.g., your home).

[0]: https://en.wikipedia.org/wiki/Electronic_Communications_Priv...

[+] JshWright|6 years ago|reply
> you could listen to this stuff as an experiment with your amateur radio license

A license is only required to transmit. There is no license required to receive (how would that work, anyway?).

[+] anfilt|6 years ago|reply
I am not too surprised. A lot of emergency services use analog radio. Pretty much works with all radios, and no setup before hand unlike with encrypted radio. No need to negotiate things with other agencies either.
[+] pgkyc|6 years ago|reply
A few notes:

* In Canada, we have jurisdictional privacy law. In this case BC FIPPA. This is different than in the US where the few privacy laws that exist are mostly sectoral, such as health (HIPAA). https://www.oipc.bc.ca/guidance-documents/1466

* In Canada, only one party has to agree to record a telephone conversation.

* In Canada, it is not illegal to have a scanner and listen to phone calls even, hence the need to encrypt them faster up here. POCSAG decoding was done in the middle of the 90s with my local #2600 group. It's even easier now with RTL-SDR. https://twitter.com/cqwww/status/1171113297011019781

* I've been in two states of emergency in my life. Cell phone switches go down in minutes. You want to have your amateur radio licence, an amateur radio, and battery, on standby for when this happens. Practice setting up a data connection too, as the internet goes away quickly as well. Get your ham radio licence, it's free, and you have your call sign for life. It's a nerdy thing to have except in an emergency, where you quickly turn to hero if you're the only person in your area capable of communicating with emergency services.

[+] raxxorrax|6 years ago|reply
I wonder how much security issues relate to the data formats that are often used to exchange medical information. I believe North American nations mostly use HL7, while European countries tend to prefer Dicom.

HL7 has been around since 1987, while Dicom is older than TCP/IP I believe. I think requirements for data exchange fundamentally changed in the last 30 years and at least Dicom is just horrible to handle.

True, you could upgrade it by putting everything in a crypt container, but that is just a quick fix.

This is a case where I fully support software engineers that say that we need to fully reimplement these formats. It is good to have standards here, but many manufacturers of medical devices have their own proprietary adaptations anyway. It shouldn't mean to throw everything learned from these formats away. Just maybe it should all be reevaluated.

[+] josephpmay|6 years ago|reply
HL7 is just a text format. It doesn’t say anything about how the data is transmitted (which should always be encrypted these days)

Yes, there are newer standards, specifically FHIR (OAuth authenticated API). But why switch over to FHIR when HL7v2 works really well? Everybody in the medical industry supports this standard, and it’s super easy to work with once you know what you’re doing. It’s also arguably more interoperable than FHIR, because the sending and receiving parties don’t need to fully agree on the spec (like they must for an API). For HL7 messages, there’s a layer that sits in between called an “interface engine” that can modify messages, which opens up more capability with less development and coordination.

[+] thfuran|6 years ago|reply
I don't really think any replacement standard could be fundamentally much better. Sure, you could resolve the fact that DICOM is so old that it predates widespread adoption of IEEE 754 and so does its own thing there, or minor oversights in the standard. But the fact remains that the standard is a ~5000 page monstrosity designed to cover virtually anything and there's no regulatory certifying body so nothing prevents vendors from failing to properly implement the standard (which is virtually impossible to do given that it's so damn huge and also not always entirely clear). Any standard that aims to be similar in scope and lacks enforcement will, I think, inevitably lead to a horrendously inconsistent ecosystem.
[+] criley2|6 years ago|reply
HL7 is just text, if you're not sending it over SSL then it's arguably easier to decipher than a simple webpage when looking through the packets!

The current thing is called FHIR though and instead of sending text HL7v2 messages directly to a port over SSL now we can use a web service, HTTPS, and exchange JSON messages.
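josephpmay and criley2 both make the point that HL7 v2 is plain delimited text, and josephpmay mentions the "interface engine" layer that rewrites messages in transit. The following added example (not code from the thread, and not any real HL7 library) shows both: a minimal parser for the pipe-and-hat format, and an interface-engine step that blanks the direct identifiers in the PID segment before a message is forwarded to a channel that cannot be encrypted, such as a pager network. The ADT message, the facility names and the patient are constructed; the segment and field positions used (MSH-9, PID-3, PID-5, PID-7, PID-11, PV1-3) are standard HL7 v2 positions.

```python
"""Minimal HL7 v2 parser plus a PHI-minimising 'interface engine' step.

Added example, not code from the thread or from any HL7 library. The message,
facility names and patient data below are constructed for illustration.
"""

SEGMENT_SEP = "\r"      # HL7 v2 segments end with a carriage return
FIELD_SEP = "|"
COMPONENT_SEP = "^"

# Constructed ADT^A01 (admit) message for a fictional patient.
SAMPLE_ADT = (
    "MSH|^~\\&|ER|VGH|ADMIT|VGH|201909120830||ADT^A01|MSG0001|P|2.3\r"
    "PID|1||123456^^^VGH^MR||DOE^JANE||19800101|F|||12 MAIN ST^^VANCOUVER^BC\r"
    "PV1|1|I|ER^404^1|||||||||||||||V0001\r"
)

# Fields that identify the patient directly: PID-3 identifier list,
# PID-5 name, PID-7 date of birth, PID-11 address.
PID_DIRECT_IDENTIFIERS = (3, 5, 7, 11)


def parse_hl7(message):
    """Return [(segment_id, fields)], where fields[n-1] is field n split into components."""
    segments = []
    for raw in message.split(SEGMENT_SEP):
        if not raw:
            continue
        parts = raw.split(FIELD_SEP)
        seg_id = parts[0]
        if seg_id == "MSH":
            # MSH-1 is the field separator itself and MSH-2 the encoding
            # characters, so neither is split on '^'.
            fields = [[FIELD_SEP], [parts[1]]] + [p.split(COMPONENT_SEP) for p in parts[2:]]
        else:
            fields = [p.split(COMPONENT_SEP) for p in parts[1:]]
        segments.append((seg_id, fields))
    return segments


def serialize_hl7(segments):
    """Inverse of parse_hl7: re-join components and fields into wire text."""
    lines = []
    for seg_id, fields in segments:
        body = fields[1:] if seg_id == "MSH" else fields   # MSH-1 is the '|' after 'MSH'
        lines.append(seg_id + FIELD_SEP + FIELD_SEP.join(COMPONENT_SEP.join(f) for f in body))
    return SEGMENT_SEP.join(lines) + SEGMENT_SEP


def get_field(segments, seg_id, n):
    """Components of field n of the first segment with id seg_id ([''] if absent)."""
    for sid, fields in segments:
        if sid == seg_id:
            return fields[n - 1] if n - 1 < len(fields) else [""]
    return [""]


def minimise_for_pager(segments):
    """Interface-engine transform: blank direct identifiers in PID before the
    message is forwarded to a channel that cannot be encrypted."""
    out = []
    for seg_id, fields in segments:
        fields = [list(f) for f in fields]          # copy; leave the input intact
        if seg_id == "PID":
            for n in PID_DIRECT_IDENTIFIERS:
                if n - 1 < len(fields):
                    fields[n - 1] = [""]
        out.append((seg_id, fields))
    return out


def pager_text(segments):
    """The short text a pager actually needs: message type (MSH-9) and
    assigned location (PV1-3), nothing that identifies the patient."""
    kind = COMPONENT_SEP.join(get_field(segments, "MSH", 9))
    location = [c for c in get_field(segments, "PV1", 3) if c]
    return kind + " " + " ".join(location)


if __name__ == "__main__":
    parsed = parse_hl7(SAMPLE_ADT)
    print("patient name on the wire:", get_field(parsed, "PID", 5))
    safe = minimise_for_pager(parsed)
    print("minimised PID segment   :", serialize_hl7(safe).split("\r")[1])
    print("pager payload           :", pager_text(safe))
```

Run it and the first line shows why an unencrypted HL7 feed is as readable as a web page: the name is sitting in PID-5 between two pipe characters. The minimised message round-trips through the same serializer, so it can still be handed to a downstream HL7 consumer, while the pager payload carries only the location.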

[+] hxjfbjxbbc|6 years ago|reply
rtlsdr + gqrx + multimon-ng

poke around 929.600 MHz and you'll eventually find a shitload of PHI in most metro areas. you'll probably also find a ton of industrial traffic, and the occasional weather and sports scores.

it's also not far fetched to think it's used as a means to broadcast to/from field operatives. most pager lines offer an smtp gateway, so a bit of "spam" could have an intended recipient anywhere in the region, or possibly country based on network.

[+] DrAwdeOccarim|6 years ago|reply
I was just about to buy an SDR rig to play around with, so the timing of your comment is wonderful. I have been looking off and on for a year now and there are just too many choices. I have my tech license, but then I had two kids and haven't been able to go for general yet. I've been bored not getting on HF, which is where I hear all the "action" is. So what SDR would you recommend I get if I also wanted the ability to transmit HF one day?
[+] Uhrheber|6 years ago|reply
"didn’t seem to rely on any radio connection"

What did they think it relies on? Fairy dust?

[+] Spastche|6 years ago|reply
this is pretty much every hospital in America too
[+] JunkDNA|6 years ago|reply
I believe many (most?) US hospitals have switched to secure paging services delivered via smartphone. HIPAA pretty much requires it.
[+] beaugunderson|6 years ago|reply
Happening in the majority of the hospitals in Seattle as well.
[+] endymi0n|6 years ago|reply
While the findings are solid and the denial is despicable corpspeak, I fear the data is still way safer this way than letting the same kind of contractors build a "secure" app and then finding all that data neatly ordered in an open S3 bucket or MongoDB a year later.

Nobody's gonna put up an antenna over years collecting all this noisy stuff.

On top, my condolences for the hospital IT staff having to exchange thousands of real pagers with real doctors, and train them again over the course of several months, all for a pretty synthetic finding that took them a couple of hours.

Builders vs. breakers all again... Well, you got your attention, guys.

[+] Uhrheber|6 years ago|reply
> Nobody's gonna put up an antenna over years collecting all this noisy stuff

What do you think all the antennas on embassy buildings are for?

[+] jimktrains2|6 years ago|reply
> Nobody's gonna put up an antenna over years collecting all this noisy stuff.

I think you misjudged how interested in radio some people can be. People do this to ADS-B (airplane location) all the time.

[+] throw0101a|6 years ago|reply
Going over the timeline, I find these things very odd:

> 2018-11-12: Sarah Jamie Lewis reaches out to Vancouver Coastal Health Privacy Office (VCH-P) with information about the breach.

> 2019-03-04: Sarah Jamie Lewis meets with two journalists and demonstrates the pager breach. This meeting was not recorded and this meeting is never followed up on.

> 2019-07-23: During an interview with journalist Francesca Fionda, on Open Privacy’s research into Swiss election systems, Sarah Jamie Lewis discusses the pager breach.

[...]

> 2019-08-15: Sarah Jamie Lewis reaches out to the Office of the Information and Privacy Commissioner for B.C. (OIPC), offering to help aid any investigation they wish to undertake in regards to this data breach.

They waited nine months before contacting the provincial Privacy Commissioner? They contacted journalists before the OIPC?

* https://www.oipc.bc.ca

[+] sarahjamielewis|6 years ago|reply
There is no official way for 3rd parties to make breach reports to OIPC-BC (nor is there a legal requirement for VCH to report to them) - it was only after Francesca raised the issue during a meeting with the commissioner (regarding breaches in general) we were informed they would be interested in this, and were given an avenue to contact them in a way that an investigation might be authorized.