A Healthcare Example

Suppose cases of a new disease pop up widely and randomly across the country. Unless public health officials act quickly to identify the individuals exposed to the new infectious agent, the contagion will spread rapidly. For this discussion, we'll assume the Centers for Disease Control and Prevention (CDC) takes the lead. The CDC must discover the chain of infection from the pattern of the reported cases. At the beginning of the investigation there is no obvious connection between cases. It is logical to suppose that the victims acquired the disease when they shared the same location at some time in the recent past. It would be simple for the CDC to pinpoint potential locations for disease transmission if a national database contained an inventory of all individuals in every location where people congregate. This hypothetical database would help the agency notify potential victims and isolate them if necessary. On the other hand, consider where people customarily gather. They might attend the same professional conference, fly on the same airline, worship in the same church, or join the same political rally. In all likelihood, the professional society has attendance data and will share it. On the other hand, most Americans reject the idea of national databases for church attendance or political activity. Somehow, we must respect a general right of privacy while allowing selective exceptions for the common good or defense. We will use the airline industry as an example to explain the WWN approach because airlines already have good electronic data records. Consequently, there are fewer barriers to the implementation of this example. At the start of the investigation, the CDC has only a list of victims. Obviously, the names of the patients and their medical histories are confidential. To investigate the outbreak, the CDC must identify airline flights and airports where the victims may have passed each other and acquired the disease.
The location information is not in a central, national database because there are legal, organizational, and political obstacles to a monolithic database. On the other hand, there is ample justification to share data from confidential databases if it is relevant to a serious public health issue. The solution we offer to this problem is a procedure that finds the justification to share the information, elicits consent from the different authorities that control data, and then supervises the secure collection of just the facts relevant to this disease outbreak. In contrast, conventional encryption relies on access control lists to limit who may look at data, but those methods still allow authorized parties to abuse their access privileges. That is why conventional methods trouble citizens, who have good reason to fear widespread exposure or misuse of data protected this way. Our solution utilizes established technology for encryption and network operations, but it employs a novel protocol to facilitate cooperation between independent agents. Although the protocol is novel, it embodies sound, established social engineering as formulated in the landmark book "The Evolution of Cooperation" by Robert Axelrod. This aspect of the solution is discussed elsewhere.

Outline of the Solution

The solution is a protocol for exchanging encrypted data between agents serving in the following well-defined roles:
Without this protocol it would be difficult to support cooperation when the seeker and/or the provider wants to conceal its activities and data holdings. Such a need for concealment is common even in so-called "open" markets, where the price paid by large customers is rarely a matter of public record. In our example, the data owners have a legal and professional obligation to protect the privacy of patients and customers. Moreover, the CDC has a need for concealment too - it would be best to evaluate the disease outbreak carefully before releasing information that might panic the public. Each of the parties in this scenario operates a secure database and local network that they do not open to the rest of the world. However, they agree to cooperate in solving problems of mutual concern through the help of the broker. The broker is not trusted with the concealed information because entrusting all the data to any one party would risk trouble. However, we will see how the broker can still play a matchmaker role. To enable the broker to find matches between what is sought and what is available, the seekers produce encrypted documents containing data searches and make the encrypted content available only to the broker. Likewise, the providers encrypt a description of the holdings that they might share and make that available only to the broker. The broker can read neither of the encrypted documents. However, the broker has a procedure to discover matches between searches in one document and information records in the other. When the broker finds a match, it informs the seeker and provider about the existence of a match and its potential value. The broker also provides evidence from the identity authority about who is involved with the potential transaction. The next step is up to the two parties who have the concealed information. The provider must approve the release of specific information to a specific seeker on the basis of mutual interest.
If both agree, the broker enables the two parties to exchange encrypted information which they are then able to read. The broker can never read the data in its unencrypted form at any point in the matching or exchange.

The Result

If we apply the procedure just described to our example, the CDC would receive a notice from the broker that, for example, 5 individuals on the list of cases traveled on one flight on a particular date. The broker can provide neither the full names nor the flight number, because the broker cannot know this information. All the broker can do is to point to the matching items, count the items, and echo back any clear text description the other parties may have attached to classes of encrypted data. It is up to the seeker and provider, the parties with the strong data privacy concerns, to agree to exchange the actual information. If they agree, the broker completes the transfer of only the matching items. The CDC can now read the items provided to it by the airline. In the end, the method achieves the identification of specific individuals and locations that the health crisis demands, but it achieves this result without a general exposure of airline information or the particulars of the CDC investigation.
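The matching and release steps of the outline and the result above, as an added illustration that is not the paper's own code. The page does not specify how the broker matches encrypted items, so the matching procedure here is an assumption: seeker and provider tokenise identifiers with HMAC-SHA256 under a key the broker never holds, the broker intersects token sets per clear-text class label and reports only labels and counts, and the provider releases only the matching records after approval. The names, flights and minimum-hit floor are constructed sample data.

```python
"""Blind matching through an untrusted broker (added illustration, not the
paper's own code). Assumed matching procedure: HMAC tokens under a key the
broker never holds, so the broker can count matches but not read them."""
import hashlib
import hmac

# Constructed sample data: a matching key shared by seeker and provider only,
# and the seeker's (CDC) case list.
KEY = b"constructed-key-shared-by-seeker-and-provider-only"
CASES = ["Alice Ng", "Bob Ortiz", "Chen Wei", "Dana Ruiz", "Eli Stone", "Fay Moss"]
# Constructed airline manifests: clear-text class label -> passenger identifiers.
MANIFESTS = {
    "Flight 1 on 2024-03-01": ["Alice Ng", "Bob Ortiz", "Chen Wei", "Dana Ruiz",
                               "Eli Stone", "Gus Hale", "Hana Lee"],
    "Flight 2 on 2024-03-02": ["Fay Moss", "Ivy Park"],
    "Flight 3 on 2024-03-03": ["Jon Roe", "Kim Sato"],
}

def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed token: equal identifiers give equal tokens, but without the key
    a token cannot be tested against a guessed name."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()

def seeker_document(key: bytes, case_ids: list[str]) -> set[str]:
    """Seeker (CDC) side: tokens for the case list, no names or medical data."""
    return {pseudonym(key, c) for c in case_ids}

def provider_document(key: bytes, manifests: dict) -> dict:
    """Provider (airline) side: class label stays in clear, passengers are tokenised."""
    return {label: {pseudonym(key, p) for p in pax} for label, pax in manifests.items()}

def broker_match(seeker_doc: set, provider_doc: dict, min_hits: int = 2) -> dict:
    """Broker: sees only tokens and labels. Reports label and match count per
    class; the min_hits floor (an assumption here) keeps single-person matches
    out of the report so a lone traveller is not singled out by the count."""
    report = {}
    for label, tokens in provider_doc.items():
        hits = len(seeker_doc & tokens)
        if hits >= min_hits:
            report[label] = hits
    return report

def provider_release(key: bytes, manifests: dict, label: str, seeker_doc: set) -> list:
    """After seeker and provider approve: release only the records in the
    approved class whose token is on the seeker's list, nothing else."""
    return sorted(p for p in manifests[label] if pseudonym(key, p) in seeker_doc)

if __name__ == "__main__":
    s_doc = seeker_document(KEY, CASES)
    print(broker_match(s_doc, provider_document(KEY, MANIFESTS)))  # {'Flight 1 on 2024-03-01': 5}
```

The report carries the clear-text flight label and the count 5, which is exactly what the text says the broker may echo back; the single match on the second flight stays below the floor and is not reported.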