At 11:12 +1000 4/4/16, Bernard Robertson-Dunn wrote:
>If you wish to opt-out of the MyHealthRecord trials you can go to this site.
>http://www2.medicareaustralia.gov.au/pext/optoutextweb/optout.xhtml
>
>A few clicks takes you to a page where you can fill in identity details
>
>That page asks for name, date of birth and Medicare number and one of
>driver licence number
>passport number
>or immicard number
>
>Would someone please confirm that all this is being done in the clear?
>i.e. it's not https
Some other questions intrude:
Firstly: Why does one have to submit to Medicare, one of the agencies within
the DHS mega-portfolio, when the health care record that you're instructing be
suppressed is managed by an agency within the Health portfolio?
If Medicare is acting purely as an outsourced service provider, where is the
assurance that the data will be merely passed through Medicare and never stored
there??
Secondly, is there sufficient justification for demanding an additional
identifier - presumably as an authenticator? (I have an open mind on that
question, but it has to be asked).
Thirdly, if a demand for an additional identifier is justifiable, then it's
completely unacceptable for a single identifier to be specified. A small
percentage, but a large number, of people do not have a driver's licence. And
it's unclear whether the equivalent ('non-driver's licence') is acceptable.
Fourthly, the whole population is subject to this nonsensical threat of an
(extraordinarily invasive and almost useless) consolidation of sensitive data
in an administrative database. But the whole population does *not* have a
Medicare Card number, because some categories of people don't qualify for one.
So how on earth can that be the sole criterion for identifying the applicant
for suppression of a medical record??
Back to the question:
The first and second pages in the workflow do both display http:// in the input
box at the top of the page.
However, that isn't conclusive evidence that the contents are transmitted in
clear.
In particular, it's possible for the browser to be programmed by the server to
transmit using https, despite http:// appearing in the window.
(I had an argument with an ISP several years ago, because they were displaying
http:// in their login window, but asserted that it was transmitted using
https, and anyway it didn't matter that the display was misleading because
consumers don't notice such things anyway).
To check whether the data really is exposed, it's necessary to use a utility to
log and display the traffic.
(But a betting man would reckon there's a very good chance it's in clear).
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916 http://about.me/roger.clarke
mailto:[email protected] http://www.xamax.com.au/
Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University
_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link
