The Medicus Sunday Serial: Real Privacy is the real deal
Privacy matters. The question of data protection dominates the digital landscape, with high-profile breaches at technology giants lending the impression that nothing is sacred, and nothing is safe. For privacy aficionados like Medicus AI Researcher Owen Williams, this raises an important question: In the medical and wellbeing sphere, can doctor-patient confidentiality really be transposed to the digital age?
Real Privacy by Medicus AI sets the standard for data protection, localizing private information to the user’s device to ensure that confidentiality is the first item on your prescription. Read Owen’s fascinating interview with CEO Dr. Baher Al-Hakim to find out all you need to know about this revolutionary technology, and how we are meeting the challenges of data protection on a global scale.
Baher: Owen, before you even ask any questions, I want to say thank you. I don’t know exactly what prompted you to do it, but you’ve really become a champion of privacy at Medicus. Early on, you saw it was a niche at the company, something that we were actively promoting but without a genuine “owner”, so you started owning it yourself. You really push it, alerting us when something was missed, showing us how we can do better. I really appreciate that you’ve grown into this role and I want to thank you for that.
Owen: Thank you very much! I think I look at the question of privacy from the perspective of a scientist. The privacy scene in the profession is really tightly regulated, to the extent that compliance just becomes second nature after a while. Maybe that’s why it appeals to me.
Let’s go right to the start for the first question. One of the things we have at Medicus is our Real Privacy solution and philosophy. I recently saw some of the sketches and doodles you and Mak made while developing the initial ideas for Medicus, and it was fascinating to see the process behind it. When did you realise that privacy was something we needed to be thinking about?
Baher: There were actually no plans initially. When we started thinking about the topic, I was still in Dubai, which isn’t a place that really valued the privacy of personal data at the time. It was also before the wave of highly-publicized data disasters that affected the big tech firms. I suppose I never thought it was something that would affect us as a business.
Then, two things happened to change my mind, almost simultaneously. I incorporated Medicus in Europe at almost exactly the same time as the privacy scandals at Facebook, Fitbit, and the like were gaining news traction. Talking to investors and potential clients, I quickly realised that privacy was a major concern. The first question about Medicus was always the same: “When I download it, do you have my data?”
I felt a bit uncomfortable because I couldn’t make any promises. Even if I could have done, would they have believed me anyway? Everyone was promising privacy, even the firms that got found out.
I knew I had to do things differently, the only question was how. I started talking to the team and realised that the shift to Real Privacy was a massive undertaking, as big and as complicated as anything we’ve ever done. We needed a solution that achieved the same business and product objectives, just without the data.
There was a lot of skepticism, but eventually we made a big technical breakthrough. I say “we”, although a lot of the work was actually taken on by our Head of Development, Mouhamad Kawas. I didn’t really have any technical ideas, just a theory — it was him who made it happen.
Owen: Whenever we talk to clients, Real Privacy is always one of our big selling points. There’s a phrase from our pitch to clients that I really love: “We believe that we have a responsibility to prioritize data privacy and ardently protect our users’ data in every aspect of their interaction with the technology we build”. My question is, is our solution truly unique?
Baher: I think so, I certainly don’t know of any other medical technology company that works on the same basis. The technology is definitely unique in the way we implement it. We’ve done all the relevant patent searches, submitted our own patents, and nothing to the contrary has come up so far.
Owen: We have a great solution. The question is, how do we convince anyone to believe in it? We’ve seen countless news items about one data breach or the other over the last few years, and I think mistrust in digital companies is almost hardwired into public consciousness at the moment. How can we build that trust with users?
What I really want is a way to prove the model to users. The best way to test is to turn on airplane mode and then try to use the app. It works perfectly because it does not need a constant data exchange to function. Ideally we’d get a stamp from a third party certification body that proved we mean what we say. Unfortunately, no one is really offering this at the moment, in Europe anyway, which means our solutions will have to be a little more creative.
Owen: Medicus is rapidly becoming a global company, an exciting period that leads me to my next question. How are we adapting our privacy offering to different countries, not only in terms of national laws, but also the attitudes of local people using the app?
Baher: It’s a great question, but the answer is complicated. For some clients, labs and hospitals especially, we can’t just keep data on the user side: it has to be stored on local servers. In the EU, if you have a server in Belgium, it’s okay to use it to store data from Germany or Spain. China is a different story: that data stays in China forever. It’s actually one of the reasons we have a big presence there: because the data can only be handled by the Chinese company, and not by the parent firm, even our own employees in Vienna can’t access it.
I was talking to some clients in Saudi Arabia just yesterday who are developing a unique risk assessment project, using health data and risk correlation studies. However, they told us that we have to fly our people to Saudi to train and oversee their team, solely because they can’t send any data cross-border.
It’s a logistical hassle, but in the grand scheme of things it protects data and empowers our users and our clients, and shows them how serious we are about privacy.
Once it’s on a user’s device, we don’t lock the data in, so that people can move it to a cloud if they wish. Obviously, we still encrypt the data, and it can only be decrypted by the Medicus app. So if you’re using iCloud or something similar, you’ll still have some protection if anything happens.
Owen: GDPR is the holy grail of the privacy world now, a regulation that came into effect two years ago. When that change occured, it felt like we didn’t have to alter too much to be compliant. Does that mean our model is future-proof? Or will we have to adapt ourselves at some point?
Baher: Future-proof? It’s an interesting question. Perhaps more so than other companies and their implementations, but I doubt we will be safe forever.
As the complexity of our services increases, the ways in which we handle data will have to grow too. I think the key is choice: users should be able to decide how long their data will be stored for. More than compliance, it’s a business question. The endless customization work ensuring data protection for each target company in each target market isn’t going to be the best method long-term.
In the future, we may also have situations where the different companies have different datasets on the same person. Let’s take two clients in Switzerland as an example. There we have a lab and an insurance company, but they don’t really care about the same data, so it makes sense for them to share — it improves service. You can actually move data between companies and still be compliant, but you need user consent to do so. I think we’ll need quite a lot of legal advice to do that safely, especially on how to get the consent and how to update that if the data flow increases.
Owen: I’m sure we’ll find a way. Last question now: from where you’re sitting — as a digital entrepreneur in the health sector — what would you say is the future of data privacy in the next 10 years?
Baher: I think the future is bright. GDPR sets the standard high, and a lot of countries are now following that line, and even in some states in the US, such as California. After the case of Google and Ascension, where 120 million patients had their data transferred without so much as a notification, governments are seeing the need for change. That sort of scandal could never have happened in a GDPR-compliant environment.
The shift towards local storage and local processing is becoming a bigger trend with every day that goes by. I think long-term we will see that patenting Real Privacy was a smart move: I am sure that our solution will become the top industry standard before long.
However good the protection for cloud- and server-based systems is, with enough motivation, someone will always be able to hack in. It’s too late then, you’re liable and vulnerable. That’s why our own, localized solution is so special: we can simultaneously minimize our own risk, use it as a USP, and keep our users safe in the process.
Real Privacy is what it says it is. With it, everyone wins.
Want to learn more about Real Privacy? Get in touch on email@example.com or tweet us @medicusai.