Consumer 11.0: His e-identity was stolen, or maybe not, but then again ...

The last time I told you about Walter Spencer, the Center City resident stood accused of being the cause of his own grief. I'm back today to report that he was apparently the victim of a red herring - and that the Walter Spencer mystery remains an open case.

Before I share the latest in this medical-privacy whodunit, let me bring you up to date.

Back in May, Spencer had raised questions about a drug-company mailing that suggested a breach of his privacy rights. He had received an eight-page brochure pitching the drug Abilify with the slogan, "when an antidepressant alone isn't enough."

Spencer, 60, wanted to know how the drugmaker, Bristol-Myers Squibb, had gotten his name - not because the mailing was totally out of left field, but because it wasn't.

Spencer had been on an antidepressant, Lexapro, for the last five years. But the drug had worked without a hitch ever since his doctor prescribed it for mild depression. And Spencer believed that the only people who should have known about his diagnosis or treatment were those in the health-care system - chiefly his doctor, insurer and pharmacists - who are governed by the privacy protections of HIPAA, 1996's Health Insurance Portability and Accountability Act.

Spencer said he hadn't done any of the things that Bristol-Myers or outside privacy experts suggested, such as requesting medical information from a website, buying an over-the-counter depression remedy at a store where he had a "frequent shopper" card, or calling an 800 number for information.

After several days of digging, Bristol-Myers spokeswoman Laura Hortas delivered what appeared to be the story's Perry Mason moment: Despite his protests, she said, Spencer had caused the problem all by himself.

Hortas said the drugmaker only works "with list vendors that we know commit to observing U.S. privacy law" - in this instance, with Dunhill International List Co.

Where had Dunhill gotten Spencer's name? Hortas said that on Dec. 14, Spencer visited a so-called lead-generation site, www.WinningSurveys.com. To enter a sweepstakes, she said, Spencer had agreed to provide his name, address, and other personal data, and to answer a questionnaire.

One line said: "Please provide relevant information to me on the following ailments."

Among his responses? "He selected depression," Hortas told me.

As I wrote in May, there was one problem with this story: Spencer insisted it never happened.

A retired business manager who oversaw IT systems for much of his career, Spencer is unusually privacy-conscious. He only recalls answering one survey, ever - a coverage questionnaire sent to Wall Street Journal subscribers. When he wants medical information online, he goes to the Mayo Clinic's website, he says, because its privacy policy is better than others'. For that matter, he actually reads privacy policies - a rarity in itself.

Since Spencer was adamant, I asked Hortas if WinningSurveys could verify that Spencer had entered its sweepstakes - say, by confirming that its records showed the IP address of Spencer's computer. She put Spencer in touch with John Edwards, of Vente Inc., parent of WinningSurveys.com.

The result? It wasn't a match.

I spoke with Edwards briefly last week, but he said he couldn't speak for the company. Calls to Vente's parent, Chicago's Q Interactive, went unanswered. So did a call to Q's parent, Las Vegas-based Selling Source L.L.C. Yes, this is a complicated industry.

In an e-mail statement, Hortas said Bristol-Myers is mindful of privacy and fraud risks, and took Spencer's concerns very seriously.

"As such, we have pursued Mr. Spencer's concerns and based on the information Vente has provided, are confident that Vente has appropriate validation controls to minimize the risk of this type of fraudulent conduct," she said.

Hortas again gently suggested that Spencer might be responsible.

"It is also important to consider that consumers occasionally do not remember that they opted into a website to receive information, especially when the opt-in may have occurred months earlier," she said.

I wish that I could say with confidence what happened in this case. But I can't point fingers - either at Spencer or at anyone else. And the privacy experts I consulted sounded as baffled as I am.

Could Spencer be to blame? That's increasingly hard to imagine, even if it's also hard to fathom why anyone else would enter a sweepstakes in his name - it defeats the purpose. And other clues only deepen the mystery.

Peter Eckersley, senior technologist at the Electronic Frontier Foundation, says the IP address cited by WinningSurveys.com is associated with an Internet account somewhere in the San Francisco area - a region Spencer says he hasn't visited in about 20 years.

Eckersley also found evidence that a computer using that IP address was running a so-called "open or anonymous proxy" during December - a sign that "whoever signed this guy up to the mailing list may have been taking steps to hide their real identity," he said.

Are there other nefarious ways that a name such as Spencer's, linked to a disease such as depression, might show up unbidden on a mailing list?

Technologically, the answer is yes - via at least two methods, including one that arose in pleadings in a data-mining case decided last month by the U.S. Supreme Court.

The court overturned a Vermont law that barred the sale of "de-identified" prescription-sales records to drugmakers. The data, which identify doctors but not their patients, enable drugmakers to target marketing efforts at doctors more likely to prescribe certain drugs.

In friend-of-the-court briefs, physicians groups and the Electronic Frontier Foundation both warned that the data posed privacy risks to patients, because computer scientists have repeatedly shown that supposedly anonymized data can be reconstituted.

How easy is it? "Sometimes the programming is as simple as writing a few formulas in Excel, other times some creative algorithms might be required," says Stanford computer scientist Arvind Narayanan.

Lee Tien, senior staff attorney at Electronic Frontier, calls de-identification "the escape route for HIPAA." Once the prescription data have been de-identified, he says, they are no longer subject to the law - even if someone manages to relink them.

Tien says that so far, no one is aware of the commercial use of such reidentified data. And he says that web surfing itself - even to sites with seemingly good privacy policies - may pose an equally large privacy threat.

Visit the Mayo Clinic site, for instance, and you may get computer "cookies" from ad networks such as DoubleClick and 24/7 Real Media. Those cookies allow the ad networks to follow you around the web, keep track of the pages you visit, and use the data to serve you ads on other sites.

It's a short step, and hardly a huge technological challenge, to link supposedly anonymous cookies to real identities - and perhaps eventually to send mailings to people based on their web surfing.

No one is saying that happened to Spencer. But it's a risk in all of our futures.