Main

June 19, 2020

The science

paddington-2020-06-13.jpgWhat I - and I suspect a lot of other people - would love to have right now is an online calculator into which you could put where you were going, the time of day, the length of time you expect to spend there, and the type of activity and get back out a risk estimate of acquiring coronavirus infection given various mitigations. I write this as the UK government announces that the "threat level" is dropping from "4" to "3", which tells me more or less precisely nothing useful.

Throughout the pandemic, the British government has explained every decision by saying it's led by the science. I'm all for following the advice of scientists - particularly, in our present situation, public health experts, virologists, and epidemiologists - but "the science" implies there's a single received monolithic truth even while failing to identify any particular source for it. Which science? Whose research? Based on what evidence? Funded by whom? How does it fit in with what we were told before?

Boris Johnson's government spent much of the early months avoiding answering those questions, which has led, as the biologist Ian Boyd complains to the characterization of the Scientific Advisory Group for Emergencies (SAGE) as "secretive". As the public trusts this government less and less, showing their work has become increasingly important, especially when those results represent a change of plan.

The last four months have seen two major U-turns in "the science" that's governing our current lives, and a third may be in progress: masks, contact tracing apps, and the two-meter rule. Meanwhile, the pieces that are supposed to be in place for reopening - a robust contact tracing system, for example - aren't.

We'll start with masks. Before this thing started, the received wisdom was that masks protected other people from you, but not you from them. This appears to still be the generally accepted case. But tied in with that was the attitude that wearing masks while ill was something only Asians did; Westerners...well, what? Knew better? Were less considerate? Were made of tougher stuff and didn't care if they got sick? In mid-March, Zeynep Tufecki got a certain amount of stick on Twitter for impassioned plea in the New York Times that public health authorities should promote wearing masks and teach people how to do it properly. "Of course masks work," she wrote, "maybe not perfectly, and not all to the same degree, but they provide some protection."

But we had to go on arguing about it back and forth. There is says Snopes, no real consensus on how effective they are. Nonetheless, it seems logical they ought to help, and both WHO and CDC now recommend them while mayors of crowded cities are increasingly requiring them. In this case, there's no obvious opportunity for profiteering and for most people the inconvenience is modest. The worst you can suspect is that the government is recommending them so we'll feel more confident about resuming normal activity.

Then, for the last four months we've been told to stay two meters from everyone else except fellow household members. During the closures, elves - that is, people who took on the risks of going to work - have been busy painting distancing indicators on underground platforms, sidewalks, and park benches and sticking decals to train windows. They've set up hand sanitizer stations in London's stations, and created new bike lanes and pedestrian areas. Now, the daily news includes a drumbeat of pressure on government to reduce that recommended distance to one meter. Is this science or economics? The BBC has found a study that says that standing one meter apart carries ten times the risk of two meters. But how significant is that?

I'm all for "the science", but there's so much visible vested interest that I want details. What are the tradeoffs? How does the drop in distance change R0, the reproduction number? The WHO recommends one meter - but it assumes that people are wearing masks - which, in London, on public transport they will be but in restaurants they can't be.

Finally, when last seen, the UK's contact tracing app was being trialed on the Isle of Wight and was built in-house using a centralized design despite the best efforts of privacy advocates and digital rights activists to convince NHSx it was a bad idea. Yesterday, this app was officially discarded.

The relevant scientific aspect, however, is how much apps matter. In April, an an Oxford study suggested that 60% of the population would have use the app for it to be effective.

We should have read the study, as MIT Technology Review did this week to find that it actually says contact tracing apps can be helpful at much lower levels of takeup. It is still clear that human tracers with local knowledge are more effective and there are many failings in the tracing system, as the kibitzing scientific group Independent SAGE says, but *some* help is better than no help.

"The science" unfortunately can't offer us what we really want: certainty. Instead, we have many imperfect but complementary tools and must hope they add up to something like enough. The science will only become fully clear much later.


Illustrations: London's Paddington station on June 13.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

June 5, 2020

Centralized stupidity

private-eye-contact-tracing.jpegAs a friend with greater experience with lockdowns might have said, when you see one coming be careful not only who you get locked down with, but where. People with strong local neighborhoods and personal relationships with independent local shops have had a vastly easier time through the last couple of months than most others.

My lifetime has seen everything progressively centralize. In the 1970s, someone living in Ithaca, New York, population about 30,000, could visit the phone company and negotiate billing with the same woman they dealt with several months previously. The guy who came to read the electric meter this month was the same guy you saw every month. And when you called the telephone operator to check on a phone number, they would confirm the address and speculate with you how to get there because they knew your town. Forty years later, if you *can* make a call to a utility company you're probably dealing with someone to whom your town is a dot they can't find on a map...

...which all brings me to this week, when a Twitter account that seemed to be from the National Health Service posted a note to the effect that we might get a message or call from "NHS" and if we did we should follow the instructions. The tweet also published the number we could expect to hear from. Because the immediate follow-up was a few people saying they would immediately block the number, I commented that the smart thing to do seemed to me to be to put the number in a phone's contacts so the call would be recognized.

But, the security folks reminded: SIM spoofing. True. Hello, phishing attacks.

Does the NHS employ no security experts?

Here are the NHS's published instructions for what to do if you're contacted. Note what's missing: a way to verify the call is genuine. Sure, they tell you they won't ask for bank details or other accounts, payment, or ask you to call premium rate numbers or set up a password or PIN over the phone. But they still miss the main point; that is, like a celebrity they still assume that because any call they make will be genuine, any call you get will be genuine. This is Ravenous Bugblagger Beast of Traal reasoning. I recommend wrapping a towel around your head.

As others have pointed out, you could quite effectively mount a denial-of-livelihood attack on someone by reporting them as an exposed contact so they are required to self-isolate for 14 days. Even 30 years ago the world contained people highly skilled at the kind of social engineering that would enable someone to pose effectively as a contact tracer. The NHS needs to do the obvious: publish a number people can call back to verify.

The press appeared to understand the possibilities, and had this exchange with the deputy chief medical officer for England, Jenny Harris:

A question about how to know if a track and trace call is genuine, one person asks. Harries says there is a lot of confidentiality and it will be unlikely you will be contacted by someone with other motives. She says it will be clear that they are genuine - they are professionally trained individuals.

I don't know how to rate the ignorant stupidity of this comment. The satirical magazine Private Eye, however, managed (see above).

This gathering of power to the center was on display elsewhere this week, as Jacob Rees-Mogg, the leader of the House of Commons, pushed to end remote participation and voting in Parliamentary debates. No one is saying that remote participation is ideal, but it *does* permit MPs to represent their constituents who shouldn't be traveling and taking health risks. Even more ridiculous is Rees-Mogg's refusal to countenance electronic voting, with replacement arrangements so absurd and time-wasting that one can only assume he fears losing control otherwise.

Contact tracing is one area where staying local makes all the difference. Anyone who lives in my little area, for example, would know to ask a senior testing positive whether they've been to the local club that (normally) provides classes (dancing, Pilates, photography), social lunches, and entertainment to hundreds of people, chiefly seniors. They know the local independent shops are community hubs as well as sources of essential items and would ask which ones the infected person uses. And they know the spot where homeless people who might struggle to find testing are often to be found selling The Big Issue. The local council, which UK epidemiologists have repeatedly said has the necessary contact tracing expertise, knows all this. Serco certainly doesn't.

We've written before about the dangers of centralizing the Net. What we've previously failed to recognize is how dangerous it can be when combined with politically convenient stupidity.

The UK government, which has been gathering power to the center ever since Margaret Thatcher disbanded the Greater London Council, is outsourcing contact tracing to Serco, which has proved so inept as to be genuinely dangerous. The result is to treat contact tracin contact tracing as if it were calls to customer service at a phone company an to mistake efficiency for effectiveness. Centralization was bad for the Internet. It's even worse for real life.


Illustrations: Private Eye explains contact tracing.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

May 1, 2020

Appified

china-alihealth.jpegAround 2010, when smartphones took off (Apple's iPhone user base grew from 8 million in 2009 to 100 million in early 2011), "There's an app for that" was a joke widely acknowledged as true. Faced with a pandemic, many countries are looking to develop apps that might offer shortcuts to reaching some variant of "old normal". The UK is no exception, and much of this week has been filled with debate about the nascent contact tracing app being developed by the National Health Service's digital arm, NHSx. The logic is simple: since John Snow investigated cholera in 1854, contact tracing has remained slow, labor-intensive , and dependent on infected individuals' ability to remember all their contacts. With a contagious virus that spreads promiscuously to strangers who happen to share your space for a time, individual memory isn't much help. Surely we can do better. We have technology!

In 2011, Jon Crowcroft and Eiko Yoneki had that same thought. Their Fluphone proved the concept, even helping identify asymptomatic superspreaders through the social graph of contacts developing the illness.

In March, China's Alipay Health got our attention. This all-seeing, all-knowing, data-mining, risk score-outputting app whose green, yellow, and red QR codes are inspected by police at Chinese metro stations, workplaces, and other public areas seeks to control the virus's movements by controlling people's access. The widespread Western reaction, to a first approximation: "Ugh!" We are increasingly likely to end up with something similar, but with very different enforcement and a layer of "democratic voluntary" - *sort* of China, but with plausible deniability.

Or we may not. This is a fluid situation!

This week has been filled with debate about why the UK's National Health Service's digital arm (NHSx) is rolling its own app when Google and Apple are collaborating on a native contact-tracing platform. Italy and Spain have decided to use it; Germany, which was planning to build its own app, pivoted abruptly, and Australia and Singapore (whose open source app, TraceTogether, was finding some international adoption) are switching. France balked, calling Apple "uncooperative".

France wants a centralized system, in which matching exposure notifications is performed on a government-owned central server. That means trusting the government to protect it adequately and not start saying, "Oooh, data, we could do stuff with that!" In a decentralized system, the contact matching us performed on the device itself, with the results released to health officials if the user decides to do so. Apple and Google are refusing to support centralized systems, largely because in many of the countries where iOS and Android phones are sold it poses significant dangers for the population. Essentially, the centralized ones ask you for a lot more trust in your government.

All this led to Parliament's Human Rights Committee, which spent the week holding hearings on the human rights implications of contact tracing apps. (See Michael Veale's and Orla Lynskey's written evidence and oral testimony.) In its report, the committee concluded that the level of data being collected isn't justifiable without clear efficacy and benefits; rights-protecting legislation is needed (helpfully, Lilian Edwards has spearheaded an effort to produce model safeguarding legislation; an independent oversight body is needed along with a Digital Contact Tracing Human Rights Commissioner; the app's efficacy and data security and privacy should be reviewed every 21 days; and the government and health authorities need to embrace transparency. Elsewhere, Marion Oswald writes that trust is essential, and the proposals have yet to earn it.

The specific rights discussion has been accompanied by broader doubts about the extent to which any app can be effective at contact tracing and the other flaws that may arise. As Ross Anderson writes, there remain many questions about practical applications in the real world. In recent blog postings, Crowcroft mulls modern contact tracing apps based on what they learned from Fluphone.

The practical concerns are even greater when you look at Ashkan Soltani's Twitter feed, in which he's turning his honed hacker sensibilities on these apps, making it clear that there are many more ways for these apps to fail than we've yet recognized. The Australian app, for example, may interfere with Bluetooth-connected medical devices such as glucose monitors. Drug interactions matter; if apps are now medical devices, then their interactions must be studied, too. Soltani also raises the possibility of using these apps for voter suppression. The hundreds of millions of downloads necessary to make these apps work means even small flaws will affect large numbers of people.

All of these are reasons why Apple and Google are going to wind up in charge of the technology. Even the UK is now investigating switching. Fixing one platform is a lot easier than debugging hundreds, for example, and interoperability should aid widespread use, especially when international travel resumes, currently irrelevant but still on people's minds. In this case, Apple's and Google's technology, like the Internet itself originally, is a vector for spreading the privacy and human rights values embedded in its design, and countries are changing plans to accept it - one more extraordinary moment among so many.

Illustrations: Alipay Health Code in action (press photo).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

April 24, 2020

Viruswashing

wizard-of-oz-crystal-ball.jpgIndividual humans surprise you in a crisis; the curmudgeon across the street turns into a tireless volunteer; the sycophantic celebrity abruptly becomes a helpfully trenchant critic of their former-friend politicians. Organizations - whether public, as in governments, or private, as in companies - tend to remain in character, carried on by inertia, and claim their latest actions are to combat the crisis. For climate change - "greenwashing". For this pandemic - "viruswashing", as some of the creepiest companies seek to de-creepify themselves in the name of public health.

In the last month, Privacy International's surveillance legislation tracker has illustrated the usual basic crisis principles. One: people will accept things on a temporary basis that they wouldn't accept if they thought they'd be permanent. Two: double that for scared and desperate people. Three: the surveillance measures countries adopt reflect their own laws and culture. Four: someone always has a wish list of surveillance powers in their bottom drawer, ready to push for in a crisis. Five: the longer the crisis goes on the harder it will be to fully roll things back to their pre-crisis state when we can eventually all agree it's ended.

Some governments are taking advantage. Trump, for example, has chosen this moment to suspend immigration. More broadly, the UN Refugee Agency warns that refugee rights are being lost. Of 167 countries that have closed their borders in full or in part, 57 make no exceptions for asylum-seekers.

But governments everywhere are also being wooed by both domestic and international companies. Palantir, for example, is working with the US Centers for Disease Control and Prevention and its international counterparts to track the virus's spread. In the UK, Palantir and an AI start-up are data-mining NHS databases to build a predictive computer model. Largely uknown biometric start-ups are creating digital passports for NHS workers. The most startling is the news that the even-creepier NSO Group, whose government clients have used its software to turn journalists' and activists' phones into spy devices is trying to sell Western governments on its (repurposed) tracking software.

On Twitter, Pat Walshe (@privacymatters) highlights the Covid Credentials Initiative, a collaboration among 60 organizations to create verifiable credential solutions - that is, some sort of immunity certificate that individuals for individuals. Walshe also notes Jai Vijayan's story about Microsoft's proposals: "Your phone will become your digital passport". Walsh's commenters remind that in a fair number of countries SIM registration is essential. The upshot sounds similar to China's Alipay Health app, which scores each phone user and outputs a green, yellow, or red health code - which police check at entrances to areas of the city, public transport, and workplaces before allowing entry. Except: in the West we're talking a system built by private, secretive companies that, as Mike Elgan wrote last year at Fast Company, are building systems in the US that add up functionally to something very like China's much-criticized social credit scheme.

In Britain, where there's talk of "immunity certificates" - deconfinement apps - my model history of ID cards, which became mandatory under the National Registration Act (1939) and which no one decommissioned after World War II ended...until 1952, when Harry Willcock, who had refused to show police his ID card on demand, won in court by arguing that the law had lapsed when the emergency ended and the High Court agreed that the ID cards were now being used in unintended ways. Ever since, someone regularly proposes to bring them back. In the early 2000s it was to eliminate benefit fraud; in 2006 it was crime prevention. Now immunity certificates could be a wedge.

Tracking and tracing are age-old epidemiologists' tools; it's natural that people want to automate them, given the speed and scale of this pandemic. It's just the source: the creepiest companies are seizing the opportunity to de-creepify themselves by pivoting to public health. Eventually, Palantir has to do this if it wants to pay its investors the kind of returns they're used to; the law enforcement and security market is just too small. That said, at the Economist Hal Hodson casts nuance on Palantir's deal with the NHS - for now.

Obviously, we need all the help we can get. Nonetheless, these are not companies that are generally on our side. Letting them turn embed themselves into essential public health infrastructure feels like accepting letting a Mafia family use the proceeds of crime to buy themselves legitimate businesses. Meanwhile, much of the technology is unproven for health purposes and may not be effective, and basing it on apps, as Rachel Coldicutt writes, is a vector for discrimination

The post 9/11 surveillance build-up should have taught us that human rights must be embedded at the beginning because neither the "war on terror" nor the "war on drugs" has a formal ending when powers naturally expire. While this specific pandemic will end, others will come behind it. So: despite the urgency, protecting ourselves against permanent changes is easiest handled now, while the systems for tracking and tracing infections and ensuring public safety are being built. A field hospital can be built in ten days and then dismantled as if it never was; public health infrastructure cannot.


Illustrations: The Wicked Witch of the West and her crystal ball, from The Wizard of Oz (1939).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

April 17, 2020

Anywhere but here

Jacinda_Ardern_at_the_University_of_Auckland_(cropped).jpgThe international comparisons that feature in every chart of infection curves are creating a new habit. Expatriates are unusually prone to this sort of thing anyway, as I've written before, but right now almost everyone appears to have some form of leader envy. Eventually, history will judge, but for now the unquestioned leader on the leader leaderboard is New Zealand prime minister Jacinda Ardern, who this week followed up her decisive and undeniably effective early action by taking a 20% pay cut in solidarity with her country's workers. Also much admired this week - even subtitled! - is Germany's Angela Merkel, whose press conference explaining that small margins in infection rates make huge differences when translated into hospital beds over time, was widely circulated for its honest clarity. Late yesterday New York state governor Andrew Cuomo appeared to have copied it for his own presentation.

Cuomo's daily briefings have become must-see-TV for many of us with less forthcoming leaders; they start with facts, follow with frank interpretation, and end with rambling empathy. Cuomo's rise - which has led many to wonder why he wasn't a presidential candidate - is greeted more cautiously among New York state residents and by those who note the effectiveness of governors Jay Inslee (Washington) and Gavin Newsom (California)). On Sunday's edition of Last Week Tonight, John Oliver said, "I never really liked Andrew Cuomo before this, but I will admit he's doing admirably well, and I can't wait to get to the other side of this when I can go back to being irritated by him again.". He may already have his chance: yesterday evening Cuomo announced he'd signed up McKinsey to plan a strategy for ending the lockdown. Meanwhile, in a tiny unrepresentative sample of local contacts "what world leader do you wish you had in this crisis?", the only British leader mentioned was Scottish first minister Nicola Sturgeon. Only the US federal vacuum can make us feel better about our present government.

***

One unexpected entertainment in this unfolding disaster is the peeks inside people's homes afforded by their appearances on TV or Zoom. I am finally getting to browse at least a small portion of the bookshelves and artwork or admire the ceiling cornices belonging to people I've known for decades but have never had the chance to visit. How TV commentators set themselves up is revealing, too. Adam Schiff appears to unfortunately dress his broadcast corner like a stage set. And one MSNBC commentator sits in an immaculate kitchen, the expanse of whiteness broken only by a pink dishtowel whose movements are fun to chart. Presumably, right before broadcast someone goes through frantically cleaning.

***

This year appears to be the Year of New York. Even before the pandemic, the first Democratic presidential primaries were (however briefly) dominated by three 70-something New Yorkers: Michael Bloomberg, an aristocrat from Manhattan's Upper East Side (even if he was nominally born in Boston), whose campaign ads were expensive but entertaining; Bernie Sanders, whom no amount of Vermont-washing can change from an unmistakable Brooklyn Jew; and Donald Trump, the kid from Queens. In the Washington Post in February - so long ago! - Howard Fineman highlighted this inter-borough dispute and concluded: "The civil way to settle this is to put Trump, Sanders, and Bloomberg on a Broadway park bench and let them argue politics while they feed the pigeons." Two months on, the most visible emerging US leaders in the pandemic are Fauci, Brooklyn-born of Italian descent; Cuomo, Queens-born, also of Italian descent; and Trump.

Fauci was already a familiar name to readers of what a friend calls "plague books". He has been director of the National Institute of Allergy and Infectious Diseases since 1984, and played a crucial role in the AIDS crisis (see Randy Shilts' 1987 book, And the Band Played On) and ebola epidemic (see Laurie Garrett's 1995 title, The Coming Plague), and on and on to today. When he emerged as a member of the White House task force, the natural reaction was, "Of course" and "Thank God". And then: "How old is he, anyway?" He is 79 and looks incredibly fit. Still, one frets. Does he have to be kept standing there mute for two hours? He could be sleeping. He could be working. He could be...well, doing almost anything else, more usefully. We are all incredibly lucky to have him and he should be treated as a precious resource.

***

The loss of things to go to that provoke ideas for things to write about has me scrambling around the Internet looking for virtual stand-ins. For those interested in net.wars-type issues (and why else would you be here?), the Open Rights Group is hosting a weekly discussion group on Fridays at 16:30 London time (that is BST, or GMT+1), and ORG offshoots such as ORG Glasgow are also holding virtual events. I can also recommend the Meetup group London Futurists, which is hosting regular discussions that sound crazier than they actually are. Further afield, I'm sampling events in New York at Data & Society, and in California, at UC Berkeley's Center for Law & Technology. Why not? Anything with live humans trying to think about hard problems, and I'm there. Virtually.


Illustrations: New Zealand prime minister Jacinda Ardern campaigning in 2017 (Brigitte Neuschwander-Kasselordner, via Wikimedia).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

March 27, 2020

The to-do list

Thumbnail image for casablanca-dooley-wilson-as-time-goes-by.pngWith so much insecurity and mounting crisis, there's no time now to think about a lot of things that will matter later. But someday there will be. And at that time...

Remember that health workers - doctors, nurses, technicians, ambulance drivers - matter just as much every day as they do during a crisis. Six months after everyone starts feeling safe and starts to forget, remind them how much we owe health workers..

The same goes for other essential services workers, the ones who keep the food stores open, the garbage and recycling being picked up, who harvest the crops, catch the fish, and raise and slaughter the animals and birds, who drive the trucks and supply the stores, and deliver post, takeout, and packages from Amazon et. al, and keep the utilities running, and the people who cook the takeout food, and clean the hospitals and streets. Police. Fire. Pharmacists. Journalists. Doubtless scores of other people doing things I haven't thought of. In developed countries, we forget how our world runs until something breaks, evidenced by Steve Double (Con-St Austell and Newquay), the British MP who said on Monday, "One of the things that the current crisis is teaching us is that many people who we considered to be low-skilled are actually pretty crucial to the smooth running of our country - and are, in fact, recognised as key workers." (Actually, a lot of us knew this.)

Stop taking travel, particularly international travel, for granted. Even when bans and lockdowns are eventually fully lifted, it's likely that pre-boarding and immigration health checks will become as routine as security scanning and showing ID have since 2001. Even if governments don't mandate it the public will demand it: who will sit crammed next to a random stranger unless they can believe it's safe?

Demand better travel conditions. Airlines are likely to find the population is substantially less willing to be crammed in as tightly as we have been.

Along those lines, I'm going to bet that today's children and young people, separated from older relatives by travel bans and lockdowns in this crisis, will think very differently about moving across the country or across the world, where they might be cut off in a future health crisis. Families and friends have been separated before by storms, earthquakes, fires, and floods - but travel links have rarely been down this far for this long - and never so widely. The idea of travel as conditional has been growing through security and notification requirements (I'm thinking of the US's ESTA requirements), but health will bring a whole new version of requiring permission.

Think differently about politicians. For years now it's been fashionable for people to say it doesn't matter who gets in because "they're all the same". You have only to compare US governors' different reactions to this crisis to see how false that is. As someone said on Twitter the other day, when you elect a president you are choosing a crisis manager, not a friend or favorite entertainer.

Remember the importance of government and governance. The US's unfolding disaster owes much of its amplitude to the fact that the federal government has become, as Ed Yong, writing in The Atlantic, calls it, "a ghost town of scientific expertise".

Stop asking "How much 'excess' can we trim from this system?" to asking "What surge capacity do we need, and how can we best ensure it will be available?" This will apply not only to health systems, hospitals, and family practices but to supply chains. The just-in-time fad of the 1990s and the outsourcing habits of the 2000s have left systems predictably brittle and prone to failure. Much of the world - including the US - depends on China to supply protective masks rather than support local production. In this crisis, Chinese manufacturing shut down just before every country in the world began to realize it had a shortage. Our systems are designed for short, sharp local disasters, not expanding global catastrophes where everyone needs the same supplies.

Think collaboratively rather than competitively. In one of his daily briefings this week, New York State governor Andrew Cuomo said forthrightly that sending ventilators to New York now, as its crisis builds, did not mean those ventilators wouldn't be available for other places where the crisis hasn't begun yet. It means New York can send them on when the need begins to drop. More ventilators for New York now is more ventilators for everyone later.

Ensure that large companies whose policies placed their staff at risk during this time are brought to account.

Remember these words from Nancy Pelosi: "And for those who choose prayer over science, I say that science is the answer to our prayers."

Reschedule essential but timing-discretionary medical care you've had to forego during the emergency. Especially, get your kids vaccinated so no one has to fight a preventable illness and an unpreventable one at the same time.

The final job: remember this. Act to build systems so we are better prepared for the next one before you forget. It's only 20 years since Y2K, and what people now claim is that "nothing happened"; the months and person-millennia that went into remediating software to *make* "nothing" happen have faded from view. If we can remember old movies, we can remember this.

Illustrations: Dooley Wilson, singing "As Time Goes by", from Casablanca (1942).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

March 12, 2020

Privacy matters

china-alihealth.jpegSometime last week, Laurie Garrett, the Pulitzer Prize-winning author of The Coming Plague, proposed a thought experiment to her interviewer on MSNBC. She had been describing the lockdown procedures in place in China, and mulling how much more limited actions are available to the US to mitigate the spread. Imagine, she said (or more or less), the police out on the interstate pulling over a truck driver "with his gun rack" and demanding a swab, running a test, and then and there ordering the driver to abandon the truck and putting him in isolation.

Um...even without the gun rack detail...

The 1980s AIDS crisis may have been the first time my generation became aware of the tension between privacy and epidemiology. Understanding what was causing the then-unknown "gay cancer" involved tracing contacts, asking intimate questions, and, once it was better understood, telling patients to contact their former and current sexual partners. At a time when many gay men were still closeted, this often meant painful conversations with wives as well as ex-lovers. (Cue a well-known joke from 1983: "What's the hardest part of having AIDS? Trying to convince your wife you're Haitian.")

The descriptions emerging of how China is working to contain the virus indicate a level of surveillance that - for now - is still unthinkable in the West. In a Huangzhou project, for example, citizens are required to install the Alipay Health Code app on their phones that assigns them a traffic light code based on their recent contacts and movements - which in turn determines which public and private spaces they're allowed to enter. Paul Mozur, who co-wrote that piece for the New York Times with Raymond Zhong and Aaron Krolik, has posted on Twitter video clips of how this works on the ground, while Ryutaro Uchiyama marvels at Singapore's command and open publication of highly detailed data This is a level of control that severely frightened people, even in the West, might accept temporarily or in specific circumstances - we do, after all, accept being data-scanned and physically scanned as part of the price of flying. I have no difficulty imagining we might accept barriers and screening before entering nursing homes or hospital wards, but under what conditions would the citizens of democratic societies accept being stopped randomly on the street and our phones scanned for location and personal contact histories?

The Chinese system has automated just such a system. Quite reasonably, at the Guardian Lily Kuo wonders if the system will be made permanent, essentially hijacking this virus outbreak in order to implement a much deeper system of social control than existed before. Along with all the other risks of this outbreak - deaths, widespread illness, overwhelmed hospitals and medical staff, widespread economic damage, and the mental and emotional stress of isolation, loss, and lockdown - there is a genuine risk that "the new normal" that emerges post-crisis will have vastly more surveillance embedded in it.

Not everyone may think this is bad. On Twitter, Stewart Baker, whose long-held opposition to "warrant-proof" encryption we noted last week, suggested it was time for him to revive his "privacy kills" series. What set him off was a New York Times piece about a Washington-based lab that was not allowed to test swabs they'd collected from flu patients for coronavirus, on the basis that the patients would have to give consent for the change of us. Yes, the constraint sounds stupid and, given the situation, was clearly dangerous. But it would be more reasonable to say that either *this* interpretation or *this* set of rules needs to be changed than to conclude unliterally that "privacy is bad". Making an exemption for epidemics and public health emergencies is a pretty easy fix that doesn't require up-ending all patient confidentiality on a permanent basis. The populations of even the most democratic, individualistic countries are capable of understanding the temporary need for extreme measures in a crisis. Even the famously national ID-shy UK accepted identity papers during wartime (and then rejected them after the war ended (PDF)).

The irony is that lack of privacy kills, too. At The Atlantic, Zeynep Tufecki argues that extreme surveillance and suppression of freedom of expression paradoxically results in what she calls "authoritarian blindness": a system designed to suppress information can't find out what's really going on. At The Bulwark, Robert Tracinski applies Tufecki's analysis to Donald Trump's habit of labeling anything he doesn't like "fake news" and blaming any events he doesn't like on the "deep state" and concludes that this, too, engenders widespread and dangerous distrust. It's just as hard for a government to know what's really happening when the leader doesn't want to know as when the leader doesn't want anyone *else* to know.

At this point in most countries it's early stages, and as both the virus and fear of it spread, people will be willing to consent to any measure that they believe will keep them and their loved ones safe. But, as Access Now agrees, there will come a day when this is past and we begin again to think about other issues. When that day comes, it will be important to remember that privacy is one of the tools needed to protect public health.


Illustrations: Alipay Health Code in action (press photo).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

February 28, 2020

The virtuous patient

US-health-insurance-coverage-state-2018.pngIt's interesting to speculate about whether our collective approach to cybersecurity would be different if the dominant technologies hadn't been developed under the control of US companies. I'm thinking about the coronavirus, which I fear is about to expose every bit of the class, race, and economic inequality of the US in the most catastrophic way.

Here in Britain, the question I'm most commonly asked has become, "Why do Americans oppose universal health care?" This question is particularly relevant as the Democratic primaries bed down into daily headlines and pundits opining on whether "democratic socialist" Bernie Sanders and Elizabeth Warren, who both favor "Medicare for All", are electable. How, UK friends ask, could they not be electable when what they're proposing is so obviously a good thing? How is calling health care a human right "socialist" rather than just "sane"? By that standard, Europe is full of socialist countries that are functioning democracies.

I respond that framing health insurance as an aspirational benefit of a "good job" was a stroke of evil genius that invoked everyone's worst meritocratic instincts while putting employers firmly in the feudal lord driving seat. I find it harder to explain how "socialist" became equated with "evil". "Socialized medicine" apparently began as a harmless description but in the 1960s the American Medical Association exploited it to scare people off. I thought doctors were supposed to first, do no harm?

Of course, a virus doesn't care who's paying for health care - the real crux of the debates - but it also doesn't care if you're rich, poor, upper crust, working class, Republic, Democrat, or a narcissist who thinks expertise is vastly overrated and scientists are just egos with degrees. The consequence of treating health care as an aspirational benefit instead of a human right is that in 2018 27.5 million Americans had no health insurance. As others have noticed, uninsured people cluster in "red" states. Since Donald Trump took office, however, the number of uninsured is slowly regrowing.

Some of the uninsured are undoubtedly people who are homeless, but most are from working families. They work in gas stations and convenience stores, as agency maids and security guards, as Uber drivers, and...in food service. Skeleton staffing levels mean bosses penalize anyone trying to call in sick; low wage levels make sick days an unaffordable "luxury"; without available child care, kids must go to school, sick or well. Every misplaced incentive forces this group to soldier on and to avoid doctors as much as possible. The story of Ozmel Martinez Azcue, who did the socially responsible thing and got himself to a hospital for testing only to be billed for $3,270 (of which his share is $1,400) when he tested negative for coronavirus, is a horror story deterrent. As Carl Gibson writes at the Guardian, "...when you combine a for-profit healthcare system - in which only those wealthy enough to get care actually receive it - with a global pandemic, the only outcome will be unmitigated disaster".

This is a country where 40% of the population can't come up with an emergency $400, for whom no vaccine or test is "affordable". CDC's sensible advice is out of reach for the nearly 10% of the population whose work requires their physical presence; a divide throroughly exposed by 2012's Hurricane Sandy.

Sanity would dictate making testing, treatment, and vaccines completely free for the duration of the crisis in the interests of collective public health. But even that would require a profound shift in how Americans understand health care. It requires Americans to loosen their sense that health insurance is an individual merit badge and exercise a modest amount of trust in government - at a time when the man in charge is generally agreed to be entirely untrustworthy. As Laurie Garrett, the author of 1994's Pulitzer Prize-winning The Coming Plague, warned last month, two years ago Trump trashed the pandemic response teams Barack Obama put in place in 2014, after H1N1 and Ebola made the necessity for them clear.

If the US survives this intact, Trump will take the credit, but the reality will be that the country got lucky this time. Individuals won't, however; a pandemic in these conditions will soon be followed by a wave of bankruptcies, many directly or indirectly a consequence of medical bills - and a lot of them will have had health insurance. Plus, there will be the longer-term, hard-to-quantify damage of the spreading climate of fear, sowing distrust in a society that already has too much of it.

So back to cybersecurity and privacy. The same type of individualistic thinking underlies computer and networking designers who take the view that securing them is the individual problem of each entity that uses them. Individual companies have certainly improved on usability in some cases, but even the discovery of widespread disinformation campaigns has not really led to a public health-style collective response even though pervasive interconnection means the smallest user and device can be the vector for infecting a whole network. In security, as in health care, information asymmetry is such that the most "virtuous patient" struggles to make good choices. If a different country had dominated modern computing, would we, as Americans tend to think, have less, or no, innovation? Or would we have much more resilient systems?


Illustrations: The map of uninsured Americans in 2018, from the US Census Bureau.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.