
The Summer of Magical Thinking


What’s your college or university doing about the fall semester?

This question seems more urgent now than ever, given how Dr. Anthony Fauci told a Senate committee today that he is profoundly worried about the nationwide trends regarding the covid-19 virus. “We are now having 40-plus thousand new cases a day. I would not be surprised if we go up to 100,000 a day if this does not turn around,” he warned. In the higher-ed world, recent headlines have presented a litany of covid hotspots, from football players at Clemson to over 140 students and staff at Georgia. And that’s before everyone returns to campus from their various summer spots and activities. Nationwide, the midwest, as well as states like Florida and Arizona, are seeing an ominous rise in covid-19 cases, and a shortage of hospital capacity and health care resources looms on the horizon.

So…what’s your college or university doing about the fall semester?

According to the aggregate results for over 1,000 higher-ed institutions aggregated by The Chronicle of Higher Education, the most likely answer is “planning for in-person” instruction—61% of the colleges and universities in this dataset have said this is their plan. The next most prevalent answer is some sort of hybrid model (20% of the institutions), with only 8% “planning for online” (one has to assume that a large portion of this group is the Cal and Cal State systems), and a mere 3.7% who have yet to decide. What strikes me about this data is that out of over 1,000 institutions of higher learning, over eight hundred of them are planning on at least some degree of face-to-face instruction, with three-quarters of that cohort proceeding as if that will be the dominant mode for the fall semester. Business as usual, apparently.

It’s the presidents and administrators in this group that have been whistling the loudest when walking past the graveyard. Mitch Daniels wants you to believe everything will be just fine this fall, but he’s only the loudest representative of the magical thinking camp. Purdue’s going to do face to face classes, by gum, Daniels has told anyone who will listen; to do otherwise, to not “re-open,” he argues, would be “an unacceptable breach of duty.” Brown University’s president Christina Paxson (trained as an economist) argued in The New York Times last month that colleges and universities must reopen in the fall, as the risks of not doing so apparently far outweigh continuing the remote instruction we all embarked upon this spring. Liberty University, Jerry Falwell Jr.’s demesne, had a raft of Covid-19 cases this spring, which critics charged was due to the school’s blithe dismissal of the need for any public health precautions. And despite Liberty’s propaganda arm insisting their approach is a “model for the fall,” it’s worth noting that the university has just been sued by some of its students for failing to take protective measures as the virus spread on campus. Notre Dame’s president, John Jenkins, says reopening for the fall is “worth the risk”; he wants us to consider the consequences for future generations if we allow the education of today’s students to be interrupted. (Not present in his meditations is any consideration of the consequences for future generations from the present one having a spike in its death rate.)

Hey Mitch–this u?

There are several things Daniels, Paxson, Jenkins, et al., have in common besides being presidents of campuses committed to re-opening in the fall: they do not spend significant time in either the classrooms, dormitories, or dining halls of said campuses, and indeed have the luxury of offices and routines that can easily keep them at least relatively sequestered from large groups of people and things like hallway traffic and lecture halls with sniffling, coughing students. They also likely have private restroom facilities, which, when you think about it, is a big deal in these covid-drenched times. As Juliana Gray put it in her brilliant McSweeney’s piece “A Message From Your University’s Vice President for Magical Thinking,” what these campuses and hundreds of others like them, have proclaimed as their strategy is “Our university will proceed as if everything will be okay because we really, really want it to be.”

This is, of course, ludicrous.

We are in the midst—likely still in the first wave, even—of a global pandemic, caused by a virus for which we do not yet have a vaccine. The United States, because of our unique capacity for both sociopathic individualism and blithe dismissal of inconvenient facts, leads the world in per capita cases and deaths from the virus. Several weeks ago, many states (including Iowa, where I reside) decided that even though they hadn’t really closed closed, it was still time to “re-open,” because capitalism. And now, with R-naught numbers headed in the wrong direction, and new covid cases reaching record daily highs in some areas, the sheer folly of this rush to get back to “normal” has become tragically evident.

Have I mentioned that Dr. Fauci thinks 100,000 new cases a day is a distinct possibility?

In light of all this, the thing that scares me the most is that I hear a lot about why leaders want their campuses to be as open and in-person as possible, but very little about how that will happen, specifically. Oh, sure; Mitch Daniels got his advancement office on the case, and now you can subsidize a student protection kit for the low, low price of $65. Yes, it’s crass as hell [1] but it’s way more specific than many campuses have gotten. I understand the existential dread that’s out there with college leadership, I really do. I work at a small, not-lavishly-resourced, tuition-dependent university. A plunge in enrollment is bad, perhaps fatal, news for schools in our demographic. Because we live in a country whose political leaders have decided we can’t have nice things, and thus higher ed is in truly perilous shape, there is ample reason to be afraid of the financial consequences of anything different than an as-normal-as-possible fall semester.


Leaders who make decisions out of fear often make bad decisions. It makes one reactive, rather than proactive, and conveys a sense of desperation rather than assurance. For the figures on our campuses who get paid the big bucks to Lead Boldly and Innovatively™, we ought to expect more than we’re getting. No one has the answers to what the fall semester will look like; hell, just trying to plan two weeks out is like trying to nail Jell-O to the wall. When we hear assurances that “we’ll be face to face” and “you can count on having the full [insert University here] experience,” those sound like Advancement Office and CFO prayers rather than actual plans. All of us in higher education understand the stakes involved. Most of us understand them, I would submit, in a more nuanced and multifaceted way than some of the decision-makers. In that light, it seems to me we can draw upon the clear lessons we’ve already learned from the previous few months of pivoting to remote instruction:

Face-to-face is not the a priori gold standard.

Students do not learn simply because they are physically present in the same space as other students and the instructor. Yes, face-to-face teaching and learning has been the predominant mode of instruction in higher education as long as it’s been around. And it’s the preferred pedagogical approach of a large majority of instructors and students. But it is not the only way to teach and learn, as online learning practitioners have been telling us for years. Do many students want the traditional in-person, residential college experience? Yes. But do they want it bad enough to live in a room in Disease Vector Hall on the residential quad? Will they even have that experience this year? That leads me to the next point:

Whatever face-to-face occurs in the fall will be weird, awkward, and contingent.

Unless you’re Jerry Falwell, Jr., in-person instruction this semester will involve plexiglass shields, masks, socially-distant classrooms, staggered schedules to reduce hallway traffic, expanded class times to accommodate smaller capacities, and enough Lysol wipes to make the entire campus smell lemony fresh for months. When the proponents of “as much face-to-face learning as possible!” make their case, they’re doing so with an idealized image of some seminar room where IDEAS HAPPEN and The Discourse percolates, and you can’t replicate that with Zoom, goddamnit! But in reality, that seminar you’re talking about won’t be Socrates and his interlocutors in the Agora, it’ll be twelve students scattered around a big lecture room, sitting 6-8 feet away from anyone else, wearing masks, and having to yell just to be heard.

Classrooms are going to be rearranged, there will be social pressures for students to at least act like they care about others’ health, and perversely, there will also be social pressures for students to stop being sheeple and quit bitching about social distance and masking, man, it’s such a pain. A student’s daily routine in this type of environment is going to be weird, at the very least. And is there anyone reading this who would bet against another spike in cases by, say, October, and the whole pivot-to-online thing having to occur once again? Is this awkward, stilted, face-to-face experience worth it? As institutions, we aren’t asking that question.

We haven’t come close to figuring out how face-to-face is going to work when the rubber hits the road.

Yes, there are more and more institutions issuing policies for a covid-influenced fall. Students will be required to wear masks on campus. Some activities will occur differently, or not at all. For some campuses, dorms will be single-occupancy. Dining halls will be grab and go, not buffet-style.


But…..*inhales deeply*

What are you going to do when folks don’t adhere to those community expectations? What happens if a student comes to class without a mask and the instructor is immuno-compromised, so they ask that student to mask up or leave? Who is responsible for wiping down tables and chairs between classes? Do you really think social distancing will happen in building hallways and common spaces between classes? What if a student tests positive for the virus, and one of their instructors decides they need to go into quarantine because of a family member’s health status? Are you going to make your employees divulge personal health information whenever something like this happens? What if you have a student who thinks masks are political discrimination and their parents back up their refusal to wear a mask on campus? What if one of your instructors gets ill? Who takes over the class? How is that determined? Should faculty have a “Covid Buddy” just in case? How are you going to avoid getting sued? Even if you have people sign waivers (HA!), doesn’t the very act of seeking that release of liability serve as evidence you’re aware of the risks involved? Has anybody involved community leaders in their strategizing about the fall semester? Colleges and universities exist in larger communities, and the residents of these locales are going to be significantly affected by your institution’s choices; what are you telling them about how you’re trying to ensure their safety?

Had enough? I’ve got more, you know. This is just the tip of the iceberg, and your strategy damn well better be thinking about these types of scenarios. Because they will occur.

Your faculty and staff are not cannon fodder.

To be blunt: it’s real easy to rhapsodize about the beauty and importance of in-person teaching when you aren’t the one in a classroom with dozens of students in the midst of a global pandemic. If your institution is planning on any degree of face-to-face instruction, and you are not involving actual instructors in that planning, or even acknowledging the many concerns these instructors have as legitimate, you are failing. If you are not supporting those who are redesigning courses to meet the needs of a hy-flex, hybrid, or socially-distant F2F course, you are failing. If you expect adjunct faculty to do this extra work without any acknowledgement or additional compensation, you have no ethics. And you are failing.

Colleges and universities run on relationships; but the physical environment where these relational interactions occur is riskier than ever before. Faculty and staff can interact with literally hundreds of different students per day. How is the institution making things safe for them? What plans are in place for locations like the Business Office, Bookstore, Registrar, and Financial Aid, that are often overcrowded in normal times? The employees who staff those offices play a vital role in both the institution’s daily business and student success. They should not be punished for being in such student-facing roles. Lots of them are worried; are you listening to them? Are you acknowledging those worries? Or are you inwardly rolling your eyes and wishing these overdramatic doomsayers would just understand how hard you’re trying to fix everything? If you answered that last question in the affirmative, you’re failing.

This virus is making structures of inequality worse.

If you are an upper-level college or university administrator, you are most likely wealthy and white. This pandemic is disproportionately affecting people who are not wealthy and not white.

What does that mean? One example: when you say your campus is going to be undertaking rigorous deep-cleaning measures, know that the cleaning and maintenance staff you’re asking to undertake this hazardous and grueling work is, if the average statistics hold, mostly Black and Brown people. The same goes for your food service workers. Higher education has a dismal record with campus workers; it will be even worse as these workers shoulder an unfair burden, asked to work harder in more hazardous conditions to alleviate the consciences of those who argue campuses should be as open as possible. Any plan for the upcoming semester that does not account for the extra burdens placed upon vulnerable groups is an unsatisfactory plan and a repudiation of the values your mission statement trumpets. [2]

Magical thinking is not a leadership strategy.

This is the crucial point. If you have a compelling “why” for your fall semester plans, there had better be an even more compelling, well-thought-out, sustainable “how” that accompanies it. College leaders have healthy egos; I get it, it’s part of the job. But a pandemic is not something you can will your way through, or persist in a “strategic approach” long enough to make it go away. There need to be answers to the litany of questions that have, and will continue to, come up from all quarters of your campus community. The Mitch Daniels approach is not leadership; it’s a belligerent gamble that uses others’ lives as stake money. The Christina Paxson approach is not leadership; it’s a declaration that it’s OK to sacrifice some lives for “the economy.” You may think you’re more nuanced than they are, that you’ve thought the issues through more deeply…but have you?

Let me pose this question: how can you assume any safety measure you take in classrooms and academic spaces will matter at all if the dorms remain…the dorms (the landlocked version of cruise ships, for the purposes of this scenario)?

Let me pose another question: if your re-opening plan was an experiment, would your institution’s IRB approve it?


What seems clear, even in an unclear time such as this, is that no one is going to do everything right this fall. We must reckon with the fact, as distasteful and against one’s optimistic nature as it is, that there are no great options for the Fall. What we are after is simply the least worst one.

That’s the hard conversation we need to have, and it’s one largely absent from the panglossian statements about how awesome we’ll be able to keep things this fall. Yes, the financial stakes for our institutions are high. Yes, this is existential for some of us. Yes, remote instruction can impact enrollment. All these are bad. You know what else is bad? Dead students. Dead Faculty. Dead Staff.

What, honestly, are we saying we’re willing to risk, and what—PRECISELY—are we risking it for?

That is the conversation that needs to happen. As yet, it has not.

We have 6 weeks.


[1] It also seems to belie Daniels’ casual assurances that everything will be just fine this Fall because students are all young and can fight this virus better than us olds—which of course begs the question of who he actually thinks will be teaching said students.

[2] And even if your campus contracts these services out, it still matters; leadership means being responsible for everything the institution does, not outsourcing low-wage labor and then pleading ignorance.

Crooks abuse Google Analytics to conceal theft of payment card data



Hackers are abusing Google Analytics so that they can more covertly siphon stolen credit card data out of infected ecommerce sites, researchers reported on Monday.

Payment card skimming used to refer solely to the practice of infecting point-of-sale machines in brick-and-mortar stores. The malware would extract credit card numbers and other data. Attackers would then use or sell the stolen information so it could be used in payment card fraud.

More recently, these attacks have moved to ecommerce sites. After compromising a site, the hackers inject unauthorized JavaScript into its checkout pages. That script runs in each shopper’s browser, copies the card number and other details as they are typed into the payment form, and sends them to a destination the attackers control.

Under the radar

One challenge in pulling off the hack is getting the stolen data out: a Content Security Policy (CSP) can limit which domains a page is allowed to send data to, and network monitoring on the merchant’s side may flag traffic to unfamiliar hosts. Researchers from Kaspersky Lab on Monday said that they have recently observed about two dozen infected sites that use a novel way around this. Instead of sending the stolen data to servers they operate, the attackers send it to Google Analytics accounts they control. Since the Google service is so widely used, ecommerce sites’ security policies generally trust it fully as a destination for data.

“Google Analytics is an extremely popular service (used on more than 29 million sites, according to BuiltWith) and is blindly trusted by users,” Kaspersky Lab researcher Victoria Vlasova wrote here. “Administrators write * into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data. What’s more, the attack can be implemented without downloading code from external sources.”

The researcher added: “To harvest data about visitors using Google Analytics, the site owner must configure the tracking parameters in their account on, get the tracking ID (trackingId, a string like this: UA-XXXX-Y), and insert it into the web pages together with the tracking code (a special snippet of code). Several tracking codes can rub shoulders on one site, sending data about visitors to different Analytics accounts.”

The “UA-XXXX-Y” refers to the tracking ID that Google Analytics uses to tell one account from another. As demonstrated in the following screenshot, showing malicious code on an infected site, the IDs (underlined) can easily blend in with legitimate code.
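Two checks a merchant can run against their own checkout page follow, as an added example that is not part of the Ars Technica article or Kaspersky’s research. The first extracts every Google Analytics tracking ID in the page source and flags any that is not the merchant’s own, since a second, attacker-owned ID sitting next to the legitimate one is the tell described above. The second parses the Content-Security-Policy header and reports whether it lets the page send data to google-analytics.com at all, which is what makes the exfiltration invisible to CSP. The page source, the tracking IDs and the CSP strings are constructed for the demo.

```javascript
// Added example (not from the Ars Technica/Kaspersky write-up). Audits a checkout
// page for (1) Google Analytics tracking IDs that do not belong to the merchant and
// (2) a CSP that permits beacons to google-analytics.com. All sample data is constructed.

const TRACKING_ID_RE = /\bUA-\d{4,10}-\d{1,4}\b/g;

// All distinct UA-XXXX-Y IDs in the page, in order of first appearance.
function findTrackingIds(html) {
  return [...new Set(html.match(TRACKING_ID_RE) || [])];
}

// IDs present in the page that are not on the merchant's allowlist.
function findUnexpectedTrackingIds(html, allowedIds) {
  const allowed = new Set(allowedIds);
  return findTrackingIds(html).filter((id) => !allowed.has(id));
}

// Content-Security-Policy header -> Map(directive name -> [source expressions]).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one CSP source expression permit a request to `host`?
function sourceMatches(source, host) {
  const s = source.toLowerCase();
  if (s === '*' || s === 'https:' || s === 'http:') return true; // any host
  if (s.startsWith("'")) return false; // 'self', 'none', nonces, hashes: not a host match
  const hostPart = s.replace(/^[a-z]+:\/\//, '').split('/')[0].split(':')[0];
  if (hostPart === host) return true;
  if (hostPart.startsWith('*.')) {
    const suffix = hostPart.slice(1); // e.g. ".google-analytics.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return false;
}

// analytics.js sends hits as image requests or beacons/XHRs, so the directives that
// govern exfiltration are img-src and connect-src, each falling back to default-src.
// No applicable directive at all means CSP imposes no restriction.
function cspAllowsHost(header, host) {
  const csp = parseCsp(header);
  const report = {};
  for (const directive of ['connect-src', 'img-src']) {
    const sources = csp.get(directive) ?? csp.get('default-src') ?? ['*'];
    report[directive] = sources.some((src) => sourceMatches(src, host));
  }
  return report;
}

// --- constructed sample input ---
const MERCHANT_TRACKING_ID = 'UA-12345-1';
const SAMPLE_PAGE = `
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>
  ga('create', 'UA-12345-1', 'auto');
  ga('send', 'pageview');
</script>
<!-- injected by the attacker: a second, named tracker bound to their own account -->
<script>
  ga('create', 'UA-9876543-2', 'auto', 'x');
</script>`;
const TYPICAL_CSP =
  "default-src 'self'; script-src 'self' https://www.google-analytics.com; " +
  "connect-src 'self' https://*.google-analytics.com; img-src 'self' data: https://www.google-analytics.com";
const STRICT_CSP = "default-src 'self'; connect-src 'self'; img-src 'self'";

function audit(html, allowedIds, cspHeader) {
  return {
    unexpectedIds: findUnexpectedTrackingIds(html, allowedIds),
    gaAllowed: cspAllowsHost(cspHeader, 'www.google-analytics.com'),
  };
}

console.log(JSON.stringify(audit(SAMPLE_PAGE, [MERCHANT_TRACKING_ID], TYPICAL_CSP)));
```

On a real site that uses Google Analytics, the CSP check will almost always report "allowed"; that is the point of the attack, and it is why the tracking-ID allowlist, not CSP, is the control that actually catches this variant. Run the ID audit against the served checkout HTML (including any dynamically inserted scripts), not against the templates in your repository.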

In a statement issued several hours after this post went live, a Google spokesman wrote: “We were recently notified of this activity and immediately suspended the offending accounts for violating our terms of service. When we find unauthorized use of Google Analytics, we take action.”

The attackers use other techniques to remain stealthy. In some cases, the data siphoning is skipped if the person entering the payment card data has their browser’s developer tools open. Because security researchers often use developer tools to detect such attacks, the skimmer forgoes the theft in those sessions. In other cases, the attackers rely on anti-debugging techniques to hinder analysis of the malicious code.

Payment card skimming on websites has remained a problem, particularly for people shopping with smaller online merchants who don’t pay enough attention to securing their systems. There are some notable exceptions, but generally larger sites are less prone to these sorts of hacks.

In most if not all cases, it’s impossible for end users to detect credit card skimming with the naked eye. Antivirus products with web-protection components can block known skimmer scripts, but they will not catch every variant. Making online purchases with the browser’s developer tools open can’t hurt and, given the check described above, may even cause the skimmer to stand down. Other than that, the best defense is to regularly and carefully scrutinize statements for unauthorized purchases and charges.

Updated to add comment from Google



On Contact Tracing and Hardware Tokens


Early in the COVID-19 pandemic, I was tapped by the European Commission to develop a privacy-protecting contact tracing token, which you can read more about at the Simmel project home page. And very recently, Singapore has announced the deployment of a TraceTogether token. As part of their launch, I was invited to participate in a review of their solution. The urgency of COVID-19 and the essential challenges of building supply chains means we are now in the position of bolting wheels on a plane as it rolls down the runway. As with many issues involving privacy and technology, this is a complicated and nuanced situation that cannot be easily digested into a series of tweets. Thus, over the coming weeks I hope to offer you my insights in the form of short essays, which I will post here.

Since I was only able to spend an hour with the TraceTogether token so far, I’ll spend most of this essay setting up the background I’ll be using to evaluate the token.

Contact Tracing

The basic idea behind contact tracing is simple: if you get sick, identify your close contacts, and test them to see if they are also sick. If you do this fast enough, you can contain COVID-19, and most of society continues to function as normal.

However, from an implementation standpoint, there are some subtleties that I struggled to wrap my head around. Dr. Vivian Balakrishnan, the Minister-in-charge of the Smart Nation Initiative, briefly stated at our meeting on Friday that the Apple/Google Exposure Notification system did not reveal the “graph”. In order to help myself understand the epidemiological significance of extracting the contact graph, I drew some diagrams to illustrate contact tracing scenarios.

Let’s start by looking at a very simple contact tracing scenario.

In the diagram above, two individuals are shown, Person 1 and Person 2. We start Day 1 with Person 1 already infectious yet only mildly symptomatic. Person 1 comes in contact with Person 2 around mid-day. Person 2 then incubates the virus for a day, and becomes infectious late on Day 2. Person 2 may not have any symptoms at this time. At some future date, Person 2 infects two more people. In this simple example, it is easy to see that if we can isolate Person 2 early enough, we could prevent at least two future exposures to the virus.

Now let’s take a look at a more complicated COVID-19 spread scenario with no contact tracing. Let’s continue to assume Person 1 is a carrier with mild to no symptoms but is infectious: a so-called “super spreader”.

The above graphic depicts the timelines of 8 people over a span of five days with no contact tracing. Person 1 is ultimately responsible for the infection of several people over a period of a few days. Observe that the incubation periods are not identical for every individual; it will take a different amount of time for every person to incubate the virus and become infectious. Furthermore, the onset of symptoms is not strongly correlated with infectiousness.

Now let’s add contact tracing to this graph.

The graphic above illustrates the same scenario as before, but with the “platonic ideal” of contact tracing and isolation. In this case, Person 4 shows symptoms, seeks testing, and is confirmed positive early on Day 4; their contacts are isolated, and dozens of colleagues and friends are spared from future infection. Significantly, digging through the graph of contacts also allows one to discover a shared contact of Person 4 and Person 2, thus revealing that Person 1 is the originating asymptomatic carrier.

There is a subtle distinction between “contact tracing” and “contact notification”. Apple/Google’s “Exposure Notification” system only performs notifications to the immediate contacts of an infected person. The significance of this subtlety is hinted at by the fact that the protocol was originally named a “Privacy Preserving Contact Tracing Protocol”, but renamed to the more accurate description of “Exposure Notification” in late April.

To better understand the limitations of exposure notification, let’s consider the same scenario as above, but instead of tracing out the entire graph, we only notify the immediate contacts of the first person to show definite symptoms – that is, Person 4.

With exposure notification, carriers with mild to no symptoms such as Person 1 would get misleading notifications that they were in contact with a person who tested positive for COVID-19, when in fact, it was actually the case that Person 1 gave COVID-19 to Person 4. In this case, Person 1 – who feels fine but is actually infectious – will continue about their daily life, except for the curiosity that everyone around them seems to be testing positive for COVID-19. As a result, some continued infections are unavoidable. Furthermore, Person 2 is a hidden node from Person 4, as Person 2 is not within Person 4’s set of immediate notification contacts.

In a nutshell, Exposure Notification alone cannot determine causality of an infection. A full contact “graph”, on the other hand, can discover carriers with mild to no symptoms. Furthermore, it has been well-established that a significant fraction of COVID-19 infections show mild or no symptoms for extended periods of time – these are not “rare” events. These individuals are infectious but are well enough to walk briskly through crowded metro stations and eat at hawker stalls. Thus, in the “local context” of Singapore, asymptomatic carriers can seed dozens of clusters in a matter of days if not hours, unlike less dense countries like the US, where infectious individuals may come in contact with only a handful of people on any given day.

The inability to quickly identify and isolate mildly symptomatic super-spreaders motivates the development of the local TraceTogether solution, which unlocks the potential for “full graph” contact tracing.
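The difference between one-hop notification and walking the full graph can be made concrete in code. The block below is an added example, not part of the essay or the TraceTogether project; because the diagrams are not reproduced here, the contact log is constructed to mirror the scenario (Person 1 is the asymptomatic seed, Person 4 is the first to show symptoms and test positive early on Day 4), and the infectious-window and cut-off times are assumptions chosen for the demo.

```javascript
// Added example, not from the essay. Constructed contact log mirroring the scenario:
// times are hours since the start of Day 1, and each contact is symmetric.
const CONTACTS = [
  { a: 1, b: 2, t: 12 }, // Day 1: P1 meets P2 (P2 becomes infectious late Day 2)
  { a: 1, b: 4, t: 30 }, // Day 2: P1 meets P4
  { a: 2, b: 3, t: 40 }, // Day 2: P2 meets P3
  { a: 4, b: 5, t: 60 }, // Day 3: P4 meets P5
  { a: 4, b: 6, t: 64 }, // Day 3: P4 meets P6
  { a: 5, b: 7, t: 80 }, // Day 4: P5 meets P7
  { a: 3, b: 8, t: 82 }, // Day 4: P3 meets P8
];

// Adjacency list: person -> [{ other, t }]
function buildGraph(contacts) {
  const graph = new Map();
  const add = (x, y, t) => {
    if (!graph.has(x)) graph.set(x, []);
    graph.get(x).push({ other: y, t });
  };
  for (const { a, b, t } of contacts) { add(a, b, t); add(b, a, t); }
  return graph;
}

const sortedUnique = (xs) => [...new Set(xs)].sort((x, y) => x - y);

// Exposure notification (Apple/Google style): only the index case's own contacts inside
// the window the health authority deems infectious get a message. Note that this includes
// whoever infected the index case, who receives the "misleading" notification the essay describes.
function exposureNotification(graph, index, windowStart, windowEnd) {
  const hits = (graph.get(index) || []).filter(({ t }) => t >= windowStart && t <= windowEnd);
  return sortedUnique(hits.map(({ other }) => other));
}

// Forward tracing over the graph: breadth-first from the index case, following only
// contacts that happened strictly after each person's own (earliest) exposure, so
// contacts of contacts are reached but the upstream source is not mistaken for a downstream case.
function forwardTrace(graph, index, exposureTime) {
  const exposedAt = new Map([[index, exposureTime]]);
  const queue = [index];
  while (queue.length > 0) {
    const p = queue.shift();
    for (const { other, t } of graph.get(p) || []) {
      if (t > exposedAt.get(p) && !exposedAt.has(other)) {
        exposedAt.set(other, t);
        queue.push(other);
      }
    }
  }
  exposedAt.delete(index);
  return sortedUnique([...exposedAt.keys()]);
}

// Backward tracing: the people each known case met before a cut-off (before that case
// could have been infectious), intersected. A shared upstream contact is the candidate
// source, i.e. the carrier with mild or no symptoms that notification alone never surfaces.
function sharedUpstreamContacts(graph, caseA, cutoffA, caseB, cutoffB) {
  const upstream = (p, cutoff) =>
    new Set((graph.get(p) || []).filter(({ t }) => t < cutoff).map(({ other }) => other));
  const ua = upstream(caseA, cutoffA);
  const ub = upstream(caseB, cutoffB);
  return sortedUnique([...ua].filter((x) => ub.has(x)));
}

const GRAPH = buildGraph(CONTACTS);

// Assumed scenario: P4 tests positive at t = 75; the authority's exposure window for P4
// starts at the P1 contact (t = 30). Later, P2 also tests positive, so both can be traced backward.
function scenario() {
  return {
    notified: exposureNotification(GRAPH, 4, 30, 75),   // [1, 5, 6]: P1 gets a notice; P2 and P3 stay hidden
    forward: forwardTrace(GRAPH, 4, 30),                 // [5, 6, 7]: contacts of contacts
    source: sharedUpstreamContacts(GRAPH, 4, 60, 2, 40), // [1]: the shared upstream contact of P4 and P2
  };
}

console.log(JSON.stringify(scenario()));
```

The forward walk already reaches Person 7, whom one-hop notification never sees, but neither the notification nor the forward walk ever touches Persons 2, 3 or 8. Only the backward intersection, which needs the contact records of more than one case in one place, points at Person 1. That is precisely the data a full-graph system holds and an exposure-notification system, by design, does not.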

On Privacy and Contact Tracing

Of course, the privacy implications of full-graph contact tracing are profound. Also profound are the potential health risks and loss of life absent full-graph contact tracing. There’s also a proven solution for containing COVID-19 that involves no sacrifice of privacy: an extended Circuit-Breaker style lockdown. Of course, this comes at the price of the economy.

Of the three elements of privacy, health, or economy, it seems we can only pick two. There is a separate and important debate about which two we should prioritize, but that is beyond the context of this essay. For the purpose of this discussion, let’s assume contact tracing will be implemented. In this case, it is incumbent upon technologists like us to try and come up with a compromise that can mitigate the privacy impact while facilitating public policy.

Back in early April, Sean ‘xobs’ Cross and I were contacted by the European Commission’s NGI program via NLnet to propose a privacy-protecting contact tracing hardware token. The resulting proposal is called “Simmel”. While not perfect, the salient privacy features of Simmel include:

  1. Strong isolation of user data. By disallowing sensor fusion with the smartphone, there is zero risk of GPS or other geolocation data being leaked. It is also much harder to do metadata-based attacks against user privacy.
  2. Citizens are firmly in control. Users are the physical keeper of their contact data; no third-party servers are involved, until they volunteer their data to an authority by surrendering the physical token. This means in an extreme case, a user has the option of physically destroying their token to erase their history.
  3. Citizens can temporarily opt-out. By simply twisting the cap of the token, users can power the token down at any time, thus creating a gap in their trace data (note: this feature is not present on the first prototypes).
  4. Randomized broadcast data. This is a protocol-level feature which we recommend to prevent third parties (perhaps an advertising agency or a hostile government) from piggybacking on the protocol to aggregate user locations for commercial or strategic benefit.

Why a Hardware Token?

But why a hardware token? Isn’t an app just better in so many ways?

At our session on Friday, the TraceTogether token team stated that Singapore needs hardware tokens to better serve two groups: the underprivileged, and iPhone users. The underprivileged can’t afford to buy a smartphone; and iPhone users can only run Apple-approved protocols, such as their Exposure Notification service (which does not enable full contact tracing). In other words, iPhone users, like the underprivileged, also don’t own a smartphone; rather, they’ve bought a phone that can only be used for Apple-sanctioned activities.

Our Simmel proposal makes it clear that I’m a fan of a hardware token, but for reasons of privacy. It turns out that apps, and smartphones in general, are bad for user privacy. If you genuinely care about privacy, you would leave your smartphone at home. The table below helps to illustrate the point. A red X indicates a known plausible infraction of privacy for a given device scenario.

The tracing token (as proposed by Singapore) can reveal your location and identity to the government. Nominally, this happens at the point where you surrender your token to the health authorities. However, in theory, the government could deploy tens of thousands of TraceTogether receivers around the island to record the movement of your token in real-time. While this is problematic, it’s relevant to compare this against your smartphone, which typically broadcasts a range of unique, unencrypted IDs, ranging from the IMEI to the wifi MAC address. Because the smartphone’s identifiers are not anonymized by default, they are potentially usable by anyone – not just the government – to identify you and your approximate location. Thus, for better or for worse, the design of the TraceTogether token does not meaningfully change the status quo as far as “big infrastructure” attacks on individual privacy.

Significantly, the tracing token employs an anonymization scheme for the broadcast IDs, so it should not be able to reveal anything about your location or identity to third parties – only to the government. Contrast this to the SafeEntry ID card scanner, where you hand over your ID card to staff at SafeEntry kiosks. This is an arguably less secure solution, as the staff member has an opportunity to read your private details (which includes your home address) while scanning your ID card, hence the boxes are red under “location” and “identity”.

Going back to the smartphone, “typical apps” – say, Facebook, Pokemon Go, Grab, TikTok, Maps – are often installed with most permissions enabled. Such a phone actively and routinely discloses your location, media, phone calls, microphones, contacts, and NFC (used for contactless payment and content beaming) data to a wide variety of providers. Although each provider claims to “anonymize” your data, it has been well-established that so much data is being published that it is virtually a push of a button to de-anonymize that data. Furthermore, your data is subject to surveillance by several other governments, thanks to the broad power of governments around the world to lawfully extract data from local service providers. This is not to mention the ever-present risk of malicious actors, exploits, or deceptive UI techniques to convince, dupe, or coerce you to disclose your data.

Let’s say you’re quite paranoid, and you cleverly put your iPhone into airplane mode most of the time. Nothing to worry about, right? Wrong. For example, in airplane mode, the iPhone still runs its GPS receiver and NFC. An independent analysis I’ve made of the iPhone also reveals occasional, unexplained blips on the wifi interface.

To summarize, here are the core arguments for why a hardware token offers stronger privacy protections than an app:

No Sensor Fusion

The data revealed by a hardware token is strongly limited by its inability to perform “sensor fusion” with a smartphone-like sensor suite. And even though I was only able to spend an hour with the device, I can say with a high degree of confidence that the TraceTogether token has little to no capability beyond the requisite BLE radio. Why do I say this? Because physics and economics:

Physics: more radios and sensors would draw more power. Ever notice how your phone’s battery life is shorter if location services are on? If the token is to last several months on such a tiny battery, there simply is not enough power available to operate much more than the advertised BLE functions.
Economics: more electronics means more cost. The publicly disclosed tender offering places a cap on the value of parts at S$20, and it essentially has to be less than that because the producer must also bear their development cost out of the tender. There is little room for extraneous sensors or radios within that economic envelope.

Above: the battery used in the TraceTogether token. It has a capacity of 1000mAh. The battery in your smartphone has a capacity of around 3x this, and requires daily charging.

The economics argument is weaker than the physics argument, because the government could always prepare a limited number of “special” tokens to track select individuals at an arbitrary cost. However, the physics argument still stands – no amount of money invested by the government can break the laws of physics. If Singapore could develop a mass-manufacturable battery that can power a smartphone sensor suite for months in that form factor – well, let’s just say the world would be a very different place.

Citizen Hegemony over Contact History

Assuming that the final TraceTogether token doesn’t provide a method to repurpose the Bluetooth Low-Energy (BLE) radio for data readout (and this is something we hope to confirm in a future hackathon), citizens have absolute hegemony over their contact history data, at least until they surrender it in a contact tracing event.

As a result, the government is, perhaps inadvertently, empowering citizens to rebel against the TraceTogether system: one can always crush their token and “opt-out” of the system (but please remove the battery first, otherwise you may burn down your flat). Or perhaps more subtly, you can “forget your token at home”, or carry it in a metallized pouch to block its signal. The physical embodiment of the token also means that once the COVID-19 pandemic is under control, destroying the token definitively destroys the data within it – unlike an app, where too often uninstalling the app simply means an icon is removed from your screen, but some data is still retained as a file somewhere on the device.

In other words, a physical token means that an earnest conversation about privacy can continue in parallel with the collection of contact tracing data. So even if you are not sure about the benefit of TraceTogether today, carrying the token allows you to defer the final decision of whether to trust the government until the point where you are requested to surrender your token for contact trace extraction.

If the government gets caught scattering BLE receivers around the island, or an errant token is found containing suspicious circuitry, the government stands to lose not just the trust of the people, but also access to full-graph contact tracing as citizens and residents dispose of tokens en masse. This restores a certain balance of power, where the government can and will be held accountable to its social contract, even as we amass contact tracing data together as a whole.

Next Steps

When I was tapped to independently review the TraceTogether token, I told the government that I would pull no punches – and surprisingly, they still invited me to the introductory session last Friday.

This essay framed the context I will use to evaluate the token. “Exposure notification” is not sufficient to isolate mildly symptomatic carriers of COVID-19, whereas “full graph” contact tracing may be able to make some headway against this problem. The good news is that the introduction of a physically embodied hardware token presents a safer opportunity to continue the debate on privacy while simultaneously improving the collection of contact tracing data. Ultimately, deployment of a hardware token system relies upon the compliance of citizens, and thus it is up to our government to maintain or earn our trust to manage our nation’s best interests throughout this pandemic.

I look forward to future hackathons where we can really dig into what’s running inside the TraceTogether token. Until then, stay safe, stay home when you can, and when you must go outside, wear your mask!

PS: You should also check out Sean ‘xobs’ Cross’ teardown of the TraceTogether token!


The only Massachusetts map that matters


Ari Ofsevit created a listing of the addresses of all the state's Dunkin' Donuts, then combined that with a database of the populations of the state's 351 cities and towns to create a map showing where people have the most Dunk's options within their borders. In the map, the lower the number, the greater the per-capita density of Dunkin' Donuts per community. Towns in white are, shockingly, Massachusetts communities with no Dunk's at all.


This Ohio city’s plan to get more people to buy electric cars worked

Giving someone a short test drive in a plug-in vehicle is the quickest way to get them to consider buying one. (credit: Monty Rakusen/Getty Images)

In 2016, the city of Columbus, Ohio, won a nationwide Department of Transportation challenge and was named America's first smart city. This contest was not just for bragging rights, like some kind of Mensa for municipalities; the award came with $40 million in DOT funding for testing better transportation policies, with an additional $10 million from the Paul G. Allen Family Foundation. As part of Smart Columbus' plans to make moving around safer and more sustainable, the foundation asked the city to increase adoption of battery electric cars and plug-in hybrids through an electrification program. And it succeeded.

The electrification program, which we wrote about last year, involved several different approaches to getting more local residents to switch to BEVs. The city assembled a fleet of 12 BEVs and PHEVs for a "ride and drive" roadshow, visiting communities and places of work to give people an opportunity to try out an EV—something that just under 12,000 people did over the course of two years.

The city created an experience center with a second fleet of test-drive plug-ins. Since 2018 this has provided test drives to another 400 people and entertained more than 30,000 visitors since opening, educating them about alternative powertrains as well as shared mobility. On top of that, Smart Columbus conducted an online education campaign and worked with 35 area car dealerships, training staff so they could sell EVs. And finally, it worked with the local utility, AEP Ohio, to build out public level 2 and DC fast charging infrastructure in the region.

In 2016, before the grant was awarded, BEV and PHEV sales were just 0.4 percent in the seven-county region. When the electrification program began in April 2017, the goal was to boost this to 1.8 percent of new vehicle sales—or 3,200 EVs—by March 2020. And it worked; over the course of those 22 months, 3,323 new BEVs and PHEVs found homes in the region. Plug-in sales actually reached as high as 2.4 percent in Q4 2018 and 1.6 percent in Q4 2019. (2019 was a disappointing year nationally for plug-in sales, so we can forgive the year-on-year decrease.) Smart Columbus estimates that the program will cut carbon emissions by 1,850 tonnes over ten years.

(credit: Smart Columbus)

The outreach program also helped increase the odds that other locals will switch to electric powertrains, too. Favorable perceptions of BEVs and PHEVs rose from October 2017 to March 2020 (BEVs: 48 percent to 62 percent; PHEVs: 57 percent to 65 percent). And in October 2017, only a third of those surveyed said they were somewhat or extremely likely to purchase a BEV or a PHEV; by March 2020, that had grown to just over one-in-two.

"We’re thrilled to see the progress and success of the smart city program over the years," said Paul Keating, senior director of Philanthropy at Vulcan Inc, the company that oversees the business and charitable activities of the late Paul Allen. "Columbus has demonstrated how a region can develop new transport systems through innovation to reduce the world’s dependence on fossil fuels. And in doing so, Columbus has created a model that can be replicated nationwide."



It’s unconstitutional for cops to force phone unlocking, court rules


(credit: releon8211 / Getty)

Indiana's Supreme Court has ruled that the Fifth Amendment allows a woman accused of stalking to refuse to unlock her iPhone. The court held that the Fifth Amendment's rule against self-incrimination protected Katelin Seo from giving the police access to potentially incriminating data on her phone.

The courts are divided on how to apply the Fifth Amendment in this kind of case. Earlier this year, a Philadelphia man was released from jail after four years of being held in contempt in connection with a child-pornography case. A federal appeals court rejected his argument that the Fifth Amendment gave him the right to refuse to unlock hard drives found in his possession. A Vermont federal court reached the same conclusion in 2009—as did a Colorado federal court in 2012, a Virginia state court in 2014, and the Massachusetts Supreme Judicial Court in 2014.

But other courts in Florida, Wisconsin, and Pennsylvania have reached the opposite conclusion, holding that forcing people to provide computer or smartphone passwords would violate the Fifth Amendment.

Lower courts are divided about this issue because the relevant Supreme Court precedents all predate the smartphone era. To understand the two competing theories, it's helpful to analogize the situation to a pre-digital technology.

A safe analogy

Suppose that police believe that a suspect has incriminating documents stored in a wall safe and they ask a judge to compel the suspect to open the safe. The constitutionality of this order depends on what the police know.

If the government can't show that the suspect knows the combination—perhaps the suspect claims the safe actually belongs to a roommate or business partner—then all courts agree that forcing the suspect to try to open it would be unconstitutional. This is because the act of opening the safe functions as an admission that the suspect owns the safe and the documents inside of it. This fact could be incriminating independent of the contents of any documents found inside the safe.

On the other hand, if the government can show that the suspect knows both the password and which specific documents are in the safe—perhaps because the suspect described the safe's contents during an interrogation—then all courts agree that the suspect can be forced to open the safe. That's because the Fifth Amendment is a right against self-incriminating testimony, not the production of incriminating documents.

But what if the state can show the suspect knows the combination but doesn't know which documents are in the safe? Here the courts are split.

One theory holds that only the act of opening the safe is testimonial. Once the safe is open, the safe contains whatever documents it contains. The police get the information in the documents directly from the documents, the same as they would if they'd found them lying on the suspect's desk. So the contents of the documents are not compelled testimony.

The other theory—the one endorsed by Indiana's Supreme Court this week—holds that it matters whether the police know which documents they're looking for. If the police are looking for specific documents that they know are in the safe, then there may be no Fifth Amendment problem. But if the request is more of a fishing expedition, then it's barred by the Fifth Amendment, since the act of opening the safe gives the police access to information they wouldn't have otherwise. Some courts have found this argument particularly compelling due to the vast amount of information on modern smartphones.

The Hubbell ruling

A key ruling here is a 2000 Supreme Court opinion in the prosecution of Webster Hubbell, a Bill Clinton associate who got ensnared by the Whitewater investigation. Prosecutors asked Hubbell to produce documents in 11 broad categories. By combing through the documents Hubbell provided, prosecutors were able to find evidence to charge Hubbell with mail fraud and tax evasion. Hubbell argued that the prosecution violated his Fifth Amendment rights, since he'd been compelled to provide the evidence used to prosecute him.

The Supreme Court sided with Hubbell. The key issue was that the prosecutor's subpoena to Hubbell lacked particularity. It asked for broad categories of documents and relied on Hubbell to figure out which documents met the criteria prosecutors provided.

Hubbell wasn't just producing specific documents requested by the government. He was using his own knowledge and judgment to provide the government with documents whose existence it might never have discovered without Hubbell's help. Whenever Hubbell turned over a document the authorities didn't know about, he was implicitly admitting that it existed. That admission was an act of testimony protected by the Fifth Amendment, the Supreme Court ruled.

Indiana's Supreme Court argues that the same principle applies when a suspect is compelled to unlock a smartphone. By unlocking her phone, Katelin Seo would be giving prosecutors access to files they didn't know existed and might not be able to access any other way.

"Even if we assume the State has shown that Seo knows the password to her smartphone, the State has failed to demonstrate that any particular files on the device exist or that she possessed those files," Indiana's Supreme Court held. "Detective Inglis simply confirmed that he would be fishing for 'incriminating evidence' from the device."

The Indiana ruling is hard to square with Hubbell

There are good policy reasons to favor the Indiana Supreme Court's interpretation of the law. Modern smartphones contain a wealth of sensitive personal information that simply didn't exist in a pre-smartphone era. It's troubling to give police or prosecutors free rein to rummage through every aspect of a suspect's personal life looking for evidence of illegal behavior.

At the same time, I don't think the Indiana Supreme Court's reading of Hubbell precedent makes much sense. The key to the Hubbell ruling was the fact that prosecutors relied on Hubbell's knowledge and judgment to locate incriminating documents.

"Given the breadth of the description of the 11 categories of documents called for by the subpoena, the collection and production of the materials demanded was tantamount to answering a series of interrogatories asking a witness to disclose the existence and location of particular documents fitting certain broad descriptions," the Supreme Court wrote in its 2000 ruling. By contrast, while the government doesn't know which specific files are on Seo's smartphone, the government also isn't relying on Seo's knowledge or judgment to decide which files it wants. The smartphone contains whatever files it contains, and the prosecutors want access to all of them.

In other words, the subpoena effectively forced Hubbell to tell prosecutors whether or not certain categories of documents existed. But if a suspect unlocks a smartphone, the suspect is only admitting that she owns the smartphone. She's not making any statements—implicit or otherwise—about what files exist on the smartphone.

Let’s talk strongboxes

A key sentence from the Hubbell ruling makes this clear. The Supreme Court wrote that Hubbell's actions were "like telling an inquisitor the combination to a wall safe, not like being forced to surrender the key to a strongbox." The courts have been clear that the government can force a suspect to supply the key to a strongbox even if the government (in the words of the Indiana Supreme Court) "failed to demonstrate that any particular files" exist in the strongbox. That's because supplying the key doesn't tell the government what's in the box—it merely enables the government to look for itself.

Imagine that a suspect admits to police that she wrote down her smartphone's passcode on a piece of paper and put the paper in a strongbox. A judge wouldn't violate the Fifth Amendment by ordering the suspect to turn over the key to the strongbox—even though the practical impact is exactly the same as unlocking the phone directly. That's because entering the passcode merely amounts to an admission that the suspect owns the phone—not to any statements about what files are on the phone.

Of course, as I mentioned previously, a number of courts have reached the opposite conclusion. They've read Hubbell as requiring the government to have a specific idea of which files it wants in order to compel decryption.

In any event, this is a case that's crying out for intervention by the US Supreme Court. This issue will only get more important as people conduct more of their personal lives—and commit more crimes—with the aid of smartphones. Enough courts have staked out contradictory positions that the only way to resolve it is for the US Supreme Court to take one of these cases and provide a definitive ruling.

Useful explanation of why the courts are split over this.