Another Day, Another Health Insurance Hack Affecting 11 Million People
Welp, here we go again. Health insurer Premera Blue Cross announced on Tuesday night that it had been hacked, and that 11 million customers could be affected by the breach. For some people, the hackers had access to both financial and medical data. The number affected may not seem like much compared with the 80 million people who had records compromised in the Anthem breach announced last month, but that's just your apathy talking.
Premera, a Washington state nonprofit, detected the hack on Jan. 29, but the attack seems to have occurred earlier, on May 5 of last year. On a website specifically for disseminating information about the hack, Premera said that names, birthdays, email addresses, physical addresses, telephone numbers, Social Security numbers, member IDs, bank account information, medical information, and insurance claims may all have been exposed in the breach. Premera will notify all affected customers by (snail) mail, and will offer two years of free credit monitoring to each of them. Major clients, according to the Wall Street Journal, include Microsoft and Starbucks.
Premera is working with the cybersecurity firm Mandiant and the FBI to investigate the breach. Some suspect that the attack was state-sponsored by China. Brian Krebs, who runs the cybersecurity blog Krebs on Security, wrote in a post, "There are indications that this may be the work of the Chinese espionage group tied to the breach disclosed earlier this year at Anthem."
When asked about potential Chinese involvement in the hack, Zhu Haiquan, a Chinese Embassy spokesman, told the Journal that, “Chinese laws prohibit cyber crimes of all forms. ... Jumping to conclusions … is not responsible and counterproductive.”
Mark Stamford, the founder and president of cybersecurity firm OccamSec (which isn't investigating the Premera hack), cautions against the assumption that state-sponsored hacks are always to blame. "There probably aren't as many nation-state attacks going on as we're publicly being made aware of," he said. "If you're a nation-state you're more likely to try and gain access to assets that are going to give you useful information over a long time."
Stamford also highlights a growing trend where companies focus on their reaction to large-scale hacks instead of investing in prevention. "These hacks haven’t been some sort of supertechnical from-the-future attacks," he said. "Usually someone has a weak password, someone clicks on a phishing email ... and that just opens the door."
My Severed Thumb and the Ambiguities of Technological Progress
A fruit fly without wings isn’t necessarily sick if it lives in a very drafty place, according to French philosopher of medicine Georges Canguilhem. The wind is bound to carry the fly to the apples and oranges that provide it with nutrition. Close the kitchen window, however, and it’ll need to find another way to move. As Canguilhem explains in The Normal and the Pathological, health is not a constant. Instead, he argues, we call ourselves healthy when we are able to adapt to the demands of environments.
Today, technology is the wind that buffets us most powerfully, at once helping us meet old needs and producing new ones. We often greet technological innovations as unambiguously positive, and they can be. As a diabetic, I have benefited immensely from portable glucose monitors that allow me to adjust my insulin dosages in response to my current blood sugar levels. Without question, I am healthier—no matter how you define the term—for these devices than I would be without them. Nevertheless, certain developments challenge us in ways both large and small. A freak accident when I was a child, for example, ended up having surprising ramifications for the way I use technology today.
Nintendo Said It Would Never Make Smartphone Games. Guess Who’s Going Mobile Now?
For years Nintendo has made a point of sticking with proprietary consoles instead of flinging itself into mobile gaming. This has been a controversial approach that has spawned countless think pieces and explainers over the years. But on Tuesday the company announced that it is partnering with the Japanese mobile game developer DeNA to create smartphone games and other mobile features.
The two companies are each putting $18 million into purchasing each other’s stock, which will give Nintendo a 10 percent stake in DeNA and will give DeNA a 1.24 percent stake in Nintendo. Along with using Nintendo characters in mobile games, the partnership will also lead to a new type of digital membership that will allow Nintendo users to transition more seamlessly between mobile devices, PCs, and dedicated game consoles.
The company said in a statement, “Leveraging the strength of Nintendo’s intellectual property and game development skills in combination with DeNA’s world-class expertise in mobile games, both companies will develop and operate new game apps ... including its iconic game characters, for smart devices.” Nintendo says, though, that only new games will get mobile versions. The company doesn’t seem to be focusing on bringing classic favorites to your smartphone (unfortunately).
As Kotaku points out, DeNA already makes a steady stream of free-to-play games that come out in the iOS and Android apps stores. The company’s strategy is to make money by offering tempting in-app purchases that help users with the game or make it more fun in some way. To some this will feel like the obvious partner for Nintendo, but others may interpret it as cheapening the Nintendo experience and diluting the brand. “I worry that micro-transactions could destroy the Nintendo brand and its reputation among gamers,” Erik Kain wrote in Forbes on Tuesday. “I believed Nintendo could make a comeback if they stayed true to their core mission. ... This was not meant to be.”
And some have been cautioning against a Nintendo mobile transition since long before this partnership was announced. “It is not an inevitability that Nintendo must put its games on rival hardware or die,” Chris Kohler wrote in Wired UK more than a year ago. “It takes time, effort, talent and care to create successful mobile games. It's not free money, it's a significant diversion of resources from Nintendo’s platforms.”
It’s good to see Nintendo innovating, and hopefully DeNA is the right partner to make Nintendo some money in mobile without destroying its empire. Investors seem happy, at least: Nintendo shares finished up 27.5 percent on Tuesday at $18.22. But it’s hard not to be wary of something that the company has always said would never happen.
The Bell Tolls for Internet Explorer
It's been clear for a while that Internet Explorer was on its way out, but now we know more about how the transition will happen. It's not going to be at the Microsoft Convergence conference on Monday; chief marketing officer Chris Capossela explained that IE will be present in Windows 10, but it will take a major back seat to Microsoft's new browser, which is still codenamed Project Spartan.
In January, Microsoft explained in a blog post that Spartan is extensively backward compatible with websites designed for IE. This week, it went a step further, though, essentially acknowledging the crazy IE shenanigans that have been going on over the last 10 years—namely extensive use of insecure old versions caused by Microsoft's lack of IE updates during the mid-2000s.
The company said in its January blog post that to maintain support for truly ancient legacy websites (of which there are apparently too many to ignore), "Internet Explorer will also be available on Windows 10." It's not clear whether all versions or only business versions of Windows will have both browsers present, but it's a good reminder of just how insidious IE has become.
Meanwhile, Microsoft is trying to move forward. As the Verge reports, Capossela said during Microsoft Convergence, "We’re now researching what the new brand, or the new name, for our browser should be in Windows 10." He showed off some market research that indicated a positive response to the Microsoft brand name when used with some of the possible browser names the company has been trying out (which are still secret).
It's been a long road, IE, and I wish you were being completely wiped from the Earth. But this is a decent first step.
Happy 5th Birthday, National Broadband Plan!
While most people associate March 17 with leprechauns, beer, and all things Irish, in the tech policy world the date holds additional, geekier significance: It’s the anniversary of the 2010 National Broadband Plan, an FCC-led initiative that promotes the goal of achieving universal, affordable Internet access by 2020. Today, the plan turns five years old — an occasion that reminds us that even though net neutrality has dominated the headlines in 2015, the FCC has also taken significant steps over the past few months to help improve the American broadband market and ensure that we remain globally competitive in the 21st century. There’s still plenty of room for improvement, but we’ve come a long way since the National Broadband Plan made its debut half a decade ago.
As part of the 2009 stimulus package, which included billions of dollars in funding for rural broadband infrastructure investment, Congress directed the FCC to develop a detailed strategy to ensure that every American had high-speed Internet access. After a year of research and soliciting public comment, the FCC unveiled the National Broadband Plan in March 2010. The final product—nearly 400 pages filled with long-term goals, charts, and footnotes quoting Shakespeare—laid out a multipronged approach for the federal government to “ensure that the entire broadband ecosystem—networks, devices, content and applications—is healthy.” Its four key strategies included encouraging fiber investment, allocating resources like spectrum more efficiently, promoting universal service, and maximizing the benefits of broadband to improve delivery of public services like health care and education.
When Opting Out Is Not an Option
On Thursday, March 26, Future Tense—a partnership of Slate, New America, and Arizona State University—will hold an event on medical device security and privacy at the New America office in Washington, D.C. For more information and to RSVP, visit the New America website.
Opting out comes with an alluring sensibility: If you don’t like it, don’t use it—whatever it is. But the proliferation of consumer medical devices is changing the landscape. Today’s companies aren’t just mining our contact lists, calendars, and search histories anymore: They’re checking our blood pressure and heart rate, tracking our diet and exercise habits, and even digging into our genetic heritage—all things once reserved for the privileged relationship between doctor and patient.
We may have become comfortable with sharing our personal information, but these data are different, and the information they reveal about us may be extremely valuable—and dangerous. Companies won’t just be mining our data to determine if we’re in the market for a new car, but a new kidney. They’ll be hunting for the most lucrative kind of customer: the desperate.
And it won’t just be the device manufacturers themselves who will have access to these insights. These data can be leaked in unexpected ways. Merely trying to interpret your own health data, say by typing “blood glucose 154 mg/dl” or “BRCA1” into a search engine or email, can put you at risk.
And that’s the problem. Opting out may no longer be a choice between privacy and convenience, but a choice between privacy and living long enough to know one’s grandchildren. That is no choice at all. Opting out is not an option.
This isn’t a hypothetical. Medtronic now collects heartbeat data from more than 1 million customers, retrieved through pacemakers and implanted defibrillators. That data, as the Wall Street Journal investigated, is extremely difficult for customers to even view, let alone control who has access to it.
The WSJ quoted a senior Medtronic executive, Ken Riff, as saying data was “the currency of the future.”
Today, it may be only the sick who are forced into this bargain. Tomorrow, it may be all of us. It’s entirely likely that having our genomes sequenced and our blood-glucose levels constantly monitored will become the norm. One day soon it may be considered ignorant and irresponsible not to be constantly monitoring your child’s health data, much as it is with opting out of vaccines today. Many parents already purchase smartphones for their children so that they can remain in constant contact (and track them in real time, if the need arises).
The ever-rising costs of nonparticipation make clear the need to rethink our approach to consumer privacy. We need to build a relationship with our technology that isn’t reduced to a buyer-beware, take-it-or-leave-it mentality. Instead of asking how we can opt out, let’s ask how we can collectively opt in to systems we can trust to preserve our privacy.
Pew Survey: Almost Half of Americans Have No Interest in Email Encryption
A new survey released on Monday by Pew offers a window into how Americans feel about government surveillance, and what they’re doing, or not doing, to protect themselves. It’s been almost two years since Edward Snowden began leaking documents that revealed the scope of NSA mass surveillance, and 90 percent of survey respondents said they had heard at least something about the situation. (Not clear where the 6 percent who said they’d heard nothing have been.)
Thirty-four percent of people who had heard about government surveillance reported that they had taken at least one action to obscure their digital information. Some changed their social media privacy settings (17 percent) or uninstalled certain apps (13 percent). Others even said that they have been trying to reduce online communication by speaking in person (14 percent).
Aspects of the news are heartening. For example, 25 percent of participants who had heard about surveillance programs said that they had started using stronger passwords. And 17 percent reported changing their search engine habits. There’s concerning news, too, though. Forty-six percent of respondents had neither adopted nor considered adopting email encryption, like Pretty Good Privacy (PGP). Thirty-one percent didn’t even know these types of tools existed. Similarly, 40 percent had never used or considered using anonymity services like Tor, and 39 percent didn’t know what those services were.
In terms of whether mass surveillance serves the public good, 61 percent of people who had heard about the programs in the first place said they were less confident than ever that the efforts were positive. Thirty-seven percent said they were more confident in the programs. But there was a pretty even split on the question of whether the courts have been fairly balancing citizens’ privacy rights with law enforcement’s desire to collect information. Forty-eight percent said that the courts have struck a good balance, and 49 percent said they haven’t. Broadly, 52 percent of people reported being concerned about data surveillance, and 46 percent said they were unconcerned.
The sample size for the study was 475 people, so it’s not enormous. It seems to show what you may have noticed in your own life: that protecting personal data online can seem daunting and that it’s hard to know what to think about the pros and cons of surveillance. It’s also difficult to know what to do about it if you want to resist involvement. If you’re still kind of wondering why you should care, half the country may be on your side. But luckily the other half seems to be learning about what’s up.
Yahoo Is Jostling to Be Known as the Most Secure Email Provider
Google announced in June that it was working on a new Chrome extension to simplify end-to-end encryption and make it more accessible to average users. And Yahoo started hinting in August that it wanted to develop a similar service. Now that plan seems to be underway.
At South by Southwest on Sunday, Yahoo's information security chief, Alex Stamos, showed a video demonstrating how quick and simple the plugin would be to use. In the demo, he pitted Yahoo's tool against traditional end-to-end encryption setups. The Yahoo user was able to send a secure message and start browsing cat photos, while the user of the other approach was still working. The Washington Post reports that Stamos views end-to-end encryption as an option customers will want to use for their most sensitive messages—not for everything.
"What we're trying to do at Yahoo is build our products so they're safe and trustworthy, not just secure," Stamos told the Post.
And the company is taking other steps to achieve this goal, too. Alongside the discussion about an end-to-end extension, Yahoo also announced a new password system called "on-demand" passwords. The feature lets Yahoo Mail users register their cellphones with their accounts so they can have short, four-character codes sent to their phones every time they want to log in.
Users don't have one master password that can be leaked or stolen, and they need to have their phone with them to log in. The approach is sort of like the two-factor authentication that popular services already offer but with a new twist. As CNET reports, Yahoo's vice president of product management for consumer platforms said during Yahoo's South by Southwest presentation, "This is the first step to eliminating passwords."
Yahoo's services aren't exactly hip, but the company does have a loyal user base. And if it can deliver trustworthy security products, it may be able to lure converts.
It’s Absurd That Comcast Can Block the HBO Go App on Your PS4
As a broadband or cable subscriber, you’re probably thinking that you should be able to access online video content without your Internet service provider’s—or cable provider’s—permission. Yet this simple feat is proving ridiculously difficult for Comcast subscribers. Comcast is unique among large ISPs and cable companies because it can use its size and content ownership to undermine online video competition in creative, infuriating ways. And it’s the dearth of protections supporting the online video market that allows Comcast to get away with it.
Strong net neutrality rules prevent Comcast the ISP from blocking or throttling online video competitors. But Comcast the cable company has multiple tricks up its sleeve to stifle online video competition.
Comcast’s scope and power enable it to refuse to sell its own video programming to other online video providers, including Netflix. This is despite agreeing to an ineffective NBC merger condition designed to prevent this behavior. Comcast, as the largest distributor of video programming, can use its leverage in negotiations to put restrictions on the online availability of even someone else’s programming. If that’s not enough, Comcast also controls the largest base of broadband subscribers in the United States, giving it a negotiation advantage over Internet-backbone companies that want to connect to its networks. Indeed, the sheer size of Comcast means it can grow only by disadvantaging its competitors to maintain video dominance—and it’s not afraid to do so.
Case in point: That HBO Go app that launched March 3 for the PlayStation 4? Not happening for Comcast Xfinity subscribers who pay for HBO. If you try to access HBO Go on a Comcast Internet connection using Verizon-provided credentials, you can. But if you try to access HBO Go on a Verizon Internet connection using Comcast-provided credentials, you can’t.
One of the less understood ways that Comcast is able to direct the future of online video is through its control of “authentication.” A lot of online video apps like HBO Go have traditionally been of little use to cord-cutters because they’re tied to regular pay-TV subscriptions. To use these services, you need to log in with credentials obtained from your cable provider. This means that your cable company determines what online video app you can access on any particular device. Most pay-TV providers authenticate these apps as a matter of course—their customers are paying for service, and accessing these apps is part of the service they're paying for. But not Comcast.
Comcast prefers to refuse its customers access to particular apps on particular platforms. In March 2014, it was discovered that Comcast had previously blocked people with Rokus from accessing HBO Go and Showtime. There is no technical reason for this—Comcast customers with other devices could access those apps, and non-Comcast subscribers could access those apps on a Roku. Comcast just decided, for whatever reason, that it would rather its subscribers not use some apps on some devices. Given the scrutiny Comcast’s practices are under during its Time Warner Cable merger review, it’s not surprising that in November 2014, the company finally allowed its customers to use those apps. (Funnily enough, Comcast refuses authentication to Hulu, too, even though it shares Hulu ownership.)
When we asked Comcast for comment, a representative sent us this statement:
Xfinity customers who subscribe to HBO currently have access to the full HBO library via their set-top box, or via Xfinity TV Go platforms across devices. We also currently authenticate more than 90 networks across 18 devices (and we authenticate HBO specifically on many third-party devices including Apple TV and Roku) so there is no shortage in the number of ways for our customers to access their content across the devices and platforms of their choice.
Unless, of course, customers want to access HBO Go on a PlayStation 4. There’s just no mention about why Comcast is blocking the app or word on when that might change. We can only speculate as to Comcast’s motives based on previous behavior. It may be that Comcast is so much bigger than other cable companies that it’s just slow-moving. It’s much more likely that Comcast would prefer people watch traditional video and use Comcast-supplied set-top boxes instead of third-party equipment like PlayStation 4s. It might also be that either Comcast or HBO isn’t willing to pay to access the other’s customers. Whatever the reason, the effect is clear: Comcast customers are restricted in how they can watch video content in ways that customers of other companies are not.
There are several ways to solve this problem, but the best option is to extend the competitive protections some video providers already enjoy to online video providers. We can ensure that online video becomes a standalone alternative to the traditional cable bundle by dropping authentication through existing cable providers entirely. We can promote a competitive market for pay-TV set-top boxes to allow consumers to watch HBO Go and even pay-TV content on the device of their choosing. Another obvious solution is for the Federal Communications Commission and the U.S. Department of Justice to block Comcast’s acquisition of Time Warner Cable, which would prevent this problem from spreading.
No one is saying that entering the online video market is impossible, but incumbent companies like Comcast have proven that they’re willing to use every trick they can to preserve their dominance when faced with competition. These tricks can take many forms, from the big (consolidation via megamergers) to the subtle (denying the authentication process). Only more online video competition will solve this problem, but in the short term, Comcast’s behavior around authentication is just another reason why it should not be permitted to expand its reach by buying Time Warner Cable. Things are already bad enough.
Fukushima’s Food Is Safe, but People Are Still Freaked Out
Sae Ochi should know better, and she knows she should know better. As the director of internal medicine at Soma Central Hospital, just 30 miles from the Fukushima Daiichi nuclear power plant that melted down after a tsunami in 2011, she is tasked with monitoring local radiation exposure levels. She has screened thousands of people, and only a few showed levels high enough for her most sensitive instruments to detect.
She eats locally grown food sold at the supermarket and even the occasional wild berry, which probably does contain a bit of radiation. “When I go hiking, I will eat a berry or two, because it’s only a tiny amount and it looks so delicious,” Ochi says. But then she adds a caveat: “That’s because I have no children.” If Ochi were a parent, she says, she wouldn’t do it—even though she knows local radiation levels are negligible. “All mothers,” she says, “try to take zero risks.”
Researchers have accumulated and analyzed reams of data about food from Fukushima and the Pacific Ocean. A protective system stopped even potentially contaminated food from getting to the public. Extensive decontamination, monitoring, and regulations have made food from around Fukushima perfectly safe. Yet fear persists.
Between 2011 and 2014, an ambitious government program checked the radiation levels of nearly every kind of food produced in Fukushima. The program sampled milk at dairy centers once every two weeks, and tested fruits, vegetables, and tea leaves at their farms of origin three days before they were scheduled to ship. In total, the program took nearly 900,000 samples.
“When I saw this number, I was stunned,” says Georg Steinhauser, a chemist at Colorado State University. “This hasn’t been done in the history of mankind.” Steinhauser was the first researcher to dive into the mounds of data to try to figure out how radiation levels changed over time. His team focused on one leading indicator: cesium 137, one of the longest-lived radioactive byproducts of a meltdown. They dug into nearly 140,000 samples from the first year of the monitoring program.
For the vast majority of the samples, radiation levels were below Japan’s limits, the strictest in the world. The government’s standards limited radiation levels in food to just one-sixth the levels permissible in food imported to Europe, for example—and to just 1/100,000 the levels produced by naturally occurring radioactive isotopes in a human being. Steinhauser’s team found that just a year after the Fukushima meltdown, radiation in only 3.3 percent of the food exceeded Japan’s limits. The numbers rose to 4.0 percent in the second year, but eventually dropped to 0.6 percent by the end of August 2014. The food, it appears, is getting safer over time. Virtually no item above Japan’s limit—no piece of fruit, meat, or anything else—got into any supermarket.
After the Fukushima meltdown, government teams stripped the outer bark off of trees in the area, and removed the top several inches of soil. That kind of decontamination is specifically aimed at cesium, which falls out of the air like dust. “It’s transported by wind and clouds,” says Kathy Higley, a radioecologist at Oregon State University who studies decontamination. “Then it washes out, or it contacts and sticks to surfaces.” If it falls on plants that animals then eat, the animals get contaminated, too. But it turns out that cesium actually has a tough time getting into plants. They absorb it because chemically cesium looks a lot like the essential nutrient potassium, but Fukushima soil is already potassium-rich—and fertilized with even more. So the crops tended to take up the nutrient instead of the radioactive imposter. And cesium-137 tended to stick to the clay in the soil, too.
Of course, that’s just food produced in Fukushima. Some radiation did get into the ocean, and researchers detected radiation in fish along the coasts of Oregon and Washington—but in negligible amounts. “The fact that you can see it doesn’t mean that it’s a hazard,” says Delvan Neville, a graduate student at Oregon State University who studies radiation levels in albacore tuna.
The enormous size of the Pacific dilutes radioactive isotopes until they’re harmless. In fact, only 1 percent of the radioactivity in the ocean comes from Fukushima, Steinhauser says. The rest? Cold War–era nuclear weapons tests. “Fukushima has not made a big impact on overall radioactivity, believe it or not,” he says.
The problem is, a lot of people still don’t believe it. “People are really afraid that the Pacific is so contaminated that you can’t eat any fish anymore,” Steinhauser says. “It’s not true, and I find it very difficult. This is one of the biggest challenges in my work.”
Even the converted feel torn. Ochi, for example, knows it’s important to dispel irrational fears, yet she sympathizes with the fearful. “Maybe there is nothing that is perfectly correct or perfectly wrong,” she says. “The most important thing is not to blame people who make a different decision.”
But when those decisions are clearly wrong, such as extreme cases in which mothers feed their children McDonald’s because they think it’s safer, her rational side emerges. “Some people try too hard to avoid radiation, and bring in other health risks,” she says. It’s a tug of war between fear and science, a conflict that remains a challenge in Fukushima.