COVID-19: Whither the Pandemic?

Last week, I published a post about the burgeoning spread of Coronavirus infections, based on the perspectives of my brother, Nelson Nones, who lives and works in East Asia.

I’ve now received an updated analysis from him which is quite interesting.  It’s based on plotting COVID-19 infection rates against average February temperatures for 123 countries.

Here are his findings:

  • The world’s worst COVID-19 hotspots (China, Italy, Iran, South Korea, France, Spain, Germany and Switzerland) are clustered in a February temperature band ranging from -9 to +7 degrees C.
  • The world’s least contagious COVID-19 countries are clustered in a February temperature band ranging from +10 to +28 degrees C. Among those, the poorest countries are the least contagious; the richest (Singapore, Australia and Malaysia) are the most. Presumably this is because international travel is more common in richer countries.
  • Finland, the US, Japan, UK, Taiwan and Thailand lie near the best-fitting trend.
  • With the progression of the seasons, mean temperatures in the US will climb from -4C in February to +20C in July. Following the best-fitting curve, this means the US infection rate would be 63% (nearly two-thirds) lower in July than the present 4 cases per million.

Nelson’s conclusion:  “The pandemic won’t last!”

In conducting his analysis, Nelson used COVID-19 case data and country populations from the worldometers.info news feed. Average February temperature data come from the World Bank.

These are interesting stats, to be sure — and interesting prognostications as well.  Caution should be the watchword in these times.  But the Coronavirus news may be uniformly brighter as the seasons warm.

What are your thoughts?  Feel free to share your views in the comment section below.

The Coronavirus Threat: A view from East Asia.

Regular readers of Nones Notes Blog know that my brother, Nelson Nones, has lived and worked outside the United States for nearly 25 years – much of that time in East Asia. So naturally I was curious about his perspectives on the spread of the Coronavirus from its epicenter in Wuhan, China, what precautions he is taking in the face of the threat, and his perspectives on how the actions of Asian countries affected by the outbreak may be mitigating the potential effects of the virus.

Here is what Nelson wrote to me in response to my query:

The Coronavirus has not affected my business here in Bangkok to date. I did make a trip to Singapore during the last week of January and to Taiwan during the first week of February, after arriving back in Thailand from the U.S. on January 12th.  I haven’t been sick at all – before or since.

However, in an abundance of caution I am keeping myself at home as much as possible, and I have decided not to travel anywhere until the current hullabaloo dies down.

As for the situation here in Thailand, this country is actually the location of the first COVID-19 (Coronavirus) case ever recorded outside Mainland China. This was back on January 13th, just two weeks after China first notified the World Health Organization (WHO) of the new disease, and only two days after China recorded its first COVID-19 death.  

The patient here in Thailand was a Chinese woman who had traveled from Wuhan, the epicenter of the pandemic.

Since then, Thailand has recorded 42 additional cases for a total of 43 patients, of whom only one died (on Sunday March 1st), and 31 have recovered.  This leaves 11 active cases – all considered mild.

The first case of human-to-human virus transmission within Thailand was recorded on January 16th, affecting a taxi driver. Of the 43 cases confirmed so far, 25 affected Chinese citizens; seven affected Thai citizens with travel histories to China, Japan or South Korea; seven affected Thai citizens who work in the tourism or healthcare industries; and the remaining four were other domestic cases (of which only two potentially represent “community spread”).  Thailand’s infection growth factor peaked on January 26th.

Being one of the world’s most popular tourist destinations (especially from China), Thailand has never imposed any travel restrictions, even from China (nor has the U.S. ever imposed any COVID-19 travel restrictions on Thailand), but all arriving international passengers are screened by an initial body temperature check. Those who fail the initial screening are required to disclose their travel histories within the past 14 days, in detail.  If they have travelled to or from any affected areas, and exhibit any COVID-19 symptoms, they are immediately quarantined at a specially-designated hospital for isolation and treatment.

Under the circumstances, and considering its geographic proximity to China as well as the normal volume of Chinese tourist travel, I think Thailand’s containment efforts so far have been successful and offer some lessons for the United States. Containment in India, Indonesia and Bangladesh so far is even more impressive (Indonesia reported its first two cases only on March 2nd).

Displayed below is a listing of South, Southeast and East Asian countries, ranked by population (together with the U.S. for comparison purposes), showing the number of cases and deaths reported so far:

* Excludes Diamond Princess cruise liner cases.

Sources:

Case data are from https://www.worldometers.info/coronavirus/#countries

Populations are from https://en.wikipedia.org/wiki/List_of_countries_by_population_(United_Nations)

The countries shaded in green, above, are those which did not require advance visas for Chinese citizens holding ordinary passports, prior to the imposition of temporary COVID-19 travel restrictions. These countries were either visa-free or allowed “visa on arrival.”

The countries in red typeface, above, are those which had imposed temporary COVID-19 travel restrictions as of early February 2020. These include “entry bans on Chinese citizens or recent visitors to China, ceased issuing of visas to Chinese citizens and re-imposed visa requirements on Chinese citizens or countries that have responded with border closures with China.” (See https://en.wikipedia.org/wiki/Visa_requirements_for_Chinese_citizens for source data.)

It’s quite clear from the data above that, excluding Mainland China itself, there is little or no correlation between the incidence of COVID-19 cases or deaths and the leniency of a country’s previous or current travel restrictions in so far as Mainland Chinese are concerned.

Indeed, all of the four countries having a higher number of cases than Thailand (Japan, South Korea, Hong Kong and Singapore) required advance visas before the COVID-19 outbreak, and all but one (Hong Kong) had imposed COVID-19 entry bans as of February 2nd.

Conversely, apart from Thailand, the countries which did not require advance visas before the COVID-19 outbreak have averaged fewer than one case per country (although all of them except Cambodia and East Timor had imposed temporary COVID-19 travel bans by February 2nd).

The countries shown in bold typeface above are those which are geographically closest to the COVID-19 epicenter. An average of 570 COVID-19 cases have been reported within each of these 10 countries; only Laos has been immune so far. Conversely, an average of 6 COVID-19 cases have been reported within each of the remaining 26 countries (excluding China itself).

From these data, I’ve drawn the following four generalizations:

  • Outside of Mainland China, international travel bans and visa restrictions are not effective tools for controlling the spread of COVID-19 disease within a country.
  • Geographic proximity to Mainland China is well-correlated to the historical spread of COVID-19 disease in South, Southeast and East Asia.
  • Vigilant screening and disposition of suspected cases is vital to containing the spread of COVID-19 disease, as Thailand’s experience demonstrates.
  • Allowing high concentrations of suspected cases to form without treatment, such as Wuhan (China), the Diamond Princess docked at Yokohama (Japan) and Shincheonji church at Daegu (South Korea), is a recipe for disaster.  

Of course, the virus and its spread is an evolving narrative, and Nelson’s observations may soon be overwhelmed by new developments. Still, I was somewhat surprised to read that the situation is not quite as dire as the news reporting here in the U.S. would seem to indicate.

Have you heard from overseas friends or colleagues about how they are responding to the Coronavirus outbreak? Please share their perspectives with other readers here.

Facial Recognition Faceoff

Facebook has been resisting outside efforts to rein in its “faceprints” facial recognition initiative – and mostly losing.

I’ve blogged before about the concerns many people have about facial recognition technology, and the troubling implications of the technology being misused in the wrong hands.

Facebook would claim to be the “right hands” rather than wrong ones when it comes to the database of “faceprints” it’s been compiling over the past decade or so. But its initiative has run afoul of an Illinois biometric privacy law passed in 2008.

The Illinois measure, which prohibits companies from collecting or storing people’s biometric data without their consent, is one of the strongest pieces of legislation of its kind in that it also allows individual consumers to sue for damages – to the tune of up to $5,000 per violation.

And that’s precisely what’s happened.  A class-action suit was filed in 2015 by a group of Illinois residents, alleging that Facebook has violated the Illinois privacy law through its photo-tagging function, which draws on a trove of “faceprint” photos to recognize faces and suggest their names when they appear in photos uploaded by friends on Facebook.

Facebook has vigorously resisted efforts to rein in its faceprint initiative, arguing that any such lawsuits should be dismissed because users haven’t actually been injured by any alleged violations of the state law.

That stance has been rejected – first in U.S. district court and then in the court of appeals. Undaunted, Facebook appealed to the U.S. Supreme Court which turned down the appeal in late January.

Rebuffed at all legal levels, Facebook has now decided to settle the suit for a reported $550 million, including payments of ~$200 each to claimants in the Illinois class-action suit.

Facebook has lost, but the whole notion of facial recognition technology could well be like playing a game of whack-a-mole. As it turns out, another firm has developed similar functionality and is busily selling facial recognition data to police departments across North America.  According to a recent investigative article published in The New York Times, a company called Clearview AI has mined billions of photos from Twitter, Facebook and other social platforms.  (Clearview is now being sued in Illinois for allegedly violating the same biometric privacy law that was at the center of the Facebook suit.)

And indeed, the efforts to rein in facial recognition activities may be a little too little, a little too late: According to a recent report from Business Insider, the faces of more than half of all adults in America have already been logged into police or government databases.

… Which brings us to a parallel response that appears to be gaining traction: figuring out ways to fool facial recognition software.  A number of entrepreneurs are developing intriguing methods to beat facial recognition software.  Among them are:

  • Clothing designers have begun to target weaknesses in the ability of facial recognition software to process overlapping or unusual shapes, as well as deciphering multiple similar images appearing in close proximity. One such example is a pair of goggles fitted with near-infrared LEDs that interfere with the ability to scan facial features.
  • Headscarves decorated with different faces “confuse” the software by overloading it with excessive amounts of data in the form of numerous facial features.
  • So-called “adversarial patches” – a graphic print that can be added to clothing – exploit the vulnerabilities in facial recognition scanning by making a person “virtually invisible for automatic surveillance cameras,” according to creators Simen Thys, Wiebe Van Ranst and Toon Goedemé.

Will the two-front attack on facial recognition technology from the legal as well as technology standpoint succeed in putting the facial recognition genie back in the bottle? It’s debatable.  But it’s certainly making things more of a challenge for the Facebooks and Clearviews of the world.

The unintended “open book” company … opens a can of worms.

Transparency is usually considered a good thing. But when it means your company is an open book, it’s gone too far.

Unfortunately, some companies are making far too much of their information visible to the world without realizing it. Clean laundry, dirty laundry – the works.

One of these instances came to light recently when vpnMentor, a firm that bills itself as an “ethical hacking group,” discovered an alarming lack of e-mail protection and encryption during a web-mapping project regarding an international piping, valve and fitting manufacturing organization.

I’m going to shield the name of the company in the interest of “discretion being the better part of valor,” but the company’s data that was found to be visible is amazingly broad and deep. Reportedly it included:

  • Project bids
  • Product prices and price quotations
  • Discussions concerning suppliers, clients, projects and internal matters
  • Names of employees and clients
  • Internal e-mail addresses from various branch offices
  • Employee IDs
  • External/client e-mail addresses, full names and phone numbers
  • Information on company operations
  • Travel arrangements
  • Private conversations
  • Personal e-mails received via company e-mail addresses

Basically, this company’s entire business activities are laid out for the world to see.

The vpnMentor research team was able to view the firm’s “confidential” e-mail communications. Amusingly, the team saw its own e-mails it had sent to the firm warning about the security breach (that the company never answered).

“The most absurd part is that we not only know that they received an e-mail from one of the journalists we work with, alerting them to the leak in this report, but we [also] know they trashed it,” as one of the team members noted.

The company in question isn’t some small, inconsequential entity. It operates in 18 countries including the biggies like Germany, France, the United States, Canada and Brazil.  So the implications are wide-ranging, not just for the company in question but also for everyone with which they do business.

The inevitable advice from vpnMentor to other companies out there:

“Review your security protocols internally and those of any third-party apps and contractors you use. Make sure that any online platform you integrate into your operations follows the strictest data security guidelines.”

Are you aware of any security breaches that have happened with other companies that are as potentially far-reaching as this one? It may be hard to top this particular example, but if you have examples that are worth sharing, I’m sure we’d all find them interesting to hear.

The promise — and peril? — of microchip implants for people.

In 2017, when employee volunteers at Three Square Market, a Wisconsin-based technology company, agreed to have microchips implanted in their wrists so that they could access the company’s lunchroom vending machines without exchanging money, some people tittered.

At best, it was viewed as a publicity effort to draw attention to the firm and its work in the microchip industry.

So where are we with human microchip implants two years later? Well … not so far along in some ways, and yet things may be poised for a sea change in the not-too-distant future.

And actually, it has less to do with human microchip implants as a convenience than it does with their potential to revolutionize health monitoring and medical diagnoses.

Biohax International, a Swedish-based company founded more than five years ago, is further along on the development curve than most other developers in the field. According to a report from Thomas Industry Insights, thousands of Swedes now have microchip implants, and the number is expected to continue growing at a robust pace.

At present, Biohax chip implants can house anything from emergency contact information to FOB and other access capabilities for cars, homes and even public transportation.

But the next frontier looks to be in healthcare. At present, prototype microchips are being developed that will enable continual monitoring of a person’s vital signs – things like glucose monitoring and blood pressure monitoring.

It isn’t difficult to imagine a day when certain patients are prescribed potentially lifesaving microchip implants that will serve as “early warnings” to nascent health emergencies.

Is this the future?

There could be a downside, of course – there nearly always is with these sorts of things, it seems. What does a world look like where physicians, insurance companies, employers or credit card companies make implants a mandatory condition for service or employment?

How far of a line is it to go from that to being part of a “surveillance state”?

And even if the situation never came to that, would people who demur from participating voluntarily in the “microchip revolution” be somehow walled off from the benefits microchips could deliver – thereby becoming “second-class citizens”?

The ethical questions about human microchip implants are likely to be with us for some time to come — and it’s certainly going to be interesting to see how it all plays out.

Do you have particular opinions about the “promise and peril” of microchip implants? Please share your thoughts with other readers here.

Cookie-blocking is having a big impact on ad revenues … now what?

When Google feels the need to go public about the state of the current ad revenue ecosystem, you know something’s up.

And “what’s up” is actually “what’s down.” According to a new study by Google, digital publishers are losing more than half of their potential ad revenue, on average, when readers set their web browser preferences to block cookies – those data files used to track the online activity of Internet users.

The impact of cookie-blocking is even bigger on news publishers, which are forgoing ad revenues of around 62%, according to the Google study.

The way Google conducted its investigation was to run a 4-month test among ~500 global publishers (May to August 2019). Google disabled cookies on a randomly selected part of each publisher’s traffic, which enabled it to compare results with and without the cookie-blocking functionality employed.

It’s only natural that Google would be keen to understand the revenue impact of cookie-blocking. Despite its best efforts to diversify its business, Alphabet, Google’s parent company, continues to rely heavily on ad revenues – to the tune of more than 85% of its entire business volume.

While that percent is down a little from the 90%+ figures of 5 or 10 years ago, in spite of diversifying into cloud computing and hardware such as mobile phones, the dizzyingly high percentage of Google revenues coming from ad sales hasn’t budged at all in more recent times.

And yet … even with all the cookie-blocking activity that’s now going on, it’s likely that this isn’t the biggest threat to Google’s business model. That distinction would go to governmental regulatory agencies and lawmakers – the people who are cracking down on the sharing of consumer data that underpins the rationale of media sales.

The regulatory pressures are biggest in Europe, but consumer privacy concerns are driving similar efforts in North America as well.

Figuring that a multipronged effort makes sense in order to counteract these trends, this week Google aired a proposal to give online users more control over how their data is being used in digital advertising, and is seeking comments and feedback from interested parties.

On a parallel track, it has also initiated a project dubbed “Privacy Sandbox” to give publishers, advertisers, technology firms and web developers a vehicle to share proposals that will, in the words of Google, “protect consumer privacy while supporting the digital ad marketplace.”

Well, readers – what do you think? Do these initiatives have the potential to change the ecosystem to something more positive and actually achieve their objectives?  Or is this just another “fool’s errand” where attractive-sounding platitudes sufficiently (or insufficiently) mask a dimmer reality?

DMARC’s job of demarcating: How well is it doing?

In the drive to keep the onslaught of fake e-mail communications under control, DMARC’s checks on incoming e-mail are an important weapon in the Internet police’s bag of tricks.  A core weapon of cyber felons is impersonation, which is what catches most unwitting recipients unawares.

So … how is DMARC doing?

Let’s give it a solid C or C+.

DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is a procedure that checks on the veracity of the senders of e-mail. Nearly 80% of all inboxes – that’s almost 5.5 billion – conduct DMARC checks, and nearly 750,000 domains apply DMARC as well.

Ideally, DMARC is designed to satisfy the following requirements to ensure as few suspicious e-mails as possible make it to the inbox:

  • Minimize false positives
  • Provide robust authentication reporting
  • Assert sender policy at receivers
  • Reduce successful phishing delivery
  • Work at Internet scale
  • Minimize complexity

But the performance picture is actually rather muddy.

According to a new study by cyber-security firm Valimail, people are being served nearly 3.5 billion suspicious e-mails each day. That’s because DMARC’s success rate of ferreting out and quarantining the faux stuff runs only around 20%.  And while America has much better DMARC performance than other countries, the United States still accounts for nearly 40% of all suspicious e-mail that makes it through to inboxes due to the sheer volume of e-mails involved.

In developing its findings, Valimail analyzed data from billions of authentication requests and nearly 20 million publicly accessible DMARC and SPF (Sender Policy Framework) records.  The Valimail findings also reveal that there’s a pretty big divergence in DMARC usage based on the type of entity. DMARC usage is highest within the U.S. federal government and large technology companies, where it exceeds 20% penetration.  By contrast, it’s much lower in other commercial segments.
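As an added illustration (not code from Valimail or from the original post), the Python sketch below parses published DMARC records and sorts them into monitoring-only versus enforced policies, the distinction that decides whether a receiver is asked to quarantine or reject a message that fails authentication. The sample domains and records are constructed; tag names follow the DMARC specification (RFC 7489), and the category labels are this example's own.

```python
"""Classify DMARC TXT records by how strongly they are enforced (added example)."""
from collections import Counter

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return a dict of DMARC tags, or raise ValueError if the record is unusable."""
    tags, order = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part!r}")
        name = name.strip().lower()
        if name not in tags:              # this example keeps the first occurrence
            tags[name] = value.strip()
            order.append(name)
    # The version tag must come first and is case-sensitive.
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        # Simplification: a receiver may fall back to p=none when a valid
        # rua= is present; this example counts the record as invalid.
        raise ValueError(f"missing or unknown p= value: {policy!r}")
    tags["p"] = policy
    pct = tags.get("pct", "100")          # pct defaults to 100 when absent
    if not (pct.isascii() and pct.isdigit()) or int(pct) > 100:
        raise ValueError(f"pct out of range: {pct!r}")
    tags["pct"] = int(pct)
    return tags


def classify(txt):
    """Map one record (or None for 'no record published') to a category."""
    if txt is None:
        return "no-record"
    try:
        tags = parse_dmarc(txt)
    except ValueError:
        return "invalid"
    if tags["p"] == "none":
        return "monitoring"               # reports only, nothing is blocked
    if tags["pct"] < 100:
        return "partial"                  # policy applied to a sample of mail
    return "enforcing"                    # quarantine/reject for all failing mail


def summarize(records):
    """Count categories across a {domain: record-or-None} mapping."""
    return Counter(classify(txt) for txt in records.values())


# Constructed sample data: domains under the reserved .example TLD.
SAMPLE = {
    "alpha.example": "v=DMARC1; p=reject; rua=mailto:dmarc@alpha.example",
    "bravo.example": "v=DMARC1; p=none; rua=mailto:dmarc@bravo.example",
    "charlie.example": "v=DMARC1; p=quarantine; pct=25",
    "delta.example": "p=reject; v=DMARC1",      # version tag not first
    "echo.example": None,                       # no DMARC record published
    "foxtrot.example": "v=DMARC1; p=Quarantine;",
}

if __name__ == "__main__":
    for domain, txt in SAMPLE.items():
        print(f"{domain:18} {classify(txt)}")
    print(dict(summarize(SAMPLE)))
```

A domain that publishes only `p=none` shows up as a DMARC user in adoption counts yet gives receivers no instruction to stop spoofed mail, which is why usage and enforcement are tallied separately.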

The commercial sector’s situation is mirrored in a survey of ~1,000 e-mail security and white-collar professionals conducted by GreatHorn, a cloud-native communication security platform, which found that nearly one in four respondents receive phishing or other malicious e-mails daily, and an additional ~25% receive them weekly.  These include impersonations, payload attacks, business services spoofing, wire transfer requests, W2 requests and attempts at credential theft.

The GreatHorn study contains this eyebrow-raising finding as well:  ~22% of the businesses surveyed have suffered a breach caused by malicious e-mail in the last quarter alone.  The report concludes:

“There is an alarming sense of complacency at enterprises at the same time that cybercriminals have increased the volume and sophistication of their e-mail attacks.”

Interestingly, in its study Valimail finds that the government has the highest DMARC enforcement success rate, followed by U.S. technology and healthcare firms (but those two sectors lag significantly behind). It may be one of the few examples we have of government performance outstripping private practitioners.

Either way, much work remains to be done in order to reduce faux e-mail significantly more.  We’ll have to see how things improve in the coming months and years.