Biosurveillance is the process of tracking medical and health data for clues about a possible health event like an outbreak. Historically, it’s a normal and necessary part of public health. But COVID-19 caught everyone off guard, and now our governments will be looking for ways to strengthen future biosurveillance methods.
With the current availability of remote health monitoring and vaccination-tracking apps (along with other types of “pandemic tech” and biometrics), we face an alarming scenario: the steps we take today for the worthy goal of fighting COVID could someday be used against us in the advancement of mass surveillance. Imagine anti-terror techniques plus digital contact tracing all rolled into one, then add some artificially intelligent police drones and a few cybercriminals looking to profit off medical ransomware. The surveillance state is going to have a heyday.
So put on those earphones, raise a mask and make sure your smartphone passcode is sufficiently strong, because it’s going to be a wild ride.
Pandemic Tech Could Expand Post-9/11 Surveillance
In the same way everything changed after 9/11, we will likely encounter widespread, global biosurveillance strategies as we barrel head-first into an increasingly digital reality that can track our every move in the name of public health.
Some public health experts, such as former FDA commissioner Scott Gottlieb, have already called for bringing “the tools of national security” into the mix. In his new release Uncontrolled Spread, Gottlieb writes, “COVID showed that a pandemic poses a grave national security risk. The political pressure to improve our surveillance, using all our capabilities, is simply too great.”
One would think that after 9/11, all the talk about bioterrorism would have led to a partnership between the public health community and the intelligence sector. This is only partially the case. As part of Homeland Security, the US set up several programs: the National Biosurveillance Integration Center (NBIC), BioWatch, and the National Biodefense Analysis and Countermeasures Center. And while the NBIC did play a role in early tracking of COVID-19, for the most part the intelligence sector operates independently from our main public health source: the Centers for Disease Control (CDC). This is what experts like Gottlieb say needs to change, raising hairs on the arms of privacy advocates everywhere.
Big corporations, on the other hand, have been cashing in on biosurveillance for a while. In June 2021, the CDC renewed a contract with Denver-based data analytics company Palantir Technologies for the purpose of disease surveillance. Palantir was founded in 2004, in the post-9/11 era, and quickly partnered with the intelligence community (including the Department of Defense and the CIA) to use big data analytics from mass surveillance to stop future terrorist attacks. Currently under ongoing investigation by Project PM, Palantir has long been on the privacy watchdog radar because its data-mining techniques are remarkably comprehensive and invasive.
The National Institutes of Health has also contracted with Palantir to continue a COVID-data gathering partnership. This program will use supposedly “privacy-preserving record linkage (PPRL)” to link data “with medical images, omics tools, electronic health records and social determinants of health to help researchers answer questions about long COVID. PPRL finds and links records on the same patient across independently maintained data sources using a cryptographic hash value to protect their identity.” While Palantir promises security, the cross-linkage of sensitive health data raises significant concern.
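How linkage on a hash token can work, as an added example that is not from the article and is not the NIH or Palantir implementation: the choice of fields (first name, last name, date of birth), the normalization, the HMAC construction and the key are all assumptions, and the records are constructed. It shows two sources joining on a token without exchanging names, and that the joined record still carries everything both sources held.

```python
import hashlib
import hmac
import unicodedata

# Assumption: a linkage key shared by the data holders and kept from analysts.
LINKAGE_KEY = b"constructed-demo-key-not-for-real-use"


def normalize(first, last, dob):
    """Canonicalize identifiers so the same patient yields the same bytes."""
    parts = []
    for value in (first, last, dob):
        text = unicodedata.normalize("NFKD", value)
        # Drop accents, punctuation and spacing, then fold case.
        text = "".join(c for c in text if c.isalnum()).lower()
        parts.append(text)
    return "|".join(parts).encode("utf-8")


def plain_token(first, last, dob):
    """Unkeyed SHA-256: anyone who knows the identifiers can recompute it."""
    return hashlib.sha256(normalize(first, last, dob)).hexdigest()


def keyed_token(first, last, dob, key=LINKAGE_KEY):
    """HMAC-SHA256: recomputing the token also requires the linkage key."""
    return hmac.new(key, normalize(first, last, dob), hashlib.sha256).hexdigest()


def link(source_a, source_b):
    """Join two token-indexed sources; no names or birth dates are compared."""
    shared = source_a.keys() & source_b.keys()
    return {t: {**source_a[t], **source_b[t]} for t in shared}


# Constructed sample records held by two independently maintained sources.
ehr = {
    keyed_token("María", "O'Neil", "1984-03-07"): {"diagnosis": "long COVID"},
    keyed_token("Sam", "Lee", "1990-11-21"): {"diagnosis": "asthma"},
}
imaging = {
    # Same patient as the first EHR record, entered with different formatting.
    keyed_token("MARIA ", "ONeil", "1984/03/07"): {"scan": "chest CT"},
    keyed_token("Ana", "Ruiz", "1975-01-02"): {"scan": "MRI"},
}

linked = link(ehr, imaging)

if __name__ == "__main__":
    for token, record in linked.items():
        print(token[:12], record)
```

An unkeyed hash of the same fields can be recomputed by anyone who knows or can guess the identifiers, so the protection of the keyed form rests entirely on who holds the key.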
Some privacy advocates are speaking up. In an article posted during April 2021, the American Civil Liberties Union (ACLU) said, “We must ensure that temporary COVID-19 data surveillance infrastructures do not needlessly outlast this once-in-a-century pandemic.” And the Electronic Frontier Foundation recently released a guide on COVID and digital rights, calling for increased vigilance against privacy invasion.
Perhaps the most chilling warning comes from NSA whistleblower Edward Snowden, who says about COVID-19 and biosurveillance, “They already know what you’re looking at on the internet. They already know where your phone is moving. Now they know what your heart rate is, what your pulse is. What happens when they start to mix these and apply artificial intelligence to it?”
The potential for misuse is staggering.
Digital Contact Tracing and Law Enforcement
For example, let’s look at contact tracing. In its original form, contact tracing is a trust-based, human-to-human activity. Public health workers must find a way to talk with individuals in their communities about who they’ve seen, where they’ve been, and what (or whom) they may have touched. It can be a highly personal conversation. At the beginning of an outbreak, contact tracing could help to slow down or even stop a pathogen.
With COVID-19, contact tracing hit a wall because the virus simply moved too fast, especially once the delta variant became dominant. But prior to the delta variant, tech companies were going crazy trying to come up with the perfect contact tracing app. Since our phones track our location (and often our nearby contacts), digital contact tracing through our smartphones seems like the next natural step. Digital contact tracing also removes much of the need for human-to-human trust.
The tech sector placed a lot of optimism in these apps for COVID, even leading to a partnership between tech giants Google and Apple, but these particular apps weren’t as successful as hoped, partly due to issues with signal strength and privacy concerns. Google and Apple said that in the future, their iOS and Android systems will have this COVID notification system built into the phone, so that users simply opt in rather than take the time to install an app. The system, called Exposure Notifications, “uses Bluetooth signals from smartphones that have opted-in to determine how closely and for how long two phones were nearby.”
The success of such digital contact tracing depends on how many users opt in, so we can probably expect a big push toward this technology should the COVID virus continue to spread or in the event of another pandemic. With increased calls for more “national security” in our public health efforts, we could very well see the required implementation of digital contact tracing systems in the future. But what if these same technologies were applied not only to preventing the spread of disease, but also to the surveillance of protests, activist groups, and journalists?
Indeed, Rolling Stone has revealed that police departments all over the country are allocating COVID funds into surveillance under the guise of “crowd control” and other supposed public health measures. In North Carolina, for example, COVID money contributed to the purchase of AI-based public-data monitoring software from Dataminr, a company that police used in the 2020 surveillance of Black Lives Matter protests. And in Mesa, Arizona, we’ve heard reports that a police department is using millions of dollars in COVID funds to bolster a “real-time crime center” for the purpose of community surveillance.
Additionally, COVID-19 has increased demand for AI-enabled drones, not only for direct public health causes like vaccine and medication delivery, but also among police departments hoping to use drone technology to reinforce social distancing in crowds and allow for remote, contactless policing.
As if the police don’t already have enough power.
The Street Finds Its Own Uses
In the global wake of COVID-19 and increased telehealth, smartphones have arguably become the most common biosurveillance device. Some countries have mandates in place requiring citizens to download certain apps to their smartphones for the purpose of disease-tracking or vaccination status.
Unfortunately, smartphone apps are also vulnerable to cyberattack.
In 2020, a telehealth app named Babylon disclosed a vulnerability “that allowed patients to view video conferences of other patients with doctors.” In this case, it was not a targeted hack and was quickly patched, but imagine if the vulnerability had been exploited by a cybercriminal wanting access to sensitive medical data. Another app used for patient scheduling by Luxottica in Italy was hacked in 2020 by ransomware, affecting almost 830,000 patients.
And whole countries could be at risk. In Indonesia, for example, a breach in the country’s COVID-19 app exposed the health data of about one million people. Not only did this data include COVID test results, but it also exposed personal information and contact details, along with private records from hospitals and Indonesian officials using the app. This type of exposed raw, unencrypted data could lead to ransomware attacks and other nefarious activities by cybercriminals and nation-state actors.
It’s not just the smartphone apps themselves that are open to attack; the entire global healthcare system is vulnerable. Ransomware has skyrocketed across the healthcare industry since COVID, with data extortion being the most common technique worldwide. And USA Today recently published a story about the morbidly named “killware,” which is malware used with the intention of ending lives in hospitals and other high-risk institutions.
This rise in healthcare cybersecurity risk has led to increased burnout among healthcare IT and security professionals, who have been tasked with keeping information safe and private, in an era when protected health information (PHI) is “being communicated via unsecured or personal communication tools.”
As a global society trying to cope with the ongoing trauma of COVID-19, we’re literally handing our health information over to governments and cybercriminals alike while our security industry struggles against the tide to protect us from our own naivete.
An Urgent Need for Ethical Biohackers
Does a device you own (or wear) store and/or control health information about you in any way electronically? Your Fitbit, your insulin pump, your smartphone healthcare portal? What about your prescription record? Your social media posts? Your email subject lines? Your search history? What about the words you speak around an active microphone on your smartphone (or someone else’s phone)? Does your physician, specialist or psychiatrist store your information in a digital health record? Did you connect to a telehealth appointment during COVID? Have you ever downloaded a COVID-tracking app required for some reason, such as for international travel or even just to attend a music festival?
If it can be digitally stored or tracked, it can be hacked. Everything connected to the internet is hackable. The sooner we understand this, the sooner we can make our biosurveillance systems safer against malicious cybercriminals and oppressive government entities.
To counter these increasingly sophisticated biosurveillance methods, we need to get into the hacker mindset. Hackers look for vulnerabilities in devices and systems, and “good hackers” try to find those vulnerabilities before a bad actor (or an authoritarian regime) can get hold of them. Most hackers are curious by nature, and sometimes do dangerous things with technology due to this curiosity. Because healthcare cybercrime and biosurveillance abuse in particular increase the risk for human casualties and carry a huge potential for harm, we need radical solutions. We need to think like hackers. Specifically, we need to think like bio-hackers.
It sounds counterintuitive, but ethical biohacking could be a potent weapon against future biosurveillance misuse.
“Biohacking” is a broad term that encompasses a wide range of activities, from simply employing nutrition techniques to optimize the human body, to more invasive DIY biology like genetic manipulation and cybernetic augmentation. But in the cybersecurity community, biohacking literally refers to digital infiltration of electronic biomedical systems and devices.
For example, one form of biohacking commonly discussed at DEF CON is implantable RFID or NFC chips. This type of tech is the ultimate biosurveillance tool; it is literally under the skin, tracking its user from within. It received a lot of press during COVID because conspiracy theorists surmised that maybe COVID vaccines contain microchip implants. (Spoiler: The vaccines do not contain any form of microchip or tracking technology.)
I reached out to several security professionals for more information about why hackers, of all people, sometimes get their chip implants at the hacker conferences themselves. You would think hackers would be extra wary of such technology, especially at a conference surrounded by other hackers.
Deviant Ollam says it this way: “The most important question to ask with any biometric-based authentication tools: 1. Who controls the data on the credential, 2. Who controls how the credential can be used. In short, it’s all about control… As with many things involving personal info, not even biometric related, ‘who controls your information, and what are they doing with it’ is the question that should be on everyone’s minds and everyone’s lips in the tech sector.” Then he goes on to explain that “hackers get chipped at conferences because they want to participate in cool bleeding edge body modification but do so in a way that is safe according to those two rules.”
According to DEF CON Biohacking Village Executive Director Nina Alli, people who get chipped at the conference should wait about two hours after the process before loading any data to the chip, at which point they can load whatever they want: “Some people use it as an extended time work badge, others as an extension of their car alarm, some put YouTube or personal info (Twitter/LinkedIn) links.” So then do the hacker cyborgs get together and try to hack each other? Apparently not. “They don’t necessarily start working on breaking the chips. The cool factor about chips is their discretion.”
Granted, concerns about microchip implant hacking are warranted. In an interview for Gizmodo, computer science professor Matthew Green says, “The real question in my mind is whether anyone will actually want to hack your implant. The big difference between a theoretical hack and one that gets exploited in the real world is usually money.”
As a side note, mandatory microchip implantation is a blatant violation of human rights that is already banned in many states. Because coerced or mandatory microchipping has the potential to affect someone’s ability to securely work, buy or sell, we need more legislation across the globe restricting forced chipping. However, voluntary microchip injection is another thing entirely. Biohackers who decide to “get chipped” often do so with a full acknowledgment of the risks. Sweden, for example, is at the leading edge of this human microchipping trend. Thousands of Swedes currently use microchip implants to confirm their ID, make payments, or even to gain entrance to the gym.
Security researcher Len Noe talked extensively about his own microchip implants at the 2021 RSA Conference. “At least people are not going to be blindsided, slapped in the face by something that could be a very world-changing type of technology… Don’t fear the biohacker,” Noe said, in an interview with Archer News.
Voluntary biohacking with chip implants can be, for some curious people, an excellent way to learn more about biometric identification technologies, raising awareness about implications for potentially widespread biosurveillance. If we start thinking like hackers, we will automatically want to verify “who controls the information, and what they are doing with it.” If I’m going to get an implant in my hand, I’d probably want to make damn sure the thing isn’t broadcasting my personal data to nation-state cybercriminals. Learning about the technology is our first defense against it.
Implantable microchips are an extreme example, but a less stigmatized biometric is Amazon One, which uses your palm print linked to your account information to complete transactions. It’s not like you can just remove your hand if your information gets hacked, as you could with an implanted chip. Security professional Deviant Ollam says that Amazon One is “the kind of thing that makes hacker and security people’s skin crawl.”
And consider this: we hold our smartphones in our hands often as an extension of our own bodies. When we want to communicate or check in somewhere, we reach for our smartphone. It knows where we are at any given point in time, and with the rise of biosurveillance after COVID it will soon be able to track vaccination status and symptoms across populations and international borders. Thinking like biohackers will allow us to better control what forms of biosurveillance can access our devices. For example, if we know that digital contact tracing uses Bluetooth, turning Bluetooth off on our smartphones might be a good option.
In these COVID times, we’re already biohackers to some extent, experiencing surveillance capitalism in a world where cybercriminals can hold our health data for ransom.
We might as well make the most of it. Cyberpunks, mount up.
Anna L. Davis (@AnnaLDavis1 on Twitter) is an author and editor. Her sci-fi novel Open Source (Enhancement Series) features hackable medical devices in a near future cyberpunk dystopia.