The 2008 measles outbreak in San Diego

A pediatrician friend of mine pointed out this bit of news in Pediatrics on the January 2008 outbreak of measles in San Diego:

The outbreak began in January 2008 when a 7-year-old boy whose parents refused to vaccinate him returned to the U.S. from Switzerland. Before symptoms appeared, he infected his 3-year-old brother and 9-year-old sister. Neither was vaccinated.

Neither were 11% of the boy’s classmates, whose parents shared similar beliefs that a healthy lifestyle protected against disease while vaccines were riskier than the illnesses they prevented.

In the end, 839 people were exposed to measles. Eleven were infected, and 48 exposed kids too young to be vaccinated were quarantined — forbidden to leave their homes — for 21 days. Jane Seward, MBBS, MPH, was the CDC’s senior investigator for the outbreak.

Despite the extraordinary efforts of health workers, what really ended the San Diego outbreak wasn’t quarantine or post-exposure vaccination. It was the high vaccination rate in the rest of the community that kept the outbreak from becoming an epidemic.

This is the summary of the study:

The importation resulted in 839 exposed persons, 11 additional cases (all in unvaccinated children), and the hospitalization of an infant too young to be vaccinated. Two-dose vaccination coverage of 95%, absence of vaccine failure, and a vigorous outbreak response halted spread beyond the third generation, at a net public-sector cost of $10376 per case. Although 75% of the cases were of persons who were intentionally unvaccinated, 48 children too young to be vaccinated were quarantined, at an average family cost of $775 per child. Substantial rates of intentional undervaccination occurred in public charter and private schools, as well as public schools in upper-socioeconomic areas. Vaccine refusal clustered geographically and the overall rate seemed to be rising. In discussion groups and survey responses, the majority of parents who declined vaccination for their children were concerned with vaccine adverse events.

CONCLUSIONS Despite high community vaccination coverage, measles outbreaks can occur among clusters of intentionally undervaccinated children, at major cost to public health agencies, medical systems, and families. Rising rates of intentional undervaccination can undermine measles elimination.

The medical and public health community needs to really get going on this. The article ends by saying the researchers met parents with “real fears” about the risk of autism from vaccines. I’m sure their fears are real, but how on earth do you convince them otherwise?


Talk at USC Wednesday

In case you’re at USC or in the area, I’m giving a talk tomorrow there on some of the work I’ve been doing with Kamalika Chaudhuri (whose website seems to have moved) and Claire Monteleoni on privacy-preserving machine learning.

Learning from sensitive data – balancing accuracy and privacy

Wednesday, March 24th, 2010
EEB 248

The advent of electronic databases has made it possible to perform data mining and statistical analyses of populations with applications from public health to infrastructure planning. However, the analysis of individuals’ data, even for aggregate statistics, raises questions of privacy which in turn require formal mathematical analysis. A recent measure called differential privacy provides a rigorous statistical privacy guarantee to every individual in the database. We develop privacy-preserving support vector machines (SVMs) that give an improved tradeoff between misclassification error and the privacy level. Our techniques are an application of a more general method for ensuring privacy in convex optimization problems.

Joint work with Kamalika Chaudhuri (UCSD) and Claire Monteleoni (Columbia)

Privacy and Google Web History

Posted on ArXiV last night: Private Information Disclosure from Web Searches. (The case of Google Web History), by Claude Castelluccia, Emiliano De Cristofaro, Daniele Perito.

Our report was sent to Google on February 23rd, 2010. Google is investigating the problem and has decided to temporarily suspend search suggestions from Search History. Furthermore, Google Web History page is now offered over HTTPS only. Updated information about this project is available at: this http URL

The link above has some more details of their back and forth with Google on the matter, and at least it looks like Google’s on the losing end of it.

Search histories have a lot of information in them, since searches correlated with local events, such as disease spread (related and interesting is Twitter’s tracking of earthquakes). Since user sessions can be compromised by someone hijacking the cookies that maintain the session, Google requires HTTPS for many services, like GMail, but not for the “automatic suggestion” for searches. The authors implemented an attack called The Historiographer:

The Historiographer uses the fact that users signed in any Google service receive personalized suggestions for their search queries based on previously-searched keywords. Since Google Web Search transmits authentication cookies in clear, the Historiographer monitoring the network can capture such a cookie and exploit the search suggestions to reconstruct a user’s search history.

This attack is not looking at a short time-window of browsing history, but essentially the entire search history as stored by Google. They did real experiments, and found:

Results show that almost one third of monitored users were signed in their Google accounts and, among them, a half had Web History enabled, thus being vulnerable to our attack. Finally, we show that data from several other Google services can be collected with a simple session hijacking attack.

So how does it work? The program hijacks the SID cookie from the user by eavesdropping, and then issues prefixes to the suggestion services; that is, it simulates a user typing in the first few letters of a search query. Prefixes have to be at least 2-3 letters to trigger the suggestion, and the top 3 completions are given. Of course 26^3 is a lot of prefixes to try, so the system has to sample effectively. The system just queries the top 10% of most frequent 3-letter prefixes (based on the statistics of English), which amounts to 121 queries to the system. If a particular 2-letter prefix (e.g. “pr”) is a prefix for many 3-letter prefixes (e.g. “pre”, “pra”, “pro”) which result in 3 completions, they will proceed greedily to look at longer prefixes in that direction. Note that this is the same principle behind Dasher (or arithmetic coding, really).

Based on this, the system can reconstruct the search history for the hijacked user. By using Google’s personalized results service, they can also get more information about the user’s preferences. A little more worrying is this observation:

In fact, a malicious entity could set up a Tor exit node to hijack cookies and reconstruct search histories. The security design underlying the Tor network guarantees that the malicious Tor exit node, although potentially able to access unencrypted traffic, is not able to learn the origin of such traffic. However, it may take the malicious node just one Google SID cookie to reconstruct a user’s search history, the searched locations, the default location, etc., thus signi cantly increasing the probability of identifying a user.

It’s an interesting paper, and worth a read if you are interested in these issues.

self (the remix)

Last weekend I had a chance to see Mo’olelo Performing Arts Company‘s production (they also have a blog) of Robert Farid Karimi’s self (the remix) featuring Karimi and DJ D Double:

Storyteller/performance artist, def poetry jam performer, national poetry slam champion robert farid karimi — supported by an amazing soundscape spun live by Chicago DJ and Violator All-Star DJ D Double — mixes together stories, movement, and music to tell the tale of a first generation child of Iranian and Guatemalan immigrants learning how to survive the cultural imperialism of the United States on his quest to find wholeness in the fractured atmosphere of the 70s and 80s.

It’s a coming-of-age story that seems to have a new relevance given the current tensions between the US and Iran and the heated rhetoric around immigration. I usually enjoy solo performance, and although this is technically a dual performance, the “style” is similar to other narrative solo performances (c.f. Josh Kornbluth). What was particularly effective is the way in which DJ D Double weaves the soundtrack and effects into the narrative. It’s rapid-changing and pulls samples, beats, and songs from every direction, providing an structure to support Karimi’s performance while commenting and in an effect becoming its own character. In terms of “solo performance,” it’s some of the best use of sound I’ve seen.

The show only has a few more performances, starting tonight and going through this weekend. If you’re in San Diego and reading this (probably 5 people total), then go check it out!

giving no credit where it is not due

Luca pointed to a paper by Chierichetti, Lattanzi, and Panconesi, which has an amusing comment in the last section (I don’t want to spoil it).

The paper itself is interesting, of course. Conductance often appears in bounds on mixing times for Markov chains, but the rumor spreading problem is a bit different than the consensus problems that I have studied in the past. A nice quote from the introduction:

Our long term goal is to characterize a set of necessary and/or suffcient conditions for rumour spreading to be fast in a given network. In this work, we provide a very general suffcient condition — high conductance. Our main motivation comes from the study of social networks. Loosely stated, we are looking after a theorem of the form “Rumour spreading is fast in social networks”. Our result is a good step in this direction because there are reasons to believe that social networks have high conductance.

Not-so-recent reads

Mixing It Up: Taking on the Media Bullies and Other Reflections (Ishmael Reed) — This is a collection of Reed’s more recent writings, with big pieces on Don Imus, Kobe Bryant, and the John McWhorter. He also has a set of interviews with Sonny Rollins and a nice essay on Charles Chesnutt. Reed’s writing is ascerbic as ever, but I found the essays a mixed bag. For me, some of the nicest pieces were the shorter ones, but they were all thought-provoking.

Karnak Café (Naguib Mahfouz) — This is a short novella set after the war in which Egypt lost Sinai. The narrator frequents this cafe where three younger university students also hang out. The three disappear one day during a string of arrests and return months later. The narrator begins to learn of their experiences and how their lives were destroyed by the government’s manipulation. It’s a tightly written and compelling story that seems all-too-relevant these days. I highly recommend it.

Jhegaala (Steven Brust) — This is the latest in the Vlad Taltos series, and is mainly about untangling the hidden relationships in a small town of Easterners. If you like the series already (or are addicted) you will read it anyway, and it definitely will not make sense without reading the rest of the series…

Yellow : Race in American Beyond Black and White (Frank H. Wu) — One of the earlier books on Asian Americans and politics that was targeted towards a large readership. Although it feels a little dated now (if that is possible), it still makes some solid points. However, the end of the book was a bit disappointing, with its big love for Deep Springs.

Let’s Get Free : A Hip-Hop Theory of Justice (Paul Butler) — After a riveting first chapter, ex-prosecutor Butler takes us on a tour of how the modern criminal justice system is stacked and requires active resistance from the public. He’s an expert on jury nullification, which I didn’t know about before. However, the book kind of derails in the last few chapters with its discussion of new technologies feeling a bit more rambling than making a tight point. It was a quick and interesting read, though.

New Roots in America’s Sacred Ground (Khyati Joshi) — This was a study of mostly middle-class 2nd generation desis and their religious practices. The strong parts of the book came from the interviews, but I wasn’t sure if I agreed with all of its conclusions. Also the focus on professionals versus working-class people makes me feel like the picture was incomplete.

Slumberland (Paul Beatty) — A deeply weird tale of DJ Darky (Schallplattenunterhalter Dunkelmann), who moves to Berlin to find an old jazzman and complete the most perfect beat. I couldn’t put this book down, but I think it appealed to me because of the combination of Germany and jazz.

Faceless Killers (Henning Mankell) — An early Kurt Wallander mystery. People say his mysteries are more violent than the norm, but I found it engrossing albeit depressing.

Maus I and Maus II (Art Spiegelman) — This is a re-read — I had read them apart and now I read them back to back. A must-read.

Writing for Social Scientists (Harold Becker) — I’m not a social scientist, but this book has a lot of useful advice on how to write and edit, which I think would have been useful while writing my thesis but is also good for thinking about research projects in general.

Asterios Polyp (David Mazzucchelli) — It’s a pretty amazingly constructed graphic novel about Ideas about Art, incredibly controlled to the point of sometimes feeling trite, but the way in which style and substance are married on the page makes it a real delight to read.

Black Hole (Chris Burns) — Deeply disturbing and somewhat traumatic and somewhat hopeful. I’ve been wanting to read this since an excerpt was published in McSweeney’s comics issue.

Interracial Intimacies (Randall Kennedy) — The first (and largest) part of the book is a history of black-white race relations in America from the perspective of interracial relationships. Kennedy chooses historical examples carefully to advance the thesis that deep and meaningful romantic relationships existed even during slavery. He then spends the last two chapters of the book railing against any and all race-matching in adoption, including a rather stunningly misguided argument against the Indian Child Welfare Act (ICWA). In all of these arguments, Kennedy blithely dismisses some studies as wrong because they contradict his opinion (invalid), others for having low sample counts (valid), but in all cases argues his own point via anecdote. While detailed research and example cases help bolster his points about history, they fail stunningly to make a rational case about policy, and his un-nuanced view further highlights the poverty of his own evidence. In a sense, Kennedy advances a moral argument (“race matching is bad”) by saying contrary evidence is not representative but never making the case that his own evidence is representative. Maybe lawyers shouldn’t make arguments about ethics. In any case, this book left a bad taste in my mouth, not because I think race-matching is always good, but because the argument was so bad.