The Call for Privacy Regulations of Big Tech Companies

By CHHS Extern Jaime McCoy

Big tech companies are currently self-regulated, but that could soon change. With members of Congress being younger and more diverse than ever before, it seems to be the perfect time to address the regulation of technology. Congress is currently holding oversight hearings, and lawmakers are proposing new regulations in a crackdown on how big tech companies use and resell their customers’ personal information. The need to know what big tech companies are doing with consumers’ data is a growing one that policymakers have not adequately addressed in the past. Rep. Jan Schakowsky (D-Illinois) told NPR, “In the last two weeks alone, we learned that Facebook exposed individuals’ private health information that consumers thought was in a protected closed group, and collected data from third-party apps…on issues as personal as woman’s menstrual cycles and cancer treatment.”

The main motivation for stricter privacy regulations is that people want to know how these big tech companies are using their data. The more people are relying on technology and entrusting these companies with their private information, the clearer it becomes that Congress needs to step in and hold these companies accountable.

In the context of the current divisive political climate, it is rare for privacy regulation of tech companies to garner bipartisan support. On Tuesday, March 12, 2019, GOP Senator Josh Hawley (R-Missouri) questioned Google’s senior privacy counsel, Will DeVries, about Google’s tracking policy for the company’s Android mobile devices. It might be surprising to learn that even when users turn off their location tracking services, or even turn off their phone, the company is still gathering data about that device’s location. DeVries defended this action by stating, “gathering location data is what makes maps work, what makes routing of calls work, and other functions.”

Hawley criticized this defense by responding, “Any robust definition of consumer welfare must acknowledge that [Google and Facebook] have harmed consumers by conditioning participation…on giving away enormous—and growing—amounts of personal information.”

This issue is not exclusive to mobile devices. Social media platforms are constantly gathering data from their users as well. Social media platforms offer free access to users once they agree to the terms and conditions. But are these services actually free? Big tech companies make billions of dollars each year by selling advertisers insight information from the data users share on their platforms. This data is gathered from the websites users visit, the posts users like on social media, and even users’ locations.

Most users do not normally read the Terms and Conditions before agreeing to them. These terms are normally lengthy, filled with legal jargon and updated frequently, making it difficult for the average user to fully understand what they are agreeing to. Tech companies should be required to inform their users upfront what data they will be collecting and what they plan on doing with that information.

Currently, some states have taken it upon themselves to enact privacy legislation that is lacking at the federal level. However, due to the global reach of technology, separate state legislation would eventually be problematic for tech companies and consumers. Dave Grimaldi of the Interactive Advertising Bureau said, “The Internet is global, it most certainly goes over state lines. And I think that changing or altering the Internet experience to state to state would be something that would be a giant turnoff to consumers and just wouldn’t help anyone.”

Unfortunately, it is very unlikely that big tech companies will stop gathering data from users. Furthermore, having states come up with their own solutions to this issue is not the answer, as it would create greater problems for tech companies and consumers. The best resolution would be for Congress to require big tech companies to disclose what they are doing with the data collected. Congress should also consider putting requirements in place for how and what information these companies can disclose to advertisers. With regard to the terms and conditions, companies should be mandated by Congress to simplify the wording for the common user who does not have a technology background. This standard could be in line with the reasonable person standard. It is important that Congress begin to regulate big tech companies with regard to the data they are collecting from users and what they are doing with that information. Without this regulation, users are disclosing more information than they may realize to data consumers who could potentially disclose that information in the long run.

EPA’s New Plan To Address Toxic Chemicals In Drinking Water Falls Short

By CHHS Extern Suhani Chitalia

Per- and polyfluoroalkyl substances (PFAS) are a group of man-made chemicals that include PFOA, PFOS, and GenX. PFAS are commonly found in packaging used for food, commercial household products, industrial work environments, drinking water and living organisms. PFAS presents a threat to public health because most people come into contact with PFAS and the chemicals can accumulate and stay in the human body for a long period. Harvard University researchers have reported that public drinking water supplies serving more than 6 million Americans exceed the EPA suggested threshold for PFAS. Studies indicate that PFOA and PFOS can impact infant birth weights, the immune system, and can cause cancer and thyroid hormone disruption.

On February 14th, the Environmental Protection Agency announced a refined plan to address a set of “forever chemicals” that have long posed a threat to millions of Americans. The PFAS Action Plan establishes three overarching goals: (1) provide both short-term solutions and long-term strategies to address this important issue; (2) provide a communication plan to address this emerging environmental challenge; and (3) respond to the extensive community engagement inputs and public docket letters. However, many environmental groups and impacted communities have found that the “action plan” falls short in regulating these toxic chemicals. Impacted communities have stated that the suggestive measures set forth by EPA are not sufficient and that binding maximum exposure limits should be established and enforced. This initial action by the EPA is merely a start to the process of regulating these harmful drinking water contaminants, and enforceable limits seem to be a distant reality.

Because the regulatory process is often slow and burdensome (experts estimate that setting a federal limit to PFAS exposure under the federal rulemaking process can take as long as ten years), states have been forced to take the lead in addressing PFAS exposure. Thus far, however, only New Jersey has formally adopted PFAS drinking water standards. New Jersey has set the Maximum Contaminant Level (MCL) to 13 parts per trillion as recommended by the New Jersey Drinking Water Quality Institute. At least another seven states have policies or have indicated that they plan to pursue policies stricter than the EPA’s current health advisory of 70 parts per trillion.

The courts are also serving as an avenue for change and progress to address toxic chemicals. Thus far, courts have focused on military sites because they are commonly known to have PFAS contamination. The Department of Defense has identified approximately 400 current or former military sites with known or suspected contamination. This past October, affected communities in Pennsylvania won a major victory in a Third Circuit ruling addressing a lawsuit against the United States Navy. The judicial decision will ultimately allow individuals whose drinking water was contaminated with PFAS chemicals from neighboring Naval military bases to proceed with their lawsuits against the U.S. Navy. The Third Circuit recognized the damaging effects of toxic chemicals released from the military bases, and asks the Navy to pay for medical surveillance of exposed families so that serious health problems associated with exposure to chemicals can be detected early.

PFAS have been around for decades, and their toxicity levels and impacts on human health are now being brought to light. It is important that government officials move forward with stringent regulations, and where they are not willing, that state governments step in to protect public health.

CHHS Staff Presenting at Public Health Preparedness Summit

 

Several CHHS staff members will share their expertise with public health preparedness professionals nationwide as presenters at the 2019 Preparedness Summit on March 26th & 27th in St. Louis, MO.  Please see the schedule and hyperlinks below for details.

If you are attending the Summit, we hope to see you at our presentations!

Tuesday, March 26, 2019

1:30 PM – 3:00 PM CT

B09 – Opioid Declarations – Combined Session

Presentation: When Should a Public Health Crisis be Declared an Emergency? A Look at Using Emergency Powers to Combat Public Health Issues Like the Opioid Crisis

Using the opioid overdose crisis as a case study, this presentation examines state emergency powers, their practical use in combating opioid overdoses, and potential impacts emergency declarations may have on combating this and other public health crises.

CHHS Presenters:

Maggie Davis, JD, MA

Senior Law and Policy Analyst

Christopher S. Webster, JD

Public Safety Technology Program Director

 

Wednesday, March 27, 2019

8:30 AM – 10:00 AM CT

D15 – Childcare Preparedness – Combined Session

Presentation: A, B, C, Disaster: Increasing Community Resilience through Enhanced Relationships with Early Childcare Providers & Educators

Learn about the critical role childcare providers and educators can play in response and recovery, and how public health officials and emergency responders can utilize and support this key resource to enhance children’s well-being and build community resilience. Workshop ideas, experiences, and best practices with other professionals in the field.

CHHS Presenter:

Trudy C. Henson, JD, MA

Public Health Program Director

12:00 PM – 3:30 PM CT

Poster 13 – Vulnerability Assessment of Medical Countermeasure Response in the National Capital Region

The National Capital Region (NCR) assessed its regional vulnerabilities in providing emergency medical countermeasures (MCM) to its population during a widespread biological incident. Other jurisdictions may adopt the NCR’s assessment process to identify and prioritize MCM response vulnerabilities for their future regional preparedness efforts.

CHHS Presenter:

Clark J. Lee, JD, MPH, CPH

Senior Law and Policy Analyst

Updates on the Purdue Pharma Saga: Founding Family Member Dr. Richard Sackler Went Along with Plan to Conceal Drugs’ Strength

By CHHS Extern Kyla Kaplan

The CDC reported in 2018 that the drug OxyContin (oxycodone) is one of the top opioid drugs used in this country, and often leads to cases of overdose and/or death. As lawsuits against Purdue Pharma, the company that developed OxyContin, solidify, new information has surfaced that Dr. Richard Sackler, a member of the family that founded and controls Purdue Pharma, was involved in spreading false information.

These lawsuits are far from over as our country continues to worry about the opioid crisis. On October 26, 2017, President Trump declared the “opioid crisis a national public health emergency under federal law.” However, in order to see change, the company and its leaders who fostered this epidemic must take further responsibility for actions that were intentional and led to an abuse of this opioid.

OxyContin, which was developed in 1995 and launched in 1997 by Purdue Pharma, is a strong narcotic that is used to relieve pain, but it is also heavily abused recreationally. Since August of 2018, at least 27 states – interestingly, Maryland is not one of them – have decided to fight this epidemic and go after Purdue Pharma for misleading marketing campaigns and minimizing the seriousness of the drug.

Sackler appears to have intentionally not corrected the false impression among medical professionals that OxyContin was weaker than morphine. He seemed to do this because the false information being spread was “boosting prescriptions – and sales.”

Back in 2007, Purdue Pharma settled with the government and pleaded guilty to “misbranding OxyContin.” They were forced to pay over $600 million for the criminal damages. Purdue Pharma admitted that they understood the risk of addiction and the strength of OxyContin. Nonetheless, this guilty plea was largely overlooked by public opinion as the sale of OxyContin continued to increase over the next several years.

Further, Purdue Pharma’s culpability in the opioid epidemic was largely forgotten until 2018, when a copy of a confidential Justice Department report showed that federal prosecutors who were “investigating the company found that Purdue Pharma knew about ‘significant’ abuse of OxyContin in the first years after the drug’s introduction in 1996 and concealed that information.”

Now, information that Sackler supported and aided in the decision to suppress the truth about OxyContin is being made public. An email exchange between Sackler and Michael Friedman, the head of sales and marketing and the person who came to Sackler and received input on the decision not to correct the false information, is now surfacing.

In the email exchange, Friedman wrote to Sackler:

“It would be extremely dangerous at this early stage in the life of the product…to make physicians think the drug is stronger or equal to morphine… we are well aware of the view held by many physicians that oxycodone [the active ingredient in OxyContin] is weaker than morphine. I do not plan to do anything about that.”

Sackler responded that he “agreed” with Friedman and let the myth continue.

This exchange, along with other comments made by Sackler, is now being requested as a result of lawsuits being filed by “hundreds of cities, counties, states, and tribes” against Purdue Pharma. These suits all revolve around the drug, and more specifically, the Sackler family’s history of misleading medical professionals, and in turn patients, about the strength and thus recommended dosage of the drug. An example of one of these lawsuits is the Massachusetts complaint, which was made public in January 2019 and exposed the Sacklers’ involvement, particularly Richard Sackler’s, in the way that OxyContin was marketed to the public.

Purdue Pharma continues to support the Sackler family. The Sacklers and Purdue Pharma maintain that “…the company accurately disclosed the potency of OxyContin to healthcare providers” and that on the label of the drug it is “made clear that OxyContin is twice as potent as morphine.”

CHHS Shares Expertise as Maryland General Assembly Takes Another Look at Election Cybersecurity

This week, cybersecurity experts from the University of Maryland Center for Health and Homeland Security (CHHS) provided their opinions about legislation up for debate in the Maryland General Assembly. The bill, cross-filed as HB 706 and SB 919 – “Absentee Ballot Requests, Delivery, and Marking”, would address widespread security concerns by enacting a practical limit on the population of voters who can request absentee ballots and receive them electronically. Currently, Maryland allows all registered voters to request an absentee ballot online and then have their ballot emailed to them. While convenient for many voters, this method is an easy target for fraud committed using a man-in-the-middle attack. The bills under consideration would dramatically limit this vulnerability by requiring voters to apply to qualify for an e-mailed ballot by either showing that they qualify under federal laws such as the Americans with Disabilities Act or Uniformed and Overseas Citizens Absentee Voting Act, or showing that they would otherwise be unable to vote.

CHHS Founder & Director Michael Greenberger and Senior Law & Policy Analyst Netta Squires were invited to provide written and oral testimony, respectively, for members of the House of Delegates who are considering a vote on the bill. In a packed hearing room, the Committee on Ways and Means listened to comments on the proposals intended to improve election integrity by addressing issues with absentee ballot rules. Absentee ballots are regarded as a particularly vulnerable part of any election system, as was highlighted by the revelations in the latest North Carolina election.


After reports of irregularities in absentee ballots raised enough questions in a close vote tally, the State Board of Elections decided to not certify a winner in the Congressional Representative race in the 9th District. Following months of investigations, the State Board of Elections announced that there will be a new election later this year. Leslie McCrae Dowless, hired by candidate Mark Harris’s campaign to manage get-out-the-vote operations, allegedly took advantage of absentee ballot rules to cast hundreds of votes illegally in favor of his candidate. In February, Dowless was indicted by the local district attorney’s office for violating state laws by illegally possessing and submitting absentee ballots in the spring of 2018.

Election security has been a major issue around the world since at least 2016, when the public became aware of Russian interference attacks on multiple fronts. Maryland itself has had its State Board of Elections system probed by Russian government agents in recent years. While the Department of Homeland Security (DHS) and US intelligence community have fortified defenses against foreign interference, the fact is that most control of election security and laws rests in the hands of states and localities. As Netta Squires explained in her testimony, “The responsibility of making the election system more secure falls not only on DHS but also on officials in all levels of government.”

Legislation similar to HB 706/SB 919 has come to the General Assembly before, but did not move out of committee. One concern was that the proposed restrictions were too limiting and that some voters who are honestly dependent on absentee ballots would be disenfranchised. Netta Squires commented that the 2019 version of the bill adds language that broadens the population of voters who can benefit from online voting, without becoming unnecessarily broad. This is an improvement over the previous versions, as it balances concerns of exposing online voting to low-tech hacking threats with possibly leaving out voters who need absentee and online voting to have their voice heard.

Region V FSE Volunteer Sign-Up (May 23, 2019 from 8am-3pm)

On May 23rd, 2019, CHHS will help facilitate a Full Scale Exercise on behalf of the Region V Hospital Coalition. We are currently seeking volunteers to serve as mock patients. Please sign up to volunteer below:

U.S. Measles Outbreak May Land in Court

By CHHS Extern Felicia Langel

What began as scientific fraud became an emerging global health crisis just twenty years later.  In 1998, Dr. Andrew Wakefield and his colleagues published an article in the British medical journal, The Lancet, claiming a link between the measles, mumps, and rubella (“MMR”) vaccine and autism.  Wakefield’s work was immediately challenged by the scientific community for its lack of scientific rigor, and, within a few years, most of Wakefield’s team retracted their findings.  Then, a journalistic investigation by Brian Deer in 2004 found that Wakefield and his team committed deliberate fraud for financial gain, and The Lancet fully retracted the article in 2010. 

Long after Wakefield’s article was debunked, the scientific fraud persisted due to Wakefield’s attacks on vaccine science, the release of a celebrity-endorsed anti-vaccine movie in 2016, and the rise of anti-vaccine groups on social media. In the United States, measles cases soared. The Centers for Disease Control and Prevention (“CDC”) declared measles eliminated in the United States in 2000. However, since 2010, CDC documented 2,085 measles cases in eight outbreaks among primarily unvaccinated communities. In 2018–2019, CDC is tracking three outbreaks in New York, one outbreak in Texas, and one outbreak in Washington for a current total of 499 measles cases. CDC warns parents that measles can cause serious health complications in children under five years old, and that the best protection against measles is the MMR vaccine.

All fifty states have school vaccination laws that include vaccine exemptions for medical reasons.  Further, the majority of states permit vaccine exemptions based on religious beliefs.  Moreover, seventeen states allow philosophical exemptions based on personal beliefs.  The American Medical Association and the American Academy of Pediatrics advocate for the elimination of these nonmedical exemption (“NME”) laws for “individual, public health, and ethical reasons.”  This is because ninety-five percent of the population must be vaccinated against measles to provide community (also known as “herd”) protection to the part of the population that cannot be vaccinated, such as immunocompromised people and children under one year old.  Currently, it is in those states with NME laws, particularly Arizona, Kansas, Michigan, Oregon, Pennsylvania, Texas, Utah, and Washington, where the community measles hotspots are centered.

In response to the recent rise in U.S. measles cases, lawmakers in New Jersey, New York, Iowa, Maine, Vermont, and Washington proposed either eliminating or tightening their NME (to include religious exemption) laws. These states would follow California, which eliminated both its NME and religious exemption laws after a measles outbreak at Disneyland in 2015. However, the Food and Drug Administration Commissioner Dr. Scott Gottlieb is considering using the Federal health agencies to proactively rein in the States’ lax NME laws to prevent measles “outbreaks on a scale that is going to have national implications.” Possible intervention by the Federal government is causing pushback from several States because school entry requirements are a traditional State police power under the Tenth Amendment of the U.S. Constitution.

In Henning Jacobson v. Commonwealth of Massachusetts, the U.S. Supreme Court affirmed the constitutionality of a Massachusetts statute that mandated smallpox vaccination for public health and admission to public school.  During the New Deal (1933-1945), the Court interpreted the Commerce Clause (Article I, Section 8) as allowing Congress to regulate such non-enumerated economic activities as labor, agriculture, and manufacturing.  From the Court’s reasoning in the Commerce Clause case, United States v. Darby, the reserved police powers granted to the States by the Tenth Amendment were “but a truism,” and there was no textual basis in the Constitution that limited Federal authority over the States.  Soon thereafter, the Federal government began regulating activities, such as public health, that had once been regulated solely by the States.  Hence, it is apparent that, should the U.S. measles outbreak worsen, the battle between the States and the Federal government over Federally-mandated measles vaccination will play out in the courts, and possibly impact public health policy well into the future.        

CHHS Experts Contribute to Nationwide Cybersecurity Curriculum

The National Security Agency, in 2017, awarded a series of grants to universities to build academic courses on critical cybersecurity topics. The goal of the project was to establish a free, open-source repository of courses and modules so that the public would have access to content developed by the country’s foremost cybersecurity experts. CHHS was proud to be among 54 grantees.

CHHS Cybersecurity Program Director Markus Rauschecker and CHHS Senior Law & Policy Analyst Ben Yelin designed three course modules that are now published on the National Cybersecurity Curriculum Program website “CLARK.” The courses are:

CHHS was proud to partner with the National Security Agency for this important initiative. For more, see: http://cis1.towson.edu/~cyber4all/index.php/nccp-page/

The State of Cybersecurity at the State of the Union: Largely Forgotten

By CHHS Extern Adam McCormick

On February 5, President Donald J. Trump delivered his second State of the Union Address, all but ignoring cybersecurity. The lengthy 82-minute speech touched on immigration, the economy, bipartisanship, and the military. The lone mention of a tech related issue was a brief jab at China for “years of targeting our industries and stealing our intellectual property.”

In the past several years, cybersecurity has become one of the fastest growing industries and topics in the country. Election meddling, attacks on the power grid, and cyber assaults on the country’s largest corporations have all become reality.

In a speech reportedly designed to foster bipartisanship, a mention of bolstering military cyber capabilities, creating information technology job programs, or hardening the infrastructure against cyber attacks could have garnered a rare standing ovation from both sides of the aisle. Cybersecurity is one of the few topics in which both Republicans and Democrats agree on the fundamental principles. Multiple bipartisan bills have been introduced in the past year relating to the topic.

Outside of the State of the Union Addresses, the Trump administration has not been silent on the issue, this past year releasing a National Cyber Strategy and signing a bill creating the first cybersecurity defense agency. In a year defined by political gridlock and decisive midterm wins for Democrats, both topics could have easily been presented as wins for the President. Instead, he mostly focused on divisive issues that might further poison the well.

The topic of cybersecurity is not without controversy for President Trump. The Russian meddling in the 2016 election remains a topic he either refuses to discuss or outright denies. The related 2017 Intelligence Community Assessment determined that Russia ordered an influence campaign during the presidential election designed to assist then candidate Trump. Further, the President has demonstrated limited knowledge on the topic, referring to it as “the cyber.” Similarly, his cybersecurity advisor, Rudy Giuliani, faced widespread ridicule recently after mistakenly accusing Twitter of “allow[ing] someone to invade” his account.

Downplaying cybersecurity during the State of the Union is not unusual. During his 2018 State of the Union, President Trump failed to reference cybersecurity and other tech issues. Similarly, in his 2014 address, President Barack Obama only made passing reference to “information security” after devoting a small portion of his 2013 speech to the topic. President Obama’s final 2016 address devoted more time to the issue, mentioning “data management” and “cyber threats.”

Cybersecurity is no longer a fringe topic and should not be treated as such by the President during the year’s biggest speech. The state of cybersecurity in the U.S. may not necessarily be weak, but it certainly seems ignored by those in power. To the nation’s cyber adversaries, the President’s silence signifies that continued attacks will be downplayed, if not tolerated. Even a brief rally for increased focus or spending on cybersecurity would have served as a unifying moment for the country in the face of mounting threats.

Emergency Food for Federal Furlough Workers: Pantries Around the Country Step-in During the Government Shutdown

By CHHS Extern Kyla Kaplan

The 35-day government shutdown may be over for now, but its impact will continue for those who were deeply affected by it. One of the big effects of the shutdown was the large number of federal workers that work paycheck to paycheck and could no longer …