Hello, DefCon. My name is Andrea and today I'm going to be talking to you about threat models for patient communities on social networks. I'm not going to spend too much time about me. This is my second year at DefCon. I am a BRCA1 Community Data Organizer, a Mutant Turned Security Researcher. Last year I presented on a major security flaw in Facebook's group architecture. I started a nonprofit called Light Collective, and enough about me. I want to start with this photograph of Portland. It is a community under siege. And when we look at this photograph, depending on your politics, your ideology, your education level, your hopes, your fears, you might see different things from this photograph. But one thing we might agree on is that Portland is a community in turmoil. When I look at this photo, I see thousands of beautiful points of light generated from cell phones from people with varying levels of technical literacy, and I hope to God they understand how their data at this protest may be used against them. They are vulnerable and in raising their voices, their data can be something that is weaponized. Well, how do we think about this in context of a digital community for healthcare or for health? Well, I'd like to start with just a quick framework for what I'm going to cover today on threat models and health social networks from a community's perspective. We often think about protecting systems and data and not necessarily about the communities or digital spaces where we reside. So in this talk, I'll cover how the nature of the adversary when we think about threat models is becoming difficult to detect. I'm going to talk about how nobody is immune to an infodemic, especially as this COVID pandemic rages on. I'll talk a little bit about how influence can be deadly or it can save lives. And finally ask, what is a path forward from here? How do we survive an infodemic? Well, let me start with my village. This is a quick network graph of my own community.
Just like that picture in Portland, I would kind of explain to everybody who isn't involved in patient communities or e-patient social networks: we are right now also a community under siege. We are losing access to care. We are losing access to meds. We are high-risk communities who have adverse or underlying conditions that make us more at risk to potentially dying from COVID. And these are work that spans to a much larger scale. In fact, you know, just there aren't a lot of statistics on this in the pandemic, but I'll give you or point you to a survey from 2018 from Hopelab that shared 51% of young adults have tried to find people online with health concerns similar to their own. What we call this phenomenon is peer support. And there's a whole body of evidence around how peer support and health can have really beneficial effects. It can also have harmful effects when the tech platforms where we reside or the knowledge that we share can be weaponized against us. Further, it can be much more difficult when the nature of the adversary is becoming harder and harder to detect. Well, what has this looked like over the past couple of months? We have physicians at the steps of the Supreme Court in their white lab coats, advocating for the use of hydroxychloroquine, which we know is not an evidence-based treatment for COVID-19. We have doctors flocking to TikTok. In a lot of ways these doctors have the best of intentions, but when we encourage the sharing of knowledge in a health community, we are inevitably exposing the people who engage at that level on these platforms to have those data weaponized against them. Well, the nature of the adversary is also becoming difficult to detect because the leaders and scientists who have traditionally been in these positions of power are in some ways enabling disinformation.
This is a picture of George Church, who recently launched a dating app based on genomics, and here he is snorting his own vaccine that is not FDA approved, and it begs the question, how are we replacing science with ideology? How are these disinformation narratives targeting vulnerable groups? Well, more and more, it's starting to feel like no one is coming to save us. Well, further, no one is immune to ad targeting or disinformation on these tech platforms where we reside. I highly encourage you to take a look at this recent news article about Facebook and direct-to-consumer pharmaceutical ads. And here's just one great example of a direct-to-consumer ad. I have to laugh at this one for anybody who knows about GINA, the Genetic Information Nondiscrimination Act. Here we have a direct-to-consumer ad that is advertising life insurance based on your genome. Well, there's a problem with that. Genetic information, or GINA, the Genetic Information Nondiscrimination Act, has one loophole that allows companies to discriminate, and that one loophole is for life insurance companies. So I ask, or it begs the question, how far have we gotten from serving the people that reside on these platforms with good knowledge in a way that is going to protect them instead of using health or genetic information against people? Influence can be deadly. I'm going to give you a couple of examples here. One is making the rounds lately in Facebook groups. It's a black salve treatment, a fake cancer cure, and this is what happens when you apply a snake oil treatment that essentially burns your skin and is being, you know, peddled by marketers in these different groups. Some of them are people joining closed groups under the guise of being a person offering support when really they have an interest in peddling snake oil or other types of treatments. Parents are poisoning their children with bleach in order to cure autism.
And we could teach you the debate all we want on the anti-vax movement. I will just offer up this one example of a mom not giving her son Tamiflu. Eddie later died. There are more and more examples popping up like this all over the place and I could go on and on. So in one aspect there is a bright spot here when we think about social networks coming together and doing so in a way that is evidence-based. I want to give this one example of a community within my own, you know, ecosystem of breast cancer social networks that actually came together in a good way. This was a group of women who organized around a rare disorder called BIA-ALCL, which is breast implant illness and a rare form of leukemia that was being caused by a certain type of textured implant that a lot of women who are going through breast reconstruction or bilateral mastectomies were opting to have. Well, as it turns out, the data on adverse events for this particular type of implants were not being reported back to the FDA. And so these women banded together on very large Facebook groups. They worked with physicians, and the outcome of that was Allergan was cited and there was an FDA warning and more transparency in different processes around post-approval study requirements for breast implants. So there can be good outcomes here when we think about how social networks come together. It's just a double-edged sword. Peer support and the lifelines I've seen over the many years that I've been on social media can be life-saving. They can change things, but we have to recognize that there are good effects and bad effects. We have to bolster the good, while really acknowledging the harm and asking ourselves how do we reground in ethics and how do we first do no harm. Well, what does an infodemic look like when we zoom out and take a look at how social networks, bots and disinformation campaigns target vulnerable communities at scale?
Here's a quick snapshot of known conspiracy theories and disinformation hashtags. And I'm just going to give this one example and move my cursor over here at the right so you can see QAnon in red. This is a cluster of the QAnon hashtag tweeting about COVID. This comes from a really great open-source project called Project Domino. I invite you to reach out to Leo Meyerovich, who is the co-founder of Graphistry. And I'm on their COVID hunting team in Project Domino, and it's just a really fantastic group that is banded together and started visualizing what these disinformation networks, what these bot networks look like. And things about, you know, how their behavior can be clustered together in, you know, the types of language that are being used or the number of tweets per day that might be a pattern that is statistically significant. Well, I look at this and I think, well, my gosh, this is a snapshot of the infodemic. This is what a biological process looks like on a social network. To me, it looks like social networks not being able to detect and respond effectively to these campaigns in a way that's getting ahead of the infodemic. These are the reasons why we're not flattening the curve. Here's another picture that I think is really important. This is another one from Project Domino. This is roughly 211,000 tweets from 50 COVID-related misinformation hashtag campaigns. I'm going to give out a shout-out to Cody Webb who helped generate this. And once again, you know, this is what pollution of information and social networks when people are going through trauma looks like at scale. This is what networks when we have sock puppets attacking and just spewing out the wrong information to vulnerable people who are seeking knowledge, evidence-based knowledge, and they don't know who and what to believe anymore. So where does this leave us? Leading the world in not flattening the curve.
Here is daily confirmed cases of five-day moving average of new cases, where we are hitting between 60 and 70,000 on our five-day moving average of new cases. Users really don't have rights when it comes to health privacy on social networks, and that in and of itself is a threat model we need to think about. Health information can be used to deny jobs, can be used to deny healthcare, and the one agency that we have put a complaint forth to is the FTC. Well, I think it's important to think about this really great paper from Nature Medicine called "Privacy in the Age of Medical Big Data". It shows or paints a picture of the big data policy landscape as an iceberg. In the water at the tip of the iceberg we have all HIPAA-covered entities, where so much in cybersecurity, when we talk about protecting devices, when we talked about, you know, health data breaches, that's above the iceberg. Well, below the iceberg is a lot more. Not only has the FTC failed to enforce or protect the health privacy on social networks, and I know I'm blocking this so I'm going to move over here. There we go. The FTC had a settlement back in 2019, a $5 billion settlement. And we brought a complaint to the FTC under this PHR breach notification rule. It's the one rule in the one agency outside of Health and Human Services that has authority to enforce any kind of consumer protection for health information. And so we went to them and said, you know, Facebook has a major data breach that has to do with health information, and there was basically no response in this $5 billion settlement. Meanwhile, health insurers are vacuuming up details about us. It can raise our rates. Any health information that you share on a social network can be used by data aggregators and packaged up to basically be used to discriminate against you. And I want everybody just to be very careful about that. For me, as somebody who's been on social media for 10 years, the genie is already out of the bottle.
We recognize that when people go through a new diagnosis they're seeking support and information, but we don't have any safe harbors, we don't have any safe spaces anymore to talk about our health. And that's a problem. Where do we go from here? I think we need to lock arms, and I'm going to take a page from I Am The Cavalry and say, no one is coming to save us. I've tried. Nobody's coming to save us. The only people who are coming to save us are the ones directly affected. And I really hope that I can give a meaningful call to action to the folks who are listening today. I need the cybersecurity community, I need the national security community, I need healthcare leaders and experts to come and lock arms with these patient communities and lift our voices up. We don't do that. If we don't meet people where they are and start giving them meaningful rights and protections, this harm and damage is going to continue and we are not going to flatten the curve. So what does that look like and how are we doing this through the Light Collective? We have a very ambitious roadmap. We are working on a framework for collective self-governance that is driven by patient communities that reside on social networks. We are developing best practices to protect patient support groups that already exist on Facebook and Twitter and asking ourselves, well, if we are in such a hostile environment, maybe we need to leave the platform; how do we do that? We're looking at legal frameworks like a data trust. We're looking at cyber hygiene best practices, onboarding mentors, and I invite you to get involved, to donate. We have weekly events, and we would love to see you there. Finally, thank you for your time. Join us; you know where to find me. Come follow be like lights, and we will see you on the internet. Bye for now.