I heard a talk last week at the Intelligence and Security Informatics Conference (ISI2009) about the models used for disease spread, and I realized why the WHO (and everyone else) were surprised by the speed with which the H1N1 flu spread. These models have different assumptions about the probability of spread from one person to another, how much time each individual is infectious, ill, recovering, and immune or not. But they tend to have one underlying assumption about spread, and that is that it’s a planar phenomenon. Spread is usually modelled as a differential equation, a kind of model that if 500 people are in a school and the probability of infection is 10% in a day, then 50 people will become infected.

The problem with these models is that they don’t take into account the “six degrees of separation” phenomenon. Although most people mix with only a small number of people who are geographically close, enough others mix with people who are geographically far away. As a result, after 3 transmissions, the infection hasn’t reached half the world’s population — but it has reached half way around the world!! Failing to take into account the connectivity between people makes the models far, far too conservative about spread.

Including the graph structure that connects people shows that quarantine mechanisms cannot possibly work. These long-distance connections apply at all scales, not just between countries. So if there’s an outbreak in a single city block, there will be some people who have travelled a few miles away before the infection is detected; in an outbreak in a city, there will be some people who have been to another city; and so on.

Of course, the work on “six degrees of separation” was based on communication, which does not always imply transmission. So the constants might be a but larger; but it seems clear that the pass-the-parcel (pass-the-virus) graph can’t have much larger diameter.

Many researchers study social network graphs to try and understand how we as humans interact, especially in information systems and online. However, it has always been difficult to validate results because privacy concerns usually limit access to real datasets. Many results have been validated using artificial graphs, generated in a way that mimics the large-scale properties of real graphs. For example, the artificial graphs look like real graphs in the sense that they obey power laws, have the right kind of degree sequences and so on.

Often, preferential attachment is used as the construction technique. In this algorithm, an edge is attached to a vertex with a probability in proportion to the number of edges already attached to it.  This seems intuitively plausible in many human settings: a person with many friends tends to meet more people and so has a greater chance of making more friends.

There have been hints for a while that these artificial graphs were not quite like real graphs, even though they match according to many large-scale measures. For example, Newman showed that, in human graphs, high-degree nodes tended to be connected to high-degree nodes, while in technical networks this was not the case — even though both looked the same from a power-law perspective.

But now Faloutsos’s group at CMU have shown convincingly that there are substantial differences between artificial and real graphs. They looked at what happens to the diameter of a graph as edges are uniformly randomly deleted. As edges are deleted, the diameter grows slowly but, at some point, there’s a sharp increase. They call this the shatter point.

The important thing is that the shatter point of artificial graphs is substantially higher (i.e. the fraction of edges remaining when this happens) than for real graphs. In other words, graphs generated by humans rather than simply by preferential attachment are somehow tougher. Although humans must be choosing edges to connect based on local criteria, they must somehow do this in a way that makes the global srtucture of the graph more robust. It’s not at all clear (to me at least) how this happens, but it seems plausible.

One of the implications of this difference is that it calls into question much of the conventional wisdom about social networks, whenever this has been derived from, or validated by, artificially generated datasets. Which is quite a lot of the time.

The “Deccan Mujihadeen” have claimed responsibility for the Mumbai attacks today. It doesn’t seem clear who this group is, but there are two good reasons why it’s plausible that such a group might exist and have typical Salafist motivations.

The Deccan is the plateau in central eastern India, roughly contiguous with Andhra Pradesh with its capital, Hyderabad. Andhra is what remains of the domains of the Nizam and is a historically Muslim region. As part of the independence agreement, the NIzam was given considerable independence from the rest of India, an agreement that was quickly violated by the Indian government who ‘invaded’ within a year. There is thus a natural solidarity of feeling with Muslims in Kashmir who found themselves part of India rather than (Muslim) Pakistan because of their rajah who was a Hindu.

The descendants of the Nizams of Hyderabad have the best claim to be Caliph, which provides a second basis for radical Islam to be centred in Andhra. A useful source of background is the book The Last Nizam by John Zubrzycki (MacMillan).

OTOH a group called Indian Mujahideen, with much less geographical locality, threatened attacks on Mumbai after successful attacks they carried out on Jaipur. So there may be some opportunism and specious justification in the choice of the group name to take responsibility for these attacks.

There’s some background here

and, by now, in many other places.

Suspicion of an al Qaeda link arises because of the simultaneous attacks, which has been a favourite tactic. However, the range of attack modalities and the low level of skill required for some of them suggest to me that there were a large number of lightly trained participants. Which doesn’t rule out an al Qaeda supervisor, of course.

See also Times of India on this subject.

The Call for the LACTS 2009 workshop is now available here.

The workshop takes place at the SIAM Data Mining Conference and brings together academics, practitioners, law enforcement, and intelligence people to talk about leading-edge work in the area of adversarial data analysis.

The workshop is intended primarily for early-stage work. The proceedings are published electronically, but authors may retain copyright.

The deadline for submissions is probably late December, but perhaps a little later (still being decided).

There’s been some recent discussion about the risks of being able to store money on cell phones and so to move it about in a way that’s hard to see using conventional tools. Of course, this isn’t really a new thing — putting money on a credit card before a trip and then using it in a different place is a well-known way of moving money across international borders (and, for a while, getting a decent exchange rate while doing it). You can find some of the discussion, in a counterterrorism setting, here.

This concern seems overblown to me. There are significant disadvantages to a terrorist in carrying and using an electronic device that is able to reveal where he is and, worse still, do so without making it obvious. There are a number of issues that require different amounts of skill to exploit:

1. Cell phones that are turned on tell the nearest tower(s) roughly where they are. The tower can tell the direction in which the phone lies, and can estimate its distance. If multiple towers can see it, they can triangulate to get an even better position estimate. This ability is built in as part of the Extended 911 service that lets emergency services find someone in difficulty easily.
2. Increasingly cell phones know where they are because they have inbuilt GPS sensing. They can be interrogated for this information under certain circumstances (a beloved plot device in TV dramas). This data can be integrated with other s/w on a phone, providing other channels for it to be disseminated.
3. Cell phones are not robust from a security point of view and it is relatively straightforward to install hacks on them. For example, you can find instructions for turning every call into a silent conference call with another phone.
4. SIM cards can be cloned so that another phone in the same cell receives the same packets (although this seems likely to confuse the cell tower).
5. Even without access to the telco system and the encrypted communication, the device is radiating and so all of the standard location technologies will work. (Picking the device of interest may be difficult in urban settings.)

All of which suggest that cell phones are not going to be the terrorists’ friend any time soon. If they don’t want to carry such devices, they are unlikely to want to use them as electronic wallets.

It may help to keep a cell phone turned off, but this assumes that there’s no backdoor that enables the phone to communicate even when powered down. And it has to be on to be used as a wallet.

Of course, there are anonymous cell phones around, but even this does not solve the problem. There are already data-mining services that attempt to predict when multiple phones are owned by the same person based on the pattern of cell towers that they use with what frequency.

There are several reasons why bad guys might want to make information available on the web, but not have it be accessibe to everyone, especially to those who are looking for them. For example, they may want to disseminate propaganda, do recruitment, or provide training.

I’ve written before about ways to do this: passwords, unusual protocols, virtual worlds, and so on.

Another interesting possibility is to exploit the ability to dynamically serve web pages to provide different versions of web pages,both at different times, and to requests arriving from different parts of world (geolocation now being reasonably well established, good enough that e.g. I can’t access Pandora from Canada).

The essence of the idea is that the link target of a hyperlink can change without the anchor text, and so the appearance, changing. So, for example, a link may point to a completely innocuous page for 59 minutes in the hour, but between 13 and 14 minutes past, may point somewhere else. The exact time is now readily available, and connection speeds on the internet in most parts of the world are good enough that it is possible to visit a particular web page within a given minute. So, if you know in which minute the ‘gate’ is open, you can arrange to go through it.

Of course, there’s still the possibility (a 1 in 60 chance) that a random visitor will go through the ‘gate’ so the basic scheme needs some extension. First the concealed target should look exactly like the regular (59 minutes) target, so that it’s not obvious to an accidental visitor that anything unusual has happened. Second, the scheme can be chained so that a secret link from the second page opens up during some other minute, making it much less likely that an accidental visitor will go through two gates. And the chain can be made as long as necessary to reduce the probability of an accidental passage.

It’s important that the url for each of the pages involved is dynamic so that the final destination (or any of the intermediate steps) can’t be bookmarked. Then each visitor must follow the path on each visit.

Of course, the knowledge required is the minutes when the window is open on each page, and not the exact path. Thus it is possible to open other possible paths during other minutes, and so provide red-herring paths for anyone who becomes suspicious and starts reloading a page every minute and seeing whether and how the source changes.

Of course, the pattern of minutes that the gates open can be made data dependent or changing in other ways that are computable by those who are in the know, but hard for others to figure out.

Since the key is a sequence of numbers in the range 1-60, it can be displayed fairly openly as long as its significance is not appreciated, for example, coded in the publication date and time of some otherwise innocuous and public document.

It’s possible that the length of the window can be reduced below a minute with some experience.

My new book, Knowledge Discovery for Counterterrorism and Law Enforcement, is out. You can buy a copy from:

The publisher’s website

Amazon.

(Despite what these pages say, the book is available or will be within a day or two.)

As the holiday season approaches, perhaps you have a relative who’s in law enforcement, or intelligence, or security? What could be better than a book! Or maybe you’d like to buy one for yourself.

(A portion of the price of this book goes to support deserving university faculty.)

I’ve written before about how virtual worlds present new challenges to the surveillance of bad guys. In systems such as Second Life, it’s hard to see what someone is doing inside such a virtual world (unless you’re Linden).

The situation is even worse in WWW-like virtual worlds, such as the Multiverse. Here each piece of virtual world is owned by someone, and there are teleport mechanisms (like links) to move between them. Not only can an owner provide a safe place for bad guys to meet where it’s hard to surveille them, but they can also prevent someone being followed by crashing the site after it’s been used. (This is also possible for conventional web sites which I’ll talk about in a later post.)

But new online games such as Spore open up new possibilities for communicating in hard to track ways. Spore is not really a multiplayer game, and it isn’t very obvious how much data sharing is going on. The point of the game is to build civilisations based on creating (designing) organisms which then ‘evolve’ through several stages.

Here’s the communication part. The game only works when it’s connected to the internet, and whenever a creature is created or evolves, it is uploaded to a central site, and then redistributed to the worlds of some other users.

This, by itself, would not be a very useful communication mechanism because the chances of a particular creature ending up in a particular user’s world is very small. But there is a mechanism to point to one of your ‘friends’ and get his/her creatures appearing in your world — and this provides the communication channel. Notice that the channel pulls content, which is what is needed in a covert setting. The person generating the content is the one likely to have attracted attention, so systems where that person has to overtly say whom to communicate with are less attractive for bad guys. It’s much harder to work out who might have asked for content from a channel, especially as some people who didn’t ask for it get it as well.

What kind of content can be sent along this channel? It isn’t a trivial process to transmit volumes of content. The simplest approach is to use each organism as a codeword. A more complex alternative is to use properties of organisms as alphabet symbols and send arbitrary content. And the way in which the civilization evolves can send a very simple signal about how much progress has been made on a particular task — and one that is so subtle that it is extremel hard to notice. What could be more innocent than playing a game?

I thought it would be interesting to look at the level of spin in Reagan’s speeches. He shares some characteristics with Obama; not in political opinions but in his ability to motivate an audience, and to be resistant to potentially embarrassing factual issues.
Here is the plot from yesterday’s post comparing Obama and McCain since their conventions, with five campaign speeches (all I could find) by Reagan between the convention and the 1980 election.

Comparing the spin of Reagan, Obama, and McCain

The points with red stars are Reagan’s speeches. As you can see, his level of spin is much higher than either of today’s candidates. The ability to use high levels of spin without coming across as phony is, of course, what makes an actor, so this is not entirely surprising. And I’ve argued all along that high levels of spin pay off for a politician, and the ability to give high-spin speeches especially to people who do not already like you is a key asset for a politician. Reagan is a good example of this in action.

Here is the analysis of levels of spin in Obama and McCain’s speeches up to a few days ago. Usual labelling (refer to previous posts for background).

Spin scores (red - McCain, blue - Obama)

The most obvious thing to see in this plot is how McCain’s speeches all tend to lie on one side of the deceptiveness axis while Obama’s tend to lie on the other side. This is because McCain has started using motion words at high rates (and Obama does not). This has a small effect on deceptiveness score, but rates of use of motion verbs are not all that important to signalling deception.

The individual levels of spin from the convention to the end of October are here:

McCain

Obama

The last time I posted was during the period where Obama’s level of spin was quite low. As you can see, it has risen sharply again in the past week. This suggests that he is not as confident of winning now as he was then — he has consistently shown a pattern of stepping out from his facade and using lower spin when he feels confident about winning.