Thursday, July 1, 2021


I'm Stephen Cobb and this is my general purpose blog, which was recently transferred to Blogger from WordPress (that is why you may finding some images missing and the date on this post could be in the future—as the saying goes, it's a long story).

If you are looking for my professional work, on things like cybersecurity and data privacy, check out I also tweet about those topics, and life in general, at @zcobb. And I have work on Medium, SlideShare, and ResearchGate.

In 2019, I was recognized as an award-winning technologist and I've been a CISSP since 1996. My master of science in security and risk management was earned at the University of Leicester (Criminology Department). I recently moved from San Diego to Coventry in England, which is where I was born and grew up.
From 2011 to mid-2019 I was Senior Security Researcher at ESET, Europe's biggest security software company, where I helped create the award-winning security blog, We Live Security. These days I do my own research on my own time, working at the nexus of technology, ethics, gender, crime, privacy, and public policy.

In my "spare time" I try to raise awareness of various medical conditions that have disabled my partner of 30+ years, Chey Cobb. These include ME/CFS and iron overload, the potentially deadly genetic condition, caused by Celtic Curse, also known as hereditary hemochromatosis. I also endeavor to speak up for equality and diversity. #HeForShe

Tuesday, September 22, 2020

Just time for a quick update

You may recognize the phrase "Just time for a quick update" from John Oliver's show "Last Week Tonight With John Oliver." Like me, John is a dual national (UK/US) who was born in the UK, in the part that is called The Midlands.

John was born in the city of Birmingham. I was born in the city of Coventry. These two cities are close together but have remained separated by about seven miles of protected green space thanks to some sensible planning here in the Midlands. (Note, it is not called the Midlands because it is in the middle of the UK, it's not, it's in the middle of England, which is one of the four "regions" that make up the United Kingdom—it's complicated.)

A year ago today, I arrived here in the Midlands from America, with my partner, Chey, to explore a possible future in which we could be closer to my mum—who turned 90 in 2019—and my brother and his wife. Mum was born and raised and still lives in the Midlands. My brother and his wife now live in Spain. 

Less than six months into this experiment, the parameters changed: Coronavirus created a whole new set of variables, including restrictions on our ability to go to Spain or back to America or pretty much anywhere. 

Obviously, no "quick update" can capture the many and varied implications of all this, but fortunately I can point you to some of the things I have been doing during this time, namely research and writing on malware, cybercrime, cybersecurity, and a worrying lack of trust in tech firms

I will try to share some of the details of our ongoing experiment as time permits, mainly in the hope of helping others who may been dealing with some of the same challenges we have faced, but also some of the joys we have encountered, like the view at the top of this post. That's what the way to my mum's house looks like, on a very good day.

Thursday, January 30, 2020

Brexit: 11 p.m. GMT on 31 January 2020

I have always thought that joining the ECC/EU was good for the UK.

I have always thought that leaving the ECC/EU would be bad for the UK.

I am not happy that Brexit is happening. Period. Full stop.

No, seriously, that is the whole article. Nothing more to read. Too sad and angry to write any more.

Thursday, November 28, 2019

What Am I Thankful For? A diagnosis of congenital amusia

In November of 2008 I wrote: "we’ve arrived at the time of the year when it’s traditional to speak of things for which we’re thankful, I figured I would put it like this: I am thankful for a diagnosis, even though that diagnosis is hemochromatosis." Now I'm back with thanks for another diagnosis, one that thankfully does not involve physical pain and suffering, although it has had quite an impact on my life.

The difference a name makes

It was my partner, Chey Cobb, who received that diagnosis of hemochromatosis. The thankfulness we felt at getting this diagnosis came from having a name for the constellation of symptoms that had forced her to quit working and turned her daily life into a daily struggle (one that, sadly, has continued to this day). We were both surprised by what a difference it makes to have a name for the suffering you've been going through.

As inveterate researchers, we saw Chey's diagnosis as a starting point for exploring treatment options, finding support groups, and lobbying policy-makers. I started a Facebook page and website to raise awareness of hemochromatosis, which is widely under-diagnosed and not well understood by many doctors. We personally validated a CDC study that found the average time to get one's hemochromatosis correctly diagnosed was nine years, enough time for the condition to cause irreversible damage to joints, liver, heart, brain, kidneys, and other organs.

Sadly, we saw a replay of this diagnosis phenomenon three years ago when doctors confirmed our daughter's suspicions that she had Multiple Sclerosis (MS). The day she got that confirmation she called us in state akin to elation, tinged with validation, even though she knew all too well that the road ahead was going to be a very tough one. But we understood how much it meant to have a name for what you've got.

Now hear this

When you get a medical diagnosis, particularly one that's taken many years to obtain, there are two phrases that are likely to come to mind right away: "that explains a lot" and "I knew I wasn't imagining things." (The latter is likely to be familiar to female readers - numerous studies show that the tradition of doctors telling women their symptoms are "all in your head" is still a thing.)

The diagnosis that I am thankful for today "ticks all the boxes" as they say in England: it explains a lot, and it validates a whole bunch of thoughts and feelings I've had since December, 1959. That's when, during rehearsals for the school Christmas concert, I first learned of the problem for which I now have a diagnosis: congenital amusia.

Technically, "a deficit in fine-grained pitch discrimination," what I have is sometimes called "tin ear." Indeed, what the teacher said to seven year-old me was: "Stephen Cobb, stop singing, you have a tin ear." What Mrs. Ashby did not know, and I have only just learned, is that I was born that way. In other words, congenital amusia means that I have always been, from birth, somewhat tone deaf.

(I don't want to go into detail about the congenital amusia in this article - I put together the 4amusia website for more information - but studies show that 4% of people have this disorder. My particular form of amusia is not severe, it doesn't mean I don't enjoy music, and I don't lack a sense of rhythm; but, regardless of how hard I try, I can't sing or learn a musical instrument - my brain lacks something in the pitch processing and retention department.)

What I am so thankful for today is the knowledge that my inability to carry a tune or learn a musical instrument is not due to laziness, sloth, or weakness of character - qualities of which I, and many other people with my condition, are routinely accused. I am so grateful that I can now say, with scientific certainty, that those accusations were inappropriate.

I'm sure I could write a whole chapter about how much it hurt to suffer those accusations, the self-recrimination and doubt that it induced. I know I could have done without the castigation of teachers who were sure I could learn to play the recorder - a rite of passage in English schools of the 1950s and 60s - if only I would apply myself.

Then there's the chapter on how frustrating it was to grow up in the sixties with a strong poetic streak but no ability to voice the songs I composed, not to mention fruitless hours failing to learn guitar. Sure, I could pose for the album cover, but I was never going to be on the album.

But today I'd much rather give thanks for the unexpected gift of this diagnosis: the empathy it has given me for this thing called neurodiversity, the growing realization that human beings are not all wired the same way.

While I realized long ago that organizational aversion to people who are "different" is bad for organizations, and bad for "differently-abled" people who can bring great insight and real value to any mission, I have to admit that I didn't truly 'get' neurodiversity until I learned that my own brain had a wiring issue.

And as I look at what is happening today in terms of research, it strikes me that there is great potential for humans to learn more about the many different ways in which we are wired. These days a decent school is going to recognize something like dyslexia at an early age and respond appropriately. Hopefully, schools will soon be recognizing that some children don't hear pitch the same way most people do.

While I sometimes get quite emotional about this topic, let me be clear that knowing more about neurodiversity isn't just about people feeling better about themselves, it has seriously practical implications. Knowing the ways in which you are different makes you better able to be the way you are, and it sometimes happens that there are benefits to being wired differently. Society is better off as a whole if we can see that, and go with it.

*With a huge thanks to those scientists who believed people when they said "my failure to learn an instrument was not for lack of effort."

Monday, July 15, 2019

It's official! I'm making some big changes

I have retired from my job at ESET and we're moving to England!

While I tried to provide an early warning of this news to as many friends and family as possible, things have been a bit hectic, so it's possible that I missed you - if so, my apologies.

This blog is  one way to make sure everyone knows, and at the same time provide some back story to these changes.

Retire? Why? How?

After a very enjoyable eight year relationship with ESET, the company at which I've worked longer than any other, I began to think it was time to change things up a little, or down a notch, depending on your perspective.

And I knew that - owing to several factors on which I will elaborate later - the change would involve a move. So we began to look at living somewhere other than San Diego.

When Chey and I went to the UK earlier this year - for my mum's 90th birthday - we arrived at the conclusion that we would like to move closer to her. We now plan to complete our relocation by early September, to a cozy place just a short walk from mum's flat in Coventry, the thousand year old city in which I was born. And when we've unpacked and the dust settles, I expect to be sitting in a comfy chair in small study with a big internet pipe, conducting independent research into the darker aspects of humans and technology.

I will probably reemerge as Stephen Cobb, Independent Researcher. Down the road it could be Stephen Cobb, Public-Interest Technologist. (And I wouldn't rule out Prof. Cobb since Coventry has two thriving universities and there are several more nearby, including my alma mater, the University of Leicester).

What? When?

Timing is not always everything, but it did play a big role in this set of changes. By the end of 2018 I had reached a point in time that is referred to in America as "full retirement age." This is when Americans can start receiving the full amount of their pension (if you were born in 1952, that age is currently 66). What I mean by "pension" is Social Security retirement benefit, but we decided to use the term pension because in England "social security" means something quite different.

As 2018 unfolded I began see this pension as a "social retainer," a way for me to finance a different approach to my life's work, a chance to labor at my own speed, in my own way. I will write more about that work in a different place, but suffice to say it involves - among other things - helping the world to "enjoy safer technology." As you may know, that phrase is how ESET - my former employer - frames its mission, and it's one reason that I worked there so long.

I realized that a pension potentially means being able to choose my own strategy - like writing a book to give substance to the points I want to make, or making those points as an independent voice, not someone employed by a corporate entity (to be clear, ESET had an admirable commitment to objective research and required me to stay "vendor-neutral" in my public speaking - but one ethical company cannot save the reputation of an industry that needs redeeming).

But why did I say: "a pension potentially means being able"? Well, the enabling power of a pension is dependent on the size of that monthly check from the government relative to the cost of living where you live. Exactly how dependent will vary based on your circumstances. All of which turns out to be quite relevant to our decision to move to Coventry in England, as I will now explain.

How much?

The "Too Long, Didn't Read" version is that the pension checks which Chey and I started to receive this year are not enough to live on in San Diego given that we don't own a home here. We are members of a fairly large group of people whose assets were wiped out by the Great Recession, so we entered this decade with no savings and no home of our own.

Since 2011, we have lived in rented property in San Diego, where the average rent is now over $2,000 a month. When we moved here we decided to live near the ESET building in Little Italy so that I could walk to work (which costs a lot less than driving, with way less stress). You pay a premium for this location but sadly, Little Italy has become less of a community in recent years, and more of an entertainment district. We have felt it grow less livable even as it has become less affordable, providing additional incentive to move from our current location. (After dozens of moves in the nearly five decades since I left home, I've come to see moving across the country or over the ocean to be no more of a pain than moving across town.)

Last year, rents in San Diego as a whole rose 7%, and the average monthly rent in Little Italy is now over $2,400, and still rising. We pay slightly more than that, for a decidedly smaller place than the one we rented for $1,750 when we first moved here in 2011. So, unless you already own property in San Diego, or have managed to accumulate and retain a large nest egg, the prospect of retirement here, however appealing it might seem, is economically infeasible.

Being researchers, we analyzed numerous "more affordable" places after our nest egg was cracked by the Big Bank Fraud (then smashed by the Great Recession and mopped up by the for-profit healthcare industry). Turns out we can live in a nice house in Coventry for less than half what we currently pay in Little Italy. True, Coventry has less than half the number of sunshine hours you get in San Diego, and twice as much rain, but our pensions should be enough to pay the bills plus occasional flights to see my brother in Spain, while keeping us in wax jackets and wellies to boot.

The changes we are making this year have already taught us a lot and as our journey continues I will endeavor to share what we discover along the way. In the meantime, I will be tweeting as @zcobb if you'd like to follow me there.

Friday, May 31, 2019

23andMe and Hemochromatosis

This blog post captures an exchange that occurred online in 2016 and is a work in progress.

I read your blog regarding Hemochromatosis and decided to look further into the 23andMe test. They tell me that their test results do not report on HFE. Do you know if this is a recent change with their testing or am I missing something? Below is the email correspondence I had with 23andMe.

Do current 23andMe test results show C282Y, H63D and S65C mutations? If so, where do I find this information in the reports?


Thank you for contacting the 23andMe Team. The 23andMe Personal Genome Service does not include a health report on hemochromatosis (HFE).

To see the full list of the topics addressed by our health reports, please visit:
While many of our health reports address medical issues, it is important to remember that the feature is neither a diagnostic tool nor a substitute for a physician’s advice.
Please let us know if we can be of further assistance.
Best Regards,
The 23andMe Team

Kim – Thank you SO MUCH for supplying this information. I was not sure of the “official” 23andMe position was these days on the HFE data. My wife and I signed up years ago when this data was freely available to all 23andMe users. Then the FDA stepped in and censored a lot of the health data. But…you should be able to get the information using the technique discussed here: link. Download the PDF document from that blog post ( Using 23andMe to determine HFE status) and it will tell you how to extract your HFE status from the Raw Data option. If you run into problems, leave me a comment here.

Sunday, January 13, 2019

High blood pressure cure? For some, this treatment's not a conn

TLDR: I used to have HBP. Now I don't. If you have high BP and low potassium, check out Conn's syndrome. If you have Conn's, an operation can fix it. I had the op in 2013 when my BP was 150/100 while on BP meds. At the end of 2013 it was 120/70 w/out meds, and it still is.


Why am I re-sharing this information?

I wrote about my experience with Conn's syndrome back in 2013. This blog post is simply a re-sharing of what I wrote back then. Why am I doing this? Every time I hear a person say "I have high blood pressure" or HBP, my thoughts go like this:

  • I know what HBP is like.

  • HBP is not very nice.

  • HBP can shorten your life.

  • I am extremely fortunate that I don't have HBP any more.

  • Should I tell this person about Conn's syndrome?

Of course, the answer to that question depends on a range of variables: who is the person saying they have high blood pressure? Where is this being said? Do I know this person? I try to weigh these variables before speaking, but as people who know me will tell you, I tend to err on the side of speaking up, sometimes to strangers. I also have a tendency to speak up about some things that other people might prefer to keep private.

On the other hand, a fair number of people have thanked me for sharing the story of my battle with high blood pressure because they found it helpful - even if a bit icky. (As the saying goes: your mores may vary.) And that is why I wrote about my experience - so people could "read all about it" if they wanted to, rather than listen to me talk about it. Also, I could refer people to my blog if there was not the time or inclination to go into details in person.

So here are the relevant blog posts in historical order (as in earliest first - I am not suggesting that these articles are 'historic'):

June 4, 2013: The adrenalectomy story begins...
Sorry I’ve been out of touch (my adrenal adenoma is to blame)

June 5, 2013: The Conn is on...
Cobb’s got Conn’s? Probably, but I go through Adrenal Vein Sampling (AVS) to be sure

July 13, 2013: A geek worried about a robot?
Robot or not? Robotic surgery and risk, part one

August 25, 2013: Success is in sight!
Adrenalectomy, from pain to promising signs of progress

What now?

I always intended to write one more blog post on this topic, documenting the long-term prognosis and perhaps adding some references. I guess this is that 'one more' blog post. Sadly, I don't have time to do a full reference list but this article on Conn's syndrome is quite helpful, as is this more technical paper).

My sense from reading the literature is that there will be many more cases like mine: people cured of their HBP, often after years of being told that their HBP had no known cause and they just weren't eating and living right. These people will be identified by: [a] continual improvements in ultrasonography (US), computed tomography (CT), and magnetic resonance imaging (MRI); and hopefully [b] greater awareness of Conn's syndrome.

The summer of 2018 marked the five year anniversary of my operation and return to 'normal' blood pressure without drugs. It has been a busy five years. I started a masters degree in late 2014 and graduated in early 2016, all while carrying a very full workload (from an employer wise enough to subsidize graduate school tuition).

For the most part I have felt pretty healthy. I have had some issues with my digestive system and I sometimes wonder if that is a lingering side effect, not of the adrenalectomy itself, but the infection I got during my hospital stay. Nevertheless, that operation was well worth it and I feel very fortunate that - thanks again to a wise employer - my health insurance covered it. I am reminded that it is in the national interest for everyone to have access to affordable healthcare, so that the negative economic impact of conditions like HBP can be reduced by more efficient diagnosis and treatment.

Here's to good health, and lower BP!


Wednesday, November 15, 2017

What's this #HeForShe thing?

Technically speaking, #HeForShe is a hashtag, a social media tool defined as: "a word or phrase preceded by a hash or pound sign (#) and used to identify messages on a specific topic (Wikipedia).

About two years ago I started adding the #HeForShe hashtag to things like the "Welcome to CobbsBlog" page and my Twitter profiles (@zcobb and @thestephencobb). The #HeForShe hashtag originated with, and is the name of, the UN Women’s solidarity movement for gender equality.

The idea behind HeForShe is that it: "invites men and boys to build on the work of the women’s movement as equal partners, crafting and implementing a shared vision of gender equality that will benefit all of humanity."

Tagging things #HeForShe is a way for me to share the fact that I have accepted that invitation. Why? Because I truly believe that gender equality does benefit all of humanity. I also believe that gender equality will not be achieved unless more men - most men, all men - commit to it, and make it a priority, in practical terms and not just as a vague aspiration.

Getting schooled on #HeForShe

I came to know about #HeForShe because I was studying at the University of Leicester when, back in May of 2015, it joined the UN Women’s HeForShe solidarity movement as an IMPACT 10x10x10 champion, one of 10 universities around the world participating in the program with the goal of taking "bold, game-changing action to achieve gender equality within and beyond their institutions."
"Announced at the World Economic Forum in Davos, Switzerland, in January of 2015, HeForShe’s IMPACT 10x10x10 programme engages 30 key leaders across three sectors—the public sector, private sector and academia. All 30 IMPACT champions have made common commitments and have also developed tailored commitments, formally reviewed by an expert team at UN Women and approved personally by the Executive Director of UN Women, Phumzile Mlambo-Ngcuka."

But the fact that my school had embraced HeForShe was not why I chose to do so. I honestly feel that gender equality has always been something that I believe in, from well before my first stint at university (University of Leeds, 1971-74). I can't say that I was born a feminist - the scientific jury is out on whether that is even possible - but I knew that I was a feminist-sympathizer as soon as I heard the word used in a sentence. That would have been around 1965, shortly after I became a teenager and read The Feminine Mystique.

Here's what happened: about that time my mum enrolled in college under a government program to reduce the shortage of teachers created by the baby boom. Her decision - which my dad supported practically, emotionally, and philosophically - resulted in a real world experience of gender equality in action. Among other things it demonstrated that:

  1. Women can have a productive career outside the home.

  2. This is not a threat to men.

  3. Men and boys can do housework quite well.

On top of that, mum's time as a mature student created a steady flow of interesting books into our house, notably the afore-mentioned 1964 classic, The Feminine Mystique, by Betty Friedan. This has since been "widely credited with sparking the beginning of second-wave feminism." As I read - entirely of my own volition - Friedan's analysis of women frustrated with society's narrow and deeply limiting definition of what a woman should be - wife, mother, cook, cleaner - it rang true with my own observations.

That's right, I had - for whatever reason - been observing women from an early age (maybe I was born to be social scientist). As a child I was surrounded by women, at home, at church, and at the shops. I listened to them talking. I read women's letters to the advice columns in ladies' magazines (which were definitely not feminist back then).

Rather fortuitously, my childhood in Coventry, England, was enriched by frequent visits from numerous aunts and great aunts, all of whom had all survived at least one world war. My mum's mother had actually lived through aerial attacks in both World War One and World War Two. All of them had lived through large-scale bombing campaigns, including the one in 1940 that killed over 500 people in Coventry in one night and destroyed two-thirds of the city's buildings (Wikipedia). My grandma and several of her sisters worked in munitions factories which were targeted in these campaigns.

Often when I was small these women, most of them housewives with grown children, would sit and talk about those times gone by, and I would quietly listen at their feet. That is how I came by precious historical vignettes like this: my Great Aunt Tot standing in the middle of the street shaking her fist and swearing at a German Messerschmitt 109 as it made a daylight strafing run on the factory at the end of the road.

So maybe it is not surprising that I grew up thinking of women as strong, independent individuals; all the while growing increasingly angry that society would not treat them equally. Yes, there has been some progress, but nowhere near enough. Hopefully #HeForShe can help us move things forward.

Of allies, male feminists, and good men

I hope to find time to write more about HeForShe but in the meantime I will try to use the hashtag wherever appropriate in order to raise awareness of gender inequality and the need for men to work to eliminate it.

What I will try to avoid is referring to myself as an ally of women, or a male feminist, or a good man. Those are designations to which I aspire, but it is not part to claim them.

Tuesday, July 4, 2017

Will "repeal and replace" hurt genomic medicine and victims of genetic conditions?

Let me give you the short version of my answer up front: Yes. If the current privacy protection for genetic medicine in the US, in which Obamacare/ACA has played a key role, is diminished by the "repeal and replace" efforts of the current US administration, then America's hopes for genomic medicine will also be diminished. Victims of some genetic conditions will be particularly hard hit, as will all forms of research that involve the human genome.

The even shorter version goes like this: Why would I give anyone my genetic information if that might lead to myself and my family being denied insurance or paying higher premiums, for medical, life, or longterm care policies?

Fans of genomic medicine are apt to respond by saying there's no need to worry because there are laws to prevent that type of discrimination. To which I have heard many people say: I don't trust the insurance companies and/or the government to abide by those laws. And besides, laws can be repealed, and databases can be hacked.

In short, when it comes to enjoying the benefits of medical science, Americans face a bleaker future than the residents of other wealthy countries due to the absence of two rights: the right to health care and the right to privacy.


Who am I to present these arguments? For more than 25 years I've been studying information security, data privacy, and risk. I've been a Certified Information System Security Professional for more than two decades and I have a Master of Science degree in Security and Risk Management. I have also put in more than a decade as primary caregiver for someone with a genetic illness (variously known as hereditary hemochromatosis, genetic haemochromatosis, Celtic Curse, Bronze Diabetes, Iron Overload). In that role I have spent many years interacting with the families of hemochromatosis patients and the main support group for this condition, the Iron Disorders Institute.

What is the problem? The House recently passed legislation called the American Health Care Act of 2017 (H.R. 1628). There is a Senate version known as the Better Care Reconciliation Act of 2017. As far as I know, both of these pieces of legislation remove a gene-related provision of the current law, ACA (a.k.a. Obamacare). Here's the problem:

  1. The Genetic Information Nondiscrimination Act of 2008 a.k.a. GINA says employers and health insurers can't use your genetic data in hiring decisions and health insurance coverage; but, as Maryam Zaringhalam at Slate points out: life, disability, and long-term care insurance are not covered under GINA’s provisions, and those insurers "already use genetic testing results to deny coverage to otherwise healthy individuals".

  2. Furthermore, GINA only protects people who are genetically predisposed to a disease as long as they are asymptomatic. In other words: "once a person begins showing symptoms, GINA no longer matters" (Zaringhalam- see link in References below). For example, my wife was born with the HFE mutation that can produce a potentially fatal condition known as iron overload but she was asymptomatic for the first few decades of her life. Then, in her forties, due a phenomenon dubbed hemopause, she became increasingly symptomatic. She is now eminently "declinable" under pre-Obamacare rules.

  3. This GINA "loophole" as Zaringhalam calls it, was closed by Obamacare. That's because the ACA outlawed discrimination in health care insurance pricing or coverage based on preexisting conditions.

  4. Now the current administration looks set to return America to the days when preexisting conditions were considered grounds for charging higher insurance premiums.

  5. That would mean returning health insurance to the list of things you pay more for if your insurer has knowledge of your genes. Remember, that list already includes life, disability, and long-term care insurance.

I would be the first to admit that the above is a simplified account of the problem, but I stand by its accuracy and will go into more detail below. A complicating, and possibly offsetting factor in this story is the plethora of state laws on genetic data, medical privacy, and health insurance. Those might give you hope, but then you have to factor in the rampant hacking of supposedly private databases of personal and medical information that we have witnessed over the past few years. Bottom line? It is not hard to understand a response of "No way!" when you suggest to someone that they should get their genes tested, even when that test could potentially save their life, or those of their relatives.

And the AHCA/BCRA may not be the extent of genetic meddling by the current administration. Legislation has been proposed that would enable employers to charge employees a prohibitively higher premium for employer-provided healthcare if the employee does not share his or her genetic data. Check out HR 1313 and some of the articles about it that I have listed below.

Healthcare's genetic dimension

The following statement should concern every company and investor in the field of human genomics: if the current administration's stance on preexisting/genetic conditions does not change, then other countries, the ones with universal healthcare, will continue to tap more and more of the benefits of genetic science, even as misguided policies in America continue to cripple genomic medicine.

Those short-sighted, science-constraining policies include charging some people more for insurance than others, based on their DNA. While many Americans have a vague notion that genetic discrimination is illegal in America because of GINA, the reality is quite different, as I pointed out above. GINA already allows insurance companies to charge you more for long-term care policies and life insurance policies (think about that if you plan on getting old in America, or want to use life insurance to provide for loved ones when you die). And I know from personal experience that GINA is not as reassuring to people with genetic conditions as its advocates had hoped (as I will explain in a moment).

Fortunately, the country took a step in the right direction when Obamacare closed the GINA health insurance loophole. The medical benefits of prohibiting health insurance pricing and coverage based on preexisting/genetic conditions are obvious: the more that doctors know about your genetics, the better placed they are to care for you. The more you trust that your DNA won't be used against you, the more likely you are to share that information.

That expansion of genetic knowledge, personally and in the aggregate, is the direction science has been taking since DNA was discovered. Take hereditary hemochromatosis. Known as HH for short, it also used to be called bronze diabetes because it can turn your skin orange and cause diabetes. If HH is not properly diagnosed and treated it can kill you (unless you kill yourself first - think of all the health problems that the great American writer Ernest Hemingway suffered from before he shot himself - he suffered from undiagnosed bronze diabetes).

Discovery of the genetic basis for HH in 1996 revolutionized care for this condition. By testing the genes of people with HH symptoms, the condition could be definitively confirmed and thus appropriate treatment could be confidently prescribed. Fortunately, the basic treatment is to draw blood, and if your HH is diagnosed soon enough and doctors respond appropriately your life expectancy will not be decreased.

But wait there's more, discovery of the genetic basis of this condition made it possible to calculate how many people might have the mutation. Scientists dubbed the mutation HFE and they found several variants, known by memorable names like C282Y and H63D. By testing the DNA of sample groups of people, researchers could extrapolate the prevalence of HFE mutations and carriers. It turns out that about 1 in 250 white Americans are susceptible, particularly those with Northern European ancestry.

All of which is valuable data to improve the fight against HH. If someone is diagnosed with HH, family members can be tested and those that are susceptible can make prophylactic lifestyle changes (reducing their consumption of alcohol, red meat, and tobacco for a start). I have heard many cases where the diagnosis of one family member helped improve the health of several relatives, and will continue to do so for generations to come. For some genetic conditions it is conceivable that they could be entirely eliminated over time.

How to handicap genetic medicine in America

Unfortunately, before Obamacare, insurance companies could delay, and/or charge more for, medical coverage of preexisting conditions. So a lot of people that I met in the iron disorders community before 2010 were very reluctant to get genetically tested. Let me explain why that is not good. I don't mean that those people are not good. These are good people put in a bad situation.

Suppose you are concerned that something like HH runs in your family. This mutation can cause your body to retain excess iron that damages organs like the liver, heart, and brain, as well as joints. If untreated it can kill you. On the other hand, if you know you inherited the genetic mutation responsible for HH then you can adjust your lifestyle to reduce the chances the condition will express. Furthermore, you can request an annual check of your iron (ferritin) levels to detect any increase above normal (ironically, ferritin levels used to be checked routinely before 1996, revealing hidden cases of HH, but now your doctor may need to suspect HH before ordering).

I hope it is becoming clear that unless America firmly and for all time bans discrimination in healthcare coverage based on genetics or preexisting conditions, American scientists are going to struggle to get the genetic data from Americans that they need to improve medical treatment. To be clear, this is about everyone, not just those with a genetic condition like HH. Suppose you get cancer caused by exposure to some carcinogen or other. These days the efficacy of many forms of cancer treatment can be enhanced by knowing your genetic makeup. But what if that genetic makeup can also be mined by insurance companies who have a financial incentives to find out what else might be wrong with you? Do you one day find yourself a cancer survivor who is uninsurable due to some hereditary genetic mutation.

Why our caring needs to be universal

Charging different medical insurance premiums for different groups of people makes no sense if your goal is to create a civilized society based on the principles of equality and liberty and justice. Ever other "developed" country has accepted that the best way to provide the best care to the most people at the most bearable cost is to have the same premium for everyone, paid according to means.

To be clear, that means everyone is obliged to pay something, regardless of age, gender, geography, profession or preexisting conditions. For example, if I earn a higher than average salary, I pay closer to 100% of the premium than someone who earns less than me. That is the case today when it comes to covering the cost of defending the country or educating its children. Defense and education are universal needs and we accept that we all have to pay for them as best we can. People who don't have children still have to pay school taxes, and so on.

I would argue that we are never going to realize the full benefits of genomic medicine if the country does not enshrine into law a right to medical care, the cost of which is not dependent upon our health status. For example, in the country where I grew up, the cost to me of my medical needs as a healthy 20 year-old college student was the same as the cost for my 50 year-old father, who died of cancer: zero out of pocket costs, no co-pay, no deductibles, just a monthly contribution based on earnings.

One group of Americans will be particularly hard hit by any fresh obstacles to genomics: those who suffer from rare diseases.  As this Financial Times article makes clear, large scale genetic studies can find cures for rare diseases. But can such studies scale appropriately in a society fearful of what genetic data sharing might mean to one's financial future? Organizations like NORD, the National Organization for Rare Disorders are clearly concerned and you can bet they are organizing against anything the current administration might do that impacts victims of rare disorders.

Why we need universal privacy protection

Along with universal care, we need a universal presumption of privacy for our personal information. In all EU countries, your personal information enjoys protections under the law and as a right. In the US, the question of whether your personal information is protected is unclear, in other words: it depends, on the nature of the information, its location, your location, even your status in society (see my white paper referenced below). Suppose you borrow a book from the library. Is that information protected? The answer in America is: that depends. There is no US federal protection of your library lending records. There is no explicit right under which they are protected. However, most states do have library record privacy laws.

Where the lack of a right to data protection in the US really bites is new forms of data. When people started to rent videos, the records of what you rented were not protected until congress passed the Video Privacy Protection Act of 1988 (VPPA). That only happened after politicians realized how embarrassing the revelation of an individual’s rental records could be (as demonstrated during Judge Robert H. Bork's Supreme Court confirmation hearings, which directly led to the VPPA).

Similarly, information about your DNA was not protected until a law was passed (GINA). To be fair to the folks who study the human genome, they seem to have been, and remain, passionate and unanimous in their support of privacy protections. Sadly, that may not be enough to insure the success of genomic medicine in America. Beyond the research labs and the corridors of the academy there is a massive trust gap wth respect to genetic data. The gap will need to be filled even if Obamacare is not repealed.

If Obamacare is repealed and replaced with something that allows discrimination against preexisting conditions, with no plugging of GINA loopholes and carve-outs, then America's chances for a healthier future through genomics and personalized medicine will fade.

The cyber factor

Finally, it has to be said: even if the Obamacare protections for people with preexisting/genetic conditions remain unrepealed, the world of genomics is still going to have to deal with the erosion of trust in technology and institutions created by rampant cybercrime, whether that crime is committed for monetary gain, political advantage, or the sheer bloodymindedness of disaffected individuals. As a society we are feeling the negative effects of a constant barrage of headlines like this: “Over 113 million health records breached in 2015 - up 10-fold from 2014” (CSO Online).

Even specialized websites like Fierce Healthcare have a hard time keeping up with the data breach stories. Consider this from December, 2016: “More than 25 million patient records were reportedly compromised as of October 2016. And then, in November, the cases spiked: There were 57 health data breaches—the most in any one month this year.” These headlines are not confined to trade publications. Here is just one from the New York Times: "Millions of Anthem Customers Targeted in Cyberattack". Imagine reading that if Anthem has your DNA data.

The cumulative impact of cyber-badness on our faith in technology can be measured in several ways. Consider what happened when I asked 1,000 computer-using adults in the US if they thought problems with digital technology, like computer hacking and network outages, posed a risk to their security and wellbeing. Fully two thirds of respondents saw moderate or high risk (35% and 33.5%). Only one in five people said the risk was slight (19%) and only one in eight saw almost no risk (12.5%). Without an effective, globally-coordinated cybercrime reduction campaign, it is hard to see how these negative perceptions can be reduced.

One thing is certain, organizations active in genetic research and genomic medicine will need to be doubly secure in their handling of human DNA data. At the same time, they need to educate the government and the public about the need for a system of healthcare that fosters genetic research and genomic medicine, rather than inequity and fear.


Tuesday, February 7, 2017

There was no valedictorian and other observations on the way to my graduation

Last month I graduated from the Criminology Department of the University of Leicester with a Master of Science degree in Security and Risk Management (MSc SRM). I graduated in person, in England, with my own two-person cheering section (mum: Dorothy; partner: Chey).

The trip to get there was a long one, and I don't just mean the miles (6,000) or the years (two spent on the course, but many more getting ready for it). However, the journey was well worth making, and the graduation ceremony was well worth attending, even though it raised several questions that I feel obliged to answer here.

1. Why graduate in January?

The timing of my graduation ceremony was awkward to say the least, but it was due to the fact that the SRM program that I wanted to pursue has two cohorts per year, commencing in March and September, with two graduation ceremonies, July and January. I was in a September cohort for which the usual graduation is January.

That is not, in itself awkward, just unappealing, given how cold and grey January weather can be in England (for the photo of Chey and me on the right I had to crank up the Brightness).

But the exact timing was awkward, given that my employer, ESET, whose generous employee education program had funded my studies, decided to hold its annual North American Partner Conference (NAPC) that same week as my graduation.

The NAPC is a great event, hosted at the San Diego Hard Rock Hotel, and as head of the US Research Team I was expected to address the partners on the 2017 cybersecurity threatscape, the world into which they would be selling ESET's security solutions in the months ahead.

Fortunately, it was possible for me to do that, and go to the graduation, by speaking before lunch on the first day of the conference and then taking the direct BA flight from SAN to LHR later that afternoon. Unfortunately, that meant getting to our UK home base of Coventry late in the afternoon of the next day,  checking into a hotel, having dinner with Mum, and then rising next morning to head for Leicester. Not a lot of time to get over jet lag, but it was do-able.

2. Second or third masters degree?

At the end of my remarks to the NAPC I apologized for not being able to hang around for the whole two day event, making a joke about having to go and get my degree because the university refused to change the graduation date to accommodate ESET, even though it's one of the largest security software companies in the world.

That got a few laughs, but it's what I got over lunch that surprised me: questions about whether this was my second or third masters degree, or more generally: "How many degrees is that then Professor Cobb?"

I can honestly say my initial reaction was entirely factual: I said that this was my first masters, two degrees total. Some people obviously assumed I had spent a lot more time in academia than is the case. But I had to chuckle when I told my classmates about this at our department's pre-graduation buffet, because they all said they would have played along with the assumption: "Second or third masters degree? Hmm, let's see, hard to keep track."

Of course, my fellow graduands were all security people, many working in physical and operational security, and this accustomed to the odd piece of, shall we say, tactical social engineering. And for some of them this was their first degree, since it is possible to do a Masters degree in England without a Bachelors or, as in my case, without a relevant Bachelors. My first degree, back in the 1970s, was in English and Religious Studies (and the number computers involved was zero).

A big motivating factor in attending my second graduation is that I skipped my first one. Why? I was boycotting the royal family. Allow me to explain. I have always objected to monarchy and my first degree would have been handed to me by the Chancellor of the University of Leeds, a position held at the time by a member of the British royal family.

I did not think that was appropriate and I did not want her handing me my degree. At the time, this posed something of a dilemma for my mum, seen here on the right. As far as we knew, I was the first person in our family to get a degree, so it was definitely something to celebrate, but on the other hand, my mum and dad had raised me to stick by my principles, on top of which, they weren't fans of the royal family either.

In the end we compromised and I a posed for some suitably formal picture taking in my grandparents' garden, wearing the appropriate gown from a Leeds alum who was a friend of the family. (My grandfather might not have had a degree, but by the time he was 50 he was able to sell his share of an engineering firm in Coventry that he co-founded, and retire with a garden large enough for a bowling green and graduation pictures.)

3. Isn't that against the rules?

In America, the rules of academic hierarchy tend to be strict. For example, you will have a hard time getting a paid teaching gig at a US university if you don't have a masters degree. But rules can be bent at times, for example when a new discipline emerges. There was a time, not much more than a decade ago, when you couldn't hire someone with a computer security degree to teach computer security because such degrees did not exist.

This led to an interesting exchange when I was being interviewed for my job at ESET in 2011. The head of HR, who has since become a good friend, said to me: "Your resumé indicates that you taught master of science in information assurance classes at Norwich University, but how was that possible when you only have a bachelors degree?" To which I replied, "Well spotted! It was only possible because the Dean made an exception, based on my knowledge and experience."

In fact, the award-winning MSIA program at Norwich, created in 2002, was put together by someone with a PhD in applied statistics and invertebrate zoology, Dr. Mich Kabay. To create and deliver the program's online curriculum, Mich tapped myself and Chey and a small army of security industry experts, none of whom - to the best of my knowledge - had a degree in security at the time. His approach paid off in short order as Norwich was quickly named a Center of Academic Excellence in Information Assurance Education (referred to as COE for short) by the NSA's Deputy Director for Information Systems Security.

I was initially surprised that people assumed I had multiple degrees, and then I felt flattered. I decided it meant that they think I know what I'm talking about. And that is actually true most of the time: I do try to talk only about what I know, or at the very least, to provide a clear disclaimer when I'm asked, or tempted, to talk about something that I'm not sure about.

Over the years folks have occasionally referred to me as Doctor Cobb, and I have immediately pushed back. I do not have a doctorate, even now. But I am less concerned when folks call me Professor Cobb. I have taught at university, and may do so again at some point. However, and just to be clear, I currently only have two degrees.

4. What happened to the valedictorian?

Another funny thing that happened on my way to, and upon return from, my graduation, was the multiple requests from my manager for a copy of my valedictorian speech. According Wikipedia, Valedictorian is "an academic title of success used in the United States, Canada, Central America, and the Philippines for the student who delivers the closing or farewell statement at a graduation ceremony (called a valedictory)." Fair enough, but notice which country/region is not on that list? Graduation ceremonies in England, and certainly the one that I attended at Leicester, do not have a valedictory or valedictorian.

The intent of the good-humored ribbing was to suggest that I had graduated at the top of my class. But that's another thing my class did not have: individual ranking. When I got my Bachelors degree in 1974, the results for all the students were posted on the department notice board, a physical object in a specific geographic location. Going to the department and looking at the board was how I, and all my classmates, found out that I got a First (English universities used to rank degrees as First, Upper Second, Second, and something else). As it turned out I was the first person to get a Joint First in English and Religious Studies at the University of Leeds, and the only person to get one that year. But there was no list of results ranking my class. For my masters I got my grade via a website and that only showed one result: mine (which was Merit, one level below Distinction).

So it is quite possible that I was not the top student in my class. There were 33 of us graduating and none of asked about each other's grades - I think we were all just glad to have made it to the finish line, especially since most of us were holding down full time jobs, often in challenging places (like Kabul and Beirut to name two).

Indeed, whenever I was feeling like giving up I reminded myself that studying in San Diego was a lot easier than in a lot of the places my colleagues were coping with, so I should quit complaining, and besides, I was studying in my native language, which quite a few of my classmates were not (I confess that I'm awed by people who get a degree in a non-native language).

So in closing, but still speaking of languages, I promise my next post will be about the meaning and significance of the University of Leicester motto: Ut Vitam Habeant (here's a hint).

[Disclaimer: I have not yet written that blog post.]