FYI.

This story is over 5 years old.

Tech

Why Homeland Security Unleashed an 'Alien Virus' on Silicon Valley

Short answer: It was to prove a point that wireless emergency alerts could be way better—and save more lives.

At 5 PM on 25 April 2015, dozens of cell phone users in Mountain View were warned of a bizarre road accident. A satellite had crashed to Earth on the busy Moffett Boulevard, three miles from Google's headquarters, causing gridlock.

Half an hour later, things got really weird. First responders to the scene began sickening with an unknown virus. By half past six, the infection had spread to Palo Alto and Menlo Park, traffic was at a standstill for miles, and gunshots had been heard in nearby Sunnyvale.

Advertisement

The messages—issued through the Wireless Emergency Alert (WEA) system that normally warns of severe weather and missing children—kept coming. A firestorm in San Jose, mobbed hospitals and widespread civil unrest. By the next afternoon, California Governor Jerry Brown had ordered the evacuation of millions of people and the National Institutes of Health had confirmed the virus was extraterrestrial in origin. As darkness fell, the president imposed martial law.

But there was no need to panic. This was, of course, just an exercise, a scenario dubbed "Alien Catastrophe" by researchers with funding from the Department of Homeland Security to test new technologies for public alerts.

The real battle being fought right now is not between the National Guard and interstellar microbes but between government agencies keen to drag WEA into the digital age and a telecom industry that seems happy with things just the way they are.

All the information that could rescue a child or save your life today has to squeeze into less than two-thirds of a tweet.

First deployed in 2012, Wireless Emergency Alerts are those blaring cell phone tones that wake you in the middle of the night with an Amber Alert or notice of an incoming storm. WEAs are sent to every single cell phone within range of certain cell towers, allowing local, state and national agencies—Alert Originators (AOs) in the jargon—to achieve blanket coverage of the population in a way that radio and TV broadcasts no longer can. Since 2012, the more than 500 AOs across the US have sent out over 21,000 WEA alerts.

Advertisement

Some of those messages have certainly reunited families and avoided disasters. In 2013, WEA is credited with saving the lives of 29 children at a soccer camp in Connecticut, whose sports dome was blown away by a tornado moments after the manager received a warning on her phone and rushed the kids to safety. And earlier this year, two children in Florida who had been abducted by their mother were recovered after utility workers recognized her vehicle from an Amber Alert WEA.

But the system is painfully limited. Because of the way the underlying technology works (more on this later), WEAs are text-only messages limited to just 90 characters. All the information that could rescue a child or save your life today has to squeeze into less than two-thirds of a tweet. And there is currently no way to include a clickable phone number or web link for recipients to report sightings or learn more.

The geographical targeting of WEAs is also fairly crude. Alert Originators know or suspect the areas that will be affected by an event. They draw a geometric shape on a map and pass that along to the wireless carriers. The carriers then translate that polygon into which cell towers will broadcast the message. Inevitably, the irregular polygon doesn't map well on to hexagonal cells, so carriers ending up spamming many more phones than necessary to avoid missing anyone.

The upshot, says Martin Griss, the recently retired director of the Disaster Management Initiative at Carnegie Mellon University's Silicon Valley campus, is that, "People are getting messages that shouldn't be getting them and are then irritated and opting out." It only takes a second to turn off Amber Alerts and emergency alerts in your phone's settings, excluding you from all future messages.

Advertisement

Late last year, the Federal Communications Commission (FCC) decided that it was time for a change. In November, it proposed a drastic overhaul of WEA that would see messages grow from 90 to 360 characters, include phone numbers, URLs and possibly multimedia content for the first time, and get far more precise geotargeting. It also suggested that WEAs be issued in languages other than English, and be presented in new ways to reduce the likelihood of people opting out.

"Our proposals are tailored to impose minimum burdens on stakeholders, while ensuring that all Americans have the capability to receive timely and accurate alerts," wrote the commissioners.

An example of a WEA alert augmented with a clear map, which could help recipients better understand and respond to the alert. Image: CMU/DHS

But cell phone industry stakeholders reacted with all the calm and composure of a Mountain View cop being engulfed by virulent alien goo.

In a filing to the FCC, Apple wrote, "Long alerts may inundate the user with information, leading to less user comprehension and increasing the likelihood of user opt-out." AT&T complained that, "Embedding URLs in all WEA messages poses a threat of congesting wireless networks."

Among its long list of objections, Verizon urged the Commission to "assess whether the marginal improvements of geofencing (if any) warrant the substantial effort of new device- and network-level standards." As for supporting a variety of new languages, thought Verizon, "This is a worthy longer-term endeavor… but is not feasible in the near-term."

Advertisement

The Competitive Carriers Association, which represents nearly 100 wireless carriers, went further still. It recommended that providers should be allowed to opt-out of the WEA program in certain areas, and even be given a complete waiver if they could not comply with any new WEA requirements.

In short, says Hakan Erdogmus, a software engineering professor at CMU, "There is also open resistance from wireless carriers and platform developers to the idea of adding more functionality to the system. They really don't want to do more than they are doing right now."

While handset manufacturers and wireless carriers regularly update features and services for data, social media, music and video, the obstacles to upgrading a primitive public safety system are, apparently, insurmountable.

To investigate this puzzle, the Department of Homeland Security's Science and Technology Directorate commissioned Carnegie Mellon to conduct a study of WEA usage, and to develop and test strategies for improving the alert system. Martin Griss, Hakan Erdogmus and a third CMU professor, Bob Iannucci, took up the challenge.

They interviewed over 100 Alert Originators from around the country, analyzed the links between WEA and social media, developed new compression technologies and visualization tools, and then tested them in a series of trials, culminating in the Alien Catastrophe.

They started with message length. The 90-character limit comes from WEA's root in a pre-millennial 2G cell phone technology called Short Message Service Cell Broadcast or SMS-CB. The advantage of SMS-CB is that it works like an old-fashioned TV broadcast, reaching every device within range at the same time. It's not dependent on network traffic, so no matter how many people are streaming cat videos or playing Pokémon Go, the message will quickly pop up on every device connected to a specific cell tower. This makes it particularly useful during major disasters, when everyone is trying to call their mom.

Advertisement

"If we had a large earthquake that took out a lot of infrastructure, the way the WEA system is engineered means that it will probably survive even when other networks don't."

Modern 4G handsets, however, can easily accommodate 360 character messages, and Alert Originators are overwhelmingly in favor of them. The National Center for Missing and Exploited Children (NCMEC) says that it can be extremely difficult to fit sufficient information in current Amber Alerts, while the National Weather Service (NWS) wants longer messages to explain meteorological terms. Both organizations also want multimedia content, such as images of maps or missing children.

Apple's complaint to the FCC, that longer WEAs could overload users with information and increase opt out, is contradicted by several scientific studies. A 2014 report by the University of Maryland on terrorism alerts (also funded by DHS) found that longer messages were more effective at helping people understand the risks and choose the correct protective action.

In its own user tests, CMU found that there were no significant differences between the understanding and adequacy of short and long alerts, and that long alerts were significantly more relevant and actionable, and less annoying.

Almost every wireless company that commented on the FCC's rules was worried about including clickable phone numbers or URLs in WEAs. Apple's complaint is typical, that "users simultaneously attempting to access embedded references during emergencies could overwhelm networks."

Advertisement

This is a real danger. While two-thirds of recipients in CMU's test found web links in alerts useful, their effect on congestion remains uncertain. One argument for including them is that networks see a spike in traffic around WEAs anyway, as users seek information or contact loved ones. The URLs embedded in WEAs could link to small, specialized web pages, perhaps cached locally, to minimize disruption.

The critical thing, said Bob Iannucci, is that the messages themselves are as complete as possible: "If we had a large earthquake that took out a lot of infrastructure, the robustness and the way the WEA system is engineered means that it will probably survive even when other networks don't."

This graphic illustrates how little geographic precision the current system (closer to figure A) allows for. Image: DHS/CMU

Improved geotargeting is the other big change the FCC is pushing. Currently, users in rural areas can receive supposedly localized messages that relate to emergencies happening hundreds of miles away. "Better geotargeting was Alert Originators' top priority," said Martin Griss. "Because AOs don't know who will actually receive the alert, they don't feel they have enough control—and in many cases they won't use it."

To solve this, the CMU researchers used the GPS and WiFi location technologies found in virtually every modern cell phone. In their system, a WEA encoding the Alert Originator's polygon would be sent out using the same cell towers as today—a wider area than necessary. But then the phones themselves would decide whether or not to display the alert, depending on whether each handset located itself inside the polygon.

Advertisement

This also allows for the customization of alerts. For instance, a user could set their phone to always show messages from places that they visit regularly, such as their home or child's school, even if they were far away when the alert was issued. In CMU's user tests, subjects found geotargeted WEAs significantly more relevant than non-geotargeted alerts.

Verizon, however, is not convinced. "Geofencing would raise a number of potential concerns, including the potential need to establish a data session to enable a device to receive alert area coordinates, which could adversely affect network capability; and a device's need to track the customer's location (which the user may turn off) and the attendant privacy concerns and latency challenges," it wrote to the FCC.

CMU has some ideas here, too. Last year, Hakan Erdogmus and his team devised algorithms to compress complex polygons—such as a winding river about to flood—to as little as 10 percent of their original size, just 8 to 55 characters. These would be small enough to include in the WEA itself, eliminating the need for a data link. And if a phone could not fix its location, he says, it could simply default to showing the message.

As for privacy, all computation would be done on the phone itself, with nothing shared back to the carrier or AO. (Also: It's interesting to see Verizon use a pro-privacy argument as pushback to the new WEA concepts when it's taken an opposite stance on user privacy for more profitable technologies.)

Advertisement

The final improvement that CMU tested was a new interface. The researchers wanted to shift away from today's fleeting pop-up alerts to something that gives broader situational awareness. They designed an iOS and Android app, called WEA+, that includes icons, maps and threaded messages. It presents a digested sequence of alerts to help users better cope with situations that evolve over time.

The scheduled sequence of alerts sent out in the April 2015 test. Image: DHS/CMU

During the public tests in Pittsburgh and Silicon Valley, CMU tested dozens of new WEA features. Users knew they had signed up for a test but they didn't know any details in advance. "We created scenarios that were multi-dimensional, with lots of things going on, that we thought if they were sent as text messages might give rise to confusion," said Iannucci. "The alien virus worked really well. Users could suspend their disbelief and respond accordingly."

For the most complicated scenarios, the digest view made it many times more likely that a user correctly understood the emergency they were facing (even if they didn't believe it). People liked the app too, by a factor of over three to one compared to the normal WEA messages.

CMU admits that the shift to an app-style interface would be a massive change for WEA, requiring significant work on the part of carriers, handset manufacturers and platform developers like Android and Apple. Verizon's response suggests you shouldn't hold your breath. In its FCC filing, the nation's largest wireless carrier wrote, "Any regulations or standards… risk stifling handset manufacturer creativity, with questionable overall benefit to consumers."

Advertisement

"There is resistance to even the smallest incremental change, with no apparent good reason," said Erdogmus. "They're pushing back, pushing back, and that probably stopped some of the improvements that could have been implemented earlier."

Nevertheless, the time does look ripe for change. By the end of this year, AT&T will have shut down its 2G network, with Verizon set to follow by the end of 2019. Once there are no live 2G handsets, and only a few 3G phones rattling around, the move to 360-character WEAs seems inevitable.

Once that happens, there will be plenty of room for CMU's efficient polygons to deliver superior geotargeting. That in turn should spur Alert Originators to make better use of the system, generating more feel-good stories of rescued kids and tornado survivors to reassure users.

Even AT&T, although remaining skeptical, recently agreed to a limited trial of embedded URLs to see whether they cause "unmanageable congestion" when included in Amber Alerts.

None of this really gets to the heart of the problem, though, which is a phone industry that sees WEA as a regulatory headache rather than an opportunity to protect and serve its customers. Instead of putting their billions towards improving a public safety technology that has been proven to save lives, they stall for time and focus instead on vapid "upgrades" like personalized message bubbles and pop-up menus.

"If we're at the whim of wireless carriers and platform developers, then I don't think large scale improvements will be possible," said Erdogmus. That would suck. After all, you never know when an infected satellite is going to land on your head.

Follow Mark on Twitter: @meharris.

Correction: This story originally referred to CMU research in Philadelphia. It was in Pittsburgh. We regret the error.