💾 Archived View for spam.works › mirrors › textfiles › programming › epidemic.ctl captured on 2023-06-16 at 20:10:05.
-=-=-=-=-=-=-
Date: 29 Oct 89 20:27:52 GMT
Subject: Secure Distributed Databases for Epidemiological Control
English update of:
Stodolsky, D. S. (1989, August).
Brugerforvaltet datakommunikationssystem til bekaempelse af seksuelt
overfoerbare infektionssygdomme
[Secure Distributed Databases for Epidemiological Control].
Research proposal submitted to the AIDS-Fund Secretariat, Danish Health
Department.
(Available from the author at the Psychology Department, University of
Copenhagen )
==============================================================
Secure Distributed Databases for Epidemiological Control
Abstract
The project's objective is to develop a personal computer-based
system for control of infectious agents. The overall goal is a
better understanding of affects of enhanced social facilitation
and health education on disease transmission. A theory of real-
time epidemiological control, based on contact tracing, specifies
a cryptographicly-secure distributed-database system
providing situationally specific risk assessments that are based
upon personal histories.
Personal computer systems negotiate exchanges of information that
permit preselection of conversation partners. The techniques used
yield unprecedented protection for user's identities and data.
Users communicate under the protection of pseudonyms. Data is
kept private, but is releasable through exchange negotiations.
The systems permit self-administration of questionnaires and
distribution of health information, as well as
communication with selected conversation partners.
Information on changing health status and risk related
behaviors are routinely gathered during system operation. In
addition to giving users situationally specific risk assessments,
these data permit new types of epidemiological analysis.
A pilot project devoted to design and development of a
prototype system is specified in detail. The plan includes
discussions with potential organizational participants in the
proposed experiment and other interested parties.
=====================================================
30 August, 1989
"I don't want to know your name,
I want your history."
(Painters and Dockers, 1988).
Secure Distributed Databases for Epidemiological Control
(Controlling Sexually Transmitted Diseases with Informational Barriers)
1..Objectives
Information technology offers new techniques for the control of
infectious agents that can complement medical and public health
measures. The techniques described here are most useful when medical
measures are of limited value and where privacy concerns
predominate. The discussion is focused on control of the Human
Immunodeficiency Virus (HIV), even though the approach is of general
applicability. For instance, HIV seropositive persons benefit even more
from this approach than others, since it helps protect them from
exposure to infectious agents that can activate the virus and cause
other infections. The specific project objective is the development of
information technology techniques for control of sexually transmitted
diseases. The overall project objective is to investigate the impact of
social facilitation and health education on disease transmission, that is
achieved by using such techniques.
Social facilitation has two roles. First, to enhance risk free contacts
through preemptive detection of risky transactions. Second, to reduce
the total number of transactions, and thereby risk, by stabilizing
relationships through increasing the probability that continuing
interactions results from mediated contacts. Both of these objectives
require negotiations using significant amounts of sensitive information
prior to actual contact. In the first case this information is of a medical
nature, in the second it is of an ideological or social nature. The
negotiation procedure can be highly restrictive, resulting in rejection of
most potential contacts. Thus, if social support is to be maintained, the
scope of potential contacts must be increased. This requirement is
satisfied by using telematic systems and computer support in the
negotiation process. Such automatic mediation also permits effective
protection of sensitive personal information, thereby enhancing the
likelihood that the data is complete and reliable.
1.1..Detection of risk
Preemptive risk detection is facilitated by individualized real-time
epidemiological modeling. Both the medical and behavioral history of
each person is available during the negotiation process. Certain risky
contacts are blocked by the mediating system. For instance, a
HIV seropositive person would never be matched with a HIV
seronegative person. In most cases, however, medical test results will
not be available, thus behavioral information provide estimates of risk.
Adequate data is maintained to permit contact tracing in real-time
when a positive test result occurs. Thus, a single positive test result
could propagate through a chain of contacts, changing the risk status of
a large number of persons rapidly. Persons at high risk would be
rejected as social contacts, in most cases, until a negative test result was
obtained. This would lead to voluntary compliance with a program of
selective testing for persons at greatest risk. Thus, preemptive risk
detection operates in two ways. First, risky contacts are rejected by
presumably uninfected persons, thereby blocking transmission of
infectious agents. Second, at-risk persons are motivating to seek
medical assistance for a change of risk status.
1.2..Stabilizing relationships
As long as infectious agents are prevalent, risk of infection is
proportional to the number of (risky) contacts. In the case that persons
are seeking a stable relationship, a prior knowledge of objective factors
including behaviors, and subjective factors such as interests, desires,
attitudes, and beliefs can play a role in predicting outcome of a contact
and thereby minimizing the number of contacts needed to find a stable
relationship. While guarantees of privacy can improve the reliability of
data contributed by persons, it is likely that feedback from prior
contacts can be used to improve data accuracy. It certainly can play a
role in confirming that self reports are complete and honest.
1.3..Security system development
The success of the strategy proposed requires the ability to use data
without disclosing it except when absolutely required. The highly
sensitive nature of the data needed for this study presumes
development of improved security models. Security that is dependent
on trusted third parties may be adequate for the initial phase of this
study, but elimination of such intermediaries is an objective. Thus, in
the limit, each person would exercise control over their sensitive data
directly. This would, of course, require a personal computer or "smart
card" for each user. Such systems have been proposed and will become
economically feasible in the near future. Specification and feasibility
analysis of various security enhancements will be examined as part of
the project.
A first security enhancement step would be to provide the user with a
card that in connection with a password or personal identification
number (PIN) could be used to activate remotely held sensitive data.
This level of security is currently available with electronic funds
transfer (EFT) terminals (automated teller machines). A next level of
security is to provide each user with a "key loader" that provides a
sequence of binary digits that is used to decode remotely held data files
that normally remain enciphered.
Optimal security is available when data is under the direct physical
control of the user as well as being secured by password and
cryptographic security mechanisms. Currently available personal
computers have adequate capacity to perform these functions. Central
data would list pseudonyms (public-keys) of persons using compatible
systems and provide mail boxes for messages. All exchanges of
information would be encrypted.
2..Significance
The AIDS epidemic has created a medical emergency of major
proportions. It also threatens to create a crisis of social control
unprecedented in modern times. The major reason for this is the lack
of medical countermeasures against the virus. A second reason is the
effect of the HIV on the brain, AIDS dementia complex (ADC), that can
result in irresponsible behavior (AIDS not, 1987; Smith, 1989). A third
reason is that some common institutions for social coordination may
actually accelerate the spread of the disease. This deficiency can be
overcome by a strategy that simultaneously enhances personal
integrity and social control.
Factors including changing population density, behavioral patterns, and
infection pathways alter niches for pathogenic organisms which evolve
under new conditions. AIDS is an example of a disease which has
dramatized the availability of a new niche. Seale and Medvedev (1987)
argue that the AIDS epidemic could not have started without the
availability of multi-use hypodermics. An important characteristic of
this disease is inapparent infection that inhibits its control. Effective
control presumes the ability to visualize the infectious agent and take
appropriate action to avoid further transmission. Cost effective medical
testing alone cannot reliable visualize HIV, due to delayed
seroconversion resulting from the virus remaining hidden inside cells,
failures in seroconversion, and even loss of antibody response.
Transmission can apparently not be reliably blocked by physical
barriers. Related organisms pose an even greater threat prior to
identification (Cancer virus, 1987). These limitations demand a new
control strategy suitable to new conditions of disease transmission.
The control strategy suggested here permits an approach to disease
management independent of medical capabilities. It has the potential of
being both effective and economical. Infection risk is visualized entirely
through information handling. Thus, the technique can be applied
without detailed knowledge of the infectious agent. Avoidance of
infection is an integrated function of the information handling strategy,
as is the motivational structure needed to promote cooperation. A most
important aspect of the strategy is that it is a preventative approach.
Brecher (1975) concluded that the three major strategies for control of
sexually transmitted diseases, treatment of symptomatic cases, contact
tracing, and routine screening are ineffective compared to simple
preventative measures. He argues for health education and effective
prophylaxis as likely to lead to reduced incidence. In the case of HIV,
prophylaxis is the only strategy currently available, and thus it is
crucial that informational as well as physical barriers be used to inhibit
the spread of the virus.
This is perhaps even more important when we consider the long term
dynamics of disease. Often diseases evolve in the direction of reduced
virulence, making them less apparent and often more prevalent (Seale
& Medvedev, 1987). In the case of HIV, it is likely that the first
successful medical countermeasures will consist of methods to extend
the latent period of the disease. Thus, while currently, a person can
remain symptom free for 5 to 7 years, a person receiving this first type
of treatment for HIV may remain symptom free for 20 years or more.
The key premise of this strategy asserts that HIV infection and AIDS
are chronic, manageable conditions (Smith, 1989). During this time
persons may pose a continuing infection risk. If these persons are to
remain contributing members of society the informational barriers
suggested here may be crucial.
A wide range of compulsory measures directed towards individuals
have been suggested and in some cases implemented, even though their
negative side effects have been recognized. However, voluntary ones
which could be equally effective have not been exploited. The potential
of voluntary measures has been recognized by the public. The news
report, "Blodgivarnaal blir 'friskhetsintyg'?", was occasioned by a sharp
increase in blood donors in Malmo and reports that blood donor pins
were being used at a dance hall as health certificates (Fredriksson,
1987). A corresponding increase was noted to not have occurred in
Goteborg. In Malmo the pins are given out after the first blood
donation, while in Goteborg they are given out after ten donations. So
the difference in public response is hardly surprising, it results from a
natural experiment on the control of sexually transmissible diseases.
3..Background
3.1..Informational precursors in social medicine
The epidemiological approach taken here is similar to the highly
effective public health measures taken in 18th and 19th century to
control infectious diseases. Up until that time cities (e.g., Copenhagen
and Stockholm) most often had no effective sewage or garbage disposal
services. This led to a situation in many cities where maximum
population levels were reached, with deaths due to infection balancing
population inputs. Having recognized that many diseases were
transmitted (by microorganisms) in wastes, public works programs
were undertaken in order to segregate fluids carrying wastes from
fluids used for consumption and for food preparation. These measures
were taken well before effective medical procedures for dealing with
many diseases were developed, and in most cases before the actual
causative agents were identified. A key point is that knowledge about
transmission of infectious agents preceeded their control. This control
was implemented by a physical restructuring of fluid management
through sanitary engineering.
The fluids dealt with here are distinguished by the source individual.
Due to higher population densities, changes in attitudes about sex,
increases in uses of invasive procedures (use of blood and other bodily
products in medicine, and use of injectable drugs) persons are now
much "closer" in a physiological sense then in earlier times (Seale &
Medvedev, 1987). It is not only recommended to avoid certain classes
of fluids that are in general known to contain infectious agents, but to
avoid contact with body fluids from classes of persons in risk groups
(Prostitutes asked, 1987). The approach discussed here goes one step
further in this line of development, it introduces measures permitting
one to routinely avoid contact with fluids from specific individuals who
are at risk or known to be carriers of an infectious agent. This requires
the routine use of prior knowledge about these agents. That is, the
availability of informational precursors associated with these agents.
3.1.1..Biological agents
A clear understanding of the approach requires distinction between
biological agents, informational agents making demands upon attention,
and informational agents that require only processing by machines. If
each person was to inform a potential contact of all infectious agents
carried by that person, then we could say that an informational
precursor existed for each infectious agent. This would give persons the
option of avoiding contact with fluids containing infectious agents.
3.1.2..Informational demands upon attention
Aside from the privacy problems and diagnostic uncertainties which
would reduce the effectiveness of such a procedure, there are major
informational demands upon attention associated with it. Particularly in
the case where there is a reasonable prevalence of an infectious agent
in a population, the simple communication of diagnostic information
would be inadequate. With sexually transmitted diseases, in most cases,
at least one new person has been infected by the time a given
individual has been diagnosed as carrying the infectious agent. Thus, a
person would have to communicate not only their own diagnostic
information, but also the diagnostic information from previous contacts.
Some of information concerning a given contact would only become
available much after that contact had take place, thus inducing
unrealistic informational demands upon communicators.
3.1.3..Information processible by machine
A solution to this problem is to structure diagnostic data in
standardized machine readable forms, thus permitting precursor
information (both from direct diagnosis and from diagnostic
information transmitted by contact tracing) to be exchanged by
computers prior to an anticipated contact. This strategy also permits the
introduction of an effective solution to the privacy problem. The idea is
to make use of the information without revealing that information
except when it is no longer sensitive (Stodolsky, in prep.). It also
compensates to some degree for diagnostic uncertainties, since what is
transmitted by automated contact tracing is information about risk, as
opposed to direct diagnostic information. The automated contact tracing
mechanism can also be implemented in a manner protecting personal
integrity (Stodolsky, 1979a; 1979b; 1979c; 1983; 1986)
3.2..Theory of operation
The system outlined here is most simply explained if we assume that
each person has a personal computer capable of directly exchanging
information with those of other persons. These computers can, in the
simplest case, generate random numbers that are used to label
transactions. A transaction is defined as an interaction capable of
transmitting the infectious agent. After each transaction, therefore, a
person has a unique label or code for that transaction.
In the event that a person becomes ill or is identified as carrying an
infectious agent, the transaction codes which represent transactions
during which that agent could have been transmitted are then
broadcast to all other computers. If a receiver's computer has a
matching code, then that person is alerted to the possibility of the
agent's presence, and can report to a medical center for testing and
treatment. This iterates the process, thus identifying all carriers
eventually. The effect is to model the epidemiological process, thereby
identifying all (potential) carriers through forward and backward
contact tracing.
In order to clarify the procedure, consider a scenario in which there are
two types of actors, persons (Pi) and doctors (Di) (Figure 1). Doctors
operate only within a health center (HC). There are also two types of
agents, biological and informational, that can be transmitted during a
transaction. Informational agents are always transmitted with physical
agents. Each actor has a computer that can exchange information with
another actor's computer. A doctor's computer can also broadcast
messages to all actors at once by sending them through a more
powerful computer at the health center. Contact tracing is illustrated
by the sequence in Figure 2. At time T1 person A (Pa) and person B
(Pb) engage in a transaction. Their computers label this transaction with
a number N1 and store the number. Pb then physically moves into
contact with person C (Pc), this transaction is labeled N2 and recorded
at time T2. At time T3, Pb becomes ill and reports to a doctor (Da). The
doctor verifies the infectious nature of the illness and then reads the
transaction codes, N1 and N2, out of Pb's computer. These are broadcast
to all other computers at time T4. When Pa's computer receives the
broadcast, the transaction code N1 matches the number stored in
memory. This alerts Pa to the fact that s/he is in the chain of
transmission of the infection ( in this case Pa was the initial carrier of
the infectious agent). When Pc's computer receives the broadcast, the
transaction code N2 matches the number stored in memory. This alerts
Pc to the fact that s/he may have been infected (at T2). The alerting of
Pa is an example of backward tracing from Pb. The alerting of Pc is an
example of forward tracing. We assume in this simplest case, that when
an alert is received, the affected person voluntarily reports to a doctor.
In a more secure system, a person's computer would not be capable of
generating new transaction codes if a matching code had been received.
This would indicate to potential new contacts that contact with this
person was risky. (Actually, the more secure procedure would require
the exchange of updated health certificates.)
3.3..Operational alternatives
An ideal system would ensure that all contacts were mediated by
computer. Since the most appropriate technology, powerful wristwatch
like computers with communication capabilities, is not available for the
moment (though key components have become available [Ivey, Cox, ,
Harbridge, & Oldfield (1989)]), development will proceed on standard
personal computers. While these machines are available in a hand held
format, people can not be expected to carry them at all times. In many
cases, people can organize their contacts using a personal computer
from an office, public computer center, or their home, but clearly other
options must be available. A voice-message system that duplicates all
function of the personal computer, but with voice output and telephone
key-pad input is an attractive option. It permits planned organization
of contact opportunities with limited, but, for most persons, more than
adequate security.
In the case of chance meetings, persons would be required to make an
inquiry prior to proceeding with a contact. The common magnetic strip
credit card offers an adequate level of security, but requires a readily
accessible teller machine. Such a verification system assumes
cooperation of appropriate financial institutions. A telephone-based
verification system used in a manner similar to credit card verification
is another option. The various options will be considered during the
first year of the project.
4..Research plan
The overall research plan is based on a 2 factor design with repeated
measures. One factor is risk group and the second is availability of an
experimental health conferencing system. Dependent measures include
health status and health related behaviors. The plan is designed to
permit rigorous evaluation of results without interfering with effective
service to the subject populations, and to permit rapid scaling up to a
larger population if justified by the initial results. If the security needs
are met, it is expected that demand for service will exceed supply. The
waiting list management strategy will generate the control groups.
The effect of the health conferencing system on infection and risk
behaviors is of major interest, thus this effect is measured as a within
subject factor. Each group will be compared to itself at a later time.
Comparison to cross sectionally matched individuals controls for time
effects. The differential effectiveness the experimental intervention on
different risk groups is studied as a between subject factor in order to
enhance the generalizability of the results. A nested multi-variate
analysis of co-variance with repeated measures using matched controls
is used for overall data evaluation.
4.1..Method
A secure conferencing system permitting automated interviewing and
selection of conversation partners, as well as mail delivery functions
will be developed. The software will be installed on two identical
systems. One system will be made available to the Organization of Gays and
Lesbians in Denmark, the other to the (HIV) Positive Group in Denmark.
Each person expressing interest in participating receives information
describing the study and a preliminary self-administered interview.
Person applying to the Positive Group must present evidence of
seropositivity to be considered further. Persons applying to the
Organization of Gays and Lesbians in Denmark must present results of a
Polymerase Chain Reaction (PCR) investigation to be considered further.
Upon presentation of appropriate medical evidence, the registrar
assigns them a pseudonym and password. A comprehensive interview
covering health history and health behaviors is then self-administered.
Each person receives health education materials and is placed on the
waiting list.
When 500 persons are available from each organization they will be
formed into matched groups and randomly assigned to either treatment
or control conditions. The treatment groups receive a questionnaire for
guiding the selection of conversation partners. Controls remain on the
waiting list for six months at which time they are integrated into the
treatment condition. Depending upon results of a risk assessment
interview, serological testing may again be required. Participants are
required to give feedback interviews after meeting conversation
partners. This serves as a check on self-reported data and as a source of
information on opportunities for transmission of infectious agents. Data
on interactions with other persons and degree of risk associated with
them is also collected routinely. Sexual transmitted infections and other
conditions requiring medical intervention are reported routinely. Health
behavior interviews are readministered on six month intervals just
prior to integration of a new persons into the treatment groups.
4.2..Time frame
The first year is devoted to preparations including software
development, finalizing arrangements with participating organizations,
and pilot testing (See "Specific tasks for preparation phase (First year)"
below). The first six month period of the second year is reserved for
training of registrars , and accumulating and interviewing of
participants. The second six month period is for comprehensive testing
of operational procedures as the first set of participants begins using
the experimental system. Cross sectional data analysis techniques will
be applied during this period.
The third half-year of the operational phase of the project will be
devoted to the integration of the first set of control groups into the
treatment condition. After this, all procedures and software will have
been finalized. Longitudinal data analysis procedures will be integrated
with those already in use. At two additional six month intervals, half of
those on the waiting list will be added to the experimental groups using
the health conferencing system.
4.3. Specific tasks for preparation phase (First year)
4.3.1..Contact and discussions with organizations.
The wide range of sensitive and important questions raised by the
proposed study make it imperative that affected and concerned
organizations and persons (Dansk Epidemiologisk Institut, Statens
Serum Institut, Registertilsynet, Sundhedsstyrelsen, Landsforeningen
for Boesser og Lesbiske, Positivgruppen, Frivillige Bloddonorer, selected
journalists and politicians, etc.) have the opportunity to review and
comment upon the proposal. This will include, but not be limited to
those collaborating in the experiment proper. Invitations to a workshop
series will be issued to those selected. The workshops will include
lectures, demonstrations (both manual and computer), and discussions.
Feedback from participants will be used as input to the experiment
design.
4.3.2..Design of experimental trials
The specifics of the design including control procedures will be
structured to insure both scientific validity of collected data and
acceptability of procedures to participants and their organizations. It is
expected there will be conflicts between these two demands and the
workshops will be used to anticipate and facilitate their resolution. A
specific question to be addressed will be the potential conflict between
demands for participation and capacity of organizations to respond to
them without sacrificing rigor of the trials. While previously developed
questionnaires will serve a base for data collection, specific concerns
and interests of different organizations and interests groups will
influence the actual data requested from participants.
4.3.3..Design of secure registration procedures
Protection of the participants identity will be in part dependent upon
the security of the registration and pseudonym assignment procedures.
Abuse of the system that could result from persons obtaining multiple
names will also be controlled by the registration system. Both
administrative and cryptographic mechanisms will require careful
specification. After a description of the cryptographic mechanisms for
registration, organizational placement for administrative procedures
will be determined.
4.3.4..Software development
The most important factor in protection of the participants is the
security of their own computer systems. Both privacy and protection of
identity depends upon the integrity of the cryptographic software. The
software is also plays an essential role of demonstrating the system so
better understanding can be achieved by both users and
representatives of organizations considering the adoption of the system.
Certain components of the proposed system perform functions that
have never been implemented on computer systems or that have not
been implemented to perform the functions needed in this application.
Preliminary software development will permit a better estimate of the
overall effort required to satisfy the security and efficiency
requirements in the proposed application. Preliminary development
will also permit testing of the user interface to ensure easy operation
under strict security requirements.
4.3.5..Simulation modeling
Simulation modeling for predicting effects of the completed system can
play both analytic and educational roles. Graphics can effectively
illustrate the relative impact of preventative as opposed to treatment-
based methods in epidemiology. Such simulations can influence
organizational decision makers as well as potential users. Analytic
questions concerning the relative impact of limited adoption of the
technology on overall population morbidity and mortality can also be
answered with simulation methods. This could answer cost
effectiveness questions and be used to guide the rate of adoption of the
new technology. Considering the very large expenses associated with
clinical treatment of AIDS, the simulation models may be useful in
estimating appropriate funding for operational stages of the project.
4.3.6..Publication of "Hormones" epidemiological model.
While the general concept of real-time epidemiological modeling has
been presented at a conference (Stodolsky, 1983), publication has been
limited to an application involving control of electronic infections on
computer networks (Stodolsky, 1989). Conference presentation and
publication as a human population oriented application will strengthen
theoretical review, and directly address specific questions concerning
human and legal rights. The secure model was included in a recent
conference presentation (Stodolsky, 1986). It would best be
mathematized and then subject to a proof of correctness to insure that
any flaws are identified before substantial software development
efforts are made.
4.3.7..Publication of "Conditional privacy:..."
The paper "Conditional privacy: Protecting expression by one-bit
matchmaking" received public exposure in a conference presentation
(Stodolsky, 1986). While the method is relatively straight forward
cryptographicly, conference presentation and publication would
increase the probability that any protocol errors are uncovered and
perhaps suggest enhancements that integrate certification with
information exchange.
4.3.8..Test data collection
Once data requirements are identified, data collection procedures will
be tested in a software environment approximating the final system.
This will permit identification of user interface and security problems
that could cause problems.
4.3.9..Pilot tests
Test of the completed system, not including cryptographic security, can
be conducted with non-sensitive data to insure operational procedures
are functional. Participants could include students and interested
person attending demonstrations.
5..References
AIDS not gentle on the mind. (1987, March 26). New Scientist, (1153),
38-39.
Brecher, E. M. (1975). Prevention of sexually transmitted diseases. The
Journal of Sex Research, 11(4), 318-328.
Cancer virus linked to drug users. (1987, May 21). International Herald
Tribune, 8.
Chaum, D. (1985). Security without identification: Transaction systems
to make big brother obsolete. Communications of the ACM, 28(10),
1030-1044.
Fredriksson, A. (1987, July, 15). Blodgivarnaal blir "friskhetsintyg"?
Goteborgs-Posten, No. 88, 18.
Hellerstedt, L. (1987, June 19). Homosexutredning: Aidstest "frikort"
foer loesslaeppt sex. Dagens Nyheter.
Ivey, P. A., Cox, A. L., Harbridge, J. r., & Oldfield, J. K. (1989, August).
A single-chip public key encryption subsystem. IEEE Journal of Solid-
State Circuits.
Painters and Dockers (Rock musicians). (1988). "Safe Sex", Crocodile
(Compact Disk EMA CD1). Export Music Australia.
Prostitutes asked not to give blood. (1987, April 9). New Scientist,
(1555), 29.
Seale, J. R. & Medvedev, Z. A. (1987). Origin and transmission of AIDS.
Multi-use hypodermics and the threat to the Soviet Union: discussion
paper. Journal of the Royal Society of Medicine, 80, 301-304.
Smith, D. (1989, July 14). AZT, Acyclovir, and the case for early
treatment. AIDS Treatment News, Issue No. 83.
Stodolsky, D. (1979a, April 9). Personal computers for supporting health
behaviors. Stanford, CA: Department of Psychology, Stanford University.
(Preliminary proposal)
Stodolsky, D. (1979b, May 21). Social facilitation supporting health
behaviors. Stanford, CA: Department of Psychology, Stanford University.
(Preliminary proposal)
Stodolsky, D. (1979c, October). Systems approach to the epidemiology
and control of sexually transmitted diseases. Louisville, KY: System
Science Institute, University of Louisville. (Preliminary project
proposal)
Stodolsky, D. (1983, June 15). Health promotion with an advanced
information system. Presented at the Lake Tahoe Life Extension
Conference. (Summary)
Stodolsky, D. (1986, June). Data security and the control of infectious
agents. (Abstracts of the cross disciplinary symposium at the University
of Linkoeping, Sweden: Department of Communication Studies).
Stodolsky, D. (1989). Net hormones: Part 1 - Infection control assuming
cooperation among computers [Machine-readable file]. Van Wyk, K. R.
(1989, March 30). Several reports available via anonymous FTP. Virus-
L Digest, 2(77). Abstract republished in van Wyk, K. R. (1989, April 24).
Virus papers (finally) available on Lehigh LISTSERV. Virus-L Digest,
2(98). (Available via anonymous file transfer protocol from LLL-
WINKEN.LLNL.GOV: File name "~ftp/virus-l/docs/net.hormones" at
Livermore, CA: Lawrence Livermore National Laboratory, Nuclear
Chemistry Division and IBM1.CC.LEHIGH.EDU: File name "HORMONES
NET" at Bethlehem, PA: Lehigh University. And by electronic mail from
LISTSERV@LEHIIBM1.BITNET: File name "HORMONES NET" at Lehigh
University).
Stodolsky, D. (in prep.). Conditional privacy: Protecting expression by
one-bit matchmaking.
=========================================================
/---[] []
| Pa | ---------------[]--------------
\---/ | [] |
| |
/---[] | /---[] /---[] |
| Pb | | | Da | | Db | |
\---/ | \---/ \---/ |
| |
| Health Center |
/---[] -------------------------------
| Pc |
\---/
----------------------------------------------------------
Explanation of Symbols:
/---\
Persons | Pi |
\---/
/---\
Doctors | Di |
\---/
Computers []
Figure 1
============================================================
P
h ----------- -----[]-----
y | N1,N2 | | N1,N2 |
s | Pb Da | | Da |
i | | | |
c ----------- ------------
a Pa Pa
l N1 N1=N1
Pb Pa Pa
P Pb
l N2 N2=N2
a Pc Pc Pc Pc
c
e Pb
Time ----------------------------------------------->
T1 T2 T3 T4
----------------------------------------------------------
Explanation of symbols:
Person i Pi Doctor A Da
Physical and Pi
informational Ni Transaction codes Ni
exchange Pj
----
Information Ni,Nj Health Center | |
transmission Pi ----
Information Ni=Ni Health Center -[]-
reception Pi Computer | |
and matching Transmitting ----
Time of operation Ti
Figure 2
===========================================================
David S. Stodolsky, PhD Routing: <@uunet.uu.net:stodol@diku.dk>
Department of Psychology Internet: <stodol@diku.dk>
Copenhagen Univ., Njalsg. 88 Voice + 45 31 58 48 86
DK-2300 Copenhagen S, Denmark Fax. + 45 31 54 32 11