Schneier on Security
A blog covering security and security technology.
« Identity Cards Don't Help |
| Shoulder Surfing Keys »
September 7, 2005
Lance Armstrong Accused of Doping
Lance Armstrong has been accused of using a banned substance while racing the Tour de France. From a security perspective, this isn't very interesting. Blood and urine tests are used to detect banned substances all the time. But what is interesting is that the urine sample was from 1999, and the test was done in 2005.
Back in 1999, there was no test for the drug EPO. Now there is. Someone took a old usine sample -- who knew that they stored old urine samples? -- and ran the new test.
This ability of a security mechanism to go back in time is interesting, and similar to police exhuming dead bodies for new forensic analysis, or a new cryptographic technique permitting decades-old encrypted messages to be read.
It also has some serious ramifications for athletes considering using banned substances. Not only do they have to evade any tests that exist today, but they have to at least think about how they could evade any tests that might be invented in the future. You could easily imagine athletes being stripped of their records, medals, and titles decades in the future after past transgressions are discovered.
On the other hand, athletes accused of using banned substances in the past have limited means by which to defend themselves. Perhaps they will start storing samples of their own blood and urine in escrow, year after year, so they'd have well-stored and untainted bodily fluids with which to refute charges of past transgressions.
Posted on September 7, 2005 at 6:32 AM
• 36 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Storing the blood doesn't help an athlete, because in many cases the testing methods are secret, and are not performed in neutral labs or under reproducible conditions. The blood-doping test, for instance, while based on published research, uses a very secret set of tests (with unpublished false positive rates, etc.), and so cannot be refuted or even effectively argued against by an accused athlete.
By the way, the article states that they were testing urine, not blood.
It should be noted that "the" EPO test isn't excactly bulletproof: here in Belgium we have an athlete (Rutger Beke) who tested positive but was later found innocent.
"It should be noted that 'the' EPO test isn't excactly bulletproof...."
That's certainly true.
From what I've read, there are going to be no official sanctions, or even an official accusation, based on the test results. This is all the result of a newspaper getting a copy of the results.
he's not suggesting that they store the blood as "clean" against future doping - he's suggesting that clean atheletes store their blood to refute future accusations.
"By the way, the article states that they were testing urine, not blood."
You're right. My mistake.
I fixed the essay.
Everything is about money. An athlete doesn't care if 10 years latter he will be accused of doping. He already have the several millions contract with the big sports team and the big advertising company. The worst can happen to him is get fired. No one will ask him to reimburse all the money he already have.
Help me understand - the 'sample' is from 1999, right? EPO was banned in 2000. If he took in in '99, it probably wasn't sanctioned but wasn't against the rules. So, maybe shame on him but let they need to let it go.
Wrong. EPO has been banned for a long time, there just wasn't a test for EPO. The only riders to get busted for EPO, before, say, 2000, was when they got busted with EPO in their hotel.
This has implications potentially beyond sports - employees are often drug tested as well.
I always refuse on principle to give urine samples, and AM occasionally asked by clients. My principles are for sale however! On several occasions I have offered to "sell my urine" for US$5,000 per vial.
Hey, it's mine! No takers so far. BTW, my urine should test "clean," except for an abundance of caffeine.
Joe Lindsey of mountainbike.com has a very good analysis of the events, along with a strong background on the subject of doping in cycling. I suggest anyone looking for more information about this subject include his articles in your reading.
the security surrounding lance armstrong's alleged positive epo test doesn't pass the smell test. it wasn't done according to the protocol of the sport, it was done in a back room without supervision, enabling tampering with the sample, there is no backup sample now to verify the result, and the people doing it had motivation to smear mr. armstrong. the french are sore losers, and this is what happens when somebody humiliates them seven times in their showcase event. i can't wait till 2010 when they get around to testing his 2005 samples.
Jeez, does everything have to be about politics and the french hating the US and, as a result, Mr. Armstrong.
You are wrong, sir. The only "security" missing was an A sample. There is no motivation to "smear" Mr. Amrstrong. In fact, unlike most Americans, the French love Mr. Arsstrong and the tour director couldn't have gotten enough of Armstrong (though he's seen the test and now he's mad). If you had done any research you'd see the French haven't beeb able to contest the tour well, well before Lance won it. Get real and loose the talking points.
Try a fresh start on this, holding one assumption in mind: the result was a false positive. Blind faith in test results is very bad security.
Wasn't there already a massive EPO scandal in the 1998 Tour de France in which about half of the teams were forced to withdraw from the race? You have to wonder why competitors were still taking it after that point. I can only guess the gains outweighed the risk.
"the people doing it had motivation to smear mr. armstrong"
Wrong. The people doing it had motivation to sell newspapers.
I don't know the full details of the story, but as I understand it, there are enough holes in what happened here to illustrate why it's perfectly reasonable for athletes to fight drug testing in every possible way. Some thoughts:
I have been unable to find any information regarding the reliability of the specific test performed. There is no false positive rate published -> the closest I could come to a definitive answer was here:
"Only 6 labs in the world as of this past March carried out the EPO test. Dr. Catlin said, 'I don't know how other labs do it (the exact procedures they use in carrying out the test), but we don't call a test positive unless we're absolutely sure'. In addition, the March 2003 WADA report evaluating the urine EPO test stated 'in its normal use, this test, apparently, has never been found to give false positive results'.
This is a horrible measurement -> without a definition of "normal use", or an analysys of what "absolutely sure" means, we can't evaluate this test. I'm also always highly suspicious of anyone who provides "this has never been known to provide a false positive" as a point in an argument.
So, we don't know how accurate the test is.
Next point -> there is an established protocol for testing, with two samples to provide redundancy in the event of a positive test (so that the athlete can demand a second test, on the second sample, using a different testing authority if they so desire). This protocol wasn't followed in this case -> the original sample was already used, and this was a case of a second sample being used in a test environment, outside of the normal testing protocol.
Finally, there are privacy issues here -> the samples are supposed to be identified only by number, not by athlete, so that they can only be identified by an authorized party (presumably after the protocols have all been followed properly). The identification was performed by an unauthorized party.
So, we have the case where a sample that existed solely to provide a verification in coordination with a second sample was used outside the established testing protocol and then identified by unauthorized personnel.
Let's say I'm an athlete, who has a vested interest in keeping my public image free of these sorts of allegations of drug use (due to corporate sponsors or, if I don't give a hang about the money, just a desire to be known by the public as an honest competitor). I'm trying to be a good citizen by participating in drug testing programs, for the "good of my sport". Then my samples are used, outside of the established testing process, without my permission, and the results are then published by an unauthorized entity. How am I supposed to respond to this?
I'll tell you how *I* would respond to this -> I would sue the dickens out of the testing authority, the ruling body, and the publisher of the suspicious results. I would also get together with my union and demand that privacy laws be passed that ensured that a reoccurance of this event would lead to criminal prosecutions of those responsible for the misuse of my sample outside of the testing protocol.
> I always refuse on principle to give urine samples,
> and AM occasionally asked by clients.
I don't necessarily disagree with allowing corporations or athletic institutions to impose drug tests on their employees/competitors, but when there are no protections in place for the employees/competitors for exactly this failure mode, I think the public has a right to abstain from the tests, and should not be penalized for doing so.
There is another aspect of security at play here as well. The samples were supposedly stored with only a serial number of some type, with no indication of whose urine it was. Now, this French media company expects us to believe that they have been able to match the serial number with something identifying Lance Armstrong, even though this was not supposed to exist. How does one go about proving that claim? Or is it more beneficial to simply make the claim, knowing that it is sensational enough to get reported worldwide, and not worry too much about proof?
I agree that the French aren't getting "pissy" about Armstrong winning. They are actually happy for him. This is all about selling newspapers. Where ever you go, you will find "yellow" journalism somewhere. (sorry, had to "do" it).
"Perhaps they will start storing samples of their own blood and urine in escrow, year after year"
Seems like a top-notch athlete in a regulated sport already should have this kind of data, especially if they have been undergoing regular medical treatments for serious illnesses, etc.
If they don't already record "substance abuse" data, this might just be a matter of adding a few points to the normal barrage of samples and tests already being done, and perhaps allowing some kind of independent certification authority to periodically audit and approve the results before they are archived.
Medical records qualify as highly sensitive and regulated information, especially for athletes where the threat of disclosure is extra high. You would be surprised how many reporters, "gamblers", etc. are willing to get medical data by any means necessary on athletes -- big money, or even careers, are at stake.
And so, from a slightly related perspective, when people ask me about sensitive information retention policies I often tell them that it's best to keep a secure WORM-like record of anything that has a remote chance of being disclosed.
I agree that unless you can be assured of absolute destruction of data, you need a trusted method to establish validity down the road.
What are "usine samples" and "urie samples" ?
Re: Drug testing
I've only ever dealt with drug testing as an employee, not an employer.
Since you're involved in running a corporate entity, I'd be interested in hearing your take on drug testing, if you're able to comment (if you're not due to corporate policy, that's fine) :)
Do you test Counterpane employees? If you do:
Is this an "upon hiring" or "scheduled" test?
How do you evaulate your testing facility?
What is the protocol for challenging a test result?
How often (if ever) have you found a positive test to be successfully challenged?
The real irony, for me, is that the purpose of the samples was to protect the athlete. They were taken so that in the event of a positive test, a second independent test could be conducted. Instead, they're used to smear the athlete's reputation, with no recourse for independent analysis.
@I can't spell:
Despite the differences in spelling, usine samples are just like urie samples. They're both urine samples designed to pass through ignorant email filters for the list version of Cryptogram.
Dunno what the Tour du France director was thinking. Shouldn't he understand the importance of the protocol and that the protocol wasn't followed was grounds to dismiss the claims out of hand?
Anyway Lance is so pissed with the French smear campaign that he's considering ending his recent retirement. http://thestar.com.my/sports/story.asp?file=/...
That should get a few French knickers in knots. ;)
One can really wonders why the Tour de France is always faster in speed every year, and this after bikers stopped getting EPO after 1998 or 99 ... What could we deduce of that? Bikers stopped taking EPO and are faster?? Splendid!
At least bikers help the pharmaceutical companies to develop better drugs. These companies use unscupulously sportmen at the risk of their lives (or balls) to test new drugs. And I am not talking about the "doctors" that supervise injection. All of them sold their soul, and that's really a shame.
If you want to keep the debate at the stupid French-American relations level, you are missing something.
what are you a professor of, religion? i ask this because you evidently don't know what science is. science is the investigation of that which is knowable and verifiable, with a view to developing theories which are useful in predicting future events. a newspaper paid money to subvert the supervised, regulated protocol of drug testing in cycling, its illegitimate "test" implicates lance armstrong, and with no "b" sample left now, the conclusion printed in the newspaper is unverifiable, and consequently in the realm of faith rather than science. it all depends on how much faith you have in french journalists. your unquestioning willingness to believe what you hear about in a foreign newspaper is touching; i regret that i do not share it, i don't even trust american journalists.
This case is interesting in that they're pulling out six year old samples, but keep in mind that cyclists get caught doping all the time. Today it was Belgian Jan Kuyckx, for ephedrine and norpseudoephedrine. He has a defense involving pseudoephedrine (allowed) breaking down into orpseudoephedrine and ephedrine in the body.
Guilty or not, this is weekly news for cycling fans.
Why is it that only these six samples are tested? Aren't they testing old samples to todays standards? When all cyclers where tested, I suppose they were all positive, so waht are we talking about?
Or is it a journalist, who wants to earn some ditry money.
All the best to Lance...
Forget fale positives, false negatives and sample tampering. This is not about doping... In 1999 there was a world class athlete recovering from testicular cancer and chemo who may have been given EPO. Red blood cells are as important as electrolytes... shall we hold bananas and orange juice prior to a race? EPO had no bearing on his win in 1999 or there after. Those who would attempt to smear a reputation, tamper with a sample or publish yellow journalism will always be around. Lance should procreate a legion of riders and dominate the sport for the next 50 years... that'll show them! Its in the genes... Ride On Lance!
The part of this debate which most confuses me is: don't the "powers that be" which oversee the tour have a vested interest in preserving its integrity? American and Frenchman alike understand that if everyone says "not guilty" somebody is lieing. The issue of doping in all sports is becoming so prevalent, and so often denied, that simply asking the question "are you using steroids" requires the accused to PROVE his innocence. Subsequently, guilty until proven innocent becomes the standard. Take that slippery slope far enough and it isn't difficult to imagine a society where it is perceived that any champion is most likely cheating. Even if we believe there is only a small chance of his/her guilt, the lingering doubt is enough to destroy our faith, and consequently the very purity that draws us to sports in the first place. By selling a few million papers today, has their short-sightedness not cost them billions down the road by corroding the legitamacy of the champions of their premier competition?
How do you say "McCarthyism" in French??
Right on kit! Im right there with you on that one.
You always have our support Lance,
Now the truth is finnaly coming out in the new reports.
Good luck Lance and Crow!
I am horrified with this! if Lance Armstrong did take drugs he shouldnt be able to live with himself. He has touched the hearts of people all over the world with his courage. If all that is a sham its shocking!
"Perhaps they will start storing samples of their own blood and urine in escrow, year after year, so they'd have well-stored and untainted bodily fluids with which to refute charges of past transgressions."
Many athletes are already able to defeat urine and blood tests. I think the integrity of any samples, not taken randomly within and outside competition, will lack creditability.
Athletes sometimes test positive after unkowingly taking a banned substance - look at Greg Rudeski. Trying to remember what caused a sample you gave five years ago to test positive (if you are innocent) might be close to impossible.
Having said all that, the horse racing industry in Western Australia has been doing such testing for more than ten years. I think it has the potential to reduce the use of illegal performance enhancing substances in sports if appropriate protocols are put in place (perhaps taking more than two samples).
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.