Daily-Dose

Contents

From New Yorker

From Vox

The interim government is showing that it’s still the Taliban.

The Taliban announced an interim government last week, as the movement transitions from insurgency to rulers of Afghanistan.

The top-level cabinet positions are all male, many of them staffed by Taliban loyalists, including those who had positions in the 1990s Taliban. It is a sign that, despite promises of some moderation, the new Taliban looks a lot like the old Taliban.

“At this point, they were like, ‘This is the Taliban, and we won, and we’re going to remain the Taliban,’” said Haroun Rahimi, an assistant professor of law at the American University of Afghanistan and a visiting scholar at the International Institute for the Unification of Private Law in Rome.

This shouldn’t be all that surprising. The Taliban could not abandon the ideology that fueled its 20-year movement, even if it comes with political costs within Afghanistan and with the outside world. That ideology is also helping to hold the movement together, and so, naturally, the leaders of the insurgency are going to find themselves with top positions in the government, Rahimi said. Any other outcome would risk splintering or fracturing the Taliban just as they’re about to take power.

“Posts are divided up as a way of basically rewarding loyalists in the group,” he continued. “This tells me — and I think it tells many countries — that the Taliban may actually be beholden to these internal fractures to the point that it would make them an ineffective government.”

That push-pull — the Taliban’s need to keep themselves together, and the need to actually do the job of government — may be the defining feature of this new chapter in Afghanistan, with unpredictable consequences for both the Taliban and the people in Afghanistan.

I spoke to Rahimi about the new Taliban government and its members, what it says about how the Taliban might rule, and what it means for Afghans and Afghanistan’s evolving relationship with the outside world.

Our conversation, edited and condensed, is below.

Jen Kirby

What are the big first impressions of this new Taliban government?

Haroun Rahimi

It is not permanent. But how long until a permanent government is formed? That’s a question mark; it can be years. The indications are that it’s going to be a long time.

They are all Taliban loyalists, senior members of the group. Many higher positions went to the old guard, meaning the people who were prominent in the first government of the Taliban, including the prime minister [Mullah Mohammad Hassan Akhund] — who’s the head of the government. He was the governor of Kandahar, as well as the foreign minister, and during the insurgency was the head of the leadership council based in Pakistan.

Predominantly, it’s the old guard — at least in the higher positions. There are some other members who are from the insurgency days, not from the old government. For example, the chief of the army staff is a non-Pashtun northerner who represents this new generation of Taliban.

Another thing you can think about is that it is still predominantly the political class of Taliban leadership. There are many people who are known to be major Taliban commanders who are not given a position yet. Even from inside the Taliban group, it seems like there were frictions, and choices were made, and certain factions gained more and some factions lost. If you think in terms of that trend, the political class, the vanguards — the people who claimed maturity and respect within the group — came forward, and the military was pushed a little bit backward.

Jen Kirby

I’m curious if there will be tension there between this political class and the military class, or between the old guard and the new guard. In other words, does this interim government look stable — or are there cracks in the foundation?

Haroun Rahimi

The Taliban have been very good at maintaining internal cohesion for 20 years. Even back when they were in government, they absorbed a lot of losses, a lot of casualties, but did not fracture. After [Taliban leader and founder] Mullah Omar passed away [he reportedly died in 2013], there were some splinter groups, but they reconsolidated fairly quickly.

The fear is that it’s going to be beholden to those internal dynamics, and it’s going to be mostly concerned with maintaining internal cohesion, making it an ineffective government, making it harder for them to compromise, moderate their stance, balance different objectives.

Nothing [in this government] is going to help them achieve the international recognition that they need. Nothing is going to help them appeal to a broader constituency inside the country that is here to help them govern Afghanistan better. Many of these people are given posts, and it’s seen as a distribution of power, not because they have any kind of qualification to run those posts.

Posts are divided up as a way of basically rewarding loyalists in the group. This tells me — and I think it tells many countries — that the Taliban may actually be beholden to these internal fractures to the point that it would make them an ineffective government.

 Wakil Kohsar/AFP via Getty Images
Taliban fighters stand guard along a road in Kabul on September 9.

Jen Kirby

Basically, the Taliban government may be so focused on keeping the peace within the government, they can’t really govern Afghanistan or deal internationally.

Haroun Rahimi

Letting women in would have made their appeal broader to Afghans and internationals. But also it would have upset their base, which sees women’s inclusion as an ideological betrayal. Can the Taliban government make that hard choice? It seems like it cannot.

Jen Kirby

Can you describe the structure of this current Taliban government?

Haroun Rahimi

There is a supreme leader, Mullah Haibatullah Akhundzada, who’s the spiritual leader, or the top leader of the group. Mullah Haibatullah Akhundzada is going to be the head of state.

 Afghan Islamic Press via AP

Mullah Haibatullah Akhundzada will be Afghanistan’s next head of state.

There’s the prime minister, the head of government, that is going to oversee the actual operation of the government. And there’s a cabinet that is going to run different portfolios within the government. The only difference from the previous regime is that it was a presidential system — so president and cabinet. Now there is a prime minister.

They have not yet formalized the entire structure of state. For example, there’s been no announcement of the judiciary. There is no announcement on who’s going to legislate. Partly, I think, the Taliban were not thinking in institutional terms, more in terms of how we can actually get some of the government going and put this question of how we’re going to distribute the power of the government between ourselves. Those were the more urgent concerns they were dealing with.

Jen Kirby

Is there any prospect of any sort of representative body, or even marginal democratic process?

Haroun Rahimi

The Taliban has made clear that, ideologically, they’re against elections. It’s not an ideology in a sense that it’s because of their version of Islam that they are against elections; their version of Islam is used for them to justify the insurgency against a democratic system, and now that they’re in power, it would not allow any elements of democratic governance. Otherwise, they would break the narrative that they had, and it would, I think, dissatisfy a lot of their fighters.

Whether they will have some sort of representative elements in the government, I think it can be managed representation. I think some sort of shura [an Arabic word for “consultation”] council is going to have some base of professional representation — it’s going to be different people from different parts of Afghanistan in some way, finding their ways there in that council to make sure there’s some elements of representation.

It’s not going to be based on elections, and it’s going to be very much people who are pro-Taliban. It’s not going be an opposition. They’re going to be local elites, aligned with the Taliban, who would be handpicked by the leadership that will be put into some sort of council. I think that’s the most likely scenario.

Jen Kirby

So the supreme leader. As head of state, does he call all the shots, or is he more of a figurehead?

Haroun Rahimi

During the past Taliban government, Mullah Mohammed Omar was the supreme leader. He pretty much called all the shots.

But once the Taliban became an insurgency, they went at a different structure. The insurgency was much more diffuse, just because of the fact that they had to be decentralized to survive. Mullah Omar had to be in hiding. There was a leadership council set up, that would basically oversee most of the work of the movement, and that leadership structure had different committees underneath it. The head of that leadership structure during the insurgency, at some point, was Mullah Mohammad Hassan, the person who’s now the prime minister.

But the supreme leader now, Haibatullah Akhundzada, he’s not Mullah Omar. I don’t think he has the same power. He doesn’t seem to be the sole decision-maker the same way Mullah Omar was when they were in power in 1990s.

Mullah Haibatullah is going to have real power, but I think it’s probably not going to be too centralized, just because there are too many heavy hitters and power is more diffuse in the movement right now. I don’t think anyone has the position of Mullah Omar who can claim that kind of monopoly of power in the group today.

Jen Kirby

What do we know about the prime minister, Mullah Hassan Akhund?

Haroun Rahimi

He was the head of the leadership council of the group, which was the highest council in the movement. In Pakistan, he was the top guy. He’s an old-timer. He was the governor of Kandahar during the Taliban movement, which was a huge deal because Kandahar was the seat of the power in the Taliban movement. He was a foreign minister for the Taliban government in the ’90s. He’s a major figure in the movement, old guard, a close person to Mullah Omar and seen as a kind of vanguard of the group.

Jen Kirby

Haroun Rahimi

The choice that was made to downgrade Mullah Baradar and put [Mullah Hassan Akhund] in charge, I think that tells us something. There were many sources saying [Baradar] would be the head of the government. It was very close to him being the top person. It’s literally a demotion just because he’s going to be the deputy prime minister. Even though he was the head of the cabinet office, he was the interlocutor to the world for the Taliban movement, he wasn’t able to be the head of the government.

Why it happened? Many people have different theories as to why it happened. The Taliban group has a complicated relationship with Pakistan. Pakistan obviously hosted the group and its leadership for a very long time. A lot of good ties were made. But also Pakistan tortured, imprisoned, and killed many of the Taliban leaders. Mullah Baradar was in prison for a very long time.

And Baradar was seen as a person who would be anti-Pakistan, a person who was one of the people who did not have good relations with Pakistan. Some see his demotion as a win for Pakistan.

How much of it was internal dynamics in the group? How much of it was facilitated, influenced by the Pakistani government? We don’t know. With the optics of the ISI chief [Pakistan’s intelligence agency] being in Kabul toward the end of the Taliban’s discussions over the government were being finalized, there is a correlation — it’s not causation, but it’s a correlation. Was it coincidence or not? I don’t know.

After the erupting of dispute over the position of head of state and visit of ISI, most probably Mullah Baradar won’t be the head of the new government. Someone very unexpected but close to ISI may take the charge. pic.twitter.com/ew4fzhdiJa

— Rahmatullah Nabil (@RahmatullahN) September 4, 2021

Jen Kirby

Do we have any other insight into the machinations?

Haroun Rahimi

I mean, the Taliban are very good at keeping internal deliberation secret. The internal debates don’t make it outside. This is the way they operated for the past 20 years, and that’s one of the reasons for their success. Even during the Doha talks, all the possible disagreements that existed were well-kept.

But in terms of what happened, Mullah Baradar and other leaders of the group, like the Haqqani network, came to Kabul many times. They spent time in Kandahar. Leadership within the movement went to other provinces and held consultation meetings with different leaders inside the country. There was work going on, you could at least know where the leaders were at different times, it was not just one room or one place, everyone deciding. We don’t know who orchestrated those meetings, what was discussed.

Obviously, there was an external element, too. [Supreme Leader] Mullah Haibatullah hasn’t shown himself in public; many believe he’s outside of Afghanistan. Sirajuddin Haqqani reportedly appeared in the Ministry of Interior. There’s no video or anything, but there are pro-Taliban accounts who tweeted about what he said in his first day. You have to realize that many people are on wanted lists, so there is a real fear that the US may actually drone them if they show up in public.

Jen Kirby

Let’s talk about Sirajuddin Haqqani. He’s on the FBI most-wanted list; he’s under United Nations sanction. Why is that, and what is his role in the movement that makes him different from some of these other guys?

Haroun Rahimi

The Haqqani network is often talked about as a distinct entity because the Haqqani network is classified as a terrorist group under US law. The Taliban is not.

Why is it? First of all, the Haqqani network has much more ties and contacts with the global jihadists, including al-Qaeda. Osama bin Laden, toward the end, was basically hosted in Tora Bora, in the eastern part of the country, by the Haqqani network. The Haqqani network is much more organized than other parts of the movement. Sophisticated attacks in Kabul were attributed to the Haqqani network, because they had more sophisticated and better-organized forces.

They have more sophisticated training, partly because they have a better relationship with global jihadists. And those ties make it a more effective entity as part of Taliban; there was the exchange of know-how, technology, and such linkages. It’s seen as more friendly toward the Pakistani establishment than southern Taliban, Mullah Baradar, for example.

Jen Kirby

And there are a few members of the Haqqani network in the Taliban government?

Haroun Rahimi

There’s a lot of Haqqanis in the government, because Haqqani comes from the name of a madrassa, a series of madrassas where religious trainings are provided. The father of Sirajuddin Haqqani was one of the founders of the madrassa, and a very important figure in the resistance against Soviet Union. So there are a lot of people who graduated from that madrassa and called themself Haqqanis.

The cabinet has other Haqqanis: There are four Haqqanis; two of them are family members, like brothers. But two other Haqqanis are not family members, they’re just the graduates of that madrassas. They are ideologically aligned with the Haqqani network, but they’re not of the family of Haqqani.

Jen Kirby

To place Haqqanis in the government, it looks both ineffective — having your ministers under possible drone attack doesn’t seem great — and it seems like a challenge to the United States and its allies. It looks as if the Taliban is saying we’re not beholden to outside pressures. Is that a fair way to interpret it?

Haroun Rahimi

It was not without understanding that it would cost the movement in terms of international legitimacy. Despite that, the appointments were made. Because to them, it was the right thing to do. These are the powerful people in the movement, and if the Taliban are supposed to establish a government, the most powerful people in the movement are going to hold the most important positions in the government.

Obviously, there is an external cost to this. I think they considered that, but I think they consider those costs to be less than eliminating a major powerful leader in the group that was responsible for this victory. I think they mitigated by saying it is a caretaker, interim government. I think they were smart enough to say, “Okay, we’re going to maybe gauge their reactions, and possibly adjust if it became too costly.” But I think at this point, they were like, “This is the Taliban, and we won, and we’re going to remain the Taliban. Now that we’re in power, we’re not going to be something different.”

Jen Kirby

What about cohesion between the political leadership and the rank-and-file Taliban, the foot soldiers of the movement. Is there any sense of how that is playing out?

Haroun Rahimi

I think the way the foot soldiers in the Taliban felt connected to the group was through ideology. They saw this as a movement; they saw this fight as jihad. Now they are seeing this government as the establishment of an Islamic government. The Taliban indoctrinated fighters in a certain understanding of Islam, and now they kind of have to stick to it, because if they divert, it may eliminate some of the rank and file because of that shared bond of the ideology.

The other issue is just: What are the fighters going to do now? They were fighting together, sleeping together, eating together. Now there’s not a lot of fighting left to do. They are still hanging around in government buildings, maybe doing some patrols of the population. But what’s next for them?

I think that is a major problem for the moment. I mean, if [the Taliban] say, “Go home, everything’s good, go find another job,” maybe a lot of them will be dissatisfied, or they will feel differently about the government. If they’re all going to be made into a police force, who’s going to pay for them? Who’s going to sustain that? If they’re going to be given civil jobs, can they actually do those jobs? Some of them are illiterate, most of them are illiterate. If you put them in charge of the government and reward them with government jobs, what kind of government would that be?

Jen Kirby

The case for the Taliban moderating was always based on this need for international legitimacy, which is a really nice way of saying that they need money. And that does not seem as if it’s going to be forthcoming, especially from the United States and its allies. Is that fair?

Haroun Rahimi

I think international community is going to be divided, for sure. There’s really no one international community. Many countries are going to choose to engage, and many countries are going to choose to support the Taliban and advocate for them, even with the current government.

Pakistan has already started a campaign of getting the Taliban included in the regional organizations. Uzbekistan said they would welcome the new government. China said they welcome it — but at the same time, they only offered about $35 million in aid, which is nothing, considering that it was supposed to be the heavy hitter and the heavy backer of the Taliban.

It seems like China is adopting a cautious approach. Maybe not saying, “We’re not going to recognize you,” but at the same time, not backing up that recognition with actual commitment of resources. Russia said they will not attend the inauguration. Tajikistan said they don’t recognize the government because it was not inclusive. The US and Europe are going to have a different approach. It’s going to be a divided international community, but major actors remain displeased with this move.

I think aid may continue, and I think it should, because there’s going be a humanitarian catastrophe if it doesn’t. But aid is just a Band-Aid. It’s food and medicine, just so people don’t die. It’s not about getting people out of poverty or keeping them above the poverty line. That requires an economic solution. People have jobs and go make money from those jobs. That requires major investments.

The US was pumping a lot of money into the government, into the Afghanistan economy. Yes, a lot of it was stolen, but a lot of it also found its way to the local economy. People were spending money in the country. It was all coming from outside. But now it’s not. Where’s that money going to come from?

There’s a drought going on; the farming sector is not going to flourish anytime soon. We don’t have the ability to build dams and do water management. They have to just weather this drought, because climate change is happening.

Also, a lot of people have moved to the city in the past 20 years just because a lot of money was in the city. It paid better to be in the city than in the village. Kabul used to have NGOs, the government, pumping money in. There’s not a lot of NGOs, and the government is pretty bankrupt. What does Kabul have to offer anymore? A lot of people chose to leave their village and come to Kabul now. They have to go back. Is there a place to go?

The international reaction is going to be mixed, but I think [the Taliban have] made it harder for them to get the investment they need to actually save Afghanistan’s economy — not to go back to the pre-Taliban, but actually save it from catastrophe. A lot of the focus on aid is well-placed in the immediate term. But long term, aid and food and medicine is not what makes up an economy.

Jen Kirby

How fragile should we consider this caretaker Taliban government then?

Haroun Rahimi

I think that that they were smart enough to say, “Okay, we’re gonna do this, but we’re not going make a permanent move.” I think that means they consider that they have to reconsider, make some sort of adjustments, if the international reaction is the worst-case scenario for the Taliban.

What kind of international reaction would generate change? How soon will they be willing to change? What changes would be made? I really don’t know. I think it will be very hard to take some of these heavy hitters out of the government. Not giving someone a position is one thing, taking away someone’s position is obviously even harder for if you think about internal cohesion.

I think they have two options.

One is they can restructure the state, create, like, a higher leadership council, move these people from ministries to higher-level political positions, and turn the cabinet into technical posts that will maybe satisfy some of the Afghans and some of the international community. I think that would be one way to go. But, again, [any] leadership council would have to be incredibly influential and powerful, and I don’t know how it would actually operate, if you have the decision-makers and government separated from each other.

The other alternative is just to use the remaining positions — the government is not a complete government yet — to bring in some other non-Taliban elements. I think there’ll be no women in the cabinet level, but I think they may appoint women in lower levels, like secondary leadership positions, under a lot of international pressure. Maybe in the health sector, education sectors, where they’ve all already shown some willingness to include women.

I think they’re going to take it gradually, do some things on the margins to see how much of the international backlash they can manage.

Jen Kirby

Even with the government they have now, is there any sense beyond the top leadership, they have people to implement policies or pick up the trash, you know, a real government that can govern?

Haroun Rahimi

I keep track of two places. One is Herat. That’s where I’m from. I keep updated on appointments made in Herat, and I keep updated on changes made in the ministry of higher education because I’m a teacher at a university.

All appointments so far have been unqualified Taliban members. Because we talk about collecting trash, the municipality in Herat, the mayor is this Talib who — if you’re looking for technical knowledge of urban planning or urban management — he obviously doesn’t have those. He was a fighter until days ago, but he’s now the mayor. The city is divided into districts. All the people in charge of districts are mullahs, meaning the people who had religious training — minimal often — and also were Talibs, meaning they were part of the fighting cadre of the group.

The minister of higher education, as well. He’s not illiterate, but he wouldn’t have background teaching at a university. He’s a Haqqani and a graduate of Haqqani madrassas, but not of the family Haqqani. He also made a statement saying that modern education is good, but religious education gives you also or maybe even more respect and dignity.

The person who’s the head of the central bank was the person who was running [the Taliban’s] finances. Running the finances of an insurgency group is obviously different than dealing with World Bank, IMF, and the system of finances of the world. But he’s the guy in charge. Does he know monetary policy? I highly doubt that. Does he know how to navigate the international economic structure that exists? Obviously not. They say he knows his stuff, but yes, his stuff was to basically run the finances of a mafia. That’s not how you run the central bank of a country, but that’s going to be the people they have.

Jen Kirby

One of the big concerns in Afghanistan from the US perspective is that the Taliban might become a “safe haven” for terrorists again. Does the interim government tell us anything about that possibility?

Haroun Rahimi

Taliban have different relationships with different terrorist groups in Afghanistan. There are many terrorist groups that are active in Afghanistan; some of them are anti-central Asian countries, anti-Chinese, anti- Indian, anti-Pakistan, and ISIS-K active in Afghanistan. The Taliban have different relationships with each of them. For example, the relationship with the TTP [Tehrik-i-Taliban Pakistan], which is the Pakistani Taliban, there’s a lot of alignment and supportive relationship. Whether they will be able to deliver to the Pakistani government, and crack down on the Pakistani Taliban, is much harder for them to do.

With regard to ISIS-K, they have been fighting each other. For example, they have already closed down a number of Salafi madrasas, the brand of Islam, that ISIS-K members often subscribe to.

With regard to al-Qaeda, every indication we have so far is that they are not going to be very aggressive against al-Qaeda. The people who were put in power, especially the Haqqani bunch, are known to have a good relationship with al-Qaeda. There were even indications lately that they will not really promise that they will cut ties.

They interpret their commitment narrowly, basically saying, “We’re not going let anyone use Afghanistan soil against other countries.” That means if there’s an attack in the future, saying, “Okay, even if was al Qaeda they did not plan they attack in Afghanistan, they planned it somewhere else.” There’s a lot of plausible deniability. It will be very hard for anyone to hold him accountable to that.

I think if the world pushes the Taliban toward the path of isolation — complete sanctions, etc. — they may actually get closer to al-Qaeda if they don’t have another funding source. So I think they haven’t shown any willingness to be aggressive towards al-Qaeda yet.

Jen Kirby

The same week the Taliban announced this government, it also violently broke up a protest in Kabul. If I’m an Afghan, what does this government say about my future right now?

Haroun Rahimi

There is a Nobel laureate economist, Albert O. Hirschman, who wrote a book called Loyalty Voice, and Exit. He was basically saying that if someone is unhappy with your organization, they have two choices, they can exit the organization, or they can voice their business or say something or make an attempt to change it. Which one they choose is going to be a function of the loyalty, how invested they are in your organization.

I think you can look at Afghanistan in those terms, too. It’s a different dynamic, but there’s a lot of similarities. For example, many Afghans will choose to leave, to exit, don’t try to change the Taliban, don’t try to make a difference in Afghanistan. The refugee exodus is a thing; a lot of people are trying to get out.

    <img alt=" " src="https://cdn.vox-
cdn.com/thumbor/8krL09EWVymHwUYZcBrUPLqzqo8=/800x0/filters:no_upscale()/cdn.vox- cdn.com/uploads/chorus_asset/file/22848169/GettyImages_1235143230.jpg" /> Marcus Yam/Los Angeles Times via Getty Images
Taliban fighters try to stop the advance of anti-Taliban protesters in Kabul, a day after they announced an all-male interim government without representation for women and ethnic minority groups on September 8.
 Aamir Qureshi/AFP via Getty Images
Taliban fighters escort pro-Taliban women as they march outside Shaheed Rabbani Education University in Kabul on September 11.

There’s going to be people who choose to stay and try to make a difference. Some of it is going to be armed resistance. Some of it is there, but they lack leadership, they lack foreign support, they lack even the manpower, because the country is so war-fatigued. So the armed resistance may not have a lot to draw on, but it exists.

The other would be to raise your voice to demonstrate. I think that’s where most Afghans who choose to stay and are unhappy with the Taliban may choose to go. Herat, my hometown, there were demonstrations. The choice people make — to stay, go resist, armed resistance or not — this is going to be depending on how much invested people are in Afghanistan, what are the options of leaving, and also how the Taliban will react to all of this, if they tolerate peaceful resistance and don’t use a lot of violence against them.

Jen Kirby

I imagine how the Taliban respond to peaceful protest may influence the possibility of a more organized armed resistance.

Haroun Rahimi

It took the Taliban a while to create an insurgency, too. It took them until 2004 to have a serious insurgency; they were topped in 2001.

I think one thing people may not pay enough attention to is this idea of performance legitimacy. You can have a very bad dictatorship, and as long as people’s lives don’t become unbearable, you’re more likely to stay in power and not get challenged. But if people don’t have anything to eat, if people’s lives are miserable, if the government doesn’t really have anything to show for itself, it’s very hard to keep people happy.

If the Taliban can make the economy work well, it’s peaceful, and people can live, I think pressure to get representation, women’s rights and such, may actually become much more manageable. If they don’t give people rights, if they’re not inclusive, and at the same time people are getting poorer, you’re going to see some sort of resistance.

Millions of people got Covid-19 tests through Walgreens. Their information wasn’t adequately protected.

If you got a Covid-19 test at Walgreens, your personal data — including your name, date of birth, gender identity, phone number, address, and email — was left on the open web for potentially anyone to see and for the multiple ad trackers on Walgreens’ site to collect. In some cases, even the results of these tests could be gleaned from that data.

The data exposure potentially affects millions of people who used — or continue to use — Walgreens’ Covid-19 testing services over the course of the pandemic.

Multiple security experts told Recode that the vulnerabilities found on the site are basic issues that the website of one of the largest pharmacy chains in the United States should have known to avoid. Walgreens has promoted itself as a “vital partner in testing,” and the company is reimbursed for those tests by insurance companies and the government.

Alejandro Ruiz, a consultant with Interstitial Technology PBC, discovered the issues in March after a family member got a Covid-19 test. He says he contacted Walgreens over email, phone, and through the website’s security form. The company was not responsive, he says, which didn’t surprise him.

“Any company that made such basic errors in an app that handles health care data is one that does not take security seriously,” Ruiz said.

Recode informed Walgreens of Ruiz’s findings, which were confirmed by two other security experts. Recode gave Walgreens time to fix the vulnerabilities before publishing, but Walgreens did not do so.

“We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate,” the company told Recode.

People’s sensitive data could be exposed to numerous ad and data companies to use for their own purposes, or they may be discouraged from getting a Covid-19 test from Walgreens if they aren’t confident that their data will be secure. The platform’s vulnerabilities are also another example of how technology meant to assist in the effort to stop the pandemic was built or implemented too quickly and carelessly to fully take privacy and security into account.

Walgreens also wouldn’t say how long its testing registration platform has had these vulnerabilities. They go back at least as far as March, when Ruiz discovered them, and likely far longer than that. Walgreens has offered Covid-19 tests since April 2020, and the Wayback Machine, which keeps archives of the internet, shows blank test confirmation data pages as far back as July 2020, indicating that the issue dates back at least that far.

The problems are in Walgreens’ Covid-19 test appointment registration system, which anyone who wants to get a test from Walgreens must use (unless they purchase an over-the-counter test). After the patient fills out and submits the form, a unique 32-digit ID number is assigned to them and an appointment request page is created, which has the unique ID in the URL.

The page created after a patient signs up for a Covid-19 test (patient ID in URL has been blurred).
The page created after a patient signs up for a Covid-19 test (patient ID in URL has been blurred).

Anyone who has a link to that page can see the information on it; there’s no need to authenticate that they are the patient or log in to an account. The page remains active for at least six months, if not more.

“The technical process that Walgreens deployed to protect people’s sensitive information was nearly nonexistent,” Zach Edwards, privacy researcher and founder of the analytics firm Victory Medium, told Recode.

The URLs for these pages are the same except for a unique patient ID contained in what’s called a “query string” — the part of the URL that begins with a question mark. As millions of tests across more than 6,000 Walgreens testing sites were run using this registration system, there are likely millions of active IDs out there. An active ID could be guessed, or a determined hacker could create a bot that rapidly generated URLs in the hope of hitting any active pages, security experts told Recode, giving them a source of biographical data about people they could potentially use to hack their accounts on other sites. But, given how many characters are in the IDs and therefore how many combinations there are, they said it’d be close to impossible to find just one active page this way — even with the millions of them out there. Of course, close to impossible is not the same as impossible.

Anyone who has access to someone’s browsing history can also see the page. That might include an employer that logs employees’ internet activities, for example, or someone who accesses the browser history on a public or shared computer.

“Security by obscurity is an awful model for health records,” Sean O’Brien, the founder of Yale’s Privacy Lab, told Recode.

What makes this potential leak significantly worse is just how much data is stored on the website and who else could be getting access to it. Only the patient’s name, type of test, and appointment time and location are visible on the public-facing pages themselves, but far more than that is behind the scenes, accessible through any browser.

As it did with vaccine appointments, Walgreens requires a great deal of personal data to register for one of its tests: full name, date of birth, phone number, email address, mailing address, and gender identity. And with a few clicks in a browser’s developer tools panel, anyone with access to a specific patient’s page can find this information.

    <img alt="Walgreens’ confirmation pages contain loads of sensitive personal information (blurred)." 
src=“https://cdn.vox-cdn.com/thumbor/n5Xp1prqngoyGTh4AB-lIc5a2mg=/800x0/filters:no_upscale()/cdn.vox- cdn.com/uploads/chorus_asset/file/22848439/walgreens_json_2.jpg” />
Walgreens’ confirmation pages contain loads of sensitive personal information (blurred).

Included is an “orderId,” as well as the name of the lab that performed the test. That’s all the information someone would need to access the test results through at least one of Walgreens’ lab partners’ Covid-19 test results portals, though only results from the last 30 days were available when a Recode reporter looked hers up.

Ruiz and the other security experts Recode spoke to also expressed alarm at the number of trackers Walgreens placed on its confirmation pages. They flagged the possibility that the companies that own these trackers — including Adobe, Akami, Dotomi, Facebook, Google, InMoment, Monetate, as well as any of their data-sharing partners — could be ingesting the patient IDs, which could be used to figure out the URLs of the appointment pages and access the information they hold.

“Just the sheer number of third-party trackers attached to the appointment system is a problem, before you consider the sloppy setup,” Yale’s O’Brien said.

Analysis from Edwards, the privacy researcher, found that several of those companies were getting URIs, or Uniform Resource Identifiers, from the appointment pages. Those could then be used to access the patient data if the company receiving them were so inclined. He said this type of leak is similar to what he discovered on websites including Wish, Quibi, and JetBlue in April 2020 — but “much worse,” as only email addresses were leaked in those cases.

“This is either a purposeful ad tech data flow, which would be truly disappointing, or a colossal mistake that has been putting a huge portion of Walgreens customers at risk of data supply chain breaches,” Edwards said.

Walgreens told Recode that it was a “top priority” to protect its patients’ personal information, but that it also had to balance the need to secure information with making Covid-19 testing “as accessible as possible for individuals seeking a test.”

“We continually evaluate our technology solutions in order to provide safe, secure, and accessible digital services to our customers and patients,” Walgreens said.

Again, Walgreens did not fix the issues before the extended deadline Recode provided to the company, nor would it tell Recode if it planned to do so. It did not address Recode’s questions about the ad trackers except to say that its use of cookies is explained in its privacy policy. However, tracking through cookies was not the issue Recode and Ruiz identified to Walgreens, and the company didn’t comment further when this was explained to it.

“This is a clear-cut example [of this type of vulnerability], but with Covid data and tons of personally identifiable information,” Edwards said. “I’m shocked they are refuting this clear breach.”

Ruiz’s family member’s data, along with that of potentially millions of other patients, remains up today.

“It’s just another example of a large company that prioritizes its profits over our privacy,” he said.

From The Hindu: Sports

From The Hindu: National News

From BBC: Europe

From Ars Technica

From Jokes Subreddit