Blackbox: Online voting in the 2020 elections

Written By: Michael Walsh

A Byte of Online Voting

Sorry, you cannot vote online in the primaries or in presidential elections this year. That is, unless you have been selected to participate in one of the few small-scale pilot programs, such as the DemocracyLive system in Seattle, Washington, the Voatz platform in West Virginia, or most recently, the Shadow voting tool used for the 2020 Iowa caucuses just a few weeks ago. [1] These voting tools use blockchain technology to generate a unique hash for each vote. [2] To mitigate the risk of election tampering, the votes are submitted, but not counted electronically. [3] Each electronic submission is verified with a printed version of the ballot, then the printed ballots are tallied to calculate the total number of votes. [4] These electronic systems are usually deployed in areas in which voter turnouts are low or voting is only possible by remote means. [5][6] Ideally, these types of services may help improve voter turnout in the United States—a country in which less than 56% of voting-age adults participated in the 2016 presidential election. [7]

There is little federal oversight for online voting infrastructure, but Congress allocated an additional $380 million for voting infrastructure and security improvements [8], and 85% of those funds are estimated by the U.S. Election Assistance Commission to be used by states before the 2020 election. [9][10][11] Ideally, those funds will help to alleviate problems in areas with intermittent or low-bandwidth internet connections, such as some of the precincts that experienced problems with the Shadow voting app during the 2020 Iowa caucuses. [12][13][14] Additionally, a slew of other bills has been introduced to help secure elections from (predominantly foreign) interference. [15] One amendment to the Help America Vote Act (“HAVA”) of 2002, passed in December 2019, allocated an additional $400 million to help secure voting infrastructure. [16][17] However, some experts indicate that modernizing and securing current voting infrastructure would cost nearly $2.5 billion, not considering recurring maintenance costs. [18] Modernizing Pennsylvania’s infrastructure alone is estimated to cost upwards of $150 million, which accounts for nearly half of the total HAVA funds allotted by Congress. [19]

Election Security Concerns and the 2016 Election

The costs to establish secure voting infrastructure do not seem so exorbitant when considering voter trust. The year 2016 marked the first year in which Russian interference influenced the presidential elections. [20][21][22] This foreign interference happened not by meddling with voter infrastructure (which now usually verifies electronically submitted votes with paper ballots), but by alternative means such as phishing, distributed denial-of-service (“DDoS”), and denial-of-service (“DoS”) attacks. [23][24][25] Such interference in 2016 will certainly not be the last. [26][27] In a recent national survey that asked politicians about cybersecurity risks, “[f]orty percent said they’ve had an account compromised in a phishing attack. And 60% said they haven’t significantly updated the security of their accounts since 2016.” [28] Even without direct interference with voter infrastructure, threat actors can make a meaningful difference in the outcome of elections with phishing, DDoS and DoS attacks on other vectors including campaign email accounts or insecure servers used by political groups. In response, Microsoft and Google (the companies that provide the most popular email services in the nation) have been implementing security measures to prevent these attacks. Most countermeasures focus on implementing typical information security protections, such as multi-factor authentication, tokenization, and software-based mitigation techniques, such as spoofing and phishing detection. [29][30]

Experts still have many questions about the security and privacy of electronic voting systems, particularly those that are completely paperless. [31][32][33][34][35] Nevertheless, some voting this year will be done in select states by phone or PC through the Voatz system (but with paper ballot verification). [36] Voatz uses blockchain technology paired with biometric data from users’ phones, such as face scans and fingerprints. Although this version of multi-factor authentication may alleviate fraudulent voting, it poses serious privacy concerns [37] and does not address other salient security risks of online voting, such as phishing, DDoS, and DoS attacks. Regardless, the future of voting is likely to be a digital one, as a recent study from the University of Chicago found. The survey estimated that voter turnout could increase by several percentage points [38][39], a figure that could compound with the help of universally compatible voting technology.

 

[1] Emily S. Rueb, Voting by Phone Gets a Big Test, but There Are Concerns, THE NEW YORK TIMES (Jan. 23, 2020), https://www.nytimes.com/2020/01/23/us/politics/mobile-voting-washington.html [https://perma.cc/B2SR-NF88].

[2] Voatz, Frequently Asked Questions, https://voatz.com/faq.html [https://perma.cc/9RBS-6BK5].

[3] Id.

[4] Id.

[5] Emily Dreyfuss, Smartphone Voting Is Happening, but No One Knows if It’s Safe, WIRED (Aug. 9, 2018), https://www.wired.com/story/smartphone-voting-is-happening-west-virginia/ [https://perma.cc/JC2B-SYWF].

[6] Rueb, supra note 1.

[7] Drew Desilver, U.S. Trails Most Developed Countries in Voter Turnout, PEW RESEARCH CENTER (May 21, 2018), https://www.pewresearch.org/fact-tank/2018/05/21/u-s-voter-turnout-trails-most-developed-countries/ [https://perma.cc/4T3C-4JD4].

[8] The Impact of HAVA Funding on the 2018 Elections, U.S. ELECTION ASSISTANCE COMMISSION (2019), https://www.eac.gov/sites/default/files/paymentgrants/TheImpactofHAVAFundingonthe2018Elections_EAC.pdf [https://perma.cc/6KDW-RNEJ].

[9] Id.

[10] U.S. Senate Committee on Rules and Administration Oversight of the Election Assistance Commission, U.S. ELECTION ASSISTANCE COMMISSION (May 15, 2019), https://www.rules.senate.gov/imo/media/doc/EAC_Testimony.pdf [https://perma.cc/95VB-NA4H].

[11] Elizabeth Howard, Defending Elections: Federal Funding Needs for State Election Security, THE BRENNAN CENTER (July 18th, 2019), https://www.brennancenter.org/our-work/research-reports/defending-elections-federal-funding-needs-state-election-security [https://perma.cc/P7UC-8ZW4].

[12] Kevin Roose, The Only Safe Election is A Low-Tech Election, THE NEW YORK TIMES (Feb. 4, 2020), https://www.nytimes.com/2020/02/04/technology/election-tech.html [https://perma.cc/2C8W-982G].

[13] Nick Corasaniti, Sheera Frenkel & Nicole Perlroth, App Used to Tabulate Votes is Said to Have Been Inadequately Tested, THE NEW YORK TIMES (Feb. 3, 2020), https://www.nytimes.com/2020/02/03/us/politics/iowa-caucus-app.html [https://perma.cc/B7TG-YJ2P].

[14] Keith Collins, Denise Lu & Charlie Smart, We Checked the Iowa Caucus Math. Here’s Where it Didn’t Add Up, THE NEW YORK TIMES (Feb. 14, 2020), https://www.nytimes.com/interactive/2020/02/14/us/politics/iowa-caucus-results-mistakes.html [https://perma.cc/HH8N-DURV].

[15] S. 2669, 116th Cong. (2019); H.R. 1946, 116th Cong. (2019); H.R. 4990, 116th Cong. (2019).

[16] U.S. Election Assistance Commission, How Can The States Use the Funds?, U.S. ELECTION ASSISTANCE COMMISSION (Jan. 6, 2020), https://www.eac.gov/how-can-states-use-funds-0 [https://perma.cc/79W6-WHYA].

[17] H.R. 1158 § 501, 116th Cong. (2019).

[18] Lawrence Norden and Edgardo Cortez, What Does Election Security Cost?, THE BRENNAN CENTER (Aug. 15, 2019), https://www.brennancenter.org/our-work/analysis-opinion/what-does-election-security-cost [https://perma.cc/TL69-YCU2].

[19] Howard, supra note 11.

[20] U.S. Senate Committee 116th Congress, Report of the Select Committee on Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election Volume 1: Russian Efforts Against Election Infrastructure With Additional Views, https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume1.pdf [https://perma.cc/CZ47-7XLY].

[21] Andy Greenberg, Feds’ Damning Report on Russian Election Hack Won’t Convince Skeptics, WIRED (Jan. 6, 2017), https://www.wired.com/2017/01/feds-damning-report-russian-election-hack-wont-convince-skeptics/ [https://perma.cc/2T8Q-YZR9].

[22] David E. Sanger and Catie Edmonson, Russia Targeted Election Systems in All 50 States, Report Finds, THE NEW YORK TIMES (July 25, 2019), https://www.nytimes.com/2019/07/25/us/politics/russian-hacking-elections.html [https://perma.cc/78SM-YVZ4].

[23] Andy Greenberg, Everything We Know About Russia’s Election-Hacking Playbook, WIRED (June 9, 2017), https://www.wired.com/story/russia-election-hacking-playbook/ [https://perma.cc/EAZ8-W5Z4].

[24] Shannon Bond, 2020 Political Campaigns Are Trying To Avoid A 2016-Style Hack, NAT’L PUB. RADIO (Jan. 28, 2020), https://www.npr.org/2020/01/28/799062773/2020-political-campaigns-are-trying-to-avoid-a-2016-style-hack [https://perma.cc/T2ER-KQ9U].

[25] Jeremey Ashkenas, Was It a 400-Pound, 14-Year-Old Hacker, or Russia? Here’s Some of the Evidence, THE NEW YORK TIMES (Jan. 26, 2017), https://www.nytimes.com/interactive/2017/01/06/us/russian-hack-evidence.html [https://perma.cc/U9CX-N829].

[26] Miles Parks, Russian Hackers Targeted The Most Vulnerable Part Of U.S. Elections Again, NAT’L PUB. RADIO (July 28, 2018), https://www.npr.org/2018/07/28/633056819/russian-hackers-targeted-the-most-vulnerable-part-of-u-s-elections-again [https://perma.cc/MR8E-3H3Q].

[27] Shannon Bond, Microsoft Says Iranians Tried To Hack U.S. Presidential Campaign, NAT’L PUB. RADIO (Oct. 4, 2019), https://www.npr.org/2019/10/04/767274042/microsoft-says-iranians-tried-to-hack-u-s-presidential-campaign [https://perma.cc/K9ST-T55N].

[28] Bond, supra note 24.

[29] Tom Burt, Protecting Democracy with Microsoft AccountGuard, MICROSOFT BLOG (August 20, 2018), https://blogs.microsoft.com/on-the-issues/2018/08/20/protecting-democracy-with-microsoft-accountguard/ [https://perma.cc/7MGY-MW5X].

[30] Lily Hay Newman, Google’s Giving Out Security Keys to Help Protect Campaigns, WIRED (Feb. 11, 2020), https://www.wired.com/story/google-free-security-keys-campaigns/ [https://perma.cc/4TN7-9SQ2].

[31] David Jefferson et al., What We Don’t Know About the Voatz “Blockchain” Internet Voting System (May 1, 2019), https://cse.sc.edu/~buell/blockchain papers/documents/WhatWeDontKnowAbouttheVoatz_Blockchain_.pdf [https://perma.cc/62H2-MQN4].

[32] Michael A. Specter et al., The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections, Mass. Inst. of Tech., https://internetpolicy.mit.edu/wp-content/uploads/2020/02/SecurityAnalysisOfVoatz_Public.pdf [https://perma.cc/89H7-XLP2].

[33] Abby Abazorius, MIT Researchers Identify Security Vulnerabilities in Voting App, MIT NEWS (Feb. 13, 2020), http://news.mit.edu/2020/voting-voatz-app-hack-issues-0213 [https://perma.cc/AA49-97FS].

[34] Robby Mook et al., Cybersecurity Campaign Playbook, HARV. KENNEDY SCHOOL BELFER CENTER (Nov. 2017), https://www.belfercenter.org/CyberPlaybook [https://perma.cc/82NN-KA57].

[35] Miles Parks, In 2020, Some Americans Will Vote On Their Phones. Is That The Future?, NAT’L PUB. RADIO (Nov 7, 2019), https://www.npr.org/2019/11/07/776403310/in-2020-some-americans-will-vote-on-their-phones-is-that-the-future [https://perma.cc/4W62-9TLS].

[36] Voatz, supra note 2.

[37] Jefferson et al., supra note 31.

[38] David Stone, West Virginia Was the First State to Use Mobile Voting. Should others follow? UCHICAGO NEWS (July 30, 2019), https://news.uchicago.edu/story/voting-mobile-devices-increases-election-turnout [https://perma.cc/NAF9-69B5].

[39] Anthony Fowler, Promises and Perils of Mobile Voting, U. OF CHI. (June 2019), https://cpb-us-w2.wpmucdn.com/web.sas.upenn.edu/dist/7/538/files/2019/06/Fowler_MobileVoting.pdf [https://perma.cc/6N8C-VQGZ].

23andMe: Who Can See Your Genes?

Written By: Kira Gill

I. Introduction

Beginning in the 1990s, the Information Age expanded upon the available molecular tools used for genetic research. Accompanying this expansion of tools was a revolution and rise of systems biology. The development of genetic engineering allowed manipulation, creation, and reparation of genetic material and cellular behavior. [1] On October 1, 1990, a group of researchers started the Human Genome Project, an effort to sequence and map all of the human genome. [2] This project was completed in April 2003, taking almost 13 years, and led to a complete genetic blueprint for building a human being. [3] Who knew that just three years later, 23andMe would come about, allowing for at-home genetic testing?

II. 23andMe

23andMe is a company founded in Silicon Valley which aims to use genetic testing to boost personalized healthcare and allow individuals to learn more about their heritage. [4] 23andMe charges customers $99 to take a saliva test at home and receive information about the individual’s ancestry. [5] For $199, customers receive not only ancestry traits, but also information about their health predispositions. [6] After 23andMe receives your sample, it takes just 2-3 weeks for the results to come back, compared to the 13 years it took for the Human Genome Project. [7] From human to human, the genes are about 99.5% the same; however, there are variants in the genome which include different genes passed down from parent to child. [8] 23andMe identifies the variants in the sample and analyzes them to find unique traits within the person. [9] Naturally, a plethora of legal issues have stemmed from this new technology.

III. Privacy Issues

There has been a long list of privacy issues which have occurred due to the highly accessible genetic information offered by 23andMe. A few cases in particular pose more serious issues, including those involving sperm donors, who were typically offered the option to remain anonymous. [10] Using 23andMe’s services, offspring of sperm donors have been able to track those who had wished to remain anonymous. [11] One woman violated her contract by trying to find her sperm donor through 23andMe. [12] She was successful, but the sperm bank ordered a cease-and-desist against her and revoked the use of the other gametes she had purchased from the same donor. [13]

Another issue that remains is the use of the DNA collected from at-home tests by police to match DNA samples in current cases. [14] Although these test results are extremely beneficial to the police for solving open cases within their database (for example, that of the Golden State Killer), the use raises concerning issues. [15] A class action lawsuit was also filed against 23andMe in regard to the data being stored in a large database and its use by third parties. [16] Since the technology is so new and the development occurred so rapidly, there is not much legal precedent regarding genetics and privacy.

IV. Genetic Information Nondiscrimination Act of 2008

Currently, there is only one prominent law that regulates genetic privacy, the Genetic Information Nondiscrimination Act of 2008 (GINA). [17] GINA is a federal law which passed due to increasing concerns about the accessibility of genetic information. [18] GINA prohibits health insurance companies from requesting, requiring, or using genetic information to make decisions about an individual’s eligibility for health insurance. [19] Also, GINA prohibits employers from discriminating against their employees based upon their genetic information. [20] In essence, GINA only offers minimal protection as it applies only to health insurance and employment issues.

V. Conclusion

Overall, the accessibility and publicity of private genetic information bring up a series of legal issues. Per its advertisements, 23andMe has taken action by becoming FDA approved. [21] It also addressed privacy concerns by stating the genetic information is not given to other databases without explicit consent from consumers and cannot be taken by law enforcement unless demanded by a subpoena or court order. [22] The legislature has started intervening but has been limited to GINA thus far. As issues with genetic privacy continue, the legislature will have to adapt and balance the public interest of privacy, as well as the benefits that this data produces, such as steps towards personalized healthcare and cures to genetically predisposed diseases.

 

[1] D. Ewen Cameron, Caleb J. Bashor & James J. Collins, A brief history of synthetic biology, 12 Nature Rev.: Microbiology 381, 381-90 (2014).

[2] The Human Genome Project, NATIONAL HUMAN GENOME RESEARCH INSTITUTE, https://www.genome.gov/human-genome-project [https://perma.cc/XQ5T-P5TQ].

[3] Id.

[4] 23andMe, https://www.23andme.com/howitworks/ [https://perma.cc/ZZ9G-FXKQ].

[5] Id.

[6] Id.

[7] Id.

[8] Id.

[9] Id.  

[10] Meghana Keshavan, ‘There’s no such thing as anonymity’: With consumer DNA tests, sperm banks reconsider long-held promises to donors, Stat. (Sept. 11, 2019), https://www.statnews.com/2019/09/11/consumer-dna-tests-sperm-donor-anonymity/ [https://perma.cc/R3DT-YZAF].

[11] Id.

[12] Id.

[13] Id.

[14] Christi J. Guerrini, Jill O. Robinson, Devan Petersen & Amy L. McGuire, Should police have access to genetic genealogy databases? Capturing the Golden State Killer and other criminals using a controversial new forensic technique, 16 PLOS Biology 1, 1-9, Oct. 2, 2018.

[15] Id.

[16] CBS News/AP, Class-action lawsuit filed against 23andMe over misleading marketing, CBS NEWS (Dec. 4, 2013, 12:32 PM), https://www.cbsnews.com/news/class-action-lawsuit-23andme/ [https://perma.cc/CZM5-RMRD].

[17] Genetic Discrimination, NATIONAL HUMAN GENOME RESEARCH INSTITUTE, https://www.genome.gov/about-genomics/policy-issues/Genetic-Discrimination [https://perma.cc/U55N-FPPV].

[18] Id.

[19] Id.

[20] Id.

[21] 23andMe, https://www.23andme.com/howitworks/ [https://perma.cc/ZZ9G-FXKQ].

[22] Id.

The CCPA: What is it and what does it mean for consumer privacy?

Written By: Bryce Hoyt

Beginning on January 1, 2020, the California Consumer Privacy Act (“CCPA”) took effect, resulting in a flood of emails from corporations stating, “We’ve updated our privacy policy.” [1] The CCPA is the most comprehensive and far-reaching consumer privacy law to date, mimicking the European Union’s General Data Protection Regulation (“GDPR”). [2] For example, companies with $25 million in annual revenue or any company storing data on at least 50,000 people must comply or face a potential fine of up to $7,500 per record in violation. [3] Although CCPA is a state law, it applies to any business meeting the threshold requirement above, and that also does business in California or collects personal information on California residents. [4] This means that many companies outside California or even the United States are still mandated to comply if they do substantial business with California [residents].

A few key provisions of the act include prohibiting the sale of personal data on children under the age of 13 without parent authorization and requiring children between the ages of 13-16 to give affirmative consent themselves before collecting any data (also known as the “opt-in” requirement). [5] Additional provisions put more power in the hands of the consumer by allowing individuals to request full disclosure of the type of data the business collects, the category of third-party companies the data is sold to, and the purpose of selling said data. [6] One of the most unique provisions allows consumers to request all personal data relating to said individual to be permanently deleted from the company records and gives the right to a private cause of action for any violation (with exceptions). [7] These are just a few key aspects of the extensive requirements and guidelines set forth in the CCPA.

Privacy organizations and firms have started releasing CCPA “readiness assessment guides” to help advise companies and clients on how to comply with the sweeping changes to consumer privacy law. [8] Although the act lays out, in detail, many necessary changes companies must make to comply, some aspects remain ambiguous, such as what constitutes a data breach “cure”. Furthermore, the degree of enforcement by the California Attorney General’s office is unclear. It appears only future litigation will answer the questions left open by the legislation—as of now, companies are diligently working to establish company protocol to avoid being the defining precedent.

[1] Maria Korolov, California Consumer Privacy Act (CCPA): What you need to know to be compliant, CSO (October 4, 2019, 3:00 AM PDT), [https://perma.cc/QN8T-CW8V].

[2] Id.

[3] Id.

[4] Emily Tabatabai, Antony Kim, & Jennifer Martin, Understanding California’s Game-Changing Data Protection Law, CORPORATE COUNSEL (July 16, 2018), https://s3.amazonaws.com/cdn.orrick.com/files/UnderstandingCaliforniaDataProtectionLaw.pdf [https://perma.cc/U5X3-BSME].

[5] Cal. Civ. Code §1798.120 (West 2019).

[6] Cal. Civ. Code §1798.110 (West 2019).

[7] Cal. Civ. Code §1798.150 (West 2019).

[8] ORRICK, California Consumer Privacy Act – Are you CCPA-Ready?, https://www.orrick.com/Practices/CCPA-Readiness [https://perma.cc/D6K4-G2E9].