Written By: Michael Walsh
A Byte of Online Voting
Sorry, you cannot vote online in the primaries or in presidential elections this year. That is, unless you have been selected to participate in one of the few small-scale pilot programs, such as the DemocracyLive system in Seattle, Washington, the Voatz platform in West Virginia, or most recently, the Shadow voting tool used for the 2020 Iowa caucuses just a few weeks ago. These voting tools use blockchain technology to generate a unique hash for each vote. To mitigate the risk of election tampering, the votes are submitted, but not counted electronically.  Each electronic submission is verified with a printed version of the ballot, then the printed ballots are tallied to calculate the total number of votes. These electronic systems are usually deployed in areas in which voter turnouts are low or voting is only possible by remote means. Ideally, these types of services may help improve voter turnout in the United states—a country in which less than 56% of voting-age adults participated in the 2016 presidential election.
There is little federal oversight for online voting infrastructure, but Congress allocated an additional $380 million for voting infrastructure and security improvements, and 85% of those funds are estimated by the U.S. Elections Assistance Commission to be used by states before the 2020 election. Ideally, those funds will help to alleviate problems in areas with intermittent or low bandwidth internet connections, such as some of the precincts that experienced problems with the Shadow voting app during the 2020 Iowa caucuses. Additionally, a slew of other bills has been introduced to help secure elections from (predominantly foreign) interference (see S.2669; H.R. 1946; H.R. 4990). One amendment to the Help America Vote Act (HAVA) of 2002, passed in December 2019, allocated an additional $400 million to help secure voting infrastructure. However, some experts indicate that modernizing and securitizing current voting infrastructure would cost nearly $2.5 billion, not considering recurring maintenance costs. To modernize Pennsylvania’s infrastructure alone is estimated to cost upwards of $150 million, which accounts for nearly half of the total HAVA funds allotted from Congress.
Election Security Concerns and the 2016 Election
The costs to establish secure voting infrastructure do not seem so exorbitant when considering voter trust. 2016 marked the first year in which Russian interference influenced the presidential elections. This foreign interference happened not by meddling with voter infrastructure (which now usually verifies electronically submitted votes with paper ballots), but by alternative means such as phishing, distributed denial-of-service (“DDoS”), and denial-of-service (“DoS”) attacks. These kinds of interference will certainly not be the last. A recent national survey asked politicians about cybersecurity risks, “[f]orty percent said they’ve had an account compromised in a phishing attack. And 60% said they haven’t significantly updated the security of their accounts since 2016.” Even without direct interference with voter infrastructure, threat actors can make a meaningful difference in the outcome of elections with phishing, DDoS and DoS attacks on other vectors including campaign email accounts or insecure servers used by political groups. In response, Microsoft and Google (the companies that provide the most popular email services in the nation) have been implementing security measures to prevent these attacks. Most countermeasures focus on implementing typical information security protections, such as multi-factor authentication, tokenization, and software-based mitigation techniques, such as spoofing and phishing detection.
Experts still have many questions about the security and privacy of electronic voting systems, most particularly those that are completely paperless. Nevertheless, some voting this year will be done in select states by phone or PC through the Voatz system (but with paper ballot verification). Voatz uses blockchain technology paired with biometric data from users’ phones, such as face scans and fingerprints. Although this version of multi-factor authentication may alleviate fraudulent voting, it poses serious privacy concerns and does not address other salient security risks of online voting, such as phishing, DDoS, and DoS attacks. Regardless, the future of voting is likely to be a digital one, as a recent study from University of Chicago found. The survey estimated that voter turnout could increase by several percentage points, a figure that could compound with the help of universally compatible voting technology.
 Emily S. Rueb, Voting by Phone Gets a Big Test, but There Are Concerns, The New York Times (Jan. 23, 2020), https://www.nytimes.com/2020/01/23/us/politics/mobile-voting-washington.html [https://perma.cc/B2SR-NF88].
 Voatz, Frequently Asked Questions, https://voatz.com/faq.html [https://perma.cc/9RBS-6BK5].
 Rueb, supra note 1; Emily Dreyfuss, Smartphone Voting Is Happening, but No One Knows if It’s Safe, Wired (Aug. 9, 2018), https://www.wired.com/story/smartphone-voting-is-happening-west-virginia/ [https://perma.cc/JC2B-SYWF].
 Drew Desilver, U.S. Trails Most Developed Countries in Voter Turnout, Pew Research Center (May, 21 2018), https://www.pewresearch.org/fact-tank/2018/05/21/u-s-voter-turnout-trails-most-developed-countries/ [https://perma.cc/4T3C-4JD4].
 The Impact of HAVA Funding on the 2018 Elections, U.S. Election Assistance Commission (2019), https://www.eac.gov/sites/default/files/paymentgrants/TheImpactofHAVAFundingonthe2018Elections_EAC.pdf [https://perma.cc/6KDW-RNEJ].
 Id.; U.S Senate Committee on Rules and Administration Oversight of the Election Assistance Commission, U.S Election Assistance Commission (May 15, 2019), https://www.rules.senate.gov/imo/media/doc/EAC_Testimony.pdf [https://perma.cc/95VB-NA4H]; Elizabeth Howard, Defending Elections: Federal Funding Needs for State Election Security, The Brennan Center (July 18th, 2019), https://www.brennancenter.org/our-work/research-reports/defending-elections-federal-funding-needs-state-election-security [https://perma.cc/P7UC-8ZW4].
 Kevin Roose, The Only Safe Election is A Low-Tech Election, The New York Times (Feb. 4, 2020), https://www.nytimes.com/2020/02/04/technology/election-tech.html, [https://perma.cc/2C8W-982G]; Nick Corasaniti, Sheera Frenkel and Nicole Perlroth, App Used to Tabulate Votes is Said to Have Been Inadequately Tested, The New York Times (Feb. 3, 2020), https://www.nytimes.com/2020/02/03/us/politics/iowa-caucus-app.html [https://perma.cc/B7TG-YJ2P]; Keith Collins, Denise Lu, Charlie Smart, We Checked the Iowa Caucus Math. Here’s Where it Didn’t Add Up, The New York Times (Feb. 14 2020), https://www.nytimes.com/interactive/2020/02/14/us/politics/iowa-caucus-results-mistakes.html [https://perma.cc/HH8N-DURV].
 S.2669, 116th Cong. (2019); H.R. 1946, 116th Cong. (2019); H.R. 4990, 116th Cong. (2019).
 U.S. Election Assistance Commission, How Can The States Use the Funds? (Jan. 6, 2020) https://www.eac.gov/how-can-states-use-funds-0 [https://perma.cc/79W6-WHYA]; H.R. 1158 § 501, 116th Cong. (2019).
 Lawrence Norden and Edgardo Cortez, What Does Election Security Cost?, The Brennan Center (Aug. 15, 2019), https://www.brennancenter.org/our-work/analysis-opinion/what-does-election-security-cost [ https://perma.cc/TL69-YCU2].
 Howard, supra note 8.
 U.S. Senate Committee 116th Congress, Report of the Select Committee on Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election Volume 1: Russian Efforts Against Election Infrastructure With Additional Views
https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume1.pdf [https://perma.cc/CZ47-7XLY]; Andy Greenberg, Feds’ Damning Report on Russian Election Hack Won’t Convince Skeptics, Wired (Jan. 6, 2017), https://www.wired.com/2017/01/feds-damning-report-russian-election-hack-wont-convince-skeptics/ [https://perma.cc/2T8Q-YZR9]; David E. Sanger and Catie Edmonson, Russia Targeted Election Systems in All 50 States, Report Finds, The New York Times (July 25, 2019), https://www.nytimes.com/2019/07/25/us/politics/russian-hacking-elections.html [https://perma.cc/78SM-YVZ4].
 Andy Greenberg, Everything We Know About Russia’s Election-Hacking Playbook, Wired (June 9 2017), https://www.wired.com/story/russia-election-hacking-playbook/ [https://perma.cc/EAZ8-W5Z4]; Shannon Bond, 2020 Political Campaigns Are Trying To Avoid A 2016-Style Hack, Nat’l Pub. Radio (Jan. 28, 2020), https://www.npr.org/2020/01/28/799062773/2020-political-campaigns-are-trying-to-avoid-a-2016-style-hack [https://perma.cc/T2ER-KQ9U]; Jeremey Ashkenas, Was It a 400-Pound, 14-Year-Old Hacker, or Russia? Here’s Some of the Evidence, The New York Times (Jan. 26, 2017), https://www.nytimes.com/interactive/2017/01/06/us/russian-hack-evidence.html [https://perma.cc/U9CX-N829].
 Miles Parks, Russian Hackers Targeted The Most Vulnerable Part Of U.S. Elections Again, Nat’l Pub. Radio (July 28, 2018), https://www.npr.org/2018/07/28/633056819/russian-hackers-targeted-the-most-vulnerable-part-of-u-s-elections-again [https://perma.cc/MR8E-3H3Q]; Shannon Bond, Microsoft Says Iranians Tried To Hack U.S. Presidential Campaign, Nat’l Pub. Radio (Oct. 4, 2019), https://www.npr.org/2019/10/04/767274042/microsoft-says-iranians-tried-to-hack-u-s-presidential-campaign [https://perma.cc/K9ST-T55N].
 Bond, supra note 15.
 Tom Burt, Protecting Democracy with Microsoft AccountGuard, Microsoft Blog (August 20, 2018), https://blogs.microsoft.com/on-the-issues/2018/08/20/protecting-democracy-with-microsoft-accountguard/ [https://perma.cc/7MGY-MW5X]; Lily Hay Newman, Google’s Giving Out Security Keys to Help Protect Campaigns, Wired (Feb. 11, 2020), https://www.wired.com/story/google-free-security-keys-campaigns/ [https://perma.cc/4TN7-9SQ2].
 David Jefferson et al., What We Don’t Know About the Voatz “Blockchain” Internet Voting, System (May 1, 2019), https://cse.sc.edu/~buell/blockchain-papers/documents/WhatWeDontKnowAbouttheVoatz_Blockchain_.pdf [https://perma.cc/62H2-MQN4]; Michael A. Specter et al, The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections, Mass. Inst. of Tech., https://internetpolicy.mit.edu/wp-content/uploads/2020/02/SecurityAnalysisOfVoatz_Public.pdf [https://perma.cc/89H7-XLP2]; Abby Abazorius, MIT Researchers Identify Security Vulnerabilities in Voting App, MIT News (Feb. 13, 2020), http://news.mit.edu/2020/voting-voatz-app-hack-issues-0213 [https://perma.cc/AA49-97FS]; Robby Mook et al., Cybersecurity Campaign Playbook, Harv. Kennedy School Belfer Center (Nov. 2017), https://www.belfercenter.org/CyberPlaybook [https://perma.cc/82NN-KA57]; Miles Parks, In 2020, Some Americans Will Vote On Their Phones. Is That The Future?, Nat’l Pub. Radio (Nov 7, 2019), https://www.npr.org/2019/11/07/776403310/in-2020-some-americans-will-vote-on-their-phones-is-that-the-future [https://perma.cc/4W62-9TLS].
 Voatz, supra note 2.
 Jefferson, supra note 19.
 David Stone, Jul 30, 2019 West Virginia Was the First State to Use Mobile Voting. Should others follow? U. of Chi. (July 30, 2019), https://news.uchicago.edu/story/voting-mobile-devices-increases-election-turnout [https://perma.cc/NAF9-69B5]; Anthony Fowler, Promises and Perils of Mobile Voting, U. of Chi. (June 2019), https://cpb-us-w2.wpmucdn.com/web.sas.upenn.edu/dist/7/538/files/2019/06/Fowler_MobileVoting.pdf [https://perma.cc/6N8C-VQGZ].
Written by: Bryce Hoyt
Beginning in 2017, Australian tech entrepreneur Hoan Ton-That founded a startup backed by billionaire Peter Thiel by the name of Clearview AI (Clearview) with the goal of creating a cutting-edge facial recognition technology. Two years later, Clearview emerged with the refined technology and began selling it to law enforcement agencies and private investigators all around the U.S. and Canada. The technology works by uploading a picture of a suspected criminal to the software, a sophisticated algorithm then automatically compares the picture to the Clearview database of over 3 billion photos scraped from publicly available pictures online (e.g., social media sites) to try and discover the person’s identity using unique biometric indicators such as distance between eyes or shape of the chin. If a match is found, the matching images are presented alongside the social media links where they were found.
So far, over 600 law enforcement agencies in North America have started using the Clearview software with the goal of helping solve shoplifting, identity theft, credit card fraud, murder, and child sexual exploitation cases. Law enforcement are only permitted to use the technology as a lead and cannot yet use the facial recognition technology as evidence in court. Ton-That claims the software has 99% accuracy and does not result in higher errors when searching people of color, a common issue and concern among other facial recognition tools.
Although Ton-That continues to remind the public that this tool is only used for investigative purposes to solve crimes—many people remain skeptical. New Jersey’s attorney general Gurbir Grewal said he was disturbed when he learned about Clearview and ordered law enforcement in the state to stop using the technology until a full review of the company is completed for data privacy and cybersecurity concerns. Additional reports have indicated that Clearview has given access to other clients, including commercial business and billionaires. Ton-That denies any commercial authorization of Clearview, however, the fear remains.
Such a controversial and unprecedented technology does not come without legal ramifications and investigation. Tech giants including Twitter, Google, YouTube, and Facebook have sent cease-and-desist letters to Clearview for scraping their data, echoing the 2018 Cambridge Analytica scandal. Ton-That defends the collection of data, claiming that because the pictures are taken from the public domain, Clearview has a First Amendment right to the publicly available information.
Tech giants aren’t the only ones challenging Clearview’s practices—in January of this year the American Civil Liberties Union (ACLU) filed a class action lawsuit against Clearview in Illinois, one of the only states with a biometric privacy law. The complaint alleges a violation of the Illinois Biometric Information Privacy Act (BIPA) for failing to obtain informed written consent by individuals before collecting and using a person’s biometric data, including facial recognition, as required by the act. The ACLU expressed its’ concern with Clearview, claiming that such a powerful and unregulated technology might lead to governmental tracking of vulnerable communities such as sexual assault victims and undocumented immigrants—which is the exact sort of behavior privacy legislation is intended to prevent. The ACLU is seeking a court order to force Clearview to delete all photos of Illinois residents gathered without consent and to prevent any further gathering until the organization is in compliance with the BIPA. Clearview would not be the first organization to have violated the BIPA. This January, Facebook paid a $550 million class action settlement for a violation of BIPA involving it’s “photo tagging” feature, after losing their appeal in the Ninth Circuit in 2019.
The fears of the ACLU are not unfounded, law enforcement agencies across North America have started using Clearview to identify children as young as 13 years old who are victims of sexual assault to try to locate them and attempt to get a statement. Many supporters of the technology claim that it’s the biggest breakthrough in the last decade for child sexual abuse crimes, but many worry of the potential harms in amassing such sensitive data. Privacy advocates remain reluctant to support such technology until it is tested and regulated. Liz O’Sullivan, the technology director at the Surveillance Technology Oversight Project commented, “[t]he exchange of freedom and privacy for some early anecdotal evidence that it might help some people is wholly insufficient to trade away our civil liberties.”
Beyond Clearview, facial recognition software has moved to commercial use—including airports, public venues, and most recently, public schools. The small town of Lockport, New York was one of the first known public schools to adopt facial recognition in the U.S., despite pushback from the community. The technology was installed with the purpose of scanning for weapons and monitoring individuals entering the school; comparing faces to a curated database of prohibited individuals such as sex offenders and barred students/employees. A few cities, including San Francisco, have banned the use of facial recognition tools in their community, even within law enforcement agencies. Although well intentioned, the unique technology presents many privacy concerns that are better off discussed and reconciled before being implemented as common practice.
With facial recognition in the spotlight and a growing concern of the unintended repercussions, a few tech companies including IBM have announced that they will no longer sell facial recognition services—urging for a national dialogue on whether the technology should be used at all. Critics of this public statement note that an additional motive stems from the fact that facial recognition software has not been profitable for IBM up to this point. It also remains unclear whether IBM will continue to research and develop such technology after halting sales. Amazon also announced that they are placing a one-year moratorium on police use of its facial recognition technology due to the current pushback from civil rights groups and police-reform advocates. Microsoft also followed suit in a statement the same week, stating they will no longer sell facial recognition software to police in the U.S. until there is a federal law to regulate the technology.
Facial recognition technology has also gained attention from legislators, resulting in numerous state bills and proposed federal legislation. Among the bills currently circulating at a state level, a controversial bill in California aimed at allowing businesses and government agencies to use facial recognition technology without consent for safety and security purposes with probable cause, has stalled in the legislature. The bill would have also followed the California Consumer Privacy Act (CCPA) by requiring state and local agencies to inform consumers of the facial recognition technology before using it for reasons not related to public safety. Those in opposition of the bill include the ACLU and the Electronic Frontier Foundation (EFF), who claim that the bill would have set very minimal standards for the use of the technology and did not address many of the privacy concerns related to face surveillance.
As of March, Washington state has enacted the first U.S. state law which limits the use of facial recognition technology by law enforcement. The state law (SB 6280), backed by Microsoft, sets limits on the use of facial recognition technology in a few ways: (1) governmental agencies must now obtain a warrant to run facial recognition scans (except in exigent circumstances), (2) the software must pass independent testing to ensure its accuracy, (3) any state or local government agency intending to use such technology must file with a legislative authority a notice of intent to develop, procure, or use a facial recognition service, specifying the purpose for which the technology is to be used, and (4) a state or local government agency intending to use such technology must develop a comprehensive accountability report outlining the purpose of the use, the type of data the technology collects, and various other clarifications on protocol.
Critics of the bill point out that it was sponsored by State Senator Joe Nguyen, who is currently employed at Microsoft, which is perhaps the reason that the bill places far less restrictions on commercial development or sale of the technology. The ACLU was also quick to make a rebuttal to the bill, stating that although the safeguards proffered in the bill are better than none, anything short of a facial recognition ban will not safeguard civil liberties.
At a federal level, a bipartisan bill has been introduced to the Senate referred to as the “Commercial Facial Recognition Privacy Act,” designed to offer legislative oversight for commercial applications of facial recognition technology. The bill would require companies to gain explicit user consent before collecting any facial recognition data and would limit companies from sharing the data with third-parties. The bill, also endorsed by Microsoft, seems to address the commercial side of facial recognition technology that Washington state’s law fails to acknowledge. The consent requirements mimic many other privacy laws—requiring that a company obtain affirmative consent before using the technology, provide the user with concise notice of the capabilities and limitations of the technology, state the specific purpose for which the technology is being employed and a provide a brief description of the data retention and deidentification practices of the processor. The company is thereby limited to the purpose for which they informed the user and must obtain additional affirmative consent if they wish to share the data with a third party or re-purpose the data.
Regardless of whether the bill survives, the proposed legislation provides insight into the mind of Congress and outlines the willingness of tech giants to help navigate a more informed and regulated route through new technological advances such as facial recognition. The macro and micro consequences of such an innovative yet frightening tool are worth skepticism, but perhaps we can find the middle ground between civil advocates and fast-pace tech executives to forge a more privacy conscious future.
 See Kashmir Hill, The Secretive Company That Might End Privacy as We Know It, The New York Times (Jan. 18, 2020), https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html.
 See Donie O’Sullivan, This man says he’s stockpiling billions of our photos, CNN (Feb. 10, 2020), https://www.cnn.com/2020/02/10/tech/clearview-ai-ceo-hoan-ton-that/index.html.
 Hill, supra note 1.
 O’Sullivan, supra note 3.
 See Kashmir Hill, Before Clearview Became a Police Tool, It Was a Secret Plaything of the Rich, The New York Times (Mar. 5, 2020), https://www.nytimes.com/2020/03/05/technology/clearview-investors.html. See also Ben Gilbert, Clearview AI scraped billions of photos from social media to build a facial recognition app that can ID anyone — here’s everything you need to know about the mysterious company, Business Insider (Mar. 6, 2020), https://www.businessinsider.com/what-is-clearview-ai-controversial-facial-recognition-startup-2020-3.
 Alfred Ng, Steven Musil, Clearview AI hit with cease-and-desist from Google, Facebook over facial recognition collection, cnet (Feb. 5, 2020), https://www.cnet.com/news/clearview-ai-hit-with-cease-and-desist-from-google-over-facial-recognition-collection/.
 See Alfred Ng, Clearview AI faces lawsuit over gathering people’s images without consent, cnet (May 28, 2020), https://www.cnet.com/news/clearview-ai-faces-lawsuit-over-gathering-peoples-images-without-consent/. See also Angelique Carson, ACLU files class-action vs. Clearview AI under biometric privacy law, iapp (May 29, 2020), https://iapp.org/news/a/aclu-files-class-action-vs-clearview-ai-under-biometric-privacy-law/.
 Ng, supra note 8.
 See Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019). See also Corrine Reichert, Facebook pays $550M to settle facial recognition privacy lawsuit, cnet (Jan. 29, 2020), https://www.cnet.com/news/facebook-pays-up-550m-for-facial-recognition-privacy-lawsuit/.
 Kashmir Hill, Gabriel J.X. Dance, Clearview’s Facial Recognition App Is Identifying Child Victims of Abuse, The New York Times (Feb. 10, 2020), https://www.nytimes.com/2020/02/07/business/clearview-facial-recognition-child-sexual-abuse.html.
 Davey Alba, Facial Recognition Moves Into a New Front: Schools, The New York Times (Feb. 6, 2020), https://www.nytimes.com/2020/02/06/business/facial-recognition-schools.html.
 Devin Coldewey, IBM ends all facial recognition business as CEO calls out bias and inequality, TechCrunch (June 8, 2020), https://techcrunch.com/2020/06/08/ibm-ends-all-facial-recognition-work-as-ceo-calls-out-bias-and-inequality/.
 Bobby Allyn, Amazon Halts Police Use Of Its Facial Recognition Technology, npr (Jun. 10, 2020), https://www.npr.org/2020/06/10/874418013/amazon-halts-police-use-of-its-facial-recognition-technology.
 Brian Fung, Tech companies push for nationwide facial recognition law. Now comes the hard part, CNN (June 13, 2020), https://www.cnn.com/2020/06/13/tech/facial-recognition-policy/index.html.
 See Taylor Hatmaker, Bipartisan bill proposes oversight for commercial facial recognition, TechCrunch (Mar. 14, 2019), https://techcrunch.com/2019/03/14/facial-recognition-bill-commercial-facial-recognition-privacy-act/.
 Ryan Johnston, Facial recognition bill falls flat in California legislature, statescoop (Jun. 4, 2020), https://statescoop.com/facial-recognition-bill-falls-flat-in-california-legislature/.
 Paresh Dave, Jeffrey Dastin, Washington State signs facial recognition curbs into law; critics want ban, Reuters (Mar. 31, 2020), https://www.reuters.com/article/us-washington-tech/washington-state-signs-facial-recognition-curbs-into-law-critics-want-ban-idUSKBN21I3AS.
 See S.B. 6280, 66th Leg., Reg. Sess. (Wash. 2020).
 Dave Gershgorn, A Microsoft Employee Literally Wrote Washington’s Facial Recognition Law, OneZero (Apr. 2, 2020), https://onezero.medium.com/a-microsoft-employee-literally-wrote-washingtons-facial-recognition-legislation-aab950396927.
 Hatmaker, supra note 23.
 See S. 847, 116th Cong. (2019).