As with all things Tiny Tyrant, incompetency and stupidity rule. Politico has the story on how the so-called commission on voter fraud is open to yet more hacking, and would provide a goldmine for those with cybercrime on their mind.
Cybersecurity specialists are warning that President Donald Trump’s voter-fraud commission may unintentionally expose voter data to even more hacking and digital manipulation.
Their concerns stem from a letter the commission sent to every state this week, asking for full voter rolls and vowing to make the information “available to the public.” The requested information includes full names, addresses, birth dates, political party and, most notably, the last four digits of Social Security numbers. The commission is also seeking data such as voter history, felony convictions and military service records.
Digital security experts say the commission’s request would centralize and lay bare a valuable cache of information that cyber criminals could use for identity theft scams — or that foreign spies could leverage for disinformation schemes.
“It is beyond stupid,” said Nicholas Weaver, a computer science professor at the University of California at Berkeley.
“The bigger the purse, the more effort folks would spend to get at it,” said Joe Hall, chief technologist at the Center for Democracy and Technology, a digital advocacy group. “And in this case, this is such a high-profile and not-so-competent tech operation that we’re likely to see the hacktivists and pranksters take shots at it.”
Indeed, by Friday night, over 20 states — from California to Mississippi to Virginia — had indicated they would not comply with the request, with several citing privacy laws and expressing unease about aggregating voter data.
Experts also criticized the commission’s two options for states to submit their data: via a White House email address and a Pentagon-run file-hosting service.
“Email is the worst; it’s like sending all your postal mail using postcards instead of letters in envelopes,” Hall said. “It’s one of the harder methods of communication to secure.”
The commission’s alternative option, a file-hosting service run by a branch of the Army, isn’t currently configured to properly encrypt web traffic, which Hall said was “a massive red flag for their ability to properly secure other forms of secure file transfer.”
The perceived digital security miscues left many specialists stunned.
“Nothing about this letter appears to take information security into account,” said Matthew Green, a computer science professor and cryptography expert at Johns Hopkins University. “If I didn’t know this letter was real, I would assume it was a clever spearphishing campaign.”
When it comes to my state, I’m afraid to look, but I’m sure they are being compliant. Yet another thing to worry about. Politico has the full story.