Voter rolls are not a retail commodity.

Beginning with the DNC hack in spring of 2016, it dawned on me (maybe I’m slow to the party, but eventually it clicks) that the retail market in voter registration databases is a bad idea. That’s been highlighted in the last few weeks by Kris Kobach’s ill-fated attempt to federalize voter information in a searchable facility. This was one of the key take-aways from the recent Time article on that chillingly describes how access to voter registration can be used to disrupt elections without ever touching one of those insecure DRE voting machines.
I even worked out a threat scenario and circulated it to some friends who agreed (1) it is plausible, and (2) it is not obviously illegal. You can see why if you follow the complicated trail in Guardian article.  Or if you just look at what the people creating the market in your voting data say about it:
Notes for a 2016 Democratic Campaign
Eric Schmidt
April 2014

Key is the development of a single record for a voter that aggregates all that is known about them.  In 2016 smart phones will be used to identify, meet, and update profiles on the voter.  A dynamic volunteer can easily speak with a voter and, with their email or other digital handle, get the voter videos and other answers to areas they care about (“the benefits of ACA to you” etc.)

The point is to be able to create dashboard, accurate to the individual vote level, that is predictive of future voter behavior.  Civis Analytics is one such company:

Civis Analytics, a company founded by the chief analytics officer of Barack Obama’s 2012 re-election campaign, has raised $22 million in Series A funding.



I’m not happy there’s a market in voter data, but I am even less happy that political parties, market analysts, and election owners do not seem to understand the significance of unauthorized access.  Unless there is a statute to the contrary, trading and in this kind of information is no more serious than buying and selling grocery store loyalty data.

I want the voter data market to be regulated. There is no consensus around this topic, but I am convinced this is a security hole big enough to drive a truck through.  I have friends who disagree, saying transparency in voter roles is important to prevent vote buying/trading, voter intimidation, and other problems.  Agreed, but that’s a long way from giving tacit approval to monetizing my contact and other personal information.

[As a side note:  I am baffled that my NRA-supporting friends have not been as up in arms (get it?) about this as they have about federal gun ownership registries.]

Regulation of this market, like many in the information age, will be messy.  Just look at how colleges and universities wrap themselves around the axle to comply with FERPA-mandated protection of student data, for example.  But that does not mean it should not be done.  At the very least, regulation can force information aggregators like the DNC and the RNC to provide safeguards to deter the sort of casual intrusion marking the 2016 election.


Out-dated, insecure election system is damaging Georgia’s brand as a hub for cyber security innovation

A small, local newspaper in an Atlanta suburb, beat the Atlanta-Journal and Constitution (AJC) to the real impact that Georgia’s outdated, insecure computerized election system has on the state’s economy.

Over the last 20 years, Atlanta has become an international innovation hub for cyber security. Kleiner-Perkins backed Internet Security Systems was launched by a Georgia Tech freshman and went on to become one of the most important enterprise security firms in the country before it was acquired by IBM. SecureWorks, another Atlanta start up was acquired by Dell in 2011.  Atlanta’s tech scene is relying on a planned $50M cyber security center to cement its brand as the place to be.

That’s why the Newnan, Georgia, Times-Herald, article about the effect of national publicity about Georgia’s out-dated insecure election system provokes one of those “Whatever can they be thinking?” moments.  The AJC, which you would expect to be a booster, has missed this story completely (In fact, the AJC has been so conspicuously wrong/absent on the Georgia elections story that you have to wonder what the heck is going on in their editorial meetings).

The Time-Herald piece was not original reporting, I can excuse them for concluding that the election systems are safe and unchallenged, but the paper correctly points out that recent national attention can do serious damage to Georgia’s reputation:

…it is an ignominious way for the world to recognize Georgia’s growing role in cybersecurity. Fort Gordon near Augusta is the new home of the U.S. Army’s Cyber Command and a branch facility of the National Security Agency that contracted with the company employing the alleged leaker. 
The state is establishing a cybersecurity research center at Georgia Tech, near the headquarters of some of the private sector’s most successful digital-security firms and the country’s major hub of financial transaction processing. Stories from here like this one are likely to become less infrequent.
The Peach State is at the center of this story because it is now at the center of cybersecurity.

Ironic that the Secretary of State’s Office, which has major responsibility for business development, has contributed to this state of affairs by not moving swiftly and decisively to shore up Georgia’s voting technology. Why would new investment be attracted to a place that apparently cannot manage 1999-era systems?

Even if you think that the fuss over Georgia’s system is much ado about nothing, or is part of a liberal effort to explain away electoral failures, you should be concerned about the impact it might have on this growing piece of the local economy.  It’s a shame, because the entire problem can be fixed tomorrow with relatively little investment.


Georgia Sec. of State does not want DHS to designate election systems as critical infrastructure. Here’s why.

Georgia’s election officials were all bent out of shape last fall when the US Department of Homeland Security (DHS) wanted to designate American election infrastructure as critical to national security.  As Sec. of State Brian Kemp explained in his recent USA Today op-ed, it’s really just a matter of state sovereignty.  We don’t want the federal government telling us how to run our elections, is what Kemp is telling Georgians. In fact, he thinks so little of DHS, he wants you to believe the federal government (ours, not Russia’s) is the one hacking Georgia’s election system in a “massive attack,” according to a complaint filed by Kemp’s office last January.

The Inspector General of DHS investigated Kemp’s allegations and found to the Secretary’s embarrassment that what he had characterized as a massive attack, was actually normal web traffic. Never mind murmured Kemp.

A more likely explanation for the critical infrastructure freak-out is that the Secretary of State’s office treats the protection of computerized election system like a high school science fair project, not a precious resource to be protected. Wouldn’t that be embarrassing if the Feds showed up to check on his ability to manage critical infrastructure?

Way back in the early days of electronic voting in Georgia, then SoS Cathy Cox, a Democrat,  set up the Center for Election Systems (CES) at Kennesaw State University to test, program, maintain and provide training for the Diebold-based touchscreen voting machines and associated servers, networks, and software.

CES Director Michael Barnes served as an enthusiastic tour guide to the Atlanta Journal and Constitution, which posted this video on YouTube™

A well-positioned sign announced the state’s central technology organization, helpfully displaying its precise location.  No guards or even a receptionist to check the identities of visitors; no ID badges to distinguish students who were authorized to be there from those who merely wanted to examine the piles of election equipment and computers that had been left unattended in otherwise unsupervised rooms.

You would think that an important system like this would have the eye of top university leadership.  Director Barnes says no. CES is just another department in the school of science.

The most likely explanation for the Secretary’s over-the-top reaction to the suggestion that Georgia’s election system be classified as critical infrastructure is that the state’s election officials do not think it is that important, and they would prefer that not be widely known.




Secretary of State Brian Kemp takes his case public for maintaining Georgia’s reputation for the country’s most insecure voting system.

Georgia Secretary of State Brian Kemp responded this morning to a USA Today editorial that points out an inconvenient fact:

in Georgia, where researchers discovered a gaping hole in election security last fall, it’s unclear what has been done to plug it. Georgia Secretary of State Brian Kemp has argued vehemently against replacing the state’s voting machines, which are susceptible to sabotage because they lack a paper record of votes.

Kemp could have defended himself by behaving like a responsible public servant and: (1) acknowledging the threat, (2) promising to marshal the considerable resources at his disposal to meet the threat, and (3) forming a national strength-in-numbers coalition of election officials to adopt the common-sense reforms that are the consensus recommendation of voting technology experts.  He did not do that.

Instead, Kemp laid out his case for placing his personal political ambitions above his duty to protect Georgia voters:

As reporters chase stories to feed the 24-hour news cycle, they dilute facts and develop false narratives about Russian hacking and potential vulnerabilities in the system. The prevailing plot line is that states like Georgia can’t provide suitable security for elections.

At last month’s Senate Intelligence Committee hearing, national security officials testified that there is no doubt about Russian hacking. Committee members-who have been briefed on the threats and vulnerabilities-showed rare bipartisan agreement. They also said that DHS has not conducted classified briefings for state election officials, so Brian Kemp actually has no way to know whether the “narratives” are false.

This sounds like me.  When I was Mayor of Amity, Chief Brody tried to get me to close the beaches because of a great white shark that was snacking on 4th of July tourists.  I was more concerned about the political implications than protecting people.  I’ve apologized for my irresponsible behavior.  My hope is that Brian Kemp follows suit, but I don’t think that’s very likely.

The next best outcome is for Kemp’s Republican gubernatorial opponent, Lt. Gov. Casey Cagle to use this shocking editorial to argue that Kemp should never again be allowed to represent the public interest.

In the meantime, Georgians are left to wonder whether the results of recent elections can be trusted.


Chris Matthews barks “I like paper!” on Hardball. It’s what he does when common sense departs.

Georgia is only one of five states that does not use paper backup for its election system. Experts have written to Secretary of State @BrianKemGA asking him to move to paper ballots.  The arguments against it are weak, so why does Georgia continue to promote the nonexistent benefits of a this national embarrassment? @HardballChris doesn’t get it either and he’s not shy about calling out the hypocrisy on MSNBC:


Who has motivation for weakening voting protections? Quartz looked at the role of local officials in right to vote disputes. #protectGAvote


There’s a reason that GA election officials ignore the risks of the current system: they can’t help it

The brain is wired in ways that often lead decision-makers to act against their own interests. A 2015 article in Business Insider describes 20 cognitive biases that fool you into believing that you are behaving rationally when you are actually just responding to faulty wiring in your head:

…research suggests there are a number of cognitive stumbling blocks that affect your behavior, and they can prevent you from acting in your own best interests.

Brian Kemp may be acting on pure political opportunism, but it is also likely that he (and his followers) have hit one of these cognitive stumbling blocks. How can the Secretary of State ignore the overwhelming evidence that our election system is vulnerable?  It is the Ostrich Effect at work.

The ostrich effect bias is a tendency to ignore dangerous or negative information by ignoring it or burying one’s head in the sand. Sometimes we do this when we have already made up our mind about something. It may also be an indication we only want to consider the positive aspects of something.

How does it work?

The brain receives so much data at any given moment that it has to filter out some data in order to be able to attend and make meaning of incoming sensory information. When that occurs, we delete, distort, and generalize reality.

If we know the Ostrich effect is at work, maybe there is a way to support people to more rational approaches to election security and #protectGAvote. We should be asking Brian Kemp and his pals:

What about this information is hard for you to hear?
How does this information fit with what you already know?
How might ignoring this information affect our decision in the long run?
How might we include this information in a way that is productive to our thinking?