facebook noscript

2020 Election Security and PII Compliance

October 21, 2020
data-security-default

Please Vote!

If you are lucky enough to live in a democracy, you should always exercise your right to vote. Today, the U.S. Constitution guarantees every American over the age of 18 the right to choose their government, regardless of race, gender, religion, disability, or sexual orientation.

The 2020 election on November 3, however, has been marred not only with political acrimony but also with accusations of voter fraud, so you may still have at least two questions:

  1. How do I vote?
  2. How do I vote securely?

For the first question, it depends on where you live. In some states, anyone can vote by mail, and ballots are distributed automatically. In others, you must vote in person unless you have a valid excuse (the pandemic does not count).

This website covers registration and voting information for all 50 states.

Voting in a Pandemic

Voting in person can be a challenge, especially for people with disabilities, childcare responsibilities, or fear of discrimination. This year, the COVID-19 pandemic has also added fear of viral infection.

The spring political party primaries did not inspire confidence, as they were overwhelmed by long lines and technology failures. With two weeks remaining until election day, over 35 million Americans have already voted.

The Secret Ballot

A key indicator of a democracy’s health is its political privacy. When voters’ choices remain anonymous, there is far less room for corruption, intimidation, and blackmail.

Historically, the most common form has been the private booth, where voters draw a curtain, write their selection on a piece of paper, and place it into a box that contains every vote. When the poll closes, all of the ballots are counted together, under rules that make it difficult, if not impossible, to correlate an individual voter with his or her vote.

Electronic Voting

Today, democracies can cast and count votes electronically. Electronic voting, or E-voting, now refers to a wide range of activities, from a standalone electronic machine that marks a paper ballot to an Internet-connected computer that records, encrypts, and transmits votes to a remote server.

The latter is called I-voting, and its most advanced practitioner is Estonia. Tallinn held its first online election in 2005, and today Estonian voters, with a smartcard, can cast a vote from any Internet-connected computer in the world. For anonymity, a voter’s identity is removed from a ballot before it reaches the National Electoral Commission.

Postal Voting

The U.S. does not yet have Estonia’s level of e-government services, so vote-by-mail is the primary alternative to voting in person. In general, ballots must be postmarked by election day.

At election centers, postal ballots may be counted by hand or electronically. However, in the U.S., postal voter fraud is believed to be extremely rare. There are numerous integrity and secrecy checks in place and myriad observant parties including journalists and academics.

Personally Identifiable Information (PII)

No matter how you vote privacy is always a concern. Data thieves and hackers collect PII, or data points that, when combined, can steal someone’s online identity.

Examples of PII include your Social Security Number (SSN), credit card number, financial account numbers, email address, date of birth (DoB), maiden name, and much more. When combined with other readily available information, such as social media profiles, real-world identities are quite vulnerable.

Consider the Virginia Department of Elections registration website: here, you must provide your full name, address, driver’s license or state ID number, SSN, and DoB -- just to get the process started.

The U.S. Government has a mixed record on PII. There are official guidelines such as the Privacy Act of 1974, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act (FCRA), and the California Consumer Privacy Act (CCPA). But there are also spectacular failures such as the 2015 Office of Personnel Management (OPM) data breach, where millions of sensitive personnel records were stolen by foreign spies.

Securing Information & Elections

Information Security, or InfoSec, focuses on mitigating the unauthorized disclosure, disruption, deletion, and devaluation of data, including PII. It encompasses both physical and electronic protections for the CIA of data: confidentiality, integrity, and availability.

Within any enterprise (e.g. election infrastructure), InfoSec experts must identify information assets, evaluate vulnerabilities, create policies, manage security infrastructure, define access controls, educate employees (e.g. voters), and much more, all while retaining business efficiency and productivity.

During any high-profile event such as an election, all of these challenges are harder, because hackers and their malware are tailored to the operation at hand. Key personnel, individual states, and even national electoral infrastructure will be targeted.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is preparing for a wide range of cyber threats including spoofed Internet domains, disinformation, foreign intelligence operations, distributed denial-of-service (DDoS) attacks, insufficient access to voting information, false claims of hacked voter information, and more.

Very Good Security

Securing U.S. elections, and voter PII is a strategic challenge. The warnings of both academic dons and hacker conferences like DEFCON have been heard loud and clear, even on Capitol Hill. DARPA is even working on prototype unhackable solutions, but the fulfillment of its dreams still lies in the future.

Our company, Very Good Security, has adopted a revolutionary approach to this challenge called Zero Data™. We have built a multi-layer security platform on a core foundation of proxy protocols and aliases that enables you to collect, protect, and exchange sensitive information, like PII, without ever touching the original data. Further, because your sensitive information is protected within our secure vaults, the liability for a data breach shifts from your organization to VGS.

vgs

Try VGS at no risk. Because guess what: you can't hack (or leak) what isn't there.

Ken Geers Kenneth Geers, PhD

Information Security Analyst at VGS

Share

You Might also be interested in...

payments-default

Payment Gateway: Secure your E-commerce Transactions Correctly

Hoang Leung November 5, 2020

pci-violation

You’ve Been Notified of a PCI DSS Violation: Now What?

Stefan Slattery October 15, 2020

QSA

Enhancing PCI Qualified Security Assessor (QSA) and Customer Relations

Stefan Slattery October 8, 2020