Analysis: Iowa Election App Missteps episode artwork

EPISODE · Feb 7, 2020

Analysis: Iowa Election App Missteps

from Info Risk Today Podcast · host InfoRiskToday.com

The latest edition of the ISMG Security Report offers an analysis of the missteps that led to problems with the app used in this week's Democratic presidential caucuses in Iowa. Also featured: growing privacy concerns about facial recognition and business continuity tips for dealing with the coronavirus.

Episode metadata supplied by the publisher feed · Published Feb 7, 2020

The latest edition of the ISMG Security Report offers an analysis of the missteps that led to problems with the app used in this week's Democratic presidential caucuses in Iowa. Also featured: growing privacy concerns about facial recognition and business continuity tips for dealing with the coronavirus.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Analysis: Iowa Election App Missteps

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

The Iowa caucus apps potential for hacking, concerns regarding search engines for faces, and to 10 steps to ensure business continuity from the coronavirus outbreak. These stories and more in this week's ISMG Security Report. Hello, I'm Nick Holland. If the Iowa caucus debacle caused by a malfunctioning mobile app is anything to go by, or a pre-bumpy ride with the upcoming election reporting, not only did the app crash causing a significant ongoing delay in reporting of results, but the app itself was found to be vulnerable to hacking due to a lack of transmission safeguards, according to experts at Vertcode.

So it's more his ISMG's language editor security and technology, Jeremy Cook. If the Democratic Party's experiment with a new tabulation app during the Iowa caucuses is the warm-up for a nutty mix of voting and technology this election year, then we're in for a ride. But what happened in Iowa isn't a technology problem, where it is, on the surface. But the greater one is that it's a human problem, and one that's rooted in a failure to properly evaluate risk.

Iowa's much-anticipated caucus results were delayed after a mobile app commissioned by Iowa's Democratic Party malfunction, and the app was designed to let precinct officials more quickly report results. But a variety of problems emerged. The app couldn't be downloaded. If it was downloaded, it wouldn't start, or people couldn't log in.

However, there doesn't appear to be any evidence or hacking at this point. The app was developed by Colorado-based Shadow Inc, which describes itself as a for-profit technology consultancy for political campaigns. Company is now apologized. The existence of the app only came out a few weeks ago.

At that time, it was unknown who developed the app, whether it had been adequately tested or even audited for security vulnerabilities. NPR reported that Iowa's Democratic Party didn't want to reveal more information for fear of helping hackers. Now, as we all know, the security-by-of-security approach is exactly the wrong one, and one that rarely results in positive security outcomes. Any application that has a role in election infrastructure should be open for inspection and audits by wide community of experts.

And the message from computer security experts has been clear, using the internet or even computers as part of any sort of voting system is inherently dangerous these days. Network connectivity opens up all the usual vectors for attack, and electronic voting machines have long been found to be vulnerable. But what's most concerning about the Iowa situation is that despite heightened awareness around election security and interference over the last four years, leaders aren't making the right decisions about risk. The first caucus of the 2020 election season isn't the time to hastily deploy a new app that will be relied upon to deliver accurate results.

That's purely a call made by humans. The states are too high to deploy something faulty. It's almost as if Iowa's Democratic Party didn't ask itself, what if this all goes poorly? Luckily for Iowa, there's a tried-and-true backup paper.

The caucus results recorded on paper, which once counted, will provide reliable results. So the lessons of Iowa are already being acknowledged. Nevada State Democratic Party had planned to use a similar app as the one that Iowa used but has scrapped it. That's the right decision, but one that's only been made in light of Iowa's woes.

Let's hope the political parties and election officials haven't taken on other secret risks this election season. For Information Security Media Group, I'm Jeremy Kirk. You're listening to the ISMG Security Report on ISMG Radio, ISMG, your number one source for information security news. The combination of facial biometrics with AI is a growing cause for concern, partly because it's all well in undertones, but perhaps more so because it's actually coming to fruition with search engines that are scraping publicly available photographs from social networks and other sites and then using them for facial recognition purposes.

One of these is Clearview AI, a company that has scrapped billions of online faces thus far. With the story, it's about some of these executive editors today to breach today in Europe, Matthew Shorts. What he called Clearview AI is causing waves by offering what it says is a search engine for faces. The company says its product is used by more than 600 law enforcement agencies.

Its pitch is that it's scraped 3 billion public internet images from such sites as Facebook, YouTube, Twitter, and Venmo to produce its search engine for faces that has a claimed accuracy rate of 99.6%. Right now, we have billions and billions of images from millions of different websites all across the open internet. That's Clearview's founder, an Australian man called Hongtant, speaking with CBS News. He argues that what his New York-based company provides is a biometric version of the Google search engine.

Google can pull in information from all different websites, so if it's public, you know and it's out there and it can be inside Google search engine, it can be inside ours as well. Hongtant also says his company is only offering its services to law enforcement. Critics, however, said that could easily change in the future. The company's business practices first came to widespread light via a New York Times report last month.

Federal and state law enforcement officers told the newspaper that while they didn't know how Clearview works under the hood, they had used its app to help solve shoplifting, identity theft, credit card fraud, murder, and child sexual exploitation cases. The Times also reported that Clearview is planning future features, such as compatibility with virtual reality glasses, to enable real-time facial recognition in the field. After the report appeared, however, condemnation of Clearview by privacy experts and some government officials was swift. Questions also persist over the ethics of what it's doing and how it might be used for mass surveillance.

Already, a class action lawsuit has been filed against the company alleging that it violates Illinois state laws concerning biometric data. New Jersey banned all police and estate from using the technology pending an investigation into what safeguards are in place to governance use. And Facebook and Twitter have both said that the company's scraping violates their terms of service. Massachusetts Senator Edward Markey says the company's product appears to pose particularly chilling privacy risks and says he is deeply concerned that it is capable of fundamentally dismantling American's expectation that they can move, assemble, or simply appear in public without being identified.

He's written to the company, seeking answers to multiple questions, including the names of all of the law enforcement agencies currently using the tool. Montin says, legally speaking, however, he believes his company is in the clear. There is also a First Amendment right to public information, so the way we have built our system is to only take publicly available information and index it that way. Many legal experts agree, saying that while products such as Clearview might be creepy at an actual level at least, they're not illegal.

But Clearview's practices reveal a bigger problem, which is that any startup that's able to scrape this much data could potentially use it to train neural networks and build similar facial recognition tools. Technology giants might argue that this violates the terms of service, but what's to stop future companies, or even on friendly governments, from doing the same. On a potentially related note, this week a team of researchers at Facebook say that they've created a system designed to watermark images in a way that allows them to track whether the image was used to train a neural network. Such machine learning training involves fingerprinting images, so a system can find an optimal way, for example, to identify different individuals' faces.

But the system designed by the Facebook researchers has created watermarks that are also fingerprinted by the neural network. While that's no outright solution to the problem of big data biometrics, companies scraping billions of public-facing images, this approach might at least allow researchers to identify when large sets of images have been used to train neural networks. For a full fix, however, including on the privacy front, at least in the US, legal experts say lawmakers would probably have to pass a federal privacy law that prohibits the mass scraping of images to feed facial recognition systems. But until and unless Congress acts, expect to see many more clear views.

For Information Security Media Group, I'm Matthew Schwartz. In the realm of cybersecurity, viruses are typically the electronic kind, impacting computer networks and data. But biological viruses should also be a serious consideration for business continuity, as the impact of the coronavirus continues to spread. In the context, I have some G's SVP of editorial, Tom Field, spoke this week with Regina Phelps, found over emergency management and safety solutions, and an internationally recognized expert in the fields of crisis management, exercise design, and business continuity and pandemic planning.

Tom asked Regina, what business continuity teams should be considering for organizations today to prepare for potential impacts? Who's her response? That's a really great question. So first of all, I want to really build off your comment about media.

When you're gathering a situational awareness, and situational awareness is simply defined as what's going on right now, is that you need to be highly sensitive to the information that you're receiving. And what you need to do is that you need to really look carefully at all information that you're thinking of producing and sending forward. So our general rule in our client population is that we want to always, always have at least two sources or three to validate any information. I don't pull anything off of social media without doing triple validation.

There are so many crazy theories right now about the coronavirus, anything from the CIA releasing the virus into the United States to things such as rats from level four labs in Wuhan being released causing this particular outbreak and a zillion others. So you need to really be careful in your situational awareness. So that's the first thing I would just say to you. For what business continuity and individual should be doing at their company, what I would really say is I got kind of 10 things that are on my shopping list for people to be doing right now.

They should be working their infectious season pandemic plan, so hopefully they got that in their hot hands, they're revising it and modifying it in real time. If they don't have one, they need one. So they've got to have some idea of what they're going to be doing with their organization and that needs to be in a very thoughtful way. The second thing is that they really need to be developing regular and very likely daily situation status reports for the crisis management team and the executive team so that there's a uniform piece of information that everybody is using to make decisions about.

And if you're looking for a sample or an idea of what a good sit stat report looks like, I would direct your attention to the WHO website. They actually done a lot of work to turn their current sit stat report into really a fine document and it's a great template to consider when you're actually looking at what you would do yourself. The third thing is you've got to be looking at your supply chains and many companies are acutely doing that already and many might be sitting back thinking, well, you know, it's not going to really impact us at all. I would not be so sure.

You can find a mask anywhere in the United States right now, try to find gloves, just basic things are almost impossible to find and that could happen to you as well in other parts of your company. The fourth thing I would say to you is I would really encourage you to be communicating with your key stakeholders about what your plans are and what's going on with you. You certainly want to be communicating with your employees, but also you should be ready from an investor relations perspective to your key customers to talk about what your status is and what's going on. Many of my clients are being approached as a third-party vendor, for example, to understand what's going on with their response or what kind of impact they're having.

So that should be something that should be standard talking points that everybody should be using to talk about the same thing going on, so you don't have miscommunication. So the communication in your stakeholders is super important. The fifth thing I would say is that you should really be educating your employees on what I would call smart health habits. I mentioned that earlier.

And hopefully you're doing it anyway because it is flu season, so good hand-watching, cough hygiene, and really telling people to stay home when they're set. We don't need coughing hacking people at the office. I would also include, number six would be marketing importance of your company emergency notification system. Hopefully you have an emergency notification system, but that is only as effective as the information that's in it.

So an emergency notification system, as you know, can be used to send out emergency messages to your employees with a flick of a switch and contact everybody simultaneously. But of course, it's only as good as the contact information that you have, and if it's not reliable or accurate, then it's a problem. So you want to make sure that that's really refreshed. On my list, I would say number seven is you should be pulling out your BIA's and your business company plans, so your business impact analysis and your business company plans.

And I would look through everything through the lens of an infectious disease. What are the potential impacts? And many times, business company plans are really not written for something like a large number of people not being able to come to work or not able to work. Number eight on my list is I would really encourage you to reach out to all your critical third-party vendors is super common now around the world.

Everybody is very reliant on other companies to provide services for them. And what's going on with them? And what kind of plans do they have in place? And what's going on with their perspective of this disease outbreak?

If your third-party vendor is critically impacted, that could be a huge issue for you. And so do not be flat-footed. I'd be reaching out to all of them right now. You should inventory number nine.

You should do an inventory of your personal protective equipment, mask, gloves, hand sanitizers, for states-wise. Really hard to get masks. Really hard to get gloves right now in the U.S. And there's a reason for that.

Not only are people panicked and everybody buying them, but guess where they all come from? Yes, China. I think 90% of all the masks made are made in China now in the United States. So that could actually be a crisis in health care if we run out of those things for hospitals and people that need them on a daily basis.

And the last thing I would really encourage all of your information security professionals to really increase your screening. There are a ton of new scamming and new hacker efforts now using the virus actually as a way to build off people's anxieties. There's fake websites. There's phishing emails about more information on the coronavirus, there's all kinds of hoaxes.

And I've had some of my CISO buddies say to me that that's become a problem because people are building off the anxieties that we all have. And so, again, hackers and scammers look in the news and they're just smart like anybody else and they should try to take an opportunity and work it. So those are 10 things I would recommend all your folks to do right now.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on February 7, 2020.

What is this episode about?

The latest edition of the ISMG Security Report offers an analysis of the missteps that led to problems with the app used in this week's Democratic presidential caucuses in Iowa. Also featured: growing privacy concerns about facial recognition and...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!