Foreign interference is old news. So is poor data security.

Mikey Dickerson
Oct 23, 2020

The FBI and DNI called a news conference Wednesday, but unfortunately, they forgot to bring the news. Instead, they told us that foreign countries have obtained voter data for the purpose of interfering with our election.

On the topic of foreign interference, the willingness and ability of hostile nations to attack our electoral process is no secret. The US Intelligence Community Assessment attributing the infamous 2016 hacks of the Clinton campaign and DNC was declassified and published while I was still in the Obama administration, which feels like 3,000 years ago. Dozens of outlets before and after the election reported that Russia also attacked state and local governments, making off with assorted bundles of sensitive, non-public information (such as Illinois drivers’ licenses), and modifying voter registration data. Eventually, the Senate Intelligence Committee grudgingly admitted that the Russian effort targeted all 50 states, a systematic attack nothing like the isolated incidents that the US government first tried to portray. If anyone has just found out this week that Russia and Iran are actively attacking the 2020 election, well, they are really going to be upset when they hear about this new virus.

Regardless of foreign actors, it’s worth thinking about the tradeoff between privacy and transparency that is baked into the election process. Maintaining confidence in the process requires access and accountability, and there is a lot of election data that is, rightfully and by law, in the public domain and useful for many legitimate causes. When it’s obtained through the public process, and exploited by bad actors, there’s not much we in the industry can do. But we can and must protect our own data and derivative products, which are far easier to use. (We would know; we just spent two years compiling and cleaning those public records.) It’s important to us that no one on the Democratic side repeat the sorry episode from 2017, when a trove of personal data on 198 million voters was carelessly left exposed by a Republican data vendor.

To that end, Alloy rigorously applies industry best practices to control and audit access to our production systems, and protect our data in transit and at rest. We expect the same care from our customers, and those building applications that use Alloy data. In that spirit, we thought we would share a few specific recommendations that we have found to be the most important:

  • A password manager is a must. It turns out that it does not, actually, require a 197 IQ to guess that your Twitter password is ‘maga2020!’.
  • A physical “security key” token (sometimes called FIDO, U2F, WebAuthn, or YubiKey) is necessary for high-leverage access points, such as your Facebook ad account or AWS root account. Usability on these has improved since 2016 — they even work on iOS now. When we heard many state parties couldn’t afford YubiKeys last year, we brought them to one of their annual gatherings, because in this ecosystem, we all have to support each other.
  • We use ChromeOS (Pixelbooks) for all of our employees. Yes, the engineers use them. Yes, the designers use them. No, they don’t love it. You give up some power and access to familiar tools. We made this tradeoff to gain the significant improvement in safety against malware and browser threats.
  • Our CISO, Alex Gaynor, co-created an open source component that enables you to use a TOTP key (aka “Authenticator app”) to obtain short-lived certificates for SSH logins. Please take advantage if it applies in your environment.
  • Remember that your personal accounts are no less important than your official ones.

Alloy is dedicated to providing the best data and technology to progressive causes and campaigns working to strengthen our democracy. Safeguarding our accounts is vital to our mission.

By Alloy
