Thursday, April 16, 2020

The upcoming election in the face of COVID-19

I was interviewed by David Troy of TEDx MidAtlantic about the issue of the upcoming election in the face of COVID-19. We discussed the options of "vote by mail" and electronic voting (link to interview). Here's a summary of my thoughts:

Voting by postal mail is an increasingly attractive option for the upcoming November election. While “vote by mail” systems have several drawbacks, in the face of COVID-19 and the need to keep a safe distance among people, this option may be the least unattractive. It is important to note that a state that planned on having a poll site election may not be able to automatically and easily switch over to a mail-in system overnight. There are many logistical issues that need to be addressed. One of the challenges faced by election officials is that at the moment, it is not clear if the pandemic will subside before November. Given that it could take months to switch from the current plans to a mail-in system, state officials would have to start planning the change now, without knowing for sure if they will need to switch.

“Vote by mail” provides opportunities for vote selling and voter coercion. For example, a spouse or employer may have the ability to pressure someone to vote a certain way. Furthermore, the postal system is not immune to tampering. Still, wide-scale wholesale fraud is probably more difficult to achieve in a mail-in system than in many other systems such as fully electronic or Internet-based ones. In the current crisis we face, we may need to give up on the perfect for the sake of the good (or the least bad) and switch the country over to mail-in voting for this upcoming election. We still have over 6 months, and hopefully that is enough time for states to take the steps that they need to achieve this change. Several states already vote by mail, and those states’ officials can provide guidance to states that want to switch over for this coming election.

There is a risk that if many states switch over to vote by mail, they will make the switch permanent. It would be a shame if future elections eliminate poll site paper-based voting because of this one-time necessary adjustment we have to make this year. However, we should focus right now on November, 2020. We’ll have plenty of time to worry about future elections. Hopefully, we will be rid of this pandemic and will be able to focus on providing the best possible election system in 2022 and 2024.

Wednesday, February 26, 2020

Testifying in Annapolis in the Senate and then the House about IoT Security

Last week I testified at a hearing in Annapolis in the state Senate Finance Committee on SB 443 Consumer Protection - Security Features for Connected Devices. Today, I testified in the state House of Delegates in the Economic Matters Committee on the House version of the bill, HB 888. The two bills are identical, and my written testimony is here.

The bill is very simple. It requires that connected devices, IoT devices, either have a unique, per-device key/password, or that the owner be required to change the password at first usage. The idea is that there would no longer be default passwords in use for a particular model of IoT device. In general, I think that this is a very good idea. Personally, I would like to see the bill go further. There could be some guidelines for strong passwords and other security features such as delays after a certain number of incorrect password attempts. But, I'm thrilled to see that Maryland is following in California's footsteps and introducing this type of legislation.

I found the experience of testifying in the Senate Finance Committee starkly different from that in the Economic Matters Committee in the House. The Senate committee heard 13 bills that day and took almost 3 hours before they got to ours. I was on a witness panel with Joseph Jerome, Director of Multistate Policy at commonsense.org, Katie McInnis, Policy Counsel for Consumer Reports, and Holly Jacobs from the state attorney general's office. All of the panelists were well spoken and compelling. Not surprising considering that we were just saying that there should be a minimum baseline of security in connected devices. I found the senators to be engaged but not very knowledgeable about technology. In particular, one senator who dominated the questioning seemed particularly clueless and slightly hostile to the bill.

The House Economics Committee heard 6 bills today. Ours was the fourth. I found the testimony on the first three bills incredibly interesting as they dealt with consumer privacy. One bill addressed breach notification. The other two dealt with storage of biometric data and location information. There was some minor opposition to the bills, mostly procedural, as the opposing witnesses requested that the efforts on these bills be merged into a comprehensive privacy and security law that would address all of the issues, rather than having piecemeal legislation. This seemed perfectly reasonable to me.

There were only two of us on my panel today, Katie McInnis from Consumer Reports and me. Katie spoke about the importance of protecting IoT devices as consumers are adopting more and more of these. She spoke about 19 documented hacks in December. The delegate who introduced the bill, Ned Carey, showed a video from the evening news of a hacker speaking to a little girl through a compromised Ring doorbell. I basically summarized my written testimony, but I also had received a link to a story earlier today about a major WiFi compromise, and I included a summary of this and how it relates to the current bill in my testimony. These IoT compromises are so common that there was a major story the very day of the hearing.

I was pleasantly surprised by the level of discussion in the Q&A. Unlike their colleagues in the Senate, the delegates were very knowledgeable about technology, IoT and security and privacy. They not only got it, but they chimed in with anecdotes of their own, and it was clear to me that this bill is very popular with the committee.

I always find it interesting to see how laws are created. While there is currently tremendous partisan gridlock in Washington, and I'm sure at the local and state levels as well, I was fortunate to not see any such issues in the two hearings. At least everyone seems to be in agreement that we need to do more to protect online connected devices.