December 22, 2024

Archives for 2008

Targeted political spam

I’ve complained about spammers before, but this one is new. I recently received a spam that supports the case of Michael Skelly for Congress, saying negative things about incumbent John Culberson. What’s interesting: this is my home precinct. These people are actually competing for my vote. This leads to the question: how on earth did the Skelly people manage to map my work email address to my home mailing address? Is there a database out there that they used? Maybe they just spammed everybody at my employer, since this particular Congressional district includes our campus; all of our students, in our dorms, who are registered locally will be voting in this particular race.

Part of me wants to bias my voting decision against the idiot candidate who thought that email marketing was a good way to efficiently reach voters. Sadly, that decision will have to be based on more substantial issues, like which candidate I think will perform better in Congress. Instead, I’m going to direct my fire at VerticalResponse, the service provider who the Skelly campaign used to send me the spam. According to their anti-spam policy,

VerticalResponse has no tolerance for the sending of spam and unsolicited mail, and we prohibit the use of third-party, purchased, rented, or harvested mailing lists. Any customer found using VerticalResponse to send such mail is banned from the use of our service.

VerticalResponse takes several steps to keep abuse to a minimum. Among other things, we:

– Interview new clients about both the origins of their mailing lists and their marketing practices. Clients who do not meet our standards are not allowed to use the VerticalResponse service.

– Read most emails before they can go out the door. Email sent through our system goes to a staging area where it is looked over by a member of the VerticalResponse staff. If we have any concerns, the mailing is stopped and we contact the client.

Really? I find that impossible to believe. In what way could any reasonable human have decided that a blob of partisan political attack messaging being delivered to what we can only presume is a non-trivial mailing list is, in any way, anything other than gratuitous spam? For the record, I have never supported either the Democratic or Republican parties financially. I am not a member of either party. The only possible way my email address could have been used is that it was either harvested in bulk, along with other Rice email addresses, or perhaps more charitably, if somebody thought “ahh, that Prof. Wallach seems like he’d be interested political propaganda from our party and/or candidate.” Neither one would appear to be compatible with VerticalResponse’s stated anti-spam policies.

I’ll also note that, while VerticalResponse provides a one-click way for me to opt out of this particular spam source, they provide no way for me to opt out of any other future source or otherwise specify any sort of policy from my end. There’s no way, short of training my spam filter, for me to say “I never want to receive email from VerticalResponse, ever again.” Surely, I figured, I can’t be the first person to complain about them, yet a Google search on any of the usual terms didn’t find anybody else complaining like this.

Instead, I started digging through my historical email. It appears that there have been a handful of VerticalResponse “campaigns” that I considered to be non-spam and have kept. One series of non-spam messages were from a house builder who I thought I might want to use at one point. Another was an update notice for a web service that I use. Historically, I’ve reported one other spam to them, via their abuse email address. They stated, in response, that they removed me from that particular mailing list and would investigate the infraction. I received no subsequent email about the resolution of that case.

Of course, that’s far from everything. Generally, when I get these things, I generally just click the “unsubscribe” link, retrain my spam filter, and move on with life. I haven’t kept count of how many such spams I’ve treated this way.

I did a similar search through my old mail for ConstantContact, one of VerticalResponse’s competitors. I found not a single email, from them to me, that I had kept, although several were forwarded to mailing lists that I archive, so those I kept. I have no records of having ever contacted their abuse department.

Does this mean that one vendor is more spammy than the other, does it mean that one vendor just has more market share than the other, or does it mean that my spam filter is removing more of this stuff before I have to look at it? It’s hard to say without more data.

Okay, big policy question: given that political campaigns and everybody else on the marketing side of the equation deeply loves the idea of targeted email marketing campaigns, how should we accommodate them? Should they be required to provide better proof to to firms like VerticalResponse or ConstantContact that their email addresses were harvested in some proper fashion? How on earth could they actually do such a thing? Short of having users opt-in directly at the email distribution service, everything else boils down to the email service taking the marketer at their word, which seems about as likely to be true as those “no documentation required” mortgages.

Maybe the answer is for “ethical” email distributors to pay fees, per message, perhaps as a government tax. Call it “spam postage”, and tweak the fee structure so the sender ends up paying more money when the recipient hit the “unsubscribe” or “abuse” button. First off, by adding a real monetary expense to the process, senders might be incentivized to reduce their mailing lists. The penalties incentivize them to cull their lists down to their true supporters. The only problem with a structure like this is that it tends to push email marketers away from “ethical” email distribution services and toward either do-it-yourself solutions or toward shady vendors who don’t charge the postage fees. (And, we all know that the real-money postage costs of physical mail do seemingly little to deter all the paper spam that we receive.)

For better or for worse, we’ll never get rid of email spam. Maybe we can filter out recurring messages from Nigerian dictators or overseas pharmacies, but no training-based spam filter is going to be able to learn every new thing to come down the block when it’s still new. The only thing that will ever truly work is if and when people just stop paying attention.

[Sidebar: so how should a political campaign effectively reach people like me to convey their message? I tend to go out and surf their web sites, read their policy papers, and I pay attention to the endorsements of newspapers, bloggers, and others who I trust. For the “down-ballot” races, I tend to spend some quality time with the non-partisan League of Women Voters guide. The LWV asks candidates to respond to a variety of relevant questions, but space constraints limit the answers. An online version could presumably give the candidates space to really explain their positions (and/or firmly demonstrate their lack of clue). At the end of all that, I make a cheat sheet with my favorite candidates and bring it with me to the polls.]

What Your Mailman Knows (Part 1 of 2)

A few days ago, National Public Radio (NPR) tried to offer some lighter fare to break up the death march of gloomier stories about economic calamity. You can listen to the story online. The story’s reporter, Chana Joffe-Walt, followed a mail carrier named Andrea on her route around the streets of Seattle. The premise of the story is that Andrea can measure economic suffering along her mail route–and therefore in that mythical place, “Main Street”–by keeping tabs on the type of mail she delivered. I have two technology policy thoughts about this story, but because I have a lot to say, I will break this into two posts. In this post, I will share some general thoughts about privacy, and in the next post, I will tie this story to NebuAd and Phorm.

I was troubled by Andrea’s and Joffe-Walt’s cavalier approaches to privacy. In the course of the five minute story, Andrea reveals a lot of private, personal information about the people on her route. Only once does Joffe-Walt even hint at the creepiness of peering into people’s private lives in this way, embracing a form of McNealy’s “you have no privacy, get over it” declaration. In the first line of the story, Joffe-Walt says, “Okay before we can do this, I need to clear up one question: Yes, your mailman reads your postcards; she notices what magazines you get, which catalogs; she knows everything about you.” The last line of the story is simply, “The government is just starting on its $700 billion plan. As it moves forward, Wall Street economists will be watching Wall Street; Fed economists will be watching Wall Street; Andrea will be watching the mail.”

There are many privacy lessons I can draw from this: First, did the Postal Service approve Andrea’s participation in the interview? If it did, did it weigh the privacy impact? If not, why not?

More broadly speaking, I bet all of the people who produced or authorized this story, from Andrea and Joffe-Walt to the Postal Service and NPR, if they thought about privacy at all, engaged in a cost-benefits balancing, and they evidently made the same types of mistakes on both sides of that balancing that people often make when they think about privacy.

First, what are the costs to privacy from this story? At first blush, they seem to be slight to non-existent because the reporter anonymized the data. Although most of the activity in the story appears to center on one city block in Seattle, we aren’t told which city block. This is a lot like AOL arguing that it had anonymized its search queries by replacing IP addresses with unique identifiers or like Phorm arguing that it protects privacy by forgetting that you visited Orbitz.com and remembering instead only that you visited a travel-related website.

The NPR story exposes the flaw in this type of argument. Although a casual listener won’t be able to place the street toured by Andrea, it probably wouldn’t be very hard to pierce this cloak of privacy. In the story, we are told that the street is “three-quarters of a mile [north] of” Main Street. The particular block is “a wide residential block where section 8 housing butts against glassy, snazzy new chic condos that cost half-a-million dollars.” Across the block are a couple businesses including a cafe “across the way.” Does this describe more than a few possible locations in Seattle? [Insert joke about the number of cafes in Seattle here.]

It’s probably even easier for someone who lives in Seattle to pinpoint the location, particularly if it is near where they live or work. For these people, thanks to NPR, they now know that in the Section 8 building lives “a single mom with an affinity for black leather is getting an overdraft notice” and a “minister . . . getting more late payment bills.” The owner of the cafe has been outed as somebody who pays his bills only by applying for new credit cards. If you lived or worked on this particular block, wouldn’t you have at least a hunch about the identities of the people tied to these potentially embarrassing facts?

Laboring under the mistaken belief that anonymization negated any costs to privacy, the creators of the story probably thought the costs were outweighed by the potential benefits. But these benefits seem to pale in comparison to the privacy risks, accurately understood. What does the listener gain by listening to this story? A small bit of anecdotal knowledge about the economic crisis? A reason to fear his mailman? The small thrill of voyeurism? A chance to think about the economic crisis while not seized by fear and dread? I’m not saying that these benefits are valueless, but I don’t think they were justified when held against the costs.

Independent Voters Disenfranchised in Louisiana

Louisiana held a Congressional primary election on October 4th, 2008. In the 4th-Congressional-district Democratic Primary, there were four candidates; the two candidates with the most votes advanced to the runoff. The margin between the second (advancing) candidate and the third (nonadvancing) candidate was 1,484 votes. But, as I will explain, at least 2,167 voters, and probably more than 5,000 voters, were wrongly prevented from voting in the Democratic primary. This disenfranchisement appears to result from incorrect or unclear instructions given by the Secretary of State to the pollworkers at all the individual precincts.

In Louisiana the Republican Party held a closed primary; that is, only those voters registered as Republicans could vote. The Democratic Party held an open primary; that is, the party allowed Democratic and Independent voters to vote in the Democratic congressional primary. Members of the Green Party, Reform Party, and Libertarian Party were not permitted to vote in the Democratic Primary. However, there were some races on the ballot other than the Congressional Primary election: for example, any voter in Shreveport could vote in the election for City Marshal.

On election day there were reports that when Independent voters pressed the button on the voting machine for a candidate in the Democratic congressional primary, nothing happened. In effect, these voters said that they were prevented from voting in the Democratic Congressional primary. This did not conform to the election law, because it did not respect the Democratic Party’s choice to hold an open primary.

Caddo Parish, in the 4th Congressional district, uses Sequoia AVC Advantage version 9.00H direct-recording electronic voting machines. I am very familiar with this model of voting computer, since I performed an in-depth study of these machines in New Jersey. The way these AVC Advantage voting computers work in a Louisiana primary election is this: Each voter, when he or she signs in to vote, is handed a ticket. The ticket indicates which primary election the voter is entitled to participate in. When the voter hands this ticket to the Commissioner (pollworker) who stands by the voting machine, the Commissioner presses an “option switch” button that selects which contests on the ballot that voter is permitted to vote in. The “option switch” button is sometimes called a “lockout” button, because it “locks out” some contests from the voter. For example, if the voter hands in a ticket marked REPUBLICAN, the Commissioner presses a REPUB lockout button. Then the Democratic primary ballot is “locked out” (so those buttons have no effect), and the Republican primary ballot is active. Or, if a registered Democrat approaches the polls, he or she gets a ticket marked DEMOCRAT: the operator pushes the DEM lockout button. This locks out the Republican primary ballot, and activates the Democratic primary ballot. Finally, a registered voter in the Green Party, Reform Party, or Libertarian party gets a ticket marked “No Party.” The Commissioner then presses the option switch marked “Others.” This locks out both primary ballots, so this voter can vote only in contests such as City Marshal.

With this combination of technological setup plus election law, it is clear that the pollworkers at the sign-in desk should hand Independent voters a ticket marked “DEMOCRAT.” Only this way can they vote in the Democratic primary. It won’t do to hand them a ticket marked “No Party” and then have the Commissioner press the “DEMOCRAT” button, because this solution won’t properly handle the Green, Reform, and Libertarian voters. So the question is, “Did the Secretary of State effectively instruct and train the Commissioners so that Independent voters were permitted to vote in the Democratic Primary?” He did not, as I will show.

When the polls are closed, the AVC Advantage prints out a paper tape (like a cash register tape) listing how many votes each candidate got. But in addition the computer prints out a list of “Option Switch Totals”, indicating how many voters were permitted to vote in each of the primary elections on the ballot. That is, the “Option Switch Totals” show how many times the Commissioner pressed each one of the the “DEM”, “REPUB”, and “Others” buttons.

On October 15th, 2008 I visited Caddo Parish’s voting-machine warehouse in Shreveport. I examined all the paper-tape “results report” printouts from the approximately 400 voting machines used in the entire Parish (a parish in Louisiana corresponds to a county in other states). I added up how many voters voted with the “Other” option-switch setting. All of these voters were “locked out” of both the Democratic and Republican Congressional primaries.

In all, 2,167 voters in Caddo Parish voted with the Other option switch. These voters were not able to record a vote in either the Democratic or Republican party primary, that is, they were “locked out” of voting in the Democratic Congressional Primary. The vast majority of these 2,167 locked-out voters are Independents, because Party registration for the Green Party, the Libertarian Party, and Reform Party is negligible. For example, the Green Party has only 1,064 registered voters in the entire State of Louisiana (7 Congressional districts). In contrast, there are about 80,000 Independent voters in the 4th Congressional district alone. Thus, almost all of the 2,167 voters in Caddo Parish who were locked out were almost certainly Independents.

Some independent voters approached the polls and were told that independent voters were not permitted to vote in the Democratic Congressional Primary. Some of these voters left the polling place without signing in to vote. These voters were disenfranchised as well, in addition to the 2,167 that we can count in the option-switch numbers.

Caddo Parish contains about 40% of the voters of the entire 4th Congressional district. If the same proportion of Independent voters were locked out of the Democratic primary in the other parts of the district, that means that more than 5,000 Independent voters were illegally disenfranchised from voting in the Democratic primary. Since the margin between winning and losing candidates was 1,484, that means the number of disenfranchised voters was larger than the margin of victory. Those voters could have changed the outcome of the election, if they had been lawfully permitted to vote.

Louisiana holds its runoff primary election (for both parties) on November 4th. Once again, the Democratic Party is holding an open primary, and the Republican Party is holding a closed primary. I urge the Secretary of State of Louisiana to give clear instructions to Commissioners of precincts, as follows:

“Independent voters are to be given a ticket marked DEMOCRAT. Democratic voters are to be given a ticket marked DEMOCRAT. Republican voters are to be given a ticket marked REPUBLICAN. Green Party, Reform Party, and Libertarian Party voters are to be given a ticket marked NO PARTY.”

Kentucky vs. 141 Domain Names

Yes, that is a title of a real, current legal case and controversy.

(And, no, the links in this post are not spam… mostly gambling news sites seem to be reporting on this.)

The Governor of Kentucky, through his Justice and Public Safety Cabinet, has moved in court to have 141 gambling-related domain names transferred to the Kentucky state government, partially because other legal gambling operations in Kentucky, like horseracing, lose revenue to online gaming. Yes, you read that right: by allegedly violating KY law, the state can move to have property used in these unlawful acts transferred to the state. In this case, the “property” in question is the domain names themselves.

This case is definitely novel in the realm of cyberlaw, but also is a bit controversial for how it originally proceeded. At first, the state met with the judge in a unilateral hearing where the judge granted a seizure order directing the registrars of each domain name to transfer the domain name to the state of Kentucky (a few registrars transferred the domain names immediately upon receiving the order). The judge also then established a date for a forfeiture hearing (think of it as a last chance opportunity for affected parties to appear and dispute the seizure of their property). A phalanx of attorneys for various gambling outfits (presumably, see below) as well as industry and players associations showed up to this original hearing. The judge decided to accept briefing on the various issues presented; his order was due on Wednesday but was delayed until yesterday due to a computer glitch.

Judge Wingate’s order was handed down on Thursday. There’s so much interesting stuff in this case, perhaps it deserves a few more posts; I’d like to highlight a few things:

  • Identifying parties — For obvious reasons related to gambling being illegal in many parts of the United States, many of the 141 Domain Names defendants don’t want to be identified. However, to have standing — that is, to be able to present a legal argument as a direct party to a case — one needs to have an attorney and be identified as one of the named defendants (or anyone could make the case).
  • Domain names as property — Are domain names more like an address or phone number or are they more like a piece of physical property? Here the judge relies on a case from the 9th Circuit in California, Kremen v. Cohen 337 F.3d 1024 (9th Cir. 2003), where Justice Kozinski had to decide if a domain name was property that could be stolen under California law. That case established an “attributes test” for intangible property that includes 1) is there an interest capable of precise definition? 2) can it be excluded from possession or otherwise controlled? and 3) can the purported owner establish a legitimate claim to exclusivity? Applying this test (and some additional muddled reasoning), Judge Wingate found that domain names are indeed intangible property.
  • Devices and chance — The state maintains, and presented expert testimony to the effect, that domain names are a “device or transport device allowing Kentuckians to engage in internet gambling.” In my opinion, this is where Judge Wingate goes a bit off the deep end. The part of Kentucky law that defines a “gambling device” (KRS 528.010 (4)(a) and (b)) as a tangible device manufactured and designed specifically for gambling. Wingate compares domain names to “virtual keys” for “virtual casinos” and finds that reading the law literally is not appropriate here and, rather, Kentucky courts have to uphold the intent of the law. And how much virtual intent can we read into Kentucky law? I would further quibble with Wingate’s assertion that these particular domain names have been designed to attract players; most of the successful gambling sites in the list of 141 seem to have more branding value in their domain names rather than cachet due to clever word choice.

    Also, under KY law, games of chance are explicitly illegal while games of skill are not. The Poker Player’s Alliance, a group that represents players of poker and poker enthusiasts, argued in an amicus brief that the poker-related subset of the 141 Domain Names should not be subject to the forfeiture due to their not being illegal under KY law. Wingate seems on more solid ground with the chance element raised by the Poker Player’s Alliance. The part of KY law relevant here (KRS 528.010(3)) in that it defines chance as only one element of what constitutes “gambling” with risking something of value and the opportunity of winning something of value as the other elements.

What’s the upshot of all of this? To me, it’s pretty scary: A state government moved to order seizure of domain names that it found were illegal “devices” and a judge issued an order demanding the transfer of these domain names before any hearing or opportunity to protest. The state has so far successfully argued that domain names are property and devices used for illegal gambling within Kentucky and that the 141 Domain Names defendants must identify themselves to have standing to contest the seizure and forfeiture. The last shoe to drop is that Judge Wingate, as part of his order from yesterday, ordered the state to rescind any forfeiture for gambling sites that block Kentucky gamers using geographical blocking methods (the wording was, essentially: Defendants who install a “software or device […] which has the capability to block and deny access to [the defendant’s] online gambling sites […] from any users or consumers within the […] Commonwealth [of Kentucky] and reasonably establishes to the [state] or this Court that such geographical blocks are operational, shall be relieved from the effects of the Seizure Order and from any further proceedings [in this action.]”).

What is to stop other local governments from mandating blacklisting of geographical user bases (despite the plain futility of this protection measure)? What’s to stop an authoritarian state from seizing the domain name of a dissident group? I don’t see a good solution.

Finally, the only general amicus brief submitted was from the Internet Commerce Association representing domain name registrars. Where is the public interest voices in this? Where are my friends from the Electronic Frontier Foundation?

Report on the Sequioa AVC Advantage

Today I am releasing an in-depth study of the Sequoia AVC Advantage direct-recording electronic (DRE) voting machine, available at citp.princeton.edu/voting/advantage. I led a team of six computer scientists in a monthlong examination of the source code and hardware of these voting computers, which are used in New Jersey, Pennsylvania, and other states.

The Rutgers Law School Constitutional Litigation Clinic filed a lawsuit seeking to decommission of all of New Jersey’s voting computers, and asked me to serve as an expert witness. This year the Court ordered the State of New Jersey and Sequoia Voting Systems to provide voting machines and their source code for me to examine. By Court Order, I can release the report no sooner than October 17th, 2008.

Accompanying the report is a video and a FAQ.

Executive Summary

I. The AVC Advantage 9.00 is easily “hacked” by the installation of fraudulent firmware. This is done by prying just one ROM chip from its socket and pushing a new one in, or by replacement of the Z80 processor chip. We have demonstrated that this “hack” takes just 7 minutes to perform.

The fraudulent firmware can steal votes during an election, just as its criminal designer programs it to do. The fraud cannot practically be detected. There is no paper audit trail on this machine; all electronic records of the votes are under control of the firmware, which can manipulate them all simultaneously.

II. Without even touching a single AVC Advantage, an attacker can install fraudulent firmware into many AVC Advantage machines by viral propagation through audio-ballot cartridges. The virus can steal the votes of blind voters, can cause AVC Advantages in targeted precincts to fail to operate; or can cause WinEDS software to tally votes inaccurately. (WinEDS is the program, sold by Sequoia, that each County’s Board of Elections uses to add up votes from all the different precincts.)

III. Design flaws in the user interface of the AVC Advantage disenfranchise voters, or violate voter privacy, by causing votes not to be counted, and by allowing pollworkers to commit fraud.

IV. AVC Advantage Results Cartridges can be easily manipulated to change votes, after the polls are closed but before results from different precincts are cumulated together.

V. Sequoia’s sloppy software practices can lead to error and insecurity. Wyle’s Independent Testing Authority (ITA) reports are not rigorous, and are inadequate to detect security vulnerabilities. Programming errors that slip through these processes can miscount votes and permit fraud.

VI. Anomalies noticed by County Clerks in the New Jersey 2008 Presidential Primary were caused by two different programming errors on the part of Sequoia, and had the effect of disenfranchising voters.

VII. The AVC Advantage has been produced in many versions. The fact that one version may have been examined for certification does not give grounds for confidence in the security and accuracy of a different version. New Jersey should not use any version of the AVC Advantage that it has not actually examined with the assistance of skilled computer-security experts.

VIII. The AVC Advantage is too insecure to use in New Jersey. New Jersey should immediately implement the 2005 law passed by the Legislature, requiring an individual voter-verified record of each vote cast, by adopting precinct-count optical-scan voting equipment.