In the past several years, liberal democracies have been subjected to a variety of distinct “attack vectors.” They have been used in Germany, France, the U.K. and the U.S. since 2015. Some are linked to Russia. These new vectors include a range of disparate approaches that are sometimes used together, all under the misleading general rubric “election hacking.”
Here’s how they work:
1. Hacking into the servers of political parties, parliaments and political figures
Best known, of course, is the 2015-2016 hack of the U.S. Democratic National Committee by the Russian hacking group APT 28, also known as Fancy Bear. The same group also has hacked into the German Bundestag and German political parties’ think tanks and into the campaign of Emmanuel Macron, then a French presidential candidate. Just this past week, the U.K. Parliament was hacked.
It is tempting to dismiss this as simple espionage that is simply on a higher and more sophisticated level than before. After all, countries have always been interested in what other countries’ politicians think; the tools these days are simply more sophisticated. Today, spy agencies know more about the internal workings of parties in democracies than in decades past. The problem comes when this information is published or when parliaments, think tanks and politicians are unsure of their privacy and restrict their communication. It is hard to work with the nagging doubt that perhaps some foreign intelligence agency is reading all your correspondence, especially when you know they have done so in the past.
2. Publishing hacked emails
Often nowadays, the “doxing” ― publishing hacked information ― is selective, targeted to embarrass only one candidate for another’s benefit. Russian hackers breached both Republican and Democratic servers but only released information on the Democrats. No emails from the Front National, the far-right French party, were doxed. As a new twist, some of the doxed emails from Macron’s servers were clearly fakes, planted there to cause even more damage.
3. Spreading fake news on social media
Social media has become a primary factor in political campaigns. A Pew study from May 2016 found that 62 percent of Americans get their news from social media. Studying the spread of fake or unsubstantiated news, BuzzFeed reported last year that in the three months leading up to the U.S. presidential election, Facebook users shared some 8.7 million “fake” stories. In contrast, users shared 1.3 million fewer true and verifiable stories. This is the human side of enabling the dissemination of false political news and causing electoral disruption. Abetted by non-digital mass media, false stories such as “Pizzagate,” a conspiracy theory about Hillary Clinton, reach even wider audiences. More generally, fake and sensationalist news often goes viral. Real stories often don’t. Fake news is cheap to produce. Genuine journalism is expensive.
Fake and sensationalist news often goes viral. Real stories often don’t.
4. Social media robots or “bots” spreading misinformation
Bots on Twitter repeat false news automatically at a rate no human can possibly hope to achieve, and thus false stories start trending. Trending stories, in turn, are spread further by human users.
5. Algorithms processing big data to target voters with highly individualized political advertisements
Benignly, such practices can be viewed as simply a new marketing tool. However, Facebook’s announcement this week that it will not release data on who paid what for ads contrasts sharply with requirements in the U.S., for example, that mass media make their expenditures public. Even more disturbing is Facebook’s refusal to make public so-called “dark ads,” paid for by political campaigns and viewed only by the targeted user. Just as disturbing: we also remain in the dark about what personal data has been used to target individuals.
6. Hacking voter rolls
The recently arrested U.S. National Security Agency employee Reality Winner allegedly leaked an NSA report that Russia had hacked into voter rolls from 39 U.S. states. The Department of Homeland Security’s acting deputy undersecretary of cyber security, in Congressional testimony, stated later that servers with voter rolls were breached in 21 states. The question is: To what end? To provide more granular data for big data analytics for Facebook ads? To engage in “voter suppression” by eliminating from the rolls voters whose profile indicates they would vote a different way? We simply don’t know.
None of these new “methodologies” or attack vectors were, to our knowledge, used to actually manipulate voting lists. At least not yet. They do, however, represent a dramatic change in the political process from the way elections were run in the past. Clearly, if we want to maintain the integrity of the electoral process, democracies need to enact changes. Some are technological; others are legal and regulatory.
Parties, candidates and legislatures must use far more secure communication technologies. Two-factor authentication is a sine qua non. In the DNC hack, 126 of the 128 people with access to the server used two-factor authentication. Two did not. When hackers have access to powerful computers that use brute force hacking, they can crack almost any password; even one user with insecure access being successfully hacked can result in a major breach.
Parties, candidates and legislatures must use far more secure communication technologies.
The same applies to voter registration rolls. Two-factor authentication is a minimum requirement for access to keep voting roles secure. Moreover, states need to use blockchain technology to ensure that voter registration rolls are not tampered with or changed. For precisely this reason, my own country, Estonia, has put the most important national and personal data — health records and property records — on blockchain.
For doxing, news organizations that want to maintain their reputations as objective reporters of events need to refrain from the voyeuristic propagation of stolen correspondence. The more scurrilous and immoral outlets will use doxed materials, but if news companies wish to maintain the moral high ground, they must not publish people’s private mail, no matter how many clicks they generate.
On the issue of fake news, Twitter bots and big data analytics, news organizations and social media companies will have to police themselves, or they will inevitably be regulated by governments. “Dark ads” have no place in transparent modern democracies; Twitter bots, whatever they spread, do not either. It is in the power of responsible social media companies to prevent such encroachments on the democratic process.
We could legislate social media as monopolies or utilities in need of regulation ― just as we did a century ago with railroads, power companies and water companies.
The impact of fake news on the electoral process will remain the toughest nut to crack. A draconian bill currently under consideration in the German Bundestag would foresee fines of up to 50 million euros (about $57 million) for failure to take down a false news story within 24 hours. Because of Germany’s experience under the Nazis, explosively provocative fake stories worry German lawmakers more than perhaps in other countries.
We could legislate social media as monopolies or utilities in need of regulation ― just as we did a century ago with railroads, power companies and water companies. It is clear, however, that for Facebook or Twitter merely to say “we are just a platform” will not sway governments and parliaments that fear further disruption, either by foreign governments or one’s own homegrown political players.
The digital age, for all its wonders — its empowerment of people and the economy — brings its own challenges, to which we are only now becoming aware. The coming debates on the relationship between two pillars of liberal democracy — free and fair elections and freedom of expression — will keep us occupied for a long time to come.