Don’t Prosecute the Canary: The Case of Reality Winner
We Should Be Addressing Election Security Problems, Not Prosecuting Whistleblowers Who Shed Light On Them
By Rainey Reitman, Internet Privacy Advocate
With another election looming, the U.S. should be working now to secure our election infrastructure, including replacing obsolete voting machines, instituting regular audits, and following commonsense cybersecurity best practices. Instead, our government is prosecuting a public-interest whistleblower who helped us understand the security problems we’re facing.
On June 3, 2017, Reality Leigh Winner was arrested and charged with leaking a document to the Intercept. The leaked document showed that malicious hackers allegedly working for the Russian military engaged in a spearphishing campaign compromising an election services vendor to target over 100 election officials in the United States in the lead up to last year’s presidential election. The document revealed that at least two U.S. election service and voting system manufacturers were the target of similar hacking attempts.
The vendors were not directly named, but the leaked document referenced a product made by VR Systems, a vendor of electronic voting services and equipment serving eight states.
One of those states is North Carolina. That state suffered massive disruptions in voting registration software on Election Day. Poll workers in an entire county were forced to switch to paper systems, which resulted in significant delays for voters—up to 90 minutes in some cases—and an ongoing investigation.
According to NPR, before reading the Winner leak, North Carolina officials weren’t aware of the hacking attempt. The leaked document helped raise the alarm among election officials, who subsequently opened an investigation.
“While there was evidence in the public domain suggesting VR Systems was the target of Russian attacks, publication of the NSA document brought the attack to the attention of the public and election officials. In some cases, like North Carolina, election officials that used VR systems software and equipment, were unaware of the attacks until they were reported in the press,” said Susan Greenhalgh of Verified Voting, a nonpartisan nonprofit promoting accuracy and verifiability in elections.
As Marcy Wheeler of EmptyWheel wrote, “So this may be the first concrete proof that Russian hackers affected the election. But we’ll only find out of [sic] that’s true thanks to Winner’s leak.”
When it comes to fair elections, our country is facing many obstacles, including disenfranchisement of large swaths of the population. But with the move to electronic voting infrastructure, we’re facing a new set of challenges—and many of those come down to digital security. Verified Voting has outlined a number of these issues:
Far too many states use unreliable and insecure electronic voting machines, and many states have made their situation worse by adding some forms of Internet voting for some voters, which cannot be checked for accuracy at all. Even in states where verifiable systems are used, too often the check on the voting system’s function and accuracy is not done. The voting equipment now in use are aging; resources are severely impacted by the state of the economy over the past several years; shortages of both equipment and human resources are likely… Taken together, these problems threaten to silently disenfranchise voters, potentially in sufficient numbers to alter outcomes.
Three weeks after Winner’s arrest, Dr. Alex Halderman, professor of computer science at the University of Michigan, testified before Congress. He cited the Winner leak as evidence that we now know about Russian government efforts “to develop a capability to spread an attack from an election technology vendor to local election offices.” Halderman also noted that, “As far as the public knows, no voting equipment has been forensically examined to check whether it was successfully attacked.”
A month later, dozens of voting machines were taken to the annual hacker conference DefCon. Hackers made short work of the machines, demonstrating that the infrastructure underlying our democracy isn’t secure when faced with competent adversaries. General Douglas Lute, former U.S. Ambassador to NATO, offered these comments to the room via Skype:
Last year’s attacks on the voting process is as serious a threat to our democracy as any I have seen in 40 years…[I]f we lose confidence in the voting process, which is the most fundamental link between the American citizen and his or her government, that is damaging and severe. This is a serious national security issue.
John Sullivan, executive director of the Free Software Foundation, offered over email that there “Are many complex issues to be addressed before we should be confident using electronic voting at all.” He said trusting our security to closed and unauditable systems is a mistake, stating, “All software should be free ‘as in freedom’ so that all users have the rights to audit and modify it, or choose which experts to trust to do so on their behalf. While any software used for voting can have security issues, starting from a proprietary ‘black box’ system under the control of a single company makes bugs harder to find and literally puts our democracy under their control as well.”
The leaks attributed to Reality Winner helped inform the American public about the severe cybersecurity threats our election system is facing. These conversations have helped spur Congressional inquiry, which could, with enough sustained public engagement, lead to new laws and policies ensuring verifiable, secure voting systems.
With another election on the horizon, Congress should move swiftly to enact commonsense safeguards. We should be replacing obsolete and vulnerable voting machines, instituting routine audits, and applying cybersecurity best practices to our electoral systems. We should also be moving our voting systems to free, open, and/or disclosed source software so that security researchers outside of government officials and a small number of vendors can search out vulnerabilities.
But instead of shoring up a fragile election system, the U.S. government is prosecuting those seeking to raise awareness about the digital security threats we are facing. Reality Winner is charged under the Espionage Act, a law designed for spies that the ACLU deems unconstitutional when applied to whistleblowers. Under this law, Winner will likely be prohibited from discussing the public interest value of her alleged leaks during the trial. Which means she will be banned from explaining to the court how the leaks contributed to North Carolina’s investigation into election disruptions, Congressional testimony about improving our election security, and a renewed call for verifiable, auditable, secure voting machines.
The security of our election systems transcends the question of whether or not Russian government hacking influenced the results of the 2016 presidential election. Because whether or not Russia’s hacking attempts affected the outcome of the 2016 election, a whole host of malicious actors could attempt to do so in future elections.
Our democracy is stronger when our electoral system is secure, auditable, and trustworthy. Prosecuting a whistleblower who helped us understand the fragility of our election systems is ethically reprehensible and it could chill future whistleblowers from speaking out on security issues.
And that makes us all less secure.