Category: Computer Security


Blockchain Voting Election 2018: Expert Analysis of West Virginia’s Plan

This November, West Virginians deployed overseas will have the opportunity to vote via smart phone through a Blockchain-based application. Given the existing concerns of election integrity, I couldn’t help but reach out for expert analysis.

Hey, did you know that election integrity is kind of a big deal? Have you been watching any number of news stations in the last few years? Our country has not stopped talking about election meddling, voter fraud, electronic voting, and a wide variety of related topics, for two or more years, give or take.

If you are not aware of these concerns, you must be living under a rock. Please make room under the rock as I’d like to join you. I do my best to ignore the talking heads because I’ve found they add no value to my life (anyone else feel that way about the twenty-four hour television news cycle?).

Before I digress entirely, my point is election integrity and vote verification are legitimate concerns and imperative for the success of our democracy. As such, broadcast news covers the subject extensively.

Rarely, however, do these broadcasters address the micro-issues. This is why I choose to get my news from a variety of different publications, most of which I read online. That’s how I found this article: Experts Criticize West Virginia’s Plan for Smartphone Voting, from Ars Technica. Many of my regular readers know I appreciate the legal and policy analysis from Ars Technica. Routinely, I use it as a jumping off point for further research. The publication often acts as a catalyst for blog posts. In this case, I’d been waiting for the opportunity to discuss the Blockchain topic and get insights from expert witnesses on the subject.

The issue of a Blockchain-based application being used to allow soldiers stationed abroad the opportunity to vote through their smart phone was the perfect topic. Bitcoin (a Blockchain-based cryptocurrency) is already being written about and discussed extensively. Voting through a Blockchain application is getting less coverage and is therefore more interesting to me.

Much of what I’ve read about the Blockchain is hyperbolic. I’ve read on more than one occasion that “the Blockchain cannot be hacked.” On its face, that statement appears illegitimate. There is no such thing as 100% secure. So, how do we plan on safely using a smart phone app to conduct one of our country’s most sensitive civic processes?

According to the Ars Technica article, West Virginia did a limited run of the system (Voatz is the name of the app) for the primary election in May. The article further provided, “West Virginia’s secretary of state told CNN that the pilot worked well and that the system passed four audits of various parts of the system. So this November, the state is planning to offer the system more broadly to West Virginians deployed overseas.”

Naturally, I have a lot of questions about the security and reliability of the voting application offered by Voatz. So I reached out to one of our computer science experts who has studied the Blockchain and recently published articles on the topic.

Computer Science and Systems Expert Witness – Dr. Stephen Castell

Dr. Stephen Castell is a computer science and systems expert witness with over 30 years of experience. As an expert witness, Dr. Castell has acted in over 100 major cases including the largest and longest computer software actions to have come to trial in the English High Court. Most recently, Dr. Castell contributed to the 200th issue of Computer Law and Security Review (CLSR), with his paper titled, “The Future Decisions of RoboJudge HHJ Arthur Ian Blockchain: Dread, Delight or Derision?” Find out more about Dr. Castell by visiting his website: www.castellconsulting.com.

I’ve been working with Dr. Castell for more than eight years. We always have delightful conversations and “geek out” together over emerging technologies. Our recent conversations have, of course, covered the rapidly changing legal technology space.

Here are the questions I posed and the answers provided by Dr. Castell:

Nick: Can you describe Blockchain technology for the lay reader?

Dr. Castell: In its elemental form, a Blockchain is simply a decentralized database system – digital ledgers that store transaction data, distributed across many nodes.  It has a linked list data structure, with each block (an aggregated set of data) containing a ‘hash’ of the previous block.  Each block is formed by a ‘proof-of-work algorithm’, through which consensus of this distributed system is obtained via the longest possible chain.  A ‘traded’ cryptocurrency Blockchain (e.g. Bitcoin) is a shared public chain: in principle everyone has access to the chain, not only to read the information on the chain, but also to append new blocks on the chain.  This is known as an unpermissioned chain.  The West Virginia voting application is likely to be a permissioned chain, where, through public key cryptography, access control can be implemented during setting up of the chain so that differentiated access can apply – both voters and those managing and controlling the voting process can differentially record, and/or interrogate, votes and voting data added to its Blockchain.

Nick: Is a Blockchain-based voting system secure?

Dr. Castell: The Blockchain in and of itself provides strong cryptographic security.  However, ICT expert professionals bear in mind that not only are there no finalised international standards for Blockchain (eight standards are in development under ISO/TC 307), but also there is far more to specifying, designing, developing, testing, deploying and maintaining an appropriate complete QA’d application than just the Blockchain element.  The security of the complete system needs to be addressed and designed-in from the start, irrespective of the use case for the Blockchain.  And whether to use a Blockchain as a component at all for a given business requirement such as public elections is a critical initial feasibility exercise that the expert knows is essential, as much from a security perspective as any other.

Nick: We know that electronic voting systems are vulnerable to hacking. Can Blockchain-based voting systems also be hacked?

Dr. Castell: Anything can be hacked, and electronic voting systems are no different.  Back in the late 1980s, I carried out a major definitive study, commissioned by the British H M Treasury, on the admissibility of computer evidence in court and the legal reliability/security of IT systems (The APPEAL Report, 1990, May, Eclipse Publications, ISBN 1-870771-03-6).  This concluded with what became known as my ‘First Dictum’:  “You cannot secure an ontologically unreliable technology by use of an ontologically unreliable technology”.  Nothing has changed.  Commercial computer hardware and operating systems, including smartphones, remain essentially ‘open’, and ontologically unreliable.

Nick: Is it the Blockchain that could be compromised or is it more likely a voter’s smartphone would be compromised by a hacker?

Dr. Castell: A well-engineered and implemented Blockchain distributed voting ledger should itself be as immune to compromise as its cryptography can provide.  But the voter’s smart phone security, and the overall voting application, are only as sound as whatever has been designed-in to the whole system – and we know that smartphones have for sure in the past been hacked.  It is not clear that the proposed West Virginia smartphone application would be any more (or less) hackable than anything else hitherto.

Nick: What sort of checks and balances would you expect for a Blockchain-based voting system before implementation?

Dr. Castell: It would seem an obvious (constitutional?) requirement that votes must always be manually-countable in any US election, in the event of suspected error or lack of trust in the reported result, whether through suspected deliberate tampering or compromise, accident or incident, random system malfunction, or whatever else, and particularly if the result is legally challenged in court.  Any smart phone app voting system must therefore always be designed so that its operation, and the voting data recorded, are auditable for integrity, accuracy and reliability ‘by hand’ – that is surely the most basic check and balance.

Lawyer Jonathan Bolls is a Magistrate, and Chief Election Officer, in Fairfax County, Virginia, who had personal experience of the consequences of unreliable computer systems, as a past victim of technical problems saving Bar Exam essays using suspect software provided by the Virginia Board of Bar Examiners (I provided expert opinion on his behalf – see http://jonathanbolls.blogspot.com/).  He notes that US citizens are passionate about the integrity of elections:  “For Blockchain technology, where someone is voting on their phone from overseas, they would want to consider that in doing so they potentially waive their rights to have their vote counted should a re-count be necessary.  We have actually gone the other way: removed our high-tech touchscreen voting systems and returned to the paper ballot.  If ever we need to check voting numbers we hand count”.

Aside from manual auditability, before implementation it is vital that ‘Proof of Concept’ projects be thoroughly executed, carefully trialing any proposed smartphone public voting system, prior to actual ‘go live’ for real.  Such Pilot Trials or Proving Systems are essential, with their scale, planning, operation, data and results, and assessment thereof, monitored and carried out by independent experts.

Nick: In your expert opinion, would you trust a Blockchain-based voting system to accurately register votes?

Dr. Castell: Deliberate hacking or compromise apart, there is no reason why a well-engineered and implemented Blockchain-based voting system, with careful professional expert involvement in its design and trialing before go-live, should not accurately register votes.  However, I do not consider that a so-called ‘trustless’ Blockchain-based voting system removes the need for a Trusted Third Party legally responsible for its operation and security.  ‘Who you gonna sue when it goes wrong?’ is still an essential consideration, and the Blockchain itself, nothing magical, ‘just another computer system’, cannot be sued.

See:

  • https://authors.elsevier.com/a/1XSpq_654J6Hkp  ‘The future decisions of RoboJudge HHJ Arthur Ian Blockchain: Dread, delight or derision?’, Stephen Castell, Computer Law & Security Review, Volume 34, Issue 4, August 2018, Pages 739-753.
  • Commission of the European Community. Green paper on the security of information systems, ver. 4.2.1, 1994.
  • S. Castell, Code of practice and management guidelines for trusted third party services, INFOSEC Project Report S2101/02, 1993.
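
Dr. Castell's description of a Blockchain as blocks that each contain a hash of the previous block, and his point that the ledger can be sound while the smartphone is not, can be shown in a short Python sketch. This is an added example, not code from Voatz or from Dr. Castell; the ledger layout, the function names and the HMAC key standing in for a permissioned writer's public-key credential are assumptions, and proof-of-work is left out.

```python
import hashlib
import hmac
import json

GENESIS_HASH = "0" * 64
# Constructed key standing in for a permissioned writer's credential (assumption).
WRITER_KEY = b"constructed-demo-key"
# Constructed sample ballots: (ballot id, choice).
SAMPLE = [("b1", "A"), ("b2", "B"), ("b3", "A")]


def _canon(obj):
    """Canonical byte encoding so the same data always hashes the same way."""
    return json.dumps(obj, sort_keys=True).encode()


def block_hash(block):
    """SHA-256 over the block's contents, excluding its own hash field."""
    body = {k: block[k] for k in ("index", "prev_hash", "ballot", "tag")}
    return hashlib.sha256(_canon(body)).hexdigest()


def ballot_tag(ballot, key=WRITER_KEY):
    """Tag showing the ballot was written by a holder of the writer key."""
    return hmac.new(key, _canon(ballot), hashlib.sha256).hexdigest()


def append_ballot(chain, ballot, key=WRITER_KEY):
    """Append a block that carries the hash of the block before it."""
    prev = chain[-1]["hash"] if chain else GENESIS_HASH
    block = {"index": len(chain), "prev_hash": prev,
             "ballot": dict(ballot), "tag": ballot_tag(ballot, key)}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def audit_chain(chain, key=WRITER_KEY):
    """Return the index of the first block that fails, or None if all verify."""
    prev = GENESIS_HASH
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev_hash"] != prev:
            return i
        if block["hash"] != block_hash(block):
            return i
        if not hmac.compare_digest(block["tag"], ballot_tag(block["ballot"], key)):
            return i
        prev = block["hash"]
    return None


def tally(chain):
    """Count choices exactly as they are recorded on the ledger."""
    counts = {}
    for block in chain:
        choice = block["ballot"]["choice"]
        counts[choice] = counts.get(choice, 0) + 1
    return counts


def record(ballots):
    """Build a ledger from (ballot id, choice) pairs."""
    chain = []
    for bid, choice in ballots:
        append_ballot(chain, {"ballot_id": bid, "choice": choice})
    return chain


def tamper_in_ledger(rehash=False):
    """A stored ballot is edited after the fact; the audit flags that block,
    even if the editor recomputes the block hash (the tag no longer matches)."""
    chain = record(SAMPLE)
    chain[1]["ballot"]["choice"] = "A"
    if rehash:
        chain[1]["hash"] = block_hash(chain[1])
    return audit_chain(chain)


def tamper_on_device():
    """The device records a choice other than the voter's before the ballot is
    tagged and appended; the ledger verifies and the tally is still wrong."""
    recorded = [(bid, "A" if bid == "b2" else choice) for bid, choice in SAMPLE]
    chain = record(recorded)
    return audit_chain(chain), tally(chain)
```

The ledger audit catches the edit made to a stored block but reports a clean chain when the choice was changed before it reached the ledger, which is why the interview stresses whole-system design and a count that can be checked independently of the device.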

Conclusion:

What are your thoughts? Would you trust a smart phone, Blockchain-based voting application? Please share your comments below!

UPDATE (08/16/2018):

Our friends over at the Robinette Legal Group, located in Morgantown, West Virginia, wrote a complementary piece to this blog. The author of the piece, Terri Robinette, did an exceptional job elaborating on prior “uses” of Blockchain in Sierra Leone and describing how West Virginia is legitimately the first to truly test this technology. She further described election security and fraud in West Virginia. Take a look at her article below:

Smartphone Voting App for Deployed West Virginia Military


Tesla Trade Secrets Lawsuit: Investigators & Expert Witnesses

Did you hear about Tesla suing a former employee for stealing trade secrets?

Early last week, Tesla CEO Elon Musk emailed Tesla employees reporting another employee had done some pretty significant sabotage to the company’s manufacturing operations. According to one Ars Technica article, “In the all-hands email to Tesla staff, Musk wrote that the employee had made ‘direct code changes’ to the company’s production systems, as well as exporting ‘large amounts’ of Tesla’s data to unknown third parties.”

In the same article, Ars Technica quotes Musk’s email further, “the alleged saboteur could have been working with short sellers, oil and gas companies—whom he described as ‘sometimes not super nice’—or ‘the multitude of big gas/diesel car company competitors.’ Of this last group, Musk reminded his employees that, since the traditional OEMs have been known to cheat emissions tests, ‘maybe they’re willing to cheat in other ways.'”

Mr. Musk is not subtle in his indication that he believes the saboteur may have been working with others in a coordinated effort of corporate espionage and theft of trade secrets.

Later in the week, Tesla filed suit against a now-former-employee, Martin Tripp. We can only assume this is the employee to whom Mr. Musk referred in the earlier email, given the civil complaint allegations against Mr. Tripp. The civil complaint link is courtesy of Cyrus Farivar of Ars Technica.

The civil complaint alleges Mr. Tripp violated the Defend Trade Secrets Act and the Nevada Uniform Trade Secrets Act. Further, Tesla alleges breach of contract, breach of fiduciary duty of loyalty, and violation of the Nevada Computer Crimes Law.

To me, the interesting part was the “prayer for relief” (an absurdly arcane way of saying “this is what we want!”).  Here’s the summary. Take note of the first item:

[Image: Tesla’s prayer for relief]

Section A goes hand in hand with Elon Musk’s comments indicating the saboteur may have been acting with unknown third parties. The legal action seems intended to prohibit the use of any stolen trade secrets and prevent any potential financial or competitive damage resulting from corporate espionage.

What experts played a role or may play a role?

The case being brand new (complaint filed last week), I don’t expect we’ll hear about expert witness involvement for some time. However, I do imagine some experts (working for Tesla) were involved in uncovering the alleged sabotage.

Digital Forensics, Computer Security, Corporate Security, Software, Human Resources…

We know from the complaint there are allegations that Mr. Tripp stole trade secrets from Tesla. According to the complaint, Mr. Tripp “has thus far admitted to writing software that hacked Tesla’s manufacturing operating system (MOS) and to transferring several gigabytes of Tesla data to outside entities.” To someone like me, with fairly basic coding experience, it appears Mr. Tripp was quite advanced. He was able to bypass Tesla’s internal security to install hacking software.

Mr. Tripp has not admitted, but Tesla further alleges, “he also wrote computer code to periodically export Tesla’s data off it’s network and into the hands of third parties.” This sentence alone makes me wonder why Tesla did not add potential JOHN DOES to the complaint. Nevertheless, the complaint continues, “his hacking software was operating on three separate computer systems of other individuals at Tesla so that the data would be exported even after he left the company and so that those individuals would be falsely implicated as guilty parties.” Again, I mention this is a pretty advanced thought process because Mr. Tripp had plans to cover his tracks.

Given this information, I presume Tesla’s corporate security in conjunction with their legal department had to investigate Mr. Tripp’s actions for some time before terminating his employment and filing suit.

This investigation was likely to include those with knowledge and experience in digital forensics, computer security, and hacking software. Since the investigation involved an employee, I suppose there’s a chance human resources was included in the investigation as well.

Why was the investigation likely to include this variety of individuals? Tesla had to identify the breach using digital forensics and computer security experts. After recognizing the hacking software in their system, it’s possible they would have reviewed the code to see how it breached their computer security and I assume they would be able to identify the terminals on which the code resided. Since Mr. Tripp had taken precautions to misdirect Tesla, they may have identified the three other employees as responsible parties early in the investigation, causing them to monitor those employees.

Having watched enough spy movies to pretend I know what I’m talking about, I have to imagine Tesla would want to identify the third party entities mentioned in the complaint. So, they probably allowed some data to be exported while they were monitoring the situation in an effort to identify those who may have conspired with Mr. Tripp. With my spy movie knowledge, prognostications, and five bucks, you can get a cup of coffee.

Of this, I am certain. Tesla had to use investigators familiar with protection of intellectual property and digital evidence collection. Experts listed above would have the appropriate specialization to conduct this investigation in preparation for the recent litigation.

So as the litigation develops and if it goes to trial, I will expect to see software, digital forensics, computer security, corporate security, and human resources experts and consultants assisting in discovery and preparing for trial.



Google Antitrust Investigations: FTC, EU, state attorneys general… More to come?

The ABA Journal reported this week that Google was subpoenaed by the Missouri attorney general (Josh Hawley) for antitrust and consumer protection violations. Google has been placed on notice and the investigation is ongoing. Earlier this year, the Mississippi attorney general sued Google for similar violations and the European Union fined the company $2.7 billion for consumer protection violations. Are you seeing a pattern? Antitrust litigation against Google seems to be full speed ahead.

According to the article, the Federal Trade Commission (FTC) completed an investigation against Google in 2013. The FTC concluded, “We have not found sufficient evidence that Google manipulates its search algorithms to unfairly disadvantage vertical websites that compete with Google-owned vertical properties.” Evidently, Mr. Hawley does not agree with the FTC finding so he decided to investigate on his own.

When investigating and prosecuting cases involving sophisticated technology and antitrust issues, attorneys depend on experts to perform complex investigations and unravel complex issues. Who will the attorneys general and defense counsel turn to in support of these involved matters? Let’s take a look at the issues:

Antitrust / Consumer Protection:

To understand more about the laws governing antitrust issues in the US please visit the FTC for a brief summary.

Essentially, United States antitrust law is a collection of federal and state laws regulating the conduct and organization of businesses, generally to promote fair competition for the benefit of consumers.  As the FTC page indicates, there are three main laws covering antitrust behavior: the Sherman Act 1890, the Clayton Act 1914 and the Federal Trade Commission Act 1914. For more than 100 years, “The antitrust laws have had the same basic objective: to protect the process of competition for the benefit of consumers, making sure there are strong incentives for businesses to operate efficiently, keep prices down, and keep quality up.” The laws also basically prevent collusion or cartel-like practices and monopolies.

The Missouri attorney general has said, “There is strong reason to believe that Google has not been acting with the best interest of Missourians in mind.” It appears Mr. Hawley believes Google is doing things which are not promoting, and possibly impeding, fair competition. Further, their algorithms may be directing users to Google-owned properties rather than websites offering services which compete with those Google-owned properties. As Google is the 800 pound gorilla when it comes to Internet searching, any tactics directing users to their own goods or services could be considered a restraint of trade.

In order to prove Google manipulates algorithms for their own benefit, the Missouri attorney general is probably going to have to employ some expert consultants who may later testify as expert witnesses. Google’s defense counsel will probably have to do the same. I assume Google will have many of the pre-litigation consultants in-house.

During the investigation, Mr. Hawley will likely need to consult with antitrust and antitrust economics experts to determine if actions by Google are negatively impacting consumers or restraining trade. Furthermore, he may need to employ consultants to conduct market research to have statistical evidence of the impact on consumers.

Algorithms:

Most of us (is this too presumptive?) have some sort of rough idea about search algorithms and what they accomplish. We understand it to be a mathematical equation used to search data and deliver a result based on the search terms we utilized.

After reading my last paragraph, I have to say there are probably far more accurate and simplistic descriptions of an algorithm. I may not have properly described how they work. That’s because I’m not a computer scientist. Luckily, neither the prosecution nor defense will be calling Nick Rishwain as an expert witness in Missouri v. Google.

The legal representatives from both sides are going to need assistance in understanding search algorithms and how algorithms might be manipulated by Google. They are going to need to know this quite early in the case in order to request and deliver the proper documentation during the investigation and discovery stages should Missouri file a lawsuit.

Both sides will likely need the assistance of information and Internet technology consultants. More specifically, I can see the need for information science & architecture experts as well as search engine optimization experts.

As the ABA Journal article made abundantly clear: Google has faced many legal actions related to antitrust and it appears even more legal actions lie ahead. It should be noted that Google is not alone in this area. There appears to be increased chatter about antitrust actions against Amazon as well. If the US Department of Justice and the Federal Trade Commission avoid taking action, we may see more attorneys general choosing to investigate and possibly prosecute the corporate giants for dominating the market.

For more information, check out the Experts.com Antitrust Articles section.


Computer Safety and Security Articles

CYBER ABUSE, CYBER CRIME

By: Richard Albee
DataChasers, Inc.

Tel: 877-DataExam (877-328-2392)
Website: www.DATACHASERS.COM

The Internet is a vast universe of discovery, with items of interest for everyone–regardless of your particular curiosity. Unfortunately, this availability often leads to abuse, and sometimes to crime. But, not unlike adolescent discovery, the steps to cybercrime are achieved in stages.

The first stage is availability

Without access to the Internet the potential for abuse becomes a moot point. It was common, several years ago, to simply advise employers against allowing employees access to the Internet; this is no longer practical. Internet access is an integral part of many businesses, and certainly a part of everyday life…

DataChasers, Inc., is a select, exclusive computer forensics and e-discovery company. Our examiners find the evidence, interpret it, evaluate its importance, and articulate those facts to a jury. Computer forensics and e-discovery is our only business, and we welcome your inquiries about the process, or our procedures.

____________________________________________________________________________________________

CSI COMPUTER FORENSICS – Real Cases From Burgess Forensics #9 – The Case of the Teacher and the Trickster

By: Steven G. Burgess
Tel: (866) 345-3345

Website: www.BurgessForensics.com

The stories are true; the names and places have been changed to protect the potentially guilty.

It was a grey October day, the kind of day when a guy likes to cozy up next to a bank of servers to keep warm, when the Teacher first called me. “They think I’m nuts” were the words emanating from the phone. Well, just because you’re paranoid doesn’t mean they’re not out to get you. I sat up and went to my desk, away from the noisy fans cooling off all those Gigahertzes. “What’s the problem, Miss?”

The young woman explained that she was a not-yet-tenured teacher in a New England (greyer there than here) high school with a problem. Seems that a student in one of her classes was repeating things in the classroom that she had uttered only the night before in the apparently illusory privacy of her own living room…

Steve Burgess is a freelance technology writer, a practicing computer forensics specialist as the principal of Burgess Forensics, and a contributor to the just released Scientific Evidence in Civil and Criminal Cases, 5th Edition by Moenssens, et al.
