At a glance.
- NetWalker adds Columbia College Chicago to its list of victims.
- University of Utah Health discloses patient data breach.
- Privacy issues surrounding online voting.
NetWalker adds Columbia College Chicago to its list of victims.
A NetWalker infestation has been reported at Columbia College Chicago, which now joins the University of California San Francisco and Michigan State University among the victims of this particular strain of ransomware, the Columbia Chronicle reports. As is now customary, the ransomware operators have not only encrypted college files, but have also threatened to release student and faculty data.
University of Utah Health discloses patient data breach.
On Friday the University of Utah Health announced that it has determined the cause of the unauthorized access to patient data that third parties obtained between April 6th and May 22nd. The data breach, the Deseret News reports, was accomplished by phishing university employees. So far the organization says it's seen no signs of the exposed data having been misused, but it's continuing to notify affected patients.
Privacy issues surrounding online voting.
Remote voting online has been used in some US states’ primaries, and may see some limited use in November’s general elections. Delaware, West Virginia, and New Jersey plan to use Democracy Live’s OmniBallot platform, but researchers at MIT and the University of Michigan report that OmniBallot “represents a severe risk to election security and could allow attackers to alter election results without detection.”
OmniBallot isn’t new, researchers Michael A. Specter and J. Alex Halderman write. It’s “long been used to let voters print ballots that will be returned through the mail.” What’s new this year, they say, is its use for filing ballots online. The three states are using it differently. New Jersey has decided to make online voting available to voters with certain disabilities, and it’s treating that limited availability as a pilot that could be expanded if the need arose. West Virginia lets the disabled, military voters, and West Virginia citizens overseas vote online with OmniBallot. Delaware is making the most expansive use of the system. As Specter and Halderman write, online voting will be an option for anyone who’s sick, self-quarantining, or engaging in social distancing, which as a practical matter includes close to everyone in the state.
The researchers see four problems with the system.
- First, they conclude that OmniBallot’s ballot return function cannot achieve either software independence or end-to-end verifiability. The system used “third-party services and infrastructure,” including Amazon’s cloud, with JavaScript executed from Google and Cloudflare. Either unauthorized third parties or Democracy Live itself could alter votes without being detected. The threat could come from either malicious insiders or external attackers who’ve gained access.
- Second, the version of the ballot marking mechanism that’s being used in Delaware in particular sends the voter’s identity and ballot selections to Democracy Live, even if the voter opts to print the ballot and mail it in. This, the researchers say, needlessly places ballot secrecy at risk.
- Third, even where OmniBallot is used only to deliver blank ballots, the researchers find that the ballots could be misdirected or altered in ways that would cause them to be counted incorrectly. Election officials could mitigate these risks, but only with the expenditure of considerable effort, and by conducting “rigorous post-election audits.”
- And, finally, in all cases Democracy Live, the platform’s corporate parent, collects a great deal of sensitive personally identifiable information. That information includes voters’ names, addresses, dates of birth, physical locations, party affiliations, and partial social security numbers. And when the system is used to submit ballots online, more comes in, including ballot selections and a browser fingerprint. The possibilities for misuse of this information are extensive and obvious. It could be used, for example, for targeted political advertising, for hitting disinformation targets with equally rifle-shot accuracy, and so on. And the researchers point out that OmniBallot seems to have no privacy policy posted, leaving it unclear what, if any, safeguards may be in place.
Securing online voting is a difficult problem, and it would be difficult to object to the goals with which states are planning to use OmniBallot. Enabling disabled citizens to vote, for example, is one, and even mail-in absentee ballots can present their frustrations. The researchers suggest some steps, including a thorough external audit and a well-crafted, enforceable privacy policy, that might improve OmniBallot, but, again, online voting remains inherently challenging.