Facebook and Microsoft briefed state officials on election security efforts today

So much for summer Fridays. Yesterday, BuzzFeed reported that a dozen tech companies, including Facebook, Google, Microsoft and Snapchat, would meet at Twitter headquarters on Friday to discuss election security. For two of them, that wasn’t the only meeting in the books.

In what appears to be a separate event on Friday, Facebook and Microsoft also met with the Department of Homeland Security, the FBI and two bodies of state election officials, the National Association of State Election Directors (NASED) and the National Association of Secretaries of State (NASS), about their election security efforts.

The discussion was the second of its kind connecting DHS, Facebook and state election officials on “actions being taken to combat malicious interference operations.” The meetings offer two very different perspectives on threats to election security. States are largely concerned with securing voter databases and election systems, while private tech companies are waging a very public war against coordinated disinformation campaigns by U.S. foreign adversaries on their platforms. Social media platforms and election systems themselves are two important yet usually disconnected fronts in the ongoing war against Russian election interference.


“Effectively combatting coordinated information operations requires many parts of society working together, which is why Facebook believes so strongly in the need for collaboration between law enforcement, government agencies, security experts and other companies to confront these growing threats,” Facebook VP of Public Policy Kevin Martin said of the meeting.

“We are grateful for the opportunity to brief state election officials on a recent call convened by DHS and again today as part of our continued effort to develop collaborative relationships between government and private industry.”

Curiously, while Microsoft and Facebook attended the DHS-hosted meeting, it doesn’t look like Twitter did. To date, Twitter and Facebook have faced the most fallout for foreign interference on their platforms meant to influence American politics, though Google was also called to Congress to testify on the issue last fall. When reached, Twitter declined to comment on its absence, though the company was reportedly playing host to the other major tech election security meeting today.

The meeting with state officials sounds like it was largely informative in nature, with Facebook and Microsoft providing insight on their respective efforts to contain foreign threats to election integrity. On Tuesday, Microsoft revealed that its Digital Crimes Unit secured a court order to take down six domains created by Russia’s GRU designed to phish user credentials. Half of the phishing domains were fake versions of U.S. Senate websites.

“No one organization, department or individual can solve this issue alone, that’s why information sharing is so important,” said Microsoft VP of Customer Security and Trust Tom Burt. “To really be successful in defending democracy, technology companies, government, civil society, the academic community and researchers need to come together and partner in new and meaningful ways.”

Google releases a searchable database of US political ads

In an effort to provide more transparency and deliver on a promise to Congress, Google just published an archive of political ads that have run on its platform.

Google’s new database, which it calls the Ad Library, is searchable through a dedicated launch page. Anyone can search for and filter ads, viewing them by candidate name or advertiser, spend, the dates the ads were live, impressions and type. For anyone looking for the biggest ad budget or the farthest reaching political ad, the ads can be sorted by spend, impressions and recency, as well. Google also provided a report on the data, showing ad spend by U.S. state, by advertiser and by top keywords.


The company added a bit of context around its other recent ad transparency efforts:

Earlier this year, we took important steps to increase transparency in political advertising. We implemented new requirements for any advertiser purchasing election ads on Google in the U.S.—these advertisers now have to provide a government-issued ID and other key information that confirms they are a U.S. citizen or lawful permanent resident, as required by law. We also required that election ads incorporate a clear “paid for by” disclosure.

The search features are pretty handy, but a few things are missing. While Google’s database does collect candidate ads in the U.S., it does not include issue ads — broader campaigns meant to influence public thought around a specific political topic — nor does it collect state or local ads. The ads are all U.S.-only, so elections elsewhere won’t show up in here either. Google says that it is collaborating with experts on potential tools that “capture a wider range of political ads,” but it gave no timeline for that work. For now, ads that the tool does capture will be added into the library on a weekly basis.

Synack is the latest cybersecurity company to offer state elections its services for free

The cybersecurity firm Synack will offer its penetration testing services to states for free in an effort to secure election systems for the 2018 midterms.

Synack, founded by two former NSA analysts, is best known for its bug bounty program that allows its carefully curated stable of researchers to probe a client’s systems for vulnerabilities. The researchers then disclose those soft spots through Synack’s platform.

The company’s offerings are already tuned to the needs of sensitive government clients, and Synack has worked with the IRS and the Department of Defense through its “Hack the Pentagon” bug bounty program. States wary of bug bounties should have some peace of mind knowing that Synack emphasizes the intense vetting and low acceptance rate of its research team.

From now until November 6, Synack will offer free penetration testing for voter registration sites and voter databases through its “Secure the Election” initiative.

The offer’s fine print:

Each eligible recipient will be limited to one (1) free 14-day Synack Crowdsourced Vulnerability Discovery Test of an online voter registration website or remotely-accessible database that is expected to be used in the November 2018 mid-term election.

It’s possible that states wary of the federal government’s involvement in state and local elections will be less skittish of help coming from the private sector. The Department of Homeland Security has stepped up its role in securing elections, but federal resources, including cybersecurity audits, remain opt-in.

Synack isn’t the only security company talking to states about securing elections. In late 2017, Cloudflare announced that it would extend its DDoS protection for free to states for their voter databases, voter registration sites and election result sites through what it calls “the Athenian Project.” In April, enterprise security firm Centrify offered states its services at a discount in a similar “Secure the Vote” program.

“Synack’s pro bono service looks for vulnerabilities in remotely-accessible voter registration databases and online voter registration websites from a hacker’s perspective,” the company said in a press release.

“Synack’s crowd of researchers discovers vulnerabilities left undetected by other solutions and then helps to remediate them before an adversary can exploit them on election day.”

What we can learn from the 3,500 Russian Facebook ads meant to stir up U.S. politics

On Thursday, Democrats on the House Intelligence Committee released a massive new trove of Russian government-funded Facebook political ads targeted at American voters. While we’d seen a cross section of the ads before through prior releases from the committee, the breadth of ideological manipulation is on full display across the more than 3,500 newly released ads — and that doesn’t even count still unreleased unpaid content that shared the same divisive aims.

After viewing the ads, which stretch from 2015 to late 2017, some clear trends emerged.

Russia focused on black Americans

Many, many of these ads targeted black Americans. From the fairly large sample of ads that we reviewed, black Americans were clearly of particular interest, likely in an effort to escalate latent racial tensions.

Many of these ads appeared as memorials for black Americans killed by police officers. Others simply intended to stir up black pride, like one featuring an Angela Davis quote. One ad posted by “Black Matters” was targeted at Ferguson, Missouri residents in June 2015 and only featured the lyrics to Tupac’s “California Love.” Around this time, many ads targeted black Facebook users in Baltimore and the St. Louis area.

Some Instagram ads targeted black voters interested in black power, Malcolm X, and the new Black Panther party using Facebook profile information. In the days leading up to November 8, 2016 other ads specifically targeted black Americans with anti-Clinton messaging.

Not all posts were divisive (though most were)

While most ads played into obvious ideological agendas, those posts were occasionally punctuated by more neutral content. The less controversial or call-to-action style posts were likely designed to buffer the politically divisive content, helping to build out and grow an account over time.

For accounts that grew over the course of multiple years, some “neutral” posts were likely useful for making them appear legitimate and build trust among followers. Some posts targeting LGBT users and other identity-based groups just shared positive messages specific to those communities.

Ads targeted media consumers and geographic areas

Some ads we came across targeted BuzzFeed readers, though they were inexplicably more meme-oriented and not political in nature. Others focused on Facebook users that liked the Huffington Post’s Black Voices section or Sean Hannity.

Many ads targeting black voters targeted major U.S. cities with large black populations (Baltimore and New Orleans, for example). Other geo-centric ads tapped into Texas pride and called on Texans to secede.

Conservatives were targeted on many issues

We already knew this from the ad previews, but the new collection of ads makes it clear that conservative Americans across a number of interest groups were regularly targeted. This targeting concentrated on stirring up patriotic and sometimes nationalist sentiment with anti-Clinton, gun rights, anti-immigrant and religious stances. Some custom-made accounts spoke directly to veterans and conservative Christians. Libertarians were also separately targeted.

Events rallied competing causes

Among the Russian-bought ads, event-based posts became fairly frequent in 2016. The day after the election, an event called for an anti-Trump rally in Union Square even as another ad called for Trump supporters to rally outside Trump Tower. In another instance, the ads promoted both a pro-Beyoncé and anti-Beyoncé event in New York City.

Candidate ads were mostly pro-Trump, anti-Clinton

Consistent with the intelligence community’s assessment of Russia’s intentions during the 2016 U.S. election, among the candidates, posts slamming Hillary Clinton seemed to prevail. Pro-Trump ads were fairly common, though other ads stirred up anti-Trump sentiment too. Few ads seemed to oppose Bernie Sanders and some rallied support for Sanders even after Clinton had won the nomination. One ad in August 2016 from account Williams&Kalvin denounced both presidential candidates, potentially in an effort to discourage turnout among black voters. In this case and others, posts called for voters to ignore the election outright.

While efforts like the Honest Ads Act are mounting to combat foreign-paid social media influence in U.S. politics, the scope and variety of today’s House Intel release makes it clear that Americans would be well served to pause before engaging with provocative, partisan ideological content on social platforms — at least when it comes from unknown sources.

Centrify gives states a deal on identity management software to secure midterm elections

To secure U.S. election systems from the very real threat of targeted cyberattacks, states might need to reframe their security practices to look more like they would in a tightly controlled corporate environment.

To that end, Centrify, an enterprise cloud-based identity management company, is extending its security offerings to help states cover their bases as part of a “Secure the Vote” initiative. The company is encouraging state and local election boards to employ its services for basic security measures like multi-factor authentication and user privilege management — two easy steps that could thwart potential attacks. To coordinate with states, Centrify is working with the Department of Homeland Security on the budget and procurement processes as states begin to work more closely with the agency on the challenge of election security.

In a conversation with TechCrunch, Centrify CEO Tom Kemp emphasized that states could bolster election security considerably by even undertaking the most basic safety measures.

“There’s some low-hanging fruit that can be done relatively quickly,” Kemp told TechCrunch, noting that this level of precaution would only take “a couple weeks of implementation work.”

As Kemp notes, the hackers targeting state election systems generally try to compromise admin-level accounts with broad system access. Multi-factor authentication requires an external confirmation of user identity in order to log into a system and is widely considered one of the more basic and most robust cybersecurity precautions for individuals and organizations alike. Centrify eschews the “trust but verify” approach, opting instead for a zero-trust security model that verifies user identity at all levels.

State and local election boards can work with Centrify to get free access to the company’s services for eight months, though they’ll need to sign up for an annual plan to get the deal. The company will work with those groups to deploy its services, with discounted on-site rates. Because the company is already registered in the federal procurement system, states have one less hurdle to overcome if they choose to work with Centrify while taking advantage of federal assistance seeking to bolster state election security. According to a federal contractor search, Centrify’s federal contracts have included work with the U.S. Navy and the National Institutes of Health (NIH).

“In order to secure the vote, Election Boards need to protect their election systems, and more importantly, sensitive voter registration information against bad actors,” Kemp said of the announcement. “That starts with adopting a new mindset that compromised credentials are the main attack vector.”

Facebook’s latest privacy debacle stirs up more regulatory interest from lawmakers

Facebook’s late Friday disclosure that a data analytics company with ties to the Trump campaign improperly obtained — and then failed to destroy — the private data of 50 million users is generating more unwanted attention from politicians, some of whom were already beating the drums of regulation in the company’s direction.

On Saturday morning, Facebook dove into the semantics of its disclosure, arguing against wording in the New York Times story, which the company was attempting to get out in front of, that referred to the incident as a breach. Most of this happened on the Twitter account of Facebook chief security officer Alex Stamos before Stamos took down his tweets and the gist of the conversation made its way into an update to Facebook’s official post.

“People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked,” the added language argued.

While the language is up for debate, lawmakers don’t appear to be looking kindly on Facebook’s arguably legitimate effort to sidestep data breach notification laws that, were this a proper hack, could have required the company to disclose that it lost track of the data of 50 million users, only 270,000 of whom consented to data sharing with the third-party app involved. (In April of 2015, Facebook changed its policy, shutting down the API that shared friends’ data with third-party Facebook apps, data that those friends did not consent to sharing in the first place.)

While most lawmakers and politicians haven’t crafted formal statements yet (expect a landslide of those on Monday), a few are weighing in. Minnesota Senator Amy Klobuchar is calling for Facebook’s chief executive — and not just its counsel — to appear before the Senate Judiciary Committee.

Senator Mark Warner, a prominent figure in tech’s role in enabling Russian interference in the 2016 U.S. election, used the incident to call attention to a piece of bipartisan legislation called the Honest Ads Act, designed to “prevent foreign interference in future elections and improve the transparency of online political advertisements.”

“This is more evidence that the online political advertising market is essentially the Wild West,” Warner said in a statement. “Whether it’s allowing Russians to purchase political ads, or extensive micro-targeting based on ill-gotten user data, it’s clear that, left unregulated, this market will continue to be prone to deception and lacking in transparency.”

That call for transparency was echoed Saturday by Massachusetts Attorney General Maura Healey who announced that her office would be launching an investigation into the situation. “Massachusetts residents deserve answers immediately from Facebook and Cambridge Analytica,” Healey tweeted. TechCrunch has reached out to Healey’s office for additional information.

On Cambridge Analytica’s side, it looks possible that the company may have violated Federal Election Commission laws forbidding foreign participation in domestic U.S. elections. The FEC enforces a “broad prohibition on foreign national activity in connection with elections in the United States.”

“Now is a time of reckoning for all tech and internet companies to truly consider their impact on democracies worldwide,” said Nuala O’Connor, President of the Center for Democracy & Technology. “Internet users in the U.S. are left incredibly vulnerable to this sort of abuse because of the lack of comprehensive data protection and privacy laws, which leaves this data unprotected.”

Just what lawmakers intend to do about big tech’s latest privacy debacle will be more clear come Monday, but the chorus calling for regulation is likely to grow louder from here on out.