Updated Jan 27 2009 with a comment from the Turkish Government. See below.
When criminals turn to disk encryption to hide the evidence of their crimes, law enforcement investigations can hit a brick wall. Where digital forensics software has failed to recover encryption passwords, one tried and true technique remains: violence. It is this more aggressive form of good cop bad cop behavior which the Turkish government is alleged to have turned to, in order to learn the cryptographic keys of one of the primary ringleaders in the TJ Maxx credit card theft investigation.
The 2005 theft of tens of millions of credit card numbers from an unsecured wireless network run by TJ Maxx stores has led to over 150 million dollars in damages for the company. The two gentlemen behind the heist sold the pilfered credit card information to others online. Eventually, the stolen cards reached Maksym Yastremskiy, a Ukrainian citizen, and, according to media reports, a "major figure in the international sale of stolen credit card information."
Mr Yastremskiy was later arrested in 2007, while on vacation in Turkey. The US government has formally requested that Yastremskiy be extradited, and has charged him with a number of crimes including aggravated identity theft.
According to comments allegedly made by Howard Cox, a US Department of Justice official in a closed-door meeting last week, after being frustrated with the disk encryption employed by Yastremskiy, Turkish law enforcement may have resorted to physical violence to force the password out of the Ukrainian suspect.
Mr Cox's revelation came in the context of a joke made during his speech. While the exact words were not recorded, multiple sources have verified that Cox quipped about leaving a stubborn suspect alone with Turkish police for a week as a way to get them to voluntarily reveal their password. The specifics of the interrogation techniques were not revealed, but all four people I spoke to stated that it was clear that physical coercion was the implied method.
The Turkish interrogation seemed to have worked as Mr Cox was even able to share Yastremskiy's encryption password with the audience.
Mr Cox, the Assistant Deputy Chief for the DOJ's Computer Crime and Intellectual Property Section, made the comments during his keynote talk at an invitation-only event for academic and industry experts focused on phishing-related crimes. This blogger has spoken to four sources, each in independent interviews, who claim to have witnessed Mr. Cox making such statements. However, due to the closed-door nature of the event, and fearing that coming forward publicly would lead to them being blackballed from future information sharing sessions, no one would go on the record to make their claims.
If Mr Yastremskiy is successfully extradited to the United States, it is unclear if the evidence from his encrypted disk could be used against him in court. It also remains an open question as to how much the US knew about the alleged beating of Yastremskiy by the Turkish authorities, and when.
If Mr Cox's alleged comments are indeed true, this is alarming news. The majority of cryptographic tools in use today are designed around the general assumption that an end-user can refuse to disclose his or her key if the computer is seized. While password discovery via torture is something that has been discussed in the academic literature for a number of years (it is commonly known as rubber-hose cryptanalysis), it has for the most part remained a theoretical threat. A few tools, such as TrueCrypt, are designed to resist such attacks, and thus use deniable encryption -- that is, making it impossible for someone to examine a computer and be able to determine if there is anything encrypted on the disk. Some tools even allow for multiple deniable encrypted folders, each with a different password.
Of course, TrueCrypt and other tools that have adopted deniable cryptography do not stop government agents from torturing a suspect. It just means that they cannot be sure when to stop the beatings, as there could always be one additional hidden file on the disk.
Multiple requests for comment, by both phone and email to Howard Cox and the DOJ Office of Public Affairs have been ignored. Similarly, the Turkish embassy in Washington DC had not responded to a request for comment by press time.
A Freedom of Information Act request has been submitted for the slides and notes for Mr Cox's speech; however, this could take months or years before any information is returned.
Update: On January 27, 2009, Berkan Pazarcı, the First Secretary at the Turkish Embassy in Washington DC, replied to the request for a comment that I sent back in October of 2008:
The Turkish Ministry of Justice informed the Embassy that Maksym Yastremskiy has not filed any complaint for being subject to ill-treatment or police violence or brutality. The medical reports issued by the Turkish forensic medicine clearly state that no signs of physical harm have been detected on his body.
Disclosure:
Mr Cox presented at a closed-door session at the Anti-Phishing Working Group e-Crime summit. I presented at the same conference the next day, at a session open to the general public. My hotel and airplane ticket were paid for by the APWG, as part of a scholarship program for graduate students.
In 2006, the FBI investigated me for some of my research into boarding pass security. While no charges were ever filed, it's reasonable to state that I have little affection for the DOJ computer crimes section.
Finally, due to the fact that the Turkish government is involved, it is worth mentioning that I am 50% Armenian by blood. Several generations ago, a number of my family members died at the hands of the Ottoman Empire (now Turkey). I do not have an axe to grind in this area, but in the interest of honest disclosure, I thought it should be mentioned here.
A new IRS Web site that allows taxpayers to check on the status of their refund checks could lead to users being phished.
The new "Where's my stimulus payment?" site asks taxpayers to enter in their Social Security number, and a few other trivial bits of information before informing the user of the amount of their refund, and the date it will be sent out.
While no doubt useful, this Web site sets a horrible example, and encourages dangerous behavior by users. Furthermore, in the hands of someone who knows the last four digits of a taxpayer's Social Security number, it could be used as an oracle (by submitting multiple requests) to determine the full SSN of a taxpayer.
Screenshot of the IRS Stimulus Website (Credit: Christopher Soghoian)
The IRS is frequently mimicked by phishers. The agency even goes so far as to offer advice on its site, debunking many common phishing attacks. Furthermore, the agency has shut down more than 1,600 phishing sites claiming to be the IRS in the past few years.
From a security education perspective, it is a really bad idea to have such a form on the official IRS Web site. The IRS should not be training users (via positive reinforcement) to enter their full Social Security numbers into Web sites. It is bad enough that credit cards and banks require us to do so when signing up. The IRS has an existing relationship with every tax-paying citizen. It does not need to use our SSN to authenticate us, and could use one of many other bits of information.
Secondly, the URL, http://sa2.www4.irs.gov/irfof/IRServlet?app=IRACTC, is simply horrible. The vast majority of users will have no idea if this is a legitimate Web site or not. Why could they not select something a bit more readable, such as "www.irs.gov/stimulus"?
At the very least, the IRS should authenticate users with additional information (such as the amount of federal taxes paid in 2008). It already does this for users who wish to e-file. This would at least stop the site being used as an oracle to confirm/guess someone else's SSN.
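One way a site operator could notice the oracle use described above, as an added example (not IRS code): flag any client that submits many different SSNs sharing the same last four digits within a short window. The log fields, the keyed-hash pseudonymisation, the thresholds and all sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: a server-side secret used only to pseudonymise SSNs in logs,
# so distinct values can be counted without storing the numbers themselves.
LOG_KEY = b"constructed-demo-key"


def pseudonymise(ssn):
    """Keyed hash of the full SSN; stable per SSN, useless without the key."""
    return hmac.new(LOG_KEY, ssn.encode(), hashlib.sha256).hexdigest()[:16]


def make_record(ts, client, ssn, matched):
    """Shape of one (hypothetical) lookup log entry."""
    return {
        "ts": ts,
        "client": client,
        "ssn_id": pseudonymise(ssn),
        "last4": ssn[-4:],
        "matched": matched,
    }


def find_oracle_probes(records, window_minutes=10, max_distinct=5):
    """Return sorted (client, last4) pairs that tried more than max_distinct
    different SSNs ending in the same four digits inside the sliding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # (client, last4) -> deque of (ts, ssn_id)
    flagged = set()
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["client"], rec["last4"])
        queue = recent[key]
        queue.append((rec["ts"], rec["ssn_id"]))
        # Drop attempts that have aged out of the window.
        while rec["ts"] - queue[0][0] > window:
            queue.popleft()
        if len({ssn_id for _, ssn_id in queue}) > max_distinct:
            flagged.add(key)
    return sorted(flagged)


def build_sample():
    """Constructed log records; the nine-digit values are made up."""
    t0 = datetime(2008, 5, 1, 12, 0, 0)
    recs = []
    # Client A: eight different prefixes tried against one fixed last-four.
    for i in range(8):
        ssn = f"900{10 + i:02d}6789"
        ts = t0 + timedelta(seconds=20 * i)
        recs.append(make_record(ts, "203.0.113.7", ssn, i == 7))
    # Client B: one taxpayer re-checking the same number three times.
    for i in range(3):
        ts = t0 + timedelta(minutes=i)
        recs.append(make_record(ts, "198.51.100.20", "900551234", True))
    # Client C: shared address looking up eight unrelated numbers.
    for i in range(8):
        ssn = f"90077{1000 + i:04d}"
        ts = t0 + timedelta(seconds=30 * i)
        recs.append(make_record(ts, "192.0.2.55", ssn, True))
    # Client D: same last-four six times, but one attempt per hour.
    for i in range(6):
        ssn = f"900{20 + i:02d}4321"
        ts = t0 + timedelta(hours=i)
        recs.append(make_record(ts, "192.0.2.99", ssn, False))
    return recs


SAMPLE = build_sample()

if __name__ == "__main__":
    for client, last4 in find_oracle_probes(SAMPLE):
        print(f"possible SSN oracle probing: client={client} last4={last4}")
```

Per-client counting of this kind is only a tripwire; requiring a second piece of information, as suggested above, removes the oracle itself.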
To see why this is such a bad idea--look at the image below of a phishing scam claiming to be an IRS refund Web site. Now look at the image above, the IRS's new refund status site. Can we really expect most users to tell the difference?
In the last few months, both Google and eBay unit PayPal have quietly rolled out new online-payment solutions that specifically target Internet-based political-campaign contributions.
While the companies primarily pitch their new products as methods for "attracting more supporters" and "increasing online giving to your campaign," the Internet titans have also laid the groundwork for phishing-resistant campaign contributions.
Google Checkout for Political Contributions (Credit: Google)
In a research paper released last year, Markus Jakobsson, Oliver Friedrichs, and I wrote about the looming threat of phishing Web sites posing as legitimate political-campaign sites.
The phishing problem is a particular threat to campaign sites, for a number of reasons:
- The various campaigns use completely inconsistent naming schemes for their domains. Users have no way of knowing if they should go to Hillaryclinton.com or Hillary.com, Rudygiuliani.com or Joinrudy2008.com.
- Politicians were nice enough to exempt themselves from antispam laws. An online store cannot send out unsolicited e-mail and ask you to buy their products, but politicians can send out hundreds of thousands of e-mails asking people to donate money.
- While online banks have gone to great lengths to educate their users about the dangers of clicking on links in e-mails, the campaigns all encourage this dangerous behavior. At the end of e-mail messages describing the threat posed by the opposite party, potential donors are asked to click and donate.
- Campaign contributions don't result in the sale of a physical good. If a phisher pretends to be Amazon.com and tricks a user into entering his or her credit card number, there is a good chance that the victim will figure it out when her book never shows up. However, once a donor has given money using a legitimate campaign Web site, the only thing they will ever receive is a thank-you e-mail, which can easily be spoofed by a phisher.
In our research paper, we suggested that Google and PayPal begin to offer online-campaign contribution systems. The two companies have already spent millions of dollars in establishing trusted brands--enough that millions of users entrust the firms with their credit card details and other personal information. Both have Web site names that users can remember, and the two companies have well-staffed security teams that can respond in real time to phishing threats.
A couple weeks ago, PayPal launched its "PayPal Kit for Non-Profits" product. Similarly, Google recently announced a form of Google Checkout specifically designed for political campaigns.
I'm not going to claim credit for inspiring these product deployments, as I'm sure that the legal complexities in designing a campaign contribution system are significant enough that the firms were working on the products long before my colleagues and I published our paper. However, it is nice to see that we successfully predicted the future.
Both sites pitch their products as ways for campaigns to increase the amount of money that is donated and a way to increase the number of potential people who will give. The massive security benefits to donors and the campaigns (in terms of reputation damage in the event that a phishing attack occurs) are glossed over.
The introduction of these products is a great first step. However, the millions of people who donate to campaign sites are not yet safe from phishing attacks.
First, the campaigns need to all ditch their own home-brew payment-processing solutions and switch to the exclusive use of either Google, PayPal, or both.
Second, the campaigns need to stop telling users to click on links in donation solicitation e-mails.
Third, the campaigns need to engage in user education and tell people that they should not give money through anything other than Google or PayPal.
With millions of dollars per week being raised online for the presidential campaigns, this is an area that is ripe for fraud and evil activity. While the phishers have thus far not targeted campaign sites, it is surely a matter of time before they do. However, if the campaigns are smart, and start taking advantage of the tools made available to them by trusted online-payment sites, they can do much to reduce the risk that phishers pose to the online-donation process.
It remains to be seen if the campaigns will actually be wise enough to embrace Google, PayPal, and others--or if they will allow their reputations and the confidence of online users to be trashed due to an inability to see future threats.
Disclosure: I interned with Google's security team in 2006 and have received $5,000 of fellowship money from Google and the Hispanic College Fund in both 2007 and 2008.
Update: This blog post was edited after receiving complaints from a number of Mozilla employees. For a list of the edits, go to the bottom of the post.
The Firefox browser may not be as independent as previously thought. Mozilla essentially owns Firefox, and it proved so when it flexed its muscles last year in forcing Debian to rename its browser IceWeasel.
However, the open secret in the tech sector is that at the end of the day, Google calls the shots. As this blog post will explain, when a pro-user security feature in the browser threatens Google's business model, it is the feature that is made to compromise--not the search engine.
Embrace Google Freedom (TM) (Credit: Sgrah / flickr)
First, a few highlights of the Firefox-Google relationship.
Fact: $56 million of the $66 million that Mozilla made in 2006 came from Google. The vast majority of this was due to the fact that Google is the default search engine for queries entered into the Firefox search bar.
While Apple also gets a nice chunk of change from Google for the search bar in its Safari browser, Apple has enough other sources of revenue that it can easily walk away from Google's cash.
Fact: Users who enter keywords or misspelled URLs into the Firefox 2.0 location bar will essentially be running a Google "I'm Feeling Lucky" search. That is, they will be taken to the first result for a Google search query for those terms.
Fact: In addition to the Google cash flowing to Mozilla, a number of Google engineers spend significant amounts of time working on Firefox. This includes Ben Goodger, the former lead developer, and still a major contributor for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many overall corporate resources at the browser.
Fact: Two key features of the Google Toolbar for Firefox were rolled into the Firefox 2.0 browser and are turned on by default: Google Browse By Name and Google Safe Browsing for Firefox (now the Phishing Protection feature in Firefox 2.0). These two features, while useful, are more than just the application of a useful patch. They result in millions of Firefox browsers regularly polling Google servers for core information.
Fact: The Google Anti-Phishing relationship will be expanded in Firefox 3.0. While Google currently is the default provider of a blacklist of known phishing sites to the browser, this will be enhanced to include a blacklist of sites that serve up malicious software.
Fact: Google pays AdSense publishers (Web site owners) $1 for each new user who installs Firefox + Google Toolbar as a result of a referral link from one of their pages.
The fact that Google wants to encourage a standards-compliant alternative to Internet Explorer is logical, and it makes good business sense for the company. The company's very ability to make money depends upon users being able to access its various Web-based applications. If Microsoft controlled 90 percent of the browser market, and it could "accidentally" break Google's Web sites with a software update, the search giant would be in serious trouble.
Dear Mozilla - remember your priorities. (Credit: lautreamax / flickr)
Of course, from the perspective of limiting the chance of government regulation, antitrust actions and any controversy over the company's acquisitions (such as with DoubleClick), there are some serious strategic advantages to being able to say Firefox is controlled by a bunch of open-source developers--and that it is not taking its orders from the Googleplex.
The close relationship between Google and Mozilla leads to a number of serious conflicts of interest. The end result is that users' online privacy and security take a backseat to the protection of Google's revenue streams. I will now explore two particularly chilling examples of this conflict of interest.
Ad blocking
The AdBlock Plus Firefox extension is getting to be extremely popular. It has been featured in The New York Times, and it is regularly included in various "top 10" lists of Firefox extensions on major blogs and other popular Web sites. For those of you who have not yet tried it out, AdBlock Plus (and its essential sidekick, the Filterset G Updater) completely revolutionizes the Web-browsing experience. After surfing without ads for the last few years, having to use a public computer without AdBlock Plus is a frustrating, distracting, and unpleasant experience.
While AdBlock Plus is fantastic at getting rid of most banner ads, it doesn't do the best job of targeting Google's text-based advertisements. This is where another immensely useful extension, CustomizeGoogle, comes in handy.
In addition to blocking Google's text ads (on all Web sites, including Google Web properties such as Gmail and Google Calendar), the extension also protects user privacy. With CustomizeGoogle installed, the search engine's tracking "cookies" are not accepted. This means that users cannot be tracked across multiple sessions. They can deny the search engine knowledge of which links a user clicks on from the results page of a search.
Given the cavalier attitude that the company has to user privacy (tracking users via cookies, unless the user leaves a two-year gap between visits to a Google Web property), CustomizeGoogle is one of the few ways that users can take proactive steps to protect their own privacy online.
This begs the question: why doesn't Firefox adopt the features of AdBlock Plus and CustomizeGoogle? While the terms of Google's contract with Mozilla are not public, even if Mozilla were contractually free to include anti-Google-tracking features, it would not be a wise move, business-wise. After all, it is not too smart to anger the company that provides more than 85 percent of your financing.
This is all conjecture, of course, but why else would the Firefox team not roll in the features of two extensions that are widely popular and that do so much to protect users from annoying advertisements and creepy privacy intrusions online?
Firefox Phishing Protection (Credit: Firefox/Mozilla)
Phishing Toolbars
There is a normal cycle when a new phishing site is created. It works something like this:
- A new phishing site is created and e-mailed out to thousands of people.
- Someone tips off Google, which adds it to the phishing blacklist.
- Millions of Firefox browsers download the latest blacklist from Google.
- Users who click on e-mails, taking them to the phishing site, receive a clear warning from Firefox, telling them that the site is malicious.
However, what happens when the phishing site is hosted by Google?
This very issue was discussed by noted Web application security expert Robert "RSnake" Hansen in August. RSnake discovered a cross-site scripting (XSS) flaw in Google's gmodules.com Web site. The security flaw, which has yet to be fixed, was dismissed by the Google security team, which claimed that it was, in fact, an intended design feature.
RSnake described the significance of the vulnerability, stating that the exploit would allow someone "to take over other people's Web sites when they embedded the erroneous third-party code. Kinda nasty. Unlikely, but nasty. More likely, it would simply be in phishing sites that didn't want their sites taken down, but wanted Google's to be taken down instead."
This brings us to a really interesting dilemma. Google has a well-known flaw in one of its Web sites that can be (ab)used by phishers and malicious hackers. Google refuses to fix the flaw, as it believes that it is not a problem. Google also operates the Firefox phishing blacklist. Will Google add one of its own domains to the phishing blacklist? Of course not!
RSnake, who worked in the antiphishing blacklist area for some time, makes several claims. On his blog, he wrote that "the browser companies have to maintain a list of sites that aren't phishing sites but often get flagged as phishing sites. Google happens to host a lot of those.
In reality, Google is being used to phish consumers or redirect them to phishing sites, but Google doesn't really fix this problem. Instead, it tells the browser companies to whitelist its sites, regardless of the fact that consumers are losing their identities as a direct result of Google's actions in two ways: 1) because it has not ended the vulnerability and 2) because of its insistence in being marked as a 'good' site."
Essentially, what he claims is that with Google's rather menacing legal department, no other competing antiphishing company will dare to include a Google-owned domain on a blacklist. In addition, Google's domains get included on a whitelist shipped with antiphishing software, which is a list of domains that will never cause warnings.
RSnake further claims that in addition to intimidating the other firms in the market, Google refuses to include its own Web properties in the Firefox phishing blacklist, which it maintains.
While RSnake does nothing to hide his lack of love for the big G, his reputation in the Web application security arena is top-notch. Furthermore, in the two months since RSnake first made his concerns public, no one from Google has publicly disputed anything he has said.
With Google providing the blacklists for the new antimalware features in Firefox 3.0, we should all be asking: Can we trust Google? To paraphrase the old phrase, who will blacklist the blacklisters? With control of hundreds of millions of Firefox browsers, what incentive does Google have to keep its own Web properties free of phishing sites?
A number of edits were made to this blog post on the evening of November 1 2007, to reflect feedback received from Mozilla Corp employees.
The following edits were made:
Original: "This includes Ben Goodger, the lead developer for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many resources at the browser."
Now: "This includes Ben Goodger, the former lead developer, and still major contributor for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many overall corporate resources at the browser."
The following text was removed from the introductory paragraph: "When the Big G wants some technology in Firefox, a patch gets applied." - Several Google developed features (including Safe Browsing/Phishing Protection) are now in the mainstream browser, however, this sentence could be read in many ways, and so it seemed best to remove it.
This paragraph was removed "Fact: While Mozilla's contract with Google ends next year, it is highly unlikely that Mozilla will shift to another search engine, even if paid more. The simple reason for this is that lots of users like the Google search experience. If Firefox switched, say, for example, to MSN Live Search, many users would be up in arms. Thus, while Mozilla can keep taking Google's money, it can't realistically switch the default search engine to any other Web site." - I erred in placing this in the "Fact" section, when in fact it should have been noted as a conjecture. In any case, it has been removed completely.
Caller ID information is not to be trusted. Judging by the reactions I've gotten from colleagues and friends recently after they've been the victims of spoofed-ID demonstrations, it's not common knowledge that caller ID information, primarily the phone number that often appears on the recipient's telephone display, can be easily faked. Best of all for the mysterious caller, it's not illegal in the U.S. (except in cases where fraud occurs). Calls for the purpose of amusement or revenge are perfectly legal.
This phone is tapped. (Credit: Andrew McConachie)
With the help of easy-to-use Internet calling card services, it's possible to call up your friends, and have the originating caller number be something completely different, say, the White House switchboard (202-456-1414). For many of the services, it's as simple as punching in three phone numbers: your own number, your pal's number, and the number you want to show up on their phone's display when you call.
The calling card companies providing these services charge a fair bit--approximately 60 minutes of calls for $10. One of the major firms, SpoofCard, is nice enough to let users try their service out for free--two minute calls can be initiated for free from the company's Web site. For those of you doing the home-brew VOIP thing using an Asterisk server at home, faking your Caller ID information is as simple as editing a configuration file.
Being able to change the originating call number can actually be really useful--for the bad guys.
Many voice mail systems do not prompt you for a PIN or password when you appear to be calling from the number associated with that voice mail account. Some credit card companies require that new cards be activated upon receipt by calling up an automated phone system from the cardholder's home phone number. Many people screen their calls, looking first at the display before deciding if they will pick up the phone. Such people can be tricked into picking up the phone by someone who would ordinarily get ignored. Caller ID spoofing is a priceless technique when conducting social engineering or industrial espionage. Being able to call someone else in a company and have the number come up as an internal office phone number can make it much easier to pretend to be "Bob from accounting."
Anonymous (Credit: Doublebug / Flickr)
Using a fake caller ID service, it should be possible for a motivated criminal to stalk someone, listen to their voice mail and then activate a credit card stolen from the victim's mailbox. Creepy stuff.
So what about the law? Caller ID spoofing services do not appear to violate any federal criminal law, according to an interview published with Orin Kerr, a law professor at the George Washington University Law School, and a former Justice Department computer crime lawyer. "It doesn't violate the Wiretap Act or the Computer Fraud and Abuse Act or anything like that," said Kerr.
Congress attempted to pass legislation earlier in 2007 making it illegal to spoof caller ID. The bill, The Truth in Caller ID Act of 2007, sailed through the House of Representatives but has yet to make it through the Senate. The law would outlaw causing "any caller identification service to transmit misleading or inaccurate caller identification information" via "any telecommunications service or IP-enabled voice service." Law enforcement is exempt from the rule.
Ma Bell: Got the ill communication (Credit: TheTallest / Flickr)
With the legislation apparently stalled at the federal level, some states have begun to pass their own laws. According to USA Today: "Florida Gov. Jeb Bush signed a law banning commercial telemarketers from using ID spoofing. Violators can be fined up to $10,000 per incident. Alaska and New York have considered anti-spoofing legislation. Delaware has no law that specifically bars people from misrepresenting their name and number on the recipient's caller ID. If done for commercial purposes, however, the practice could be treated as a violation of the state's Deceptive Trade Practices Act or the Consumer Fraud Act, says Barbara Gadbois, who directs the Consumer Protection Unit of the Delaware Attorney General's Office. Extracting personal information that is then used to steal money or commit another crime is a felony punishable by up to eight years in prison, Gadbois says."
Even the state laws that have been proposed only ban the commercial use of caller ID spoofing and cases of fraud. The use of such services by individuals for amusement or revenge is still perfectly legal. Thus, until the feds can agree upon and pass stronger legislation, fake caller ID is here to stay.
Later today, I will be presenting as part of a panel on the subject of political phishing at the Anti-Phishing Working Group eCrime Researchers Summit.
During the panel discussion, I will be speaking about the threats to the online fundraising model used by political candidates in the United States. While attacks in the wild have yet to be seen, there are a number of factors which make online campaign giving particularly vulnerable to phishing attacks.
To go along with my talk, Professor Markus Jakobsson and I have released a white paper which clearly explains the issues, threats and a solution to the problem. The slides for my talk are also available online at www.politicalphishing.com.
Based on advice from legal counsel, I won't be including any of the screenshots and synthetic examples of political phishing sites in this blog post. This research needs to remain 100% non-commercial, and since I get paid for this blog, I don't want to be seen as profiting from this phishing project. I'll explain the problem of political phishing briefly here, but if you find the subject interesting, I urge you to go and read our technical report or at least look at the slides.
Hillary Clinton made headlines earlier this week when it was announced that she raised over $8 million through online donations in the third quarter of 2007. In the grand scheme of online political donations - this is a fairly small sum. After all, in 2004, John Kerry raised $3 million in a single day, and $5 million over a two day period. The reason that Hillary's financial haul is such a big story is that it is over a year before the presidential election, and she has yet to win the Democratic primary. Thus, I feel completely safe in predicting that the 2008 election will result in more online campaign donations than ever before.
The problem with this, of course, is that where the money flows, fraudsters and criminals soon follow. While banks and other financial firms regularly urge their customers never to click on links contained in emails, political campaigns preach the opposite message. The regular flood of campaign emails in my inbox attests to the fact that politicians depend on you "acting now" - which usually either involves clicking on and filling out a petition, or donating funds. If Hillary Clinton's campaign (or Mitt Romney's, Fred Thompson's or any other candidate's campaign) can convince users to click on an email that arrives unsolicited in their inboxes, pull out their credit cards, and give money to a website that they have no real way of authenticating - then the phishers can too.
One of the main problems is that candidates use such inconsistent schemes when picking a domain name for their official website. A pop quiz: Should a potential donor visit joinrudy08.com, or rudygiuliani.com, barack.com or barackobama.com, fredthompson.com or fred08.com? If a user clicks on a web advertisement that takes them to hillary08.com, how can they be sure that they are at her official campaign website?
This little taste should be enough to at least explain the risks of political phishing. While 2008 will certainly be the biggest year of online fundraising, it may also be the year that political phishing becomes a serious issue. For more information on the subject, please read our white paper and check out our slides containing synthetic political phishing emails and websites. Both are located at www.politicalphishing.com. Would you be fooled?
During my blog posts this week, I'll be focusing on ways in which the Internet can be used to disrupt elections and the political process. On Friday, I'll be giving a talk on the subject at the Anti Phishing Working Group eCrime Researchers Summit on the subject of Political Phishing.
In today's post: What happens when voter suppression calls get outsourced to India? How will law enforcement track down the evildoers, and what will this mean for our elections?
Shortly before the 2006 election, voters across Virginia received calls that falsely claimed that their voting places had changed. According to a sworn statement filed with the Board of Elections, a man said he got a phone message from the "Virginia Elections Commission" telling him that he was registered to vote in New York and would be "charged criminally" if he voted in Virginia. The FBI later opened an investigation into the calls.
[Image: Karl Rove. Credit: Whitehouse.gov / LolCat Builder]

In 2004, Michigan Secretary of State Terri Lynn Land had to put out a statement in mid-October about where to send absentee ballots after voters in the Ann Arbor area received calls telling them to mail the ballots to the wrong address.
On election day 2002, computerized hang-up calls jammed phone lines set up by the New Hampshire Democratic Party and the Manchester firefighters' union. Over 800 phone calls were made to a get-out-the-vote phone bank over the course of two hours. James Tobin, the regional director of the National Republican Senatorial Campaign Committee was initially convicted and sentenced to 10 months in prison on charges of telephone harassment, but his conviction was later overturned by the 1st U.S. Circuit Court of Appeals. In total, the Republican National Committee spent over three-fourths of a million dollars to defend Tobin.
While these three incidents are all disgraceful examples of voter suppression tactics, the one silver lining is that the appropriate authorities were able to investigate, track the calls down to the source and, often, make arrests. This was primarily due to the fact that the calls were being made by U.S.-based companies, and thus the FBI was able to obtain call records, and then follow the money trail to the various state political organizations that had contracted out the immoral and often illegal tasks.
Which brings me to the point of today's blog post: My prediction for the next generation of voter suppression tactics.
Hunting down and prosecuting the perpetrators is not going to be so easy the next time around. If Dell and Citibank can outsource calling centers to India, it makes perfect sense that sleazy political activists can do the same. By placing a few thousand miles between the call centers and U.S. law enforcement, the funders of the next generation of dirty tricks will become almost impossible to track down and prosecute. And why not? It works for the phishers. Furthermore, if the call centers use prepaid voice over Internet Protocol (VoIP) services, it should add an additional layer of fog that investigators will struggle to cut through.
This may not happen in 2008, or even 2010, but I'm fairly certain that it will happen eventually. Voter suppression is an immoral, yet valuable tactic used by both political parties. The only thing stopping them from using it more is the fact that it is often illegal, and at the very least, will make them look bad. If they can sever any links between the offending calls and their own squeaky clean political machines, the calls are bound to increase in number.
I jotted down a few back-of-a-napkin calculations to figure out how much it'd cost to call 1 million U.S. voters and speak to them for 10 minutes. Assuming approximately 4 cents per minute rates for VoIP calls, it'd cost around $200,000 just for the telephone time. To perform this in one day, you'd need access to about 5,500 home DSL lines (800kb upload).
Since the very act of voter suppression is already illegal, it doesn't seem too unreasonable to assume that the companies doing it would rent compromised botnets. I'm sure 5,500 bots could be rented for a very modest sum. Throw in $50,000 for setup and labor costs, and it shouldn't cost you more than $300,000 to initiate pre-recorded voter suppression calls against 1 million U.S. voters. Compared to the cost of a few commercials in Iowa, it's a steal.
The same task could be performed by live people in a foreign call center, although this would of course cost far more. However, by outsourcing voter suppression calls (both human and pre-recorded) to India and the Philippines, these next-gen Karl Roves will be able to make post-election investigation and prosecution of their crimes far more difficult, and save themselves some money in the process.