Why Can't Americans Vote Online?

Many ask the valid question of why we cannot vote like we live in 2016 – online. We bank, shop, work, talk, and do just about everything else online, so why not voting? Some smaller countries do it – Chile and Estonia, for example, but in general there is a substantial risk to hacking.

The unfortunate truth is that our online banking and email are only as secure as they are, which depending whether you have two factor authentication and complex passwords might not be too secure, because most of us aren't important enough to be the focus of targeted hacking. It is often called 'security through obscurity' – we blend into the crowd.

A United States election online would not be secure by blending in, there are too many parties (both internal and external) with vested interest in the outcome of the election. The election would be a major target to hackers from every corner of the planet, and it would bring out the best of the best as private bounties are offered for anyone who can generate a return on that investment. Consider how incentivized a single hacker would be for $10M (I made that number up) and how trivial that sum would be to the person/group offering if they could place investments such that they'd benefit orders of magnitude more than that with a controlled outcome.

The biggest hurdle is in verifying the identity of who is trying to vote. You can either make it really challenging and risk violating privacy as well as prevent a large number of (generally lower income) people from voting, or you can make it less challenging and almost guarantee it is compromised. 

So let's dive into what those might look like. If you made it more secure, you could verify fingerprints which would require the entire nation to be fingerprinted (expensive, time consuming, and a major imposition on privacy). You can do ID scanning which would require having an ID (many don't), a good enough camera to scan it clearly (which many don't have), and this still doesn't address the issue that, as many 19 year olds will attest, IDs are relatively easy to fake. The website would have to be encrypted, of course, but on places like college campuses a bad actor on the network could spoof the SSL certificate and intercept, decrypt, and change, all voting traffic that takes place on that network.

If you made it less secure, then there is nothing to stop people from voting en masse for the millions of American's whose personal information is readily available for sale on the darker corners of the internet. It is unsettling, but nearly everyone has some amount of their personal information for sale somewhere, and if you use common passwords or predictable security questions, it would be trivial to submit a vote on your behalf before you even figure out who you're voting for.

I'm sure this is just the tip of the iceberg. Suffice it to say that even with strict identification practices, it would be a challenge. All of this ignores the nontrivial portion of this country without a reliable internet connection, computer access, or technical wherewithal to actually vote online even if it is an option.

It will be interesting to see what they come up with, but unfortunately the most secure scenarios I can think of will really upset the libertarian-minded citizens, as they'd basically require submitting biometric data to the government (never mind how expensive that effort would be).

Vote To Support Science, Technology, Truth, and Facts - #ImWithHer

There are a lot of things to consider in an election, and this isn't a political blog, so I'll spare you an extended piece on this... unique.... 2016 United States Presidential Election. That said, technology relies on science and facts bound in reality to exist, so therefore I have to defend the spread of science and facts.

Only one major party candidate believes that climate change is a real thing. Science and technology tell us with certainty that climate change is real.

Only one major party candidate believes that telling the truth (as much as any politician does) is important. 

Only one major party candidate believes in treating people of all walks of life fairly and humanely.

Only one major party candidate proposed or supports major constitutional violations, more than any presidential candidate in recent history.

Only one major party candidate is facing charges for committing sexual assault (with multiple witnesses) and is accused, again with substantiated claims, to have raped a 12 and a 13 year old. [Update: While the claim was "voluntarily" dropped on November 4, 2016, the history of the case explains why. Repeated death threats, being terrified of exposure, up against a billionaire (and soon POTUS) is an insurmountable set of circumstances.]

Hillary Clinton is not perfect. She has committed sins, the worst of which (in my humble opinion) were done while defending a man she loves and with questionable drone policies, but to convince yourself of a false equivalence between these two candidates is to abandon truth and facts.

To be clear, there is a defensible position for voting GOP because of taxes and financials, but doing so at the Presidential level this election would lead to a death of morality and science for this country that would almost surely* bring about a downward spiral worse than any 4 years worth of left-leaning policies. So instead of voting in a tyrant, focus on finding and promoting a more intelligent and truthful candidate that represents your values in 2020.

I'm not one for strong political stands, I see deep flaws with both parties, but this isn't a political stand. This is a human stand. As if Trump's policies, which (if they exist at all) are ill-informed, non-scientific, and closed-minded, weren't enough, he is a genuinely terrible person that has really helped to bring out the worst in a lot of people. That is not the type of person who should be running this country.

#ImWithHer and I hope you are too.

*I understand the irony of using such a subjective claim in a post promoting voting for science and truth. It is a challenge to completely ignore the immeasurable human element of this election, though. I admittedly have no sources to substantiate this particular sentence.

An Engineer's Hippocratic Oath

For all of modern history, engineers of many disciplines have needed a certification to practice their trade. This makes sense — you want bridges to withstand wind, you want a city's sewage system to work correctly, and you don't want airplanes falling out of the sky. In most cases, this is the Professional Engineer (PE) License. It requires industry experience and a rigorous test; the result is that your bridges, cars, and cities are safe.

Computer engineers and developers do not have a similar certification, or at least not one that is required to ship hardware or software that can drastically impact millions of people. This has pros and cons. The pros include no bottleneck in the system, a much lower barrier to entry resulting in a wider range of more exciting ideas, fewer opportunities for corruption or prejudice to preclude someone from participating, and more. 

There are cons, too, however. These include a hijacked botnet of Internet of Things (IoT) devices being used to effectively take down the internet.

People will follow incentives, this is unavoidable when looked at on a macro level. When people have the choice of spending nontrivial sums of money or getting what they perceive is the same value from a cheap (or free) alternative, the masses will opt for the cheaper version. To make matters worse, some of the decisions are largely out of consumers' hands. In the case of a set top box from your cable company (hacked DVRs were behind a sizable portion of the DDoS attack), you might not even have any real alternative choices (yes, there is TiVo, but most people use the cable company's setup process/services). Companies follow incentives just like individuals, so if they can save a few bucks per DVR unit their margins on your rental go up substantially.

As with cheaper options of nearly anything, the similarities to the more expensive choices are all skin deep (if that). The security is a joke, in many cases these hacked DVR units had hard coded usernames and passwords, or ports are left open, or there's a public pinging back to China to check for software updates without verifying the response is valid, or any number of other glaring instances of engineering negligence. Not only are products of half-assed engineering proliferating, no one knows what to do about it and most consumers don't even know, let alone care.

This attack didn't cost lives. Not yet. But as more of our lives moves toward having internet enabled components like cars, pacemakers, thermostats (imagine a thermostat being disabled overnight and a baby or very old person freezes to death in a bad storm), this lackluster security can and will cost lives.

It remains true that you get what you pay for. If you know how to telnet into your cheap IP camera and close the ports that were left open by the manufacturer, then by all means, save $20 on the device. Otherwise, anyone else should really consider spending a bit more money and putting your trust in a company with a solid reputation whenever possible. The responsibility lies with consumers, and while liberating for those that know what they're doing, this is damning for those that don't.

There isn't an easy solution on the engineering or product side, unfortunately. The best one I can come up with are optional certification tiers for connected devices, but history has shown that consumers will still choose the free uncertified version often enough that there will always be enough hackable devices to perform a similar attack. At least with certification tiers, we can try to proliferate knowledge of the risks of buying a lower tier of device, though this is far from a cure-all solution. A engineer's oath, synonymous to the hippocratic oath, is wonderful in theory, but in practice, mandating such a thing is at odds with the very free and open nature of the internet that makes it so incredible. 

Update: Paul Sadauskas points out that a set of requirements akin to the UL Certification requirements could be imposed on the software and firmware loaded on hardware products imported into the country in question (I am writing this from the perspective of an American in the continental United States.) This isn't foolproof, since hardware or firmware can be changed after the fact, but it would make a sizable dent by making the default "this will never get updated or configured" devices less susceptible to more commonplace vulnerabilities.

Not Your Father's Bubble

For several years now, a sizable portion of the technology investor and news dialogue can boil down to "There's definitely a bubble!" and "There's definitely not a bubble!"

Far be it for me to weigh in here, I'm no investor, and feel far more comfortable giving my money to Betterment (not an ad, I just really love what they do) than investing (all of it) myself. With that being said, I do think I've got enough of a hold on the technology side to participate on the periphery of the conversation.

I am NOT declaring that there isn't a bubble, let me get that out of the way right now. Startups have been getting scooped up for 100s of millions or billions of dollars for several years now, and sometimes it feels more like people with money to burn desperately trying to get their ticket on the next gravy train. Is it sustainable? Who knows. Is it reasonable or justified? I think that's a mixed bag. Since I'm not sitting on a mountain of billions, I don't think my two cents means much here though.

It seems like a continual case of, and I almost hate myself for saying it, FOMO. With how fast technology can scale right now, a hot new startup can become a behemoth of industry a hell of a lot faster than ever before. A few thousand percent return is a good incentive to write a check; I'm sure it only takes missing out on one or two Facebooks or Ubers to realize that. 

Anybody with a a few weeks to throw together an app can go from a nobody to printing tens of thousands of dollars per day, consider Flappy Bird. So while he didn't go on to get millions of VC funding to stock a $10,000/month office with $4/bottle coconut water, he probably could have. It demonstrates how these ideas are, whether by design or as a result of current VC strategy, lottery tickets for the ultra-wealthy. (Side note: this is not a statement on income inequality - no one should feel entitled to anything and should expect to work hard for everything, anything extra is a bonus, but I realize I'm fortunate to be able to hold this privileged position.)

The last dotcom burst had some startups with good ideas – grocery delivery was introduced and everyone was sure that would be the next frontier; it failed spectacularly with so many losing sums of money the rest of the world only dreams to know. Digital entertainment, music and video, were attempted and we didn't have high resolution cameras with us every second of the day with high speed internet to connect people. Others attempted digital currencies, and again fell short of realizing their dreams. TNW put together a fun list to look through of 17 failed dotcom companies and their modern counterparts.

So why, when valuations appear to be based so heavily on someone adding some zeros to their just just so they don't miss out, would there be any argument that there is not a bubble?  

To oversimplify, it is the first time in human existence that we've had this kind of reach and instantaneous market. We have over a billion potential customers throughout the world on any given platform, double that (or more) when you go cross-platform. Furthermore, the access we have isn't to a shared home computer, it is to the most personal device that this world has ever known, with the extra upside that we carry it with us at all times. The experience of ordering groceries by logging into a website, finding a store, placing an order, typing in your credit card information, and waiting, is vastly different than having your phone on you, know your location, have an app custom designed for doing exactly this, algorithmically determined options based on purchasing patterns, a near-instant Apple Pay transaction, and city infrastructure that is designed to fulfill the order. 

To be fair, the website would also be designed for this task, credit card and location information can be saved, and the hundreds of millions of dollars were being invested to overcome the last mile problems, but that difference matters. The smartphone enables speed and convenience to go from an idea to an order which ultimately provides the escape velocity for these ideas this time around. Think of Uber without the phone, think of social without a good camera and location capability, it just doesn't add up to the user experience momentum that we're currently experiencing. 

Lastly, we now have the computing power and data collection capabilities to really take this to the next level. Location awareness and a rich browsing and purchase history give retailers a much more accurate view of what we want. Retailers can now view these patterns and anticipate things then tailor our experience to drive higher sales. A lot of this existed, or technically could have existed a decade ago, but it either didn't exist or didn't exist at the "hit the ground running" scale that was required. That difference matters. All of these differences matter. They add up to, as only hindsight will be able to confirm, what appears to be the perfect storm for this to be real, and not a bubble.

I don't know if this time will crash and burn like last time, but it is plain to see that this time is different. The phone changed everything, and so it stands to reason it will be sufficient to prevent the fallout we saw in the first bubble. 

Managing Endpoints in a Connected Life

I first noticed a few years ago that as more items are getting connected, the management of that connection becomes a burden. You've got companies putting SIM cards in watches now which seems unnecessary today, but soon we'll look back at it and wonder how we ever lived without it. There are SIM cards in phones of course, but also tablets, cars, home security systems, and more.

Do you manage each of these individually with their own account? Maybe, but probably not. It's a bit scary to think that if the devices are all on one account, a hacker could obtain power over all of the accounts that connect and secure your entire life; but realistically this is only one entry on a long list of horrible things that could happen if you don't take security seriously.

Unfortunately, the billing methods haven't really caught up to our demands on the carriers. For example, I want a SIM card in my iPad for travel, but I don't travel often so I don't enable it most of the time. If I put the iPad on my Verizon account with my phone, I share my phone's data and I have to pay $10/month for something I rarely use. As a result, I have a separate account for my iPad. Then you've got family sharing issues where there's a single primary account holder, how would one of their children add a device to that plan without being a burden on the parent? They can get authorized on the account, but even then the power is limited.

The solution isn't crystal clear yet. Though eventually carriers will have to take a big step forward with much more clear online accounts with easy permission controls so that each user can add/remove devices at-will. The billing needs to support flexibility and non-permanent device additions – even though the carriers have a large vested interest in you adding your iPad to the account then never using the data plan on it.

Another option is for each endpoint to be it's own account with the carrier and carrier billing being invisible to the user. For example, imagine a next generation Nest thermostat with a SIM built in (to guarantee remote control capability in either a vacation home with no wifi or when wifi is down at home). Perhaps I can just pay Nest $25/year for that capability (it is a negligible volume of data, after all). They handle the carriers on their end and the user doesn't have to worry about it.

This is only going to get worse in the short term, and I don't think the carriers are properly motivated to really solve it. People are complacent by their nature, so if you can lure them in, the odds of them ever proactively seeking change is shockingly low.