Okay. So our next section is on legal considerations of election machine hacking. Joseph Lorenzo Hall is the Chief Technologist and Director of the Internet Architecture Project at the Center for Democracy and Technology, and Candace Hoke is a legal expert and founder of the Center for Election Integrity. And so with that, I will turn it over to you, Candace, to start.

Thank you so much. Thanks so much, Jake. Welcome, everyone. I'll stay over here. It may seem strange to have a law professor here. I'm happy to also tell you that I hold an information security degree from Carnegie Mellon, and I've been working with this crowd for over 10 years on election security, which, as you've already discovered, leaves a great deal to be desired. You want to flip to my next? Part of what I want you to recognize, and maybe you already do, is that law is both a cause and potentially a cure for election security. The way we got into this disaster with e-voting and election tech was from a legal mandate out of Washington, where those who did not understand security vulnerabilities at all assumed that we would solve the nation's problems in voting by simply moving to electronic voting, and it was basically a mandate to the states. And we could say much more in a complex way, but there will be more later this afternoon about that. And of course, it is a matter of state as well as federal law. Let's go to them.

So first, I'd like to just quickly flip through some of the consequences of election hacking, just to remind us what's at stake. We probably all think we know what's at stake, but let me just remind you. So let's quickly move through these. At the federal level, we have not only Congress and the President, but also by indirect, indirectly we have the whole judiciary, the U.S. Supreme Court, all the way down, affected by the election results.
All 50 states. Here are just a few state capitals, and of course all three branches of their state governments, plus then local governments such as these we know, but there are the hamlets, the counties, etc. They are all directly affected by elections and whether they operate correctly. There are vast amounts of money at stake, as well as issues such as global warming and environmental policy, military and foreign affairs, healthcare delivery and healthcare systems, surveillance, something that many of us in this crowd care about greatly. We're talking about trillions of dollars at stake, plus the greatest military power in the world, directly affected by how our elections are conducted.

So we do have legal complexity, as we saw from the prior panel's discussion. There are many who work under the misconception that the state governments actually control, under the U.S. Constitution, the entirety of election administration, meaning election tech, election management, etc. And the fact of the matter is that the U.S. Constitution, as I mentioned at the end of the, in the question period in the last session, is that the U.S. Constitution explicitly says that the states shall until Congress chooses to do otherwise. How broad congressional power is, it's really never been fathomed, because Congress has tended to be less than active over time. But it's not to say that dormant power could be exercised. And I do want to go on record urging you to understand that by no means do I think the feds are the smartest people in the room and that they can be trusted on election security to the exclusion or to the detriment of the state officials. I think that there are smart people and dedicated people to election security and fairness at every level. The problem often is that we have laws and practices and customs and misunderstandings about technology and security at every level as well.
So I did want you to understand the core conflict behind a great deal of what's going on as far as the legal framework for dealing with election security issues. Now, a principle in law that many do not recognize is the one on the right, and that is the goal of repose or finality. In law and litigation, for instance, and we recognize that we will not have a perfect system, that we will never be able to obtain 100% of the evidence that's relevant in the time periods as necessary, and we may not be able to produce even if there were a theoretically perfect judgment. So we have to get as close as we can and then close the books and move on. Well, what if in a particular litigation, for instance concerning, we'll just say, who ran a red light and hit a bus, that after the judgment we discovered some conclusive evidence that showed that the verdict was wrong? Can we come back in and reopen five years later and change that judgment? And the answer generally is no. We want to close.

So finality is very important in the legal system, settled expectations, but it also, as you can see and think in the election context as well, it runs roughshod in opposition to accuracy, integrity and sometimes justice. In the election situation it could mean, for instance, that we choose, or a state chooses, to move forward into finality and governing and basically inaugurating its new governor or its new state legislature being sworn in, rather than having a process that would allow the investigation of the election technology, forensics, whatever, that would then possibly cause the election conclusions to be in doubt. Keep going.

So we have lots of threats, as we know. This is only a subsection; you're going to be hearing more about threats later in the day. Those of us in this room know the broad range of vulnerabilities. They're being exploited right now.
One would think that if the election machinery is as vulnerable as it is, easily exploitable, easily hacked, that we would have processes for being able to ascertain, legal processes to be able to ascertain and correct for errors in the system. You would expect that, right? Companies have that, and in fact we require under our health care law, the HIPAA law, and our financial services laws, there are mandates for that, when I say mandates, regulatory mandates regarding security and also auditing throughout the systems and disclosure of breaches. None of that exists in the election systems. None.

And the states differ substantially in the ways they proceed on particular questions or election challenges. So for instance, some states have an approach that requires, in order to even bring a contest for an election where there is the perception or even some reasonable proof of hacking of the election, they require actual proof before even filing or as a condition of filing the litigation. Most litigation, the way we proceed is by filing a lawsuit and then being able to develop the evidence. You can't do that in elections. For these states, you are required to actually have the proof in advance, and I ask you how many of us would be able to gather the proof of a hacked election in advance to be able to, as a condition precedent as we would say, to file the lawsuit and to proceed. So in other words, those states are much more about finality and throwing a cloak over the election process and just moving on, and you can imagine that that is actually, and I've written about this, that's actually an invitation to hackers. We aren't going to be watching. We aren't going to look. Have a field day, because our laws are structured so we will not find out. And even if we do, we won't be able to proceed to correct in time. Then there are other states that actually have a different approach, and that is typical litigation.
You can file, you can challenge a particular office, its winner, and that office will not be filled until the litigation has concluded, and of course evidence has to be produced. But then the question becomes, can those challengers actually require the systems to be subject to a forensics analysis? And this is where some of the litigations for the 2016 election foundered, because the answers frequently were, oh no, you can't look and you can't make us look. So again, it was we'll throw a cloak over what happened, nobody's going to look too closely. We all know in the security world you can operate a secure system if no one's looking. And there are legal barriers to actually analyzing, assessing the conduct and the technology. So the law really is a problem when it comes to election security.

At the state level, we have additional problems, some of which, for instance, Jake referred to when he said one of the goals is to erase the word unhackability from the election industry vocabulary. We hear it all the time, that our systems are unhackable or we run secure systems. Trust us, you don't need to look, no one needs to look. We would actually endanger our system security by allowing forensics analysis or any other kind of analysis. Now, politically, those who are in charge of the election system by law are often ones who want to run for office again. And they unfortunately believe that if problems are found in the technology, it will then be attributed to them personally that they have failed. They're not running successful elections. Now, let me unpack that again. What happens at the secretary of state level and sometimes at the local level is that the election officials sort of feel one with their technology. They identify with their technology. Their own success, their own sort of integrity rests upon whether that technology is secure and trustworthy. And frankly, we all know it's not.
And further, the last presentation and David Zimbabwe's also showed you there's no reason for us to trust that technology, but it is not those election officials' fault. This is the only technology that was available and was certified by their predecessors to run, and that was purchased using that 3 billion plus in federal funds. That, by the way, by law, by federal law, had to be used by the states to buy technology before the standards and testing system had actually been set up and produced standards. So repeat, Congress required the 3 billion dollars to be spent on legacy systems that we already knew were flawed. They were from the 1990s and the early 2000s with 2003 for $5 before the security standards and the testing apparatus had been set up. Roughly 85% of all votes in the United States are being cast on this technology today. The complicated and much more vigorous federal testing system, and which is a third party independent system now, plus the security standards, very little of our technology has run through that system at all. The certification, the qualification, the testing. And yes, although it's all been voluntary, at least that is some protection.

So what we end up with is a terrible situation with voting systems, and we'll just say entire election technologies, that do not deserve any, we'll say, respect as secure technologies, but election officials routinely consider themselves to be personally accused of having lack of integrity and lack of faithfulness to the voters if they are, if the technology that itself is being accused, being challenged for being insecure. So one of the techniques I would mention to you and underscore is it's very important to separate election officials from the technology and to remind them you were saddled with this. Not you, the most important meaning not your decision.
The best you can do is to authorize the transparency, the accountability systems that we use in security operations generally, and that way you will be, we will applaud you, we will praise you publicly, but you have to work with this community because you have technologies that cannot otherwise be trusted. Let me see a few other things. So thank you.

So the mistaken policy drivers in this field, the assumptions and frequent statements are that votes and registrations can't be easily modified, that any errors that occur in tabulations or voter registrations are small and insignificant. It would be way too expensive to examine elections too closely, so we're not going to do it. It would also take too long, and that would prevent the orderly process of the system as far as inaugurations and swearing into office, and also again that election officials are fearful of being held publicly and sometimes criminally responsible if the elections, if evidence is produced that the elections were not run in an accurate, secure manner. And it is true there are some standards in some states that could be read that way, and election officials tend to believe that forensics analyses are only used when there is a criminal investigation. Joe's going to go into criminal consequences very shortly, but I do want to underscore again that there are a number of election officials who have set up forensics assessments, including some I've been involved in, that where important evidence has been produced of network connections, vote changes, other kinds of problems that very would shock and disturb anybody who knows just a little about security.

So we have at the state level a number of issues that need to be addressed through the laws. I don't think they're going to be addressed at the federal level. We could and I think we should have laws for recounts that are going to support forensics assessments, and David and I, and I don't think anybody else on that team is here.
We wrote a forensics guide for election officials back in 2008 that the American Bar Association published. It's still available. We do need to have routine post-election auditing. We need to have, I would say, even routine forensics assessments of elections. I worked with DHS last summer on developing some proposals for how DHS could be involved, and network scanning for probes, particularly from outside the United States, into our election systems, but overall we should recognize our systems are vulnerable. They do need to be replaced, but in the meantime there are multiple types of security activities that this community and the offices could engage in, and we should be working together on that. So, Joe.

Hi everyone. My name is Joe. I'm from the Center for Democracy and Technology in Washington, D.C., and I've been working on this stuff for a long time. You can kind of think of me as half lawyer or half computer scientist, but not technically either of those, but it's complicated. You're welcome to look me up online and figure out the rest. Just to give you some quick words on motivation. I told Kenneth I wasn't going to talk about this, but why not. Elections are really complicated, and hopefully if you've been here so far today you've realized that it's a lot of stuff operating in very close proximity to each other and have to be connected well. So we always talk about them as being people, processes and technology, and you know, much of that process is the law, and so there are things that have to be done certain ways because the law says it is. It doesn't mean we can't change the laws to do different things, and often we do, and I can talk about places where we have specifically sought to and change the law to allow for higher security processes and technologies to be allowed to be used in elections. But, and so Candace just talked about a lot of this general legal landscape and some of the civil law considerations.
I'm going to talk about criminal law and some of the more tech law kinds of things that you might run into if you're going to start playing with voting systems. So in terms of the general legal landscape here, let me see if I can... As we've been talking about, elections are mostly governed by states. They all, all of them, criminalize some form of tampering with voting equipment, voting supplies, voter ballots and stuff like that, as they should. So in general, you know, if you've ever been in the lock picking village here at DEF CON, and if you haven't, you should go check it out. It's a lot of fun. They always talk about, like, the tool folks always talk about, hey, the first two rules of picking locks is you don't pick one that's in use and you don't pick one you don't own, and I think that goes for voting systems as well. They're hard to get your hands on, which is why this is really awesome today. We have some here. Some of them are no longer used anymore. Some of them are still being used, and some vendors have even been gracious enough to bring them and allow you to kick the tires. So please go, and even if you've never done any hacking, we can show you a little bit about what you can and cannot do with some of these systems.

I really think that disclosure here is very different than disclosure in general purpose computing, and what I mean by disclosure is vulnerability disclosure. And so for example, the, there was the SQL injection, which means someone put special characters into a form field on a voter registration website to get access to the underlying database, and were able to get 90,000 voter records out of that. That's a good example of one where the, our intelligence community in the FBI noticed that and then sent a lot of the details of that particular attack to various other states.
Some election officials never even heard about that, so there's still a pretty big information sharing and communication problem here in terms of getting actionable intelligence down to the state and local entities, and there's some work I'm going to be doing in the next two years. By the way, if you're looking for a job and you know something about cybersecurity and election technology, come talk to me. I have a job. And so I think that's a good, that's one way disclosure works.

The other way is exactly what Logan came up here and talked about when he was talking about, you know, poking around and then trying his damnedest to get Kennesaw State to recognize that the shortcomings in a misconfiguration of their own system, and it even took another person checking it again and telling them, look, it's still not fixed, before that happened. I'd like to believe that it's better now, but you know, only they will know, and hopefully they're doing things that are sort of regular assessments of their infrastructure, but we'll have to ask Merle about that, and I'm sure he has thoughts.
So, get into the good stuff, some of the criminal stuff here that you could run into if you do things incorrectly. You know, actually messing with equipment that is going to be used in an election is a really bad idea. Just to give you an example, and I can cite some of this stuff from other states, but you know, a lot of these things don't even require you to have an intent to commit fraud, right? They just, doing something to hack or tamper with the equipment itself is enough, even if you didn't mean to and stuff.

So for example, in California, you can check it out, California Elections Code 18564 has this list of things that are criminally, criminal offenses for voting equipment and voting supplies that will get you two to four years in prison at a minimum. So if you tamper with, interfere with the correct operation, or you willfully damage a voting machine, voting device, voting system, vote tabulation device or ballot tally software, you can get in trouble. If you interfere or attempt to interfere with the secrecy of voting or ballot tally software, you can get in trouble. And then, without authorization, modulo who can give you authorization to do this, makes or has in your possession a key to a voting machine. And if you know about voting machines, as Barbara mentioned earlier, they're often not keyed in a way that are meant to keep people out of them very long. You know, the proverbial voter, excuse me, hotel minibar key is a good example, or you can, some of them are, they're more like filing cabinet locks. But lately I've seen some vendors actually sort of put serious thought into keying their equipment to actually being difficult for someone like me, who can, you know, throw a four pin lock pretty easily, to get into anyway, and actually putting things like, sometimes you can actually move part of the plastic case aside without having to do anything with the lock, so putting rigid borders in certain things have been a new thing. And then there's stuff like willfully substituting forged
ballot tally software that then ends up being used in an election. All those things can get you in pretty serious trouble and on the wrong end of a prosecutor in the state of California, and many other states have things that are like this. Some of them are much vaguer, which means they may have a little bit more discretion anyway. And there's other things. This is just equipment, right? There's other things that they could slap on to add to those charges if they really want to make an example of you. So you should be careful and make sure you're talking to someone who knows about the law before you try and do any of this stuff, and hopefully you do it in conjunction with an election official, because, you know, we hackers are going to be election officials' best friends, and election officials love making their stuff better, at least the ones I talked to.

The Digital Millennium Copyright Act is something that Barbara mentioned that is definitely a problem here, in the sense that it makes it illegal, and you can be criminally prosecuted or someone can bring a civil action against you, so the, like a business that makes voting machines, for violating section 1201 of the DMCA. And section 1201 basically says you cannot, it's illegal to circumvent certain kinds of technical measures, so to descramble a scrambled work, to decrypt an encrypted work, or to otherwise avoid, god, that's a horrible word, bypass, remove, deactivate or impair a technological measure without authorization. And there the authorization, it's always been a little clear who it needs to be. Does it need to be the person who owns the system, or does it need to be the original manufacturer? You can imagine it's difficult to get permission from the original manufacturer to do some of this stuff, although we have done it. This shirt, as a matter of fact, "oh hi, I think", "oh hi, I fixed your voting system", is from 2007, when we did the top to bottom review in the state of California along with a bunch of people here like Harri Hursti
and Matt Blaze. Anyway, Barbara did mention that there was an exemption granted from this part of the DMCA last year, and that's wonderful and true. And so the Copyright Office granted exemptions from being able to circumvent technological measures for voting systems, for land motorized vehicles, you can think of those as cars, and then something else that I'm forgetting, medical devices. And so the medical devices and vehicles, they said, oh, we're going to give agencies 12 months before people can start hacking that, so you can prepare for this onslaught of wonderful onage you're going to have. But for voting machines they didn't, actually. They said you can just start hacking those now. And so this is something that's actually been alive for a while, and it's one of the reasons we can do this here at DEF CON, because we don't have to be so worried about people getting in trouble just because we have machines and they're getting around them.

The trick here is that, you know, the circumvention, there's a lot of words in that exemption, and the circumvention that you're doing to get access to these machines has to be on a lawfully acquired device, and it has to be where you do it only for what's called good faith security research. And a lot of us that work on the policy side of security and security systems, that word good faith makes us feel a little antsy, and the reason it makes us feel antsy is that one judge's idea what good faith may be completely different than yours, or from another judge's for that matter, so you may actually have two different things going here. And here what they talk about in terms of good faith is actually kind of complicated, and I'm actually going to read it, sorry: accessing a computer program solely for the purposes of good faith testing, so they use the word good faith in the definition of good faith, which is sort of a problem, investigation and/or correction of a security flaw or
vulnerability, where the information derived from the activity is used primarily to promote the security or safety of the classes of the devices or machines. So if you're just doing it for fun, that's not good faith. So you have to actually want to be sort of, you know, you actually want to try and help these systems and fix these systems, and so if they ask you why you're doing it, tell them you want to help and fix the systems. But we're going to have to renew this exemption this year, so please contact me at CDT. There's a couple people from EF, there's a bunch of people from EFF here that are all working on making sure these exemptions are renewed, and call your congresscritter and tell them that you want to see these things made permanent so that we always have the ability to do this kind of work.

So, and really quick, and then we get the fun part, questions. The other big statute here that you may have heard of, if you haven't I'm going to talk about it, the Computer Fraud and Abuse Act, and it basically criminalizes gaining unauthorized access to certain kinds of computer systems and networks. Exactly, boo. And one of the reasons this is such a, I mean, there's a lot of good done with this law, I must say, you know, recognizing that we want to fight crime online, like people who leave their employer and take a bunch of credentials and then hack back in and then destroy the system just because they're mad, you know, that's criminal behavior. But unauthorized access is not defined, and so if you may have known about the case of weev, not my favorite person in the world, he's now the sysadmin for the Nazis, but anyway, weev incremented a counter in the URL with a little program, and that was considered enough to sort of trigger this. That's an older case, and I think the DOJ folks, if there's any in the room, would recognize that they're trying not to do things like that anymore, but it has happened, it could happen again. The Illinois case from last
year that I talked about, where supposedly Russian intelligence, the GRU or the FSB, used a SQL injection to both exfiltrate 90,000 voter records, so not all voters in the state of Illinois, hopefully, but a good chunk of them, and then they actually tried to use their access to delete and alter tables in the database. And so it sounds like they may not have gotten a root shell through their SQL injection, but what they may have been able to do was do sort of arbitrary SQL commands on the data itself, and they found that they couldn't do certain things. Whatever that web process had didn't have the privileges to drop tables, luckily enough.

I really like the Kennesaw State University story, so if you weren't here earlier and heard Logan Lamb talking about what he and Chris Grayson did, I think it's important, because this is sort of things that you can do, you know, looking at election websites, looking at what the Google cache may have grabbed from an election website, writing scripts that try and see what the exposure, if there is exposure, there is, and then reporting it to people is all very important. And here not only did they have a, this Drupalgeddon, a vulnerable version of the Drupal content management software, but they also had Wi-Fi access points that were attached to their internal air gap network, right? So an air gap is great until someone decides to put a Wi-Fi access point on your air gap network that you don't know about, that's been there for years, right? And so there's a really good after action report by the Kennesaw State University IT people that basically says here's all the bad things that we found them doing, here's how it's never going to happen again, and it's kind of a slap on the wrist, pretty big slap on the wrist, for Kennesaw State, for the election people, but at the same time it shows here are all the things that you should never do with the quantity and quality of sensitive voter data
and software, you know, actual software that Russians would love to grab and decompile and, you know, make tool chains for things that could, you know, successively just try things out until they found the right thing to do. Anyway, that's all. We'd love to get your questions, Candace and I.

I tried to think of some legal resources. There's a great election law list. It's mostly law, but they do entertain questions from novices like me. If you ever find yourself in trouble or getting close to being in trouble, I'd really recommend you talk to someone like me who has a lot of lawyer friends, or the EFF's legal intake system is very well honed. It's a trouble ticketing system where they can get you some help, especially if you're a good defendant, so we'd really love to see some people that are, they're good defendants, to make some good precedent out here. Anyway, and I have my contact here, PGP, Signal, stuff, if you don't want to talk directly, feel free to grab me anyway like that, and we'd love to take your questions. Sir, you want to shout, just shout. I'll repeat them.

I'll just say it's so hard to do state legislative work, like we're doing it with the broadband privacy stuff now, and that's really sort of like putting out fires left and right, that we haven't really spent a lot of time thinking about computer fraud at the state level. But yeah, definitely let me know about ones that are either being used in ways that are over broad or ways that you think there might be people who want to narrow them down a little bit. And it's not like we don't want to make sure the cops can't, you know, actually fight crime, it's just that these tend to be used in the ways where people who just don't understand the technology think, want to make an example of people like our dear friend Aaron Swartz, which is, you know, very unfortunate.

That's fine. Other questions? I didn't either. Excellent to know, thank you. Other questions,
comments, yelling?

Yes, it's an ongoing problem, and you fingered it quite nicely. There are many worse abuses, as you know. They're so, but these are, they're largely volunteers. They're paid a per diem, which is trivial. They tend to be retirees, and they tend to operate on the basis of sort of custom rather than law, and many states don't even require them to go to a training session that is meaningful. When I was the public monitor of Cuyahoga County, Ohio's election reform, and I had been on the election review panel, one of the things we recommended was not only to beef up poll worker training but also to have a test afterwards, and we were probably the first in the nation to do so, and it's still ongoing that way. And it did boost the morale as well, because you can imagine how demoralizing it is for those who know how the law operates to protect voters, and then others who are in the poll worker positions and maybe even running the polling location aren't implementing the law and are very cavalier about it. So it does provide some fodder for a new standard, and I incur again every, I think Joshua, where's Joshua, is he still here? Joshua recommended that you sign up to be poll workers. We need more technically proficient people as poll workers, and many counties will have you actually be the ones to set up the technology, sometimes to be the rover, to help fix it, troubleshoot, to monitor the security operations in the precinct or several precincts. We need people with security backgrounds there, right, Joshua? And also you can then contribute by helping often with poll worker training on some of the security issues, because these manuals are developed sometimes at the local level with not very much understanding of some of these points. So again, there are many ways that you can be helpful.

Yeah, and a couple of things. At least during the general elections there's this
massive nonpartisan effort called the Election Protection Coalition, and they often need people with different kinds of substantive knowledge, either be it political science, be it, you know, cyber security, be it whatever, to basically be subject matter experts for when you get crazy calls from podunk Arkansas or something saying, "Hey, should we restart this machine?" That's actually a pretty hard question. Usually, you know, if you've done your family IT stuff, that's the first thing you tell people to do, but some of these machines can lose voter data if you turn them off. And so, you know, we have what are called rap sheets for voting machines that basically tell you things about whether or not this machine can be treated like that.

And the other thing I'll say is I have a mixed methods research background. When I was in academia before, I used to think I could be a professor, but anyway, that's long been dashed on the rocks. But one study we did that I can point you to was a qualitative study of poll workers in Marin County. I don't think I'm allowed to say, well, I just did, sorry. A county in California. We did a qualitative study of their mental models of privacy and security. So what did they think was particularly sensitive, you know, how did they approach it? And we recommended a bunch of things. Unfortunately, there were a lot of juicy but unfortunate tales. For example, there was one judge, it's the person who runs the polling place, who, there were so many jams with this optical scan machine that he kept the door to the ballot box open all day long. And the reason he did that was because it was a pain in the butt for him with his arthritic fingers to turn the key, because about 10 or 12 times a day you had to clear a jam in the thing. So he would just keep it open. And I just asked him, as an observer, I was like, "Well, what do you think that tamper tape you broke was for?" And he had to sit there and think about it, and later he's like, oh, you
know what, I probably shouldn't have busted that till the end of the polls, or at least without putting another one over it. And he shut it and sealed it off. And that's a more participative observation. And so if you can keep your eyes open and you see something glaring like that happen, even just, you know, asking an intuitive, maybe yogic kind of question like, "Hey, why is that door open? That looks pretty important," you know, that can often cause people to think harder about it and maybe not change immediately. But if you have partisan poll watchers in the room, they may go file legal pleadings and actually force this to happen quicker. But yeah, I'll shut up. Any more questions?

So the best disclosures I've seen lately have been directly to CERT or the FBI. And, you know, the hard part is you can't do everything through them, because if we did everything through them, they would fall apart. We don't want them to fall apart.

And we wouldn't have public knowledge. And part of the problem that we've had in the financial systems as well: until we started having breach disclosure laws, the industry was able to say, "We have no breaches, your money is absolutely secure." And we will not obtain better technologies, more support for security in elections, unless we know the vulnerabilities and the security exploits. So I'm a great fan of breach disclosure.

Yeah, I do think that the one thing I would say is that it's a really interesting case study, because if you look at what it took to get someone to care, it was notifying Kennesaw State's badass university information technology people, who, like, they have, I don't know what it is, I should show you this after-action report, because they walk through with signal analyzers and stuff to see what's emanating what from where and all this kind of stuff. But that's kind of the case-by-case nature of some of the stuff: you have to find the one person who can, you know, care enough to make the change. And there it was someone who
basically, like, "Look, this is a rogue IT shop on our campus that's making us look bad," and that's what made it happen there. But the FBI or CERT are often a really good way to do that. Like, if you look at the stuff that Chris Vickery has done recently with abandoned S3 buckets, he often instantly just notifies the FBI unless they take care of it, because if the FBI comes to you and says, "Hey, you have a problem," you're gonna, unless you're the DNC, pay attention most of the time. And I think they will in the future.

That would take a long discussion, but we can say quickly, and I'll pass the mic to Joe, it would raise the security concerns substantially. And I'll pass to you.

We really try not to put all the jewels in one place, right? And with the voter data that the Kobach Commission had requested, not only is it putting a substantial amount of sensitive data in one place, and happy to argue with any of you afterwards about whether or not voter files are sensitive data, I think they are, so there's that part. But there's also, in the letter it was like, "Hey, email these records to us." And, I mean, email is the worst, and I wish email would just die, but it's also one of the hardest things to secure. You know, there's very few ways to do it, and most of them are really hard to do correctly. And the other one was, "Hey, you could use this DOD upload site," that, if you use in any browser, because the DOD uses a certificate that is not part of any of the browser's roots of trust, you would see this big red screen that said, "Hey, someone's trying to attack you," and then the only way to get around it was to click through this and say, "Oh no, no, I was expecting that." Which is just, there was a lot of bad security, what we would call bad design patterns in security there, that were sort of working against anything there being particularly secure. And so we don't want all our jewels in one place, and we also want the process of getting jewels to certain places to be highly
secured. And so there's other groups like ERIC, the Electronic Registration Information Center, that does things with multi-state voter registration data in very careful ways, using some more advanced cryptography, and so you're not actually transmitting anything that could be useful, but it's useful for matching and saying, "Hey, someone moved from this state to this state, you might want to send a postcard to their old address."

And we would need more transparency and accountability for where that sensitive data is. Next? I'm sorry, the deputy CTO.

Okay, I'll answer and then I'll pass to Joe. I was born in North Carolina. I'm aware of the laws. Part of the history in North Carolina was, as you may recall, a prior election, I think in maybe 2006 or 2008, where there was an election for superintendent of public instruction or something that continued, as far as recount processes, for a month or two, so it was into January, maybe later. So the fear again, as I was suggesting, is that we will not have repose, that it will keep going and that people will never trust the result because it's taken us so long to get there. And another concern, frankly, is that if we continue to take a lot of time for the recount process, the evidence may also change. Some of the votes may be tampered with, some of the evidence, basically. And so there are a number of worries about it. My personal belief, and having studied these laws, is that, A, the recount laws are highly antiquated. They were not structured for electronic voting and the needs that we have for protecting elections and assuring, and keep in mind we do have a federal right, which is reiterated in many state constitutions as well, but a right to have our votes counted, and recorded and counted accurately. Constitutional right. It has not been really vindicated through litigation the way it's gonna have to be. But we should have states conforming or updating their laws to facilitate the forensics analysis or some of the other techniques that you're suggesting to support
effective recounts. But we haven't even done the thinking about that. Instead there's this push for throwing the cloak over it: get it over with, move on, let's not look too closely.

I guess I'll talk to you offline, 'cause I'm already running in my head through playbooks and configuration templates for standing up recount support structure, infrastructure, but I don't wanna talk about that out loud. Maybe the last question? There's one more question. Did you have a question, sir? Oh, Larry.

Yeah, and so Larry asked a question about, a lot of the technology now is using ballot images and presenting ballot images as part of audits to election officials and to voters, to show certain kinds of ballots that may be marginal or they have to adjudicate in order to be able to tell it goes one way or another, and what's the law with being able to show ballots to people? I don't have a real crisp answer for you other than it is sort of unsettled right now. One of the main places this is happening is with the ACLU. The ACLU has a number of ongoing sort of campaigns about ballot selfies. So can you take a picture of your face next to your ballot? They claim that's political free speech. I just disagree with that. I love my ACLU friends, but I think that there's a lot of value in having people not being able to display how they voted to people on purpose. And maybe a little better when it's not directly associated with the voter's identity, like in the case of a recount, I think it would be just totally different. I think we're going over, but thank you.