Election security means different things to different people. Cybersecurity personnel may think of election security as locking down access to voting machines. Other experts in the field may focus their attention on securing the systems that are critical to the day-to-day operations of organizing elections, such as email and other communication channels, as a means of shrinking the attack surface of our elections. Whatever the focus, one thing rings true: maintaining free, fair and credible elections in democracies around the world is key to ensuring the survival of those democracies. With that in mind we can all agree that election security is crucial, and complicated, given the inherent complexities that lie across every aspect of the communications, systems, hardware and software that power today's internet.
Twilio sits in an interesting spot in the complex and layered framework of elections in the United States. As the world’s largest communication platform, Twilio is trusted by numerous political entities to help them engage with voters through SMS, MMS, voice and yes, email. In order to fulfill our commitment to ensure that Twilio’s platform is only leveraged by legitimate entities, for wanted communications, we readily look to industry guidelines that help shed a clear light on what that means in different environments at scale.
Beyond Messaging Policy
Bad actors do not care about messaging policy. Bad actors don’t care about best practices. As such, it is incumbent on all of us to differentiate ourselves from their actions and habits while anticipating those same habits and actions that seek to undermine our legitimate institutions.
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) recently provided guidance on how those working in the field of elections can go about securing elections from interference. Twilio is a member of M3AAWG and we sit on its board of directors. Messaging policy is only one thread to pull; granted, it is an important thread because it affects a vast quantity of information and its dissemination. But it is only one aspect of making sure democracy works for everyone.
The guidance from M3AAWG includes two specific areas of focus that are effectively the low-hanging fruit that can greatly improve the security posture of our local elections officials:
- Use multi-factor authentication wherever possible, not only to prevent attackers from compromising sensitive election machines, but also to protect the communication channels and ancillary systems tangential to those machines. No matter how high the walls, a stolen but legitimate username and password walks straight past the best-laid defenses, so it is critical to add as much friction as possible so that a stolen credential alone is not enough to log in.
- Leverage email authentication, specifically SPF, DKIM and DMARC, to protect the highly sensitive communication channels that are part and parcel of our daily lives. These three mechanisms do not encrypt mail or prevent eavesdropping; what they do is let a receiving mail server verify that a message claiming to come from an official's domain was actually authorized by that domain (SPF for the sending host, DKIM for a signature over the message), and let the domain owner publish, via DMARC, what receivers should do with messages that fail, from merely reporting them up to quarantining or rejecting them outright. If a business must ensure that its corporate communications cannot be spoofed, then elections officials must also take advantage of the same tools and technology to ensure that their highly critical communications are not undermined and weaponized to change the outcome of our elections.
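To make the DMARC part of that recommendation concrete, here is an added example (not Twilio's code and not part of the M3AAWG guidance) of the evaluation a receiving mail server performs before it decides whether to deliver, quarantine or reject a message. It is written against constructed, in-memory DNS TXT records for the hypothetical domains `county-elections.example` and `mailer.example` instead of live DNS, it evaluates only the SPF mechanisms `ip4`, `include` and `all`, and it takes the DKIM signature verification result as an input rather than verifying signatures itself. The organizational-domain logic is a two-label shortcut; real receivers use the Public Suffix List.

```python
"""Evaluate SPF and the DMARC disposition for an inbound message.

Added example. DNS is replaced by the constructed DNS_TXT table below,
and DKIM signature verification is assumed to have been done already;
its result is passed in the same way a verifier would report it.
"""
import ipaddress

# Constructed DNS TXT records for hypothetical domains (assumption, not real DNS).
DNS_TXT = {
    "county-elections.example": "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.county-elections.example":
        "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@county-elections.example",
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt(name):
    """Stand-in for a DNS TXT lookup."""
    return DNS_TXT.get(name.lower())


def spf_check(ip, domain, _lookups=0):
    """SPF (RFC 7208) for `ip` against `domain`'s record; subset: ip4, include, all."""
    record = txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if _lookups > 10:  # RFC 7208 limits DNS-querying mechanisms to 10 per check
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(ip, term[8:], _lookups + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            return "permerror"  # mechanism not handled by this example
        if matched:
            return SPF_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def parse_dmarc(record):
    """Parse a DMARC TXT record into its tags; None if it is not a valid policy."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplification: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, source_ip, mail_from_domain, dkim_results):
    """Return 'nopolicy', 'pass', or the published policy to apply (none/quarantine/reject).

    from_domain:      domain of the RFC5322.From header the user sees
    mail_from_domain: domain of the SMTP MAIL FROM (what SPF is evaluated on)
    dkim_results:     list of (d= signing domain, verifier result) pairs
    """
    record = txt("_dmarc." + from_domain)
    policy = parse_dmarc(record) if record else None
    if policy is None and org_domain(from_domain) != from_domain.lower():
        # Subdomain without its own record: fall back to the org domain's, honouring sp=.
        policy = parse_dmarc(txt("_dmarc." + org_domain(from_domain)) or "")
        if policy:
            policy["p"] = policy.get("sp", policy["p"])
    if policy is None:
        return "nopolicy"
    spf_ok = (spf_check(source_ip, mail_from_domain) == "pass"
              and aligned(from_domain, mail_from_domain, policy["aspf"]))
    dkim_ok = any(result == "pass" and aligned(from_domain, d, policy["adkim"])
                  for d, result in dkim_results)
    return "pass" if spf_ok or dkim_ok else policy["p"]
```

Two cases worth noticing when running it: a message spoofing `county-elections.example` from an unrelated IP with no aligned DKIM signature gets the published `reject`, and because the constructed record sets `adkim=s`, a valid signature from the subdomain `mail.county-elections.example` does not rescue a message whose SPF fails, which is exactly the kind of surprise a domain owner should catch in `rua` reports before moving from `p=none` to `p=reject`.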
M3AAWG’s guidance provides a fantastic resource for elections officials and interested parties who want to better understand the various and seemingly disparate pieces of guidance that exist. Organizations such as the UK’s National Cyber Security Centre (NCSC) and the National Institute of Standards and Technology in the US (NIST) have issued guidance around elections, which is referenced in the appendix of M3AAWG’s document alongside other key pieces of information.
CTIA Guidelines for A2P Messaging
CTIA: The Wireless Association also published messaging best practices covering P2P and A2P messaging last summer. Twilio is a member of CTIA and we posted a blog about its best practices. P2P can be thought of as person-to-person communications, or that friend of yours who sends a meme to you and nine other people every Wednesday when he feels like the week will never end. A2P, on the other hand, can be thought of as application-to-person and is the mechanism companies use to interact with a large user base, particularly via call centers. Political parties, candidates and other players within the political ecosystem also leverage A2P to amplify messages, drive get-out-the-vote campaigns and everything in between.
At the heart of CTIA’s guidelines is the concept of consent where A2P messages are concerned. In addition to adhering to the TCPA and FCC regulations, CTIA guidelines specifically call for consent to be a key component of A2P message traffic by:
- Obtaining a Consumer’s consent to receive messages generally;
- Obtaining a Consumer’s express written consent to specifically receive marketing messages; and
- Ensuring that Consumers have the ability to revoke consent.
If this sounds a little like the general guidance given to email marketers under privacy regulations such as GDPR and CASL (and, in the US, CAN-SPAM), it is. Legitimate email marketing already operates under a framework of consent. Consent is also the crucial ingredient in growing a legitimate email list, because there are mechanisms built into email, and SMS for that matter, that are punitive in nature when messages are sent without it. Consent is not only a best practice, it is at the heart of how we should interact with our recipients, if not with each other.
Political SMS communications are being classified as A2P communications even though volunteers may be the jumping-off point for those communications. The fact of the matter is that automated systems and platforms are being employed, so, just as with a business contacting you or me, promotional messages from campaigns and elections officials should follow suit and rest on consent that is either:
- Implied because the recipient initiated contact
- Express because they entered their number in a web form or replied to a text requesting their consent, or even verbally (harder to prove)
- Or take the form of written express consent
Different use cases will demand different forms of consent; however, what is clear is that consent is required as we move closer to the 2020 general election. We’ve written about CTIA’s guidelines before, if you’d like you can read that post here.
We do not take lightly our position in the industry. I’ll even be cliché and use that Spider-Man saying: “with great power comes great responsibility.” It’s true: platforms of scale such as Twilio have to consider the consequences of that scale—used for good it can unite people, inform and encourage the civic discourse that we’re so fortunate to be able to freely engage in within the United States. But if we’re not careful, it can have a chilling effect on that discourse. That is why Twilio is working with groups such as CTIA, M3AAWG and other industry bodies to ensure that we - and our customers - are complying with industry best practices while at the same time amplifying crucial messages around security. At the end of the day this is our country and we all have a responsibility to ensure its longevity and legitimacy. If you have the time, read the M3AAWG document and share it with your friends and family who may be volunteering as part of their local city or county elections board, or working as poll workers on the day of the election—help them understand what they’re up against. If you have questions, don’t hesitate to reach out to me or the organizations I’ve cited. They’ve done amazing work to ensure that this train we call democracy stays on the rails for years to come.
Len Shneyder is a 15+ year email and digital messaging veteran and the VP of Industry Relations at Twilio SendGrid. He can be reached at lshneyder [at] twilio.com.