Petitions for Referendum 88
Completed petitions for Referendum 88 (Photographer unknown; from Facebook)

As Wash­ing­ton State geared up to respond to the eco­nom­ic rever­ber­a­tions of Gov­er­nor Jay Inslee’s stay home, stay healthy orders ear­li­er this spring, a Niger­ian fraud ring dubbed “Scat­tered Canary” by the secu­ri­ty com­mu­ni­ty saw an oppor­tu­ni­ty to make out like ban­dits. Armed with the spoils of numer­ous data breach­es, they insti­gat­ed a cyber heist, fil­ing tons of fraud­u­lent unem­ploy­ment claims with Wash­ing­ton State’s Employ­ment Secu­ri­ty Depart­ment (ESD).

We don’t yet know how much they stole, but it’s in the hun­dreds of millions.

“To some degree, Wash­ing­ton and its work­ers are the lat­est casu­al­ties in an era of ris­ing iden­ti­ty theft,” report­ed The Seat­tle Times in a sto­ry on the theft.

“Fil­ing for unem­ploy­ment insur­ance in Wash­ing­ton and many states requires the sort of per­son­al infor­ma­tion — Social Secu­ri­ty num­bers, birth dates, address­es — that is depress­ing­ly easy to steal or buy on the dark web, thanks to mas­sive data breach­es such as the 2017 attack on cred­it report­ing agency Equifax that allowed access to records of more than 145 mil­lion individuals.”

“Indeed, offi­cials at ESD and at WaT­e­ch, the agency that man­ages the sys­tem the state uses to authen­ti­cate users for ESD and oth­er state agen­cies, have repeat­ed­ly insist­ed that when thieves have enough per­son­al infor­ma­tion, it’s dif­fi­cult to stop peo­ple from fil­ing fraud­u­lent claims with­out also obstruct­ing legit­i­mate fil­ers,” the Times sto­ry (by Jim Brun­ner, Paul Roberts, and Patrick Mal­one) went on to explain.

ESD and WaT­e­ch offi­cials are absolute­ly right.

Ever heard the adage “On the Inter­net, nobody knows you’re a dog?”

This is the dilem­ma that Wash­ing­ton State offi­cials are wrestling with.

Wash­ing­to­ni­ans under­stand­ably like the ease and con­ve­nience of doing busi­ness online — includ­ing with their gov­ern­ment, which belongs to them — but online sys­tems are unfor­tu­nate­ly high­ly sus­cep­ti­ble to fraud. It’s triv­ial to mas­quer­ade as some­one else if you have their per­son­al iden­ti­fy­ing infor­ma­tion. Trivial.

The bad guys know it’s hard for the author­i­ties to sort out legit­i­mate claims from ille­git­i­mate ones with­out mak­ing every­one jump through addi­tion­al hoops, which almost defeats the pur­pose of offer­ing peo­ple the abil­i­ty to file for unem­ploy­ment online. They used that knowl­edge to scam Wash­ing­to­ni­ans on a large scale.

On the Inter­net, nobody knows you’re a sophis­ti­cat­ed Niger­ian fraud­ster.

Pub­lic agen­cies aren’t the only enti­ties that are grap­pling with the twin prob­lems of iden­ti­ty theft and cyber­crime. So are com­pa­nies of all sizes in the pri­vate sec­tor. Fraud in ecom­merce is also a huge and grow­ing prob­lem… a prob­lem that has large­ly been left to banks and mer­chants to man­age as a cost of doing busi­ness.

We’ve all become accus­tomed to zero fraud pro­tec­tion guar­an­tees. Spot a fraud­u­lent charge on your cred­it card state­ment? No prob­lem, just call the bank (or cred­it union) and report it. The charge will be reversed, pron­to, and the card re-issued at no cost. At no direct cost to you, that is.

We may have decid­ed as a soci­ety to tol­er­ate a lot of fraud when it comes to our eco­nom­ic activ­i­ties, but that mod­el sim­ply does not work for elections.

That’s why, as I wrote sev­er­al weeks ago, we need to emphat­i­cal­ly reject all attempts to allow online sig­na­ture gath­er­ing.

This dis­turb­ing case of cyber fraud ought to serve as a reminder of how dif­fi­cult it is to val­i­date some­one’s iden­ti­ty over the Inter­net. And val­i­dat­ing iden­ti­ty is the crit­i­cal step in deter­min­ing whether a mea­sure has earned the req­ui­site sup­port from vot­ers need­ed to qual­i­fy for place­ment on the ballot.

Cur­rent law (in Wash­ing­ton State and in most oth­er places) allows peti­tion­ing on paper only. Vot­ers must phys­i­cal­ly sign a peti­tion for their sig­na­ture to count.

That’s the way it needs to stay.

NPI knows of sev­er­al law­suits in which plain­tiffs are present­ly ask­ing judges to issue orders decree­ing that sig­na­ture gath­er­ing should be able to take place online due to the pan­dem­ic. These requests should be uni­form­ly denied. This pan­dem­ic must not be the pre­text for the fur­ther destruc­tion of pub­lic con­fi­dence in elections.

NPI also knows of non­prof­its that are claim­ing to have devel­oped tech­nol­o­gy that can safe­ly facil­i­tate online sig­na­ture gath­er­ing… like MapLight.

No non­prof­it mak­ing such claims is to be trusted.

The Inter­net is unques­tion­ably use­ful for many things, but it is not an appro­pri­ate medi­um for sig­na­ture gath­er­ing. Sig­na­ture fraud (on paper peti­tions) is already a prob­lem. The last thing any­one who cares about the integri­ty of our democ­ra­cy should want to do is make that prob­lem worse by a fac­tor of a zil­lion… which is exact­ly what would hap­pen if online sig­na­ture gath­er­ing were to be permitted.

About the author

Andrew Villeneuve is the founder and executive director of the Northwest Progressive Institute, as well as the founder of NPI's sibling, the Northwest Progressive Foundation. He has worked to advance progressive causes for over two decades as a strategist, speaker, author, and organizer. Andrew is also a cybersecurity expert, a veteran facilitator, a delegate to the Washington State Democratic Central Committee, and a member of the Climate Reality Leadership Corps.

Adjacent posts

One reply on “Massive unemployment fraud reminds us that online signature gathering is a terrible idea”

Comments are closed.