As Washington State geared up to respond to the economic reverberations of Governor Jay Inslee’s stay home, stay healthy orders earlier this spring, a Nigerian fraud ring dubbed “Scattered Canary” by the security community saw an opportunity to make out like bandits. Armed with the spoils of numerous data breaches, they instigated a cyber heist, filing tons of fraudulent unemployment claims with Washington State’s Employment Security Department (ESD).

We don’t yet know how much they stole, but it’s in the hundreds of millions.

“To some degree, Washington and its workers are the latest casualties in an era of rising identity theft,” reported The Seattle Times in a story on the theft.

“Filing for unemployment insurance in Washington and many states requires the sort of personal information — Social Security numbers, birth dates, addresses — that is depressingly easy to steal or buy on the dark web, thanks to massive data breaches such as the 2017 attack on credit reporting agency Equifax that allowed access to records of more than 145 million individuals.”

“Indeed, officials at ESD and at WaTech, the agency that manages the system the state uses to authenticate users for ESD and other state agencies, have repeatedly insisted that when thieves have enough personal information, it’s difficult to stop people from filing fraudulent claims without also obstructing legitimate filers,” the Times story (by Jim Brunner, Paul Roberts, and Patrick Malone) went on to explain.

ESD and WaTech officials are absolutely right.

Ever heard the adage “On the Internet, nobody knows you’re a dog”?

This is the dilemma that Washington State officials are wrestling with.

Washingtonians understandably like the ease and convenience of doing business online — including with their government, which belongs to them — but online systems are unfortunately highly susceptible to fraud. It’s trivial to masquerade as someone else if you have their personal identifying information. Trivial.

The bad guys know it’s hard for the authorities to sort out legitimate claims from illegitimate ones without making everyone jump through additional hoops, which almost defeats the purpose of offering people the ability to file for unemployment online. They used that knowledge to scam Washingtonians on a large scale.

On the Internet, nobody knows you’re a sophisticated Nigerian fraudster.

Public agencies aren’t the only entities that are grappling with the twin problems of identity theft and cybercrime. So are companies of all sizes in the private sector. Fraud in ecommerce is also a huge and growing problem… a problem that has largely been left to banks and merchants to manage as a cost of doing business.

We’ve all become accustomed to zero fraud protection guarantees. Spot a fraudulent charge on your credit card statement? No problem, just call the bank (or credit union) and report it. The charge will be reversed, pronto, and the card re-issued at no cost. At no direct cost to you, that is.

We may have decided as a society to tolerate a lot of fraud when it comes to our economic activities, but that model simply does not work for elections.

That’s why, as I wrote several weeks ago, we need to emphatically reject all attempts to allow online signature gathering.

This disturbing case of cyber fraud ought to serve as a reminder of how difficult it is to validate someone’s identity over the Internet. And validating identity is the critical step in determining whether a measure has earned the requisite support from voters needed to qualify for placement on the ballot.

Current law (in Washington State and in most other places) allows petitioning on paper only. Voters must physically sign a petition for their signature to count.

That’s the way it needs to stay.

NPI knows of several lawsuits in which plaintiffs are presently asking judges to issue orders decreeing that signature gathering should be able to take place online due to the pandemic. These requests should be uniformly denied. This pandemic must not be the pretext for the further destruction of public confidence in elections.

NPI also knows of nonprofits that are claiming to have developed technology that can safely facilitate online signature gathering… like MapLight.

No nonprofit making such claims is to be trusted.

The Internet is unquestionably useful for many things, but it is not an appropriate medium for signature gathering. Signature fraud (on paper petitions) is already a problem. The last thing anyone who cares about the integrity of our democracy should want to do is make that problem worse by a factor of a zillion… which is exactly what would happen if online signature gathering were to be permitted.

Andrew Villeneuve is the founder and executive director of the Northwest Progressive Institute

