Hacking Democracy


The scoop of the month was just published in Bloomberg Businessweek. It chronicles the story of Andrés Sepúlveda, a man who claims to have hacked elections in Nicaragua, Panama, Honduras, El Salvador, Colombia, Mexico, Costa Rica, Guatemala, and Venezuela. To give you a flavor of the piece: 

…Rendón, says Sepúlveda, saw that hackers could be completely integrated into a modern political operation, running attack ads, researching the opposition, and finding ways to suppress a foe’s turnout. As for Sepúlveda, his insight was to understand that voters trusted what they thought were spontaneous expressions of real people on social media more than they did experts on television and in newspapers. He knew that accounts could be faked and social media trends fabricated, all relatively cheaply. He wrote a software program, now called Social Media Predator, to manage and direct a virtual army of fake Twitter accounts. The software let him quickly change names, profile pictures, and biographies to fit any need. Eventually, he discovered, he could manipulate the public debate as easily as moving pieces on a chessboard—or, as he puts it, “When I realized that people believe what the Internet says more than reality, I discovered that I had the power to make people believe almost anything.”

…Sepúlveda’s team installed malware in routers in the headquarters of the PRD candidate, which let him tap the phones and computers of anyone using the network, including the candidate. He took similar steps against PAN’s Vázquez Mota. When the candidates’ teams prepared policy speeches, Sepúlveda had the details as soon as a speechwriter’s fingers hit the keyboard. Sepúlveda saw the opponents’ upcoming meetings and campaign schedules before their own teams did.

Money was no problem. At one point, Sepúlveda spent $50,000 on high-end Russian software that made quick work of tapping Apple, BlackBerry, and Android phones. He also splurged on the very best fake Twitter profiles; they’d been maintained for at least a year, giving them a patina of believability.

Sepúlveda managed thousands of such fake profiles and used the accounts to shape discussion around topics such as Peña Nieto’s plan to end drug violence, priming the social media pump with views that real users would mimic. For less nuanced work, he had a larger army of 30,000 Twitter bots, automatic posters that could create trends. One conversation he started stoked fear that the more López Obrador rose in the polls, the lower the peso would sink. Sepúlveda knew the currency issue was a major vulnerability; he’d read it in the candidate’s own internal staff memos.

Just about anything the digital dark arts could offer to Peña Nieto’s campaign or important local allies, Sepúlveda and his team provided. On election night, he had computers call tens of thousands of voters with prerecorded phone messages at 3 a.m. in the critical swing state of Jalisco. The calls appeared to come from the campaign of popular left-wing gubernatorial candidate Enrique Alfaro Ramírez. That angered voters—that was the point—and Alfaro lost by a slim margin. [1]

Read the whole thing

I am not a specialist in Latin American politics, nor can I claim any special expertise in cyber security. I am not the man to evaluate whether or not Sepúlveda’s claims are credible. I will assume that the folks at Bloomberg have done their due diligence and that this exposé is the real deal (I encourage readers who believe otherwise, or have found worthy critiques of the piece, to comment in the comments section below).

This news story has blown up in the Latin press but has garnered little commentary from the Anglophone side of the internet. This story is not being taken with the seriousness it deserves.

I will be blunt: Andrés Sepúlveda is a challenge that neither our political institutions nor our political philosophy have prepared us to meet. Democratic politics has always been, to one extent or another, a game played by manipulating the passions of the masses, and I suppose one could claim that what Sepúlveda is doing here is no different than what Alcibiades did when speaking before the Athenian assembly. There are key differences, however. Alcibiades and the demagogues who follow in his footsteps today walk by daylight: when they manipulate the masses, be it through soaring oratory or most violent mobbery, they act in the open. All can see what they do, though only the wise will discern why they do it. Sepúlveda and his kind are different. They are creatures of the night, unknown and unaccountable. Like puppet masters are they, pulling at strings only those closest to the stage can see. But the metaphor only goes so far: all who watch a puppet show know that no matter how life-like it may seem, behind every puppet is a puppeteer. Not so with those who hack democracy. If their performance is done just right no one in the audience will know if the electoral victories they witness were justly won or were delivered by puppeteers in the shadows.

It is this ambiguity that makes Sepúlveda’s methods so dangerous. His is a poisoned dart aimed at the heart of liberal democracy. For the governing regimes of the Western world are built on a myth, and it is a myth that goes like this: in democracies, decisions of state are made by the will of the people. That actual policy making in democratic regimes is only tenuously connected to popular will is immaterial. A belief in the ‘consent of the governed’ preserves the peace. It allows for factions to compete for control of the state without violence. It is a useful myth (and if limited to the selection of candidates, one that has some truth to it), but one that depends on a transparent system of electioneering to sustain it. The democracy of the election hackers is not transparent. They muddy the system. The more infamous cases like this become, the muddier the system gets. It is important to understand that no team needs to consistently succeed in hacking their preferred candidates into victory for this to be true–all that is needed for democracy to lose its luster is a belief that a given electoral system could be hacked.

John Robb describes the disruptive potential of these developments in a post written a week before the Bloomberg story broke. Its title is laconic: “How the US Ends Up in a Real Civil War This Fall.”

Here’s a simple scenario.

It’s November 8th and the choice is between Trump and Hillary.

Both candidates have negatives approaching 70% (Hillary is currently at 56% and Trump is at 60%). The campaign has been vicious. Like a rematch of Hitler vs. Stalin in US politics.

For months, there has been violent protest in every US state. Protesters vs police vs. each other. Voters are edgy when they head to the booths on November 8th. Everyone is ready to put this campaign behind them.

However, things are about to change for the worse.

Early in the afternoon (EST) a small group of global guerrillas spring an N-1 trap (N-1 is a last moment action or betrayal) on the US:

  • A dozen faux bombs in suspicious packages are placed at heavily (Rep or Dem) polling locations resulting in evacuation and widespread concern.
  • Robocalls pour in to police departments and polling places in heavily (Rep or Dem) polling locations with bomb/terrorist threats. Widespread poll closures occur. Calls continue until late.
  • Election results are skewed. Electoral college swings to the candidate helped by the threats.

One candidate declares victory. The other cries foul. Protests go national. Violence, looting and active engagement with police soon follow.

Calls for calm ignored. Martial law is declared in different areas. The Internet is turned off in problematic areas.[2]

Robb suggests that this could be pulled off by five people. A team with the resources Sepúlveda had could do far more. Sepúlveda hacked elections because he wanted his side to win. Foreign teams with an interest in American elections could very well do the same. That should be enough to give you pause: just what does American democracy look like when foreign syndicates and intelligence agencies can manipulate social media and internet platforms to boost the candidates they prefer? An even more important question: what does American democracy look like when Americans believe foreign syndicates and intelligence agencies are manipulating them to boost the candidates they prefer? What happens when the losing side of any electoral contest believes they lost because someone on the other side hacked the election to their advantage?

We will soon find out. 


[1] Jordan Robertson, Michael Riley, and Andrew Willis, “How to Hack an Election,” Bloomberg Newsweek, 30 March, 2016 (print edition, 4 April, 2016).

[2] John Robb, “How the US Ends Up With a Real Civil War,” Global Guerrillas, 20 March 2016.



I doubt the impact will be as big as all that. Democracy has been hijacked many times before, in high profile ways, and the public's faith in democracy inevitably returns. Vote-rigging and other hijinks have been exposed in many places, and once the direct perpetrators are punished and some measures are taken to prevent future occurrence, all is well again. That doesn't mean public faith in democracy will always bounce back, but I think it is more resilient than we assume.

And violent political riots, clashes with the police, etc often ultimately serve as catalysts for positive change, as they did in Taiwan. Not advocating them of course, but that's the nature of political catalysts.

Heh. I did not go easy on the drama here.

The big question will be whether or not future occurrences can be prevented, and whether we can trust the system meant to prevent them. In this I am out of my league; cyber security is not my beat. But that is another interesting thing about this–everyone knows how vote buying, corruption, etc. works. Most people don't really understand how this kind of electoral hacking happens. That may change in the future. But the unknown is scary, and fear breeds mistrust (and much else besides). The danger of this is entirely in its ambiguity and fuzziness.