So Much Worse Than I Thought
By that, I mean the news a mere seven days ago that the Eisner voting had been extended, amid rumors of a technical problem with the voting site. We hear that voting was entirely scrapped and has been re-opened until the 30th at a new site.
Y’all. This was a fucking fiasco from top to bottom, and here’s why: at the piece that ran at The Beat, at the Eisner voting site itself, there is no mention of the fact that the individual accounts were completely unsecured:
The Eisner’s voting site was closed because the people of the Marginalized Genders and POC of Comics Discord channel discovered that we could see and adjust each other’s votes and personal information, including addresses, while we were all talking about sexual assault in comics.
and that the Eisner folks seem to be falling down on a necessary part of the cleanup:
The fact that I found out about this from twitter third-hand and not directly from them… yeah
Okay, let’s back up. There appears to have been a misconfiguration in the website that allowed easy access to the personally identifying information (PII) and votes other registered users, including the ability to change them. The voting issue is actually secondary, the PII issue is primary.
As I’ve mentioned previously, I teach for a technology company; in fact, day job today involves teaching students in two countries how to secure a database from intrusion and keep it secure. I am not a web stack security or incident response expert, but as near as I can tell, I have two legs up on the folks at the Eisners/Comic Con International:
- I know that there are technical and legal requirements that apply in circumstances like this.
- I know what I don’t know.
With respect to item #1, the Eisners/CCI (Eisners from now on for short) are likely in violation of at least one strong mandated data-reporting law.
See, Comic-Con International (of which the Eisners are a part) is incorporated in California. California has a stringent law regarding data breaches¹. Any incident that affects California residents must be reported to those residents; because it can often be difficult to isolate just the CA residents, this practically has the effect of making a national reporting requirement. Further, any breach that involves more than 500 Californians must also be reported to the state Attorney General. It’s all spelled out clearly at that last link.
But people are publicly saying (see second quote block above) that they haven’t been notified by the Eisners. And according to the search form that the State of California provides, there have been no breaches reported by any spelling variation of “Comic[-]Con International” or “Eisner[s] [Awards]” that I could come up with over the past year.
Oh, yeah, and the European voters? GDPR. I’m not knowledgeable enough on their requirements to say what the Eisners are obligated to do (see point #2 above), but I do know that they need to consult legal counsel (not to mention some experts in crisis communication) in Cali and Europe and act on their advice yesterday. This is not a situation where you can say Whoopsie! Revote and it’s all good!
It’s not a case where you can shut down a site and open a new one back up in less than a week and have any credibility. There needs to be a full explanation of what happened (crickets so far), whatever is presently known about how it happened (with the caveat that a proper investigation takes time), and why the new system is to be trusted. Oh, yeah, and what the Eisners will do to make up for the risk of identity theft that’s been going on for who knows how the hell long.
Incident response for situations like this is a specialized, skilled discipline; it’s not a job for amateurs (and I’m including myself in that statement: see #2 above again). It’s going to take serious money, serious time, and credentialed experts, before I would recommend that anybody vote for the Eisners in any form other than paper ballot.
If you haven’t yet created a new account to vote, do not do so without a fuck-ton more explanation and transparency than has been in evidence so far.
I’m utterly serious. As of right now, the organization has zero credibility when it comes to the integrity of this vote, and has shown no evidence that they understand the responsibility for safekeeping PII that they owe to their voters.
I have submitted a written request for comment about the incident response and when voters can expect a formal explanation as to what, how, and why. I will update this page with any response.
Update #1: (25 June 1800EDT) Jackie Estrada, longtime administrator of the Eisner Awards, was the listed point of contact on the Eisner vote page. She replied to me within seven minutes, referring me to the communications & strategy department of CCI. Remember what I said above about there being specific skills? Responding to a reporter² is a specific skill not for amateurs and she did the exact correct thing. Kudos to her for her prompt, courteous, and professional reply.
A fresh request has been sent to the C&S department.
Update #2: (26 June 1812 EDT) It’s been 24 hours and no response from CCI. I will, however, note this tweet from last night:
im an eisner voter and guess what i just found out from THIS tweet
Not the only Eisner voter I’ve seen online saying they’ve received no notification from CCI. The tweet that Jamey Bash is referring to is one by prominent creator/editor Steenz, who tweeted to respond and agree to the points I made above. As the old saying goes, If Steenz agrees with you, you’re probably doing something right.
The other common thread I’m seeing online is people want to know why the revote is being crammed into a week, when there isn’t a set date for the awards anyway. It would be no problem to delay, get all the proverbial ducks in a row, and do some disclosures prior to running a vote. The alternative is, as my wife put it, for this year’s winners to feel there’s an asterisk next to their names in the history of the awards: Hey, you won an Eisner? That’s great! Oh, it was in 2020? That’s … great?
Further updates as warranted.
Update #3: (29 June 1622 EDT) This is likely the last update. The CCI Communications & Strategy officer has not responded, even with a “no comment”. I have not seen a general discussion in social media about CCI communicating the details of the breach, the specifics of remediation, or the reason that a revote had to be wedged into a week’s time.
For those that trust the voting system, the deadline is tomorrow. I stand by my opinion that the only trustworthy means for voting for the Eisners, in the absence of transparency, is via paper ballot.
Update #4: (25 July 1433 EDT) Take a look at what a proper response to a data breach looks like.
Spam of the day:
Spam doesn’t share the page with actual journalism, only random embloggenation. Sorry.
_______________
¹ The law actually mandates reporting regardless of where the company is; the fact that CCI is incorporated in California means that they really should know about their obligations to that state.
² Shut up, I am too.
[…] The Marginalized-Genders BIPOC of Comics Discord discovered that the Eisner voting website was malfunctioning, allowing for votes to be manipulated and personal information like full name, address, and email to be revealed. The leak occurred during the same week that a number of comics professionals were exposed as alleged sexual predators. The voting website was initially shut down on June 17, before the original cut-off date of June 18. On June 24, the voting portal reopened with the message that only those who attempted to log in during the [confirmed] compromised security period of June 3 through June 18 would be eligible to re-submit their votes. Gary provided some thoughts on the “anomaly” here. […]
By Weekly Roundup: July 3, 2020 – tomorrowsnews.net on 07.04.20 7:28 am
The above comments are owned by whoever posted them. The staff of Fleen are not responsible for them in any way.