The big news in the world of hacking is surrounding Russian interference with the US election. As that plays out there’s something going on closer to home we need to also get to the bottom of.
We recently read that the Town of Aurora’s budget survey had been successfully hacked. Town’s CFO states:
We received what we thought was almost 200 survey submissions. Unfortunately, after it closed on the Monday we found someone had sort of stuffed the ballot box with the same IP address about 50 times or more, so we have now removed that so that you have a clearer picture of what was represented in those 132 survey responses.
The Town used SurveyMonkey, likely because it is a free service. For it to notice that the survey was filled out multiple times by the same IP address it collected IP addresses as a unique identifier. More on the issue that raises later.
SurveyMonkey acknowledges that IP addresses can be traced to a computer but not a person:
If you see multiple responses for your survey with the same IP address, it may be that a single person is responding to your survey multiple times, or it may be that multiple people in an organization are accessing your survey from within that organization’s computer network.
So in the case of the budget survey which is it?
How would such a determination be made?
What is the integrity of a survey if legitimate entries coming from mixed residences or organizations are simply discarded?
In the scenario described above the survey registered multiple surveys to the same IP address so its not as though an effort was made to spoof said address to stuff the ballot box, although that remains a possibility of occurring if cookies were not enabled to thwart multiple entries.
We saw how successful that measure was when the Auroran ran a poll that was hacked to show a solid victory of John Gallo, Alice Lalas and others that all had their asses solidly handed to them when the real votes were counted
While all of that is a hot mess the town needs to get on top of, there’s another issue that comes into play and that is the fact that SurveyMonkey’s servers are located in the U.S. and as Terry Lavender points out there are concerns with I.P. addresses stored on U.S. servers given the U.S. Patriot act. This was caught back in 2011 and Lavendar points to alternatives. One being an open source solution that is run on town servers, or if the IT is too daunting they could opt for a Canadian hosted solution
Given that this council drones on and on about the importance of engaging the public and directs staff to conduct opinion polls this book from back in 1946 asks a very direct question, to which I doubt no member of council could answer:
If nothing else, the town’s budget survey results indicate one immediate need and that is to ditch the monkey and apply more budget to the town’s survey toolset.