A hacker in Florida exposed security vulnerabilities in one county’s elections web domains so officials could fix the problem — but, instead, he ended up behind bars.
Hacker David Michael Levin, owner of Vanguard Cybersecurity, was arrested on Wednesday after the Florida Department of Law Enforcement received a referral from the Lee County Sheriff’s Office after his apparently misguided attempt to help prevent election fraud by pointing out online vulnerabilities.
After spending six hours in jail, where he was held on $15,000 bond, Levin now faces three counts of gaining unauthorized access to a computer, network, or electronic instrument — despite the fact he had not only been doing his job, but also alerted the county to a potentially serious security concern.
To hack the Lee County Elections Office and the Division of Elections in Tallahassee, Levin performed Structured Query Language (SQL) injection attacks - which he documented on video and later uploaded to YouTube. According to the somewhat redacted police report, Levin’s associate, Daniel Sinclair, sent a security report about the SQL vulnerability - including details of the security flaw and a screenshot — to “an employee within the Department of State, Division of Elections.”
That employee then forwarded all the information to Special Agent Christopher Tissot, and the investigation began.
"The FDLE came to Dave, and then to me about the case," Sinclair said. "We believed they were investigating the holes in the servers and the Gross Negligence. We both gave them the only information they have now that is accurate. While interviewing me, and Agent Chris Tissot kept cutting me off when I answered his questions."
"I quickly realized Tissot was not investigating any of the claims. His sole goal was to find an obscure law they could hit Dave with, to discredit the information Dave went public with (after he helped them fix the holes)."
Though superficially, the case appears to be one of an unwelcome security breach despite that it was attempted for otherwise laudable purposes. But some aspects of what led to Levin’s arrest deserve further consideration.
Levin’s associate, Sinclair, is currently running against incumbent Sharon Harrington, Lee County Supervisor of Elections - whose name and password were used in the SQL hack. In the YouTube video about the attack, Levin and Sinclair explain how they obtained data from the elections website, which wasn’t even encrypted.
The possibility Levin chose Harrington’s account to perform the SQL injection as a publicity stunt to make Harrington’s job performance appear untenable must be taken into consideration. That being said, Levin’s foray into the elections data had not been undertaken with the appropriate permission — and because he didn’t alert the authorities as soon as he discovered vulnerabilities, law enforcement is required to be blind to his good intent.
However, in Levin’s defense, the privacy concerns of millions of voters — and any other potential issues with unencrypted and unsecured information — on the official Elections website should perhaps trump the strictures of law. Levin cooperated fully during a raid of his property — during which electronics were confiscated — and has in no way been deceitful regarding the hack.
Considering the sheer volume of complaints so far during the 2016 election cycle, it would seem counterproductive for law enforcement to go after a credentialed individual who obviously has the voting public’s best interests in mind.
With rather overt fraud disenfranchising voters across the country, arresting the one hacker who attempted to help secure elections seems oddly ironic.