On Thursday, July 27, I spoke at the U.S. Election Assistance Commission (EAC) Election Data Summit. The summit appropriately coincided with the release of the Election Administration and Voting Survey (EAVS) Comprehensive Report, the main source of comprehensive election administration data in the United States. I’ve attended two previous Election Data Summits and, as expected, this one was excellent; the speakers and panelists were experts in their respective fields and disciplines, they were engaging, and I learned a considerable amount. While I could continue to gush about the conference itself, that’s not (entirely) why I’m writing this blog post. In this post, I’d like to share my experience presenting on a panel, to correct the record a bit, and to apologize.
What would you say you do here
Sometimes you wonder how you were invited to a particular party. Sure, I know a thing or two about election administration and the related data, but when you’re sandwiched between some really brilliant folks, you start singing that Sesame Street song to yourself. The panel moderator was Dr Nichelle Williams, Director of Research at the EAC. Dr Krysha Gregorwicz, Senior Researcher at the Fors Marsh Group, sat on my right and Kendall Hodson, Chief of Staff for the King County Elections office, was to my left.
Imposter syndrome doesn’t really affect me when I’m on stage by myself. I’ve researched, prepped, and prepared for those presentations. However, panels are different. Sometimes you get questions beforehand; sometimes you don’t. Even when you receive questions before the event, the point of the panel is an evolving discussion based on earlier panels and responses from your co-panelists. I’m confident I have domain knowledge, but I’ve never been one for quick, on-the-spot responses. Recalling exact facts and figures is not one of my strong suits, even when they’re from reports I’ve written. When I’m surrounded by accomplished people with great statistical recall, I can get visibly nervous, which becomes apparent in my responses. My thinking and responses get a bit muddled, which brings us to our next section...
Correcting the record
On a line of questioning about cybersecurity for voters that fall under the protection of the Uniformed and Overseas Citizen Absentee Voting Act (UOCAVA), Dr. Willams asked a question about low-cost approaches to help secure electronic ballot transmission. Last year The Turnout, with generous support by the Democracy Fund, produced a report on mitigating risks in electronic ballot transmission to UOCAVA voters.
We made a number of recommendations to reduce—not eliminate—the potential for tampering with election materials being transmitted through some electronic means, such as fax, email, or web portal. Now, the first thing from the report that always springs to my mind is “DMARC”, which stands for “Domain-based Messaging Authentication, Reporting, and Conformance.” As you might guess from the name, it’s a very complex, technical subject, and I was sitting in front of a roomful of people who may not have been overly technical. Additionally, as I mentioned above, I’m not great at thinking quickly on my feet.
As you might imagine, everything went flawlessly. Flawlessly, I say.
(EDITOR’S NOTE: I’m kidding.)
I launched into a few confusing attempts to explain DMARC—first without explaining what the acronym stood for, and then again by quickly glossing over some of the more key details—and then, ultimately, closing with “…but that doesn’t actually help you,” which is still the most honest response I can give. I could have mentioned simply turning off the loading of remote content in email clients, which helps prevent a potential attacker from gleaning information about the user and network and loading potentially harmful content…but I didn’t.
After the panel, I spoke to Amy Cohen, Executive Director of the National Association of State Election Directors (NASED) and we talked a little bit about how awful it is to easily explain DMARC in an accessible way, which I’m going to try to do now. DMARC is largely meant to prevent email spoofing, the act of an email looking like it comes from a domain known to the recipient when it doesn’t. If you’ve ever received an email that looked like the email address was from your bank, or Facebook, or Apple—but wasn’t—you’ve seen email spoofing.
DMARC is built on top of two other security measures: DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). DKIM is the “stamp of authenticity” that a domain places on the mail being sent. SPF is a way for servers receiving email to check if the email is coming from an approved domain or IP address. DMARC adds another layer on top of these to tell other mail servers how to deal with spoofed emails. For example, if Mail Server A receives an email that looks like it comes from Mail Server B, then Mail Server A checks the DMARC policy for the domain to determine whether Mail Server B has DKIM and/or SPF in place. If the email fails DKIM and/or SPF validation, Mail Server A follows the DMARC policy which determines whether to reject and/or report the email to Mail Server B.
(EDITOR’S NOTE: As you may imagine, I’m glossing over a lot of the details here; If you’re interested, Global Cyber Alliance has an excellent write-up and video.)
None of what I said was easy to understand, even the concept of spoofed emails. Amy mentioned she had a fantastic picture to represent email spoofing and—because it is legendary—I’m including it here. With permission, of course.
If a similarly weird, hilarious image exists for the entire DMARC process, I haven’t seen it yet.
Weird niche humor doesn’t work
Delivering content is hard. I want people to enjoy listening to the information. Of course I’d like them to also learn something new, but I find that’s easier if the presentation is enjoyable. Somewhat due to my nature and personality, presenting information in a fun way is harder on panels. I’m also weird and enjoy weird humor, which typically doesn’t translate well outside of a core group of friends. Take all of those things into account on a panel and it’s generally a recipe for disaster.
I don’t think “a disaster” occurred on the panel, but I did do something that needs addressing. A question came up on the panel that would have required a long, involved, and difficult answer. The question was asked because, on a previous panel, John Dziurlaj mentioned a potential form of verifying voters. I (half-)jokingly said I didn’t want to answer the question and redirected the room to John, who was sitting in the back. Now, while I was saying it in jest, I was talking in a Senate Hearing Chamber, serving on a panel at the request of the U.S. Election Assistance Commission, at an event that’s being live streamed, and I’m making a joke at the expense of one of my employees. If there was a definition for “not cool,” this would be it.
Considering the very public nature of the event, my penance as an owner/employer is to publicly apologize for it. So with that: I’m sorry, John, and I will do better.
What to do, what to do…
I firmly believe in constant self-improvement, whether it comes in the form of self-study or expert assistance. As my business started to grow, I needed to improve my (non-existent) management skills, so I attended the So Now You’re a Manager training run by Plucky. (NB: It’s not possible for me to say enough nice things about Jen Dary’s program. Someday, I’ll write a blog post about the experience.) But I digress. In reasonable doses, shame and disappointment can be great motivators and these issues showcase a few mental muscles that need exercise.
In the future, when I prepare, I’ll start by acknowledging my strengths and prepping for my limitations, developing canned answers for questions I may want to avoid, and focusing all jokes inward rather than outward. I may seek out more panels and opportunities for improvisation, since those activities improve the skills—quick-thinking and spontaneous creativity—I currently lack. All things remaining the same, with experience and sincere hope, my performance should improve.