Russia or not, the vulnerabilities are there: let’s fix them

Disinformation campaigns, dubious practices on social media, murky financing of political campaigns and lobby groups, timed hacks and leaks: new structural vulnerabilities to our democracies are there for anyone to exploit. It’s time to focus our public conversation on new policies and practices that can mitigate these risks.

Originally published on OBCT’s website

Recent electoral contests in established Western democracies have been followed by media reports, research efforts, and inquiries suggesting that Russian political actors may have interfered with the integrity of democratic processes through various means (including through non-transparent funding of political forces, disinformation campaigns, computational propaganda, as well as targeted hacking).

There has been a highly polarised public conversation about alleged or confirmed interference from Russia, which has however been of little consequence. Some small steps have been taken at the EU level, or in specific countries, but, fundamentally, those worries have not opened the way for a substantive debate leading to new policies and practices addressing the vulnerabilities allegedly exploited by the Kremlin or its proxies.

And yet, policy responses to the threat of Russian interference should not be separated from debates on the structural vulnerabilities that enable it. On the contrary, by focusing on these vulnerabilities rather than any given external actor which may exploit them, it is possible to make democratic processes more transparent and robust, reducing the threat coming from both domestic and external spoilers.

What does this mean in practice? Let’s look at some examples.


In recent years, the media have frequently reported on hacks and leaks, some of which involved politicians and parties and may have had an impact on elections. Victims included the campaign team of former US presidential candidate Hillary Clinton, the French president Emmanuel Macron, and, most recently, as was revealed in January 2019, hundreds of German members of Parliament. Italy has not been immune, with both parties forming the current government exposed to hacks in the last couple of years. In February 2018, unidentified hackers released tens of thousands of emails belonging to Lega staffers. The vulnerability of the platform used by M5S to take decisions, and evidence that it had very low standards of cybersecurity, hit the news in 2017 and led to action by Italy’s Data Protection Authority. Is this the kind of actor that should intervene in this context? What cybersecurity standards should be demanded of political organisations? Do we have reason to believe that other parties in Italy are using computer systems that are any more secure than those of M5S, Lega, the US Democratic Party, or Macron’s staff in France? What actions should be taken to ensure that private communication, a key ingredient of a democratic society, is effectively ensured?

The response to these hacks and leaks has been varied, but, perhaps surprisingly, the conversation about them has not revolved around ways to prevent these things from happening. There are regular calls to improve our password habits and to keep the software we use updated, but putting the blame and responsibility on the individual is clearly not enough: if a server of a political party is hacked, the personal data hosted there are likely compromised, no matter the quality of the passwords of any given user.

If we believe that private communication is a key component of a democratic society, and that hacks and leaks involving political movements are a substantive threat to the integrity of elections and other democratic processes, then certainly there are measures that can be taken to minimise these threats.

Should, for example, national political parties be required to have a certified degree of digital security on their systems? Should the state sponsor cybersecurity-enhancing measures for political parties and perhaps other organisations involved in decision-making or policy debates? Should training or public information campaigns be part of the solution? Should the state (or the European Union) support more generously the open source bits of software that are crucial component parts of the digital infrastructure that we all use? What practical policy options are there to mitigate the threats to our democracy and privacy deriving from poor cybersecurity practices?

These are the kinds of questions we would like to see. If there is a vulnerability which has been repeatedly exploited by a number of actors, then there is no excuse for inaction. Pragmatic solutions that would mitigate this problem exist.

Transparency of funding and lobbying

The funding of political parties has long been the object of regulation. However, a number of trends make current legislation less effective. On the one hand, foundations or think tanks informally related to political parties absorb an increasing share of resources that used to be channelled through political parties, but are not subject to the same transparency requirements. On the other, the structural lack of transparency of the financial world, as well as the massive use of shell companies and offshore jurisdictions, makes it more difficult to understand where the money comes from.

Besides, through the internet and social media, political messages can be posted and promoted directly by individuals, making it more difficult to ensure that regulations on the financing of electoral campaigns are respected. In the meantime, social media giants such as Facebook have proved their inability to cope with these issues even in the US; it is by now easy to imagine Facebook CEO Mark Zuckerberg apologising and making promises again and again for years, without meaningful improvements in this field.

Disinformation and social media

Hate speech and fabricated news stories are nothing new, but they have been exacerbated by a context in which unmediated access through the internet and social media facilitates their spread, often under the cover of (presumed) anonymity. The centralisation of social media further contributes to this vulnerability: on the one hand, it gives undue power to companies in Silicon Valley to decide which news millions of citizens will read on any given day; on the other, it provides the centralised infrastructure that, at least potentially, gives external actors the chance to have a disproportionate visibility in the domestic public sphere.

A debate on the regulation of what have effectively become privately-owned public spaces that are central to democratic processes, as well as to the news-consumption habits of millions of citizens, is thus necessary in order to favour an enabling environment for open democratic processes. Such debates will likely revolve around the potential extension of current regulations to work effectively in an online context where the borders of national jurisdictions may be fuzzy, and will include aspects such as the regulation of hate speech, political advertisements, and micro-targeting.

Peculiarities of the social media environment must also be acknowledged. Targeted advertising existed well before the internet, but social media take the lack of accountability to a whole new level: electoral promises and false claims can be delivered as “dark posts”, which are shown to selected users without being published anywhere else. Lack of transparency of algorithms is an aspect with effectively no equivalent in the pre-internet age. Finally, the extreme centralisation of social media that characterises the present should also not be taken as a given, but rather be debated in the context of anti-monopoly legislation and threats to free speech. People (as users, as consumers, as citizens) should be able to feel they are in control of what appears on their screen, and why it is there.

Solutions, what else?

In recent years, Russia has been routinely accused of meddling in electoral processes in Europe and the US. Not only Russian state television, but also serious experts are on record suggesting that Kremlin-led operations may have determined key electoral outcomes such as Donald Trump’s victory in the 2016 US presidential elections and the vote on Brexit. Alleged tactics involve disinformation campaigns, divisive messages promoted on social media, targeted hacks, timed leaks, and funding of friendly forces.

It may be impossible to ascertain if these efforts did swing voters in any meaningful way, and recent studies challenge the dramatic conclusions of early media reporting. Ultimately, however, while investigations about these issues continue, it may be best to focus the public conversations on some of the things we have learned. Recent developments have brought new (or perhaps, newly-shaped) challenges to our democracy, including issues related to disinformation, social media, non-transparent funding, and cybersecurity. These vulnerabilities can be exploited by external actors, or, perhaps more often, by domestic spoilers, for political reasons or for profit. But these are not insurmountable challenges, and a combination of pragmatic and visionary policy-making, of tough and flexible solutions, can go a long way in reducing these vulnerabilities. Let’s think about the solutions. Right now, this is the public conversation we need to have.

In the next few months, OBCT will run a number of articles, interviews, guest posts, and reports on the new structural vulnerabilities to democracy in Europe and Italy, focusing in particular on the policies and practices that can mitigate these risks.

Giorgio Comai
Researcher, data analyst