Taking part in a democratic process to elect leadership in our association is vital for making our voices heard and enacting positive change for PASS. The election process started months ago when the Nomination Committee was formed to review the voting process, vet candidates, and submit the final slate of candidates for approval to the Board of Directors. I had the honor to serve on the Nomination Committee as the Board representative. I'm also Director over both the Membership and the Information Technology portfolios. Both affect, and are affected by, the election process. The benefits we can develop and provide for our members come from the visions and passions of those elected representatives of our association. Information Technology builds the functional processes for the vote casting. It is as the Director of Information Technology that I come to you now via this blog post.

The security of our voting process was called into question by a concerned community member earlier today. This individual reached out to PASS with concerns about sharing of the voting link behind the "VOTE NOW" button, created from a hash of their login and password from the MYPASS website. This link is unique to each member and was never intended for sharing. Though PASS is unable to see the votes cast by a member, we do need to know that a member, should they vote, only votes once. This link takes you to the secure SimplyVoting site, allowing you to cast your vote and take part in our democratic process. If a member were to take purposeful steps to share the unique URL, exposed through the hover action on the button or by saving the URL associated with the button through a right-click action, their votes could be seen if the original member had voted already, or votes could be cast as that original member if they had not yet voted.

As Data Professionals, we advocate for proper security behavior as a core message of our roles. The concerns that were raised could be easily mitigated by simply not sharing personal information. However, our community was formed around the mission of connecting and sharing. Members may not be aware that this link is unique for each member. A member who is trying to help a fellow member by providing them with the URL to vote for the PASS Board would inadvertently provide insight into their voting activity.

Our IT staff, in addition to security-focused community members, looked into the matter independently of one another. They all concluded the concern over these issues came down to making mindful decisions about how you share personal information and not violating basic security principles. While this means that using generally accepted guidelines to avoid sharing personal information would prevent any intrusion, we also understand our community's penchant for wanting to help one another. It's feasible that, in doing so, consideration about security could be overlooked.

Therefore, to prevent any unintentional sharing of personalized URLs for voting, our IT staff took action immediately to implement a change to hide the URL completely from the "Vote Now" button. The hover action on sqlpass.org will no longer display the personalized URL, and the target address is obfuscated from the button altogether. They have already successfully made the change in the staging site for testing and will be deploying the change to production by the end of the day. I've been assured there will be no downtime incurred or negative impact on the ability of our members to continue to vote.

Please do take the time to vote, and also remember it's not too late to attend the PASS Summit this month! It's also never too late to volunteer or consider running for the Board of Directors in the next election cycle.

Thank you,

Tim Ford