How I Cracked Proxy-Vote Security
from January/February 2003
by John R. Engen
Online proxy voting is becoming all the rage: In 2002, 14% of all ballots were cast over the Internet, and the number is sure to increase. But just how secure is it?
The question is more than academic. In April I was given the chance to vote on the proxy proposals of Progress Software Corp., a Bedford, Massachusetts, maker of
e-business software. The thing is, not only had I never heard of the company, I also didn’t own any of its shares. Nevertheless, I was free to pick from among seven director nominees and give a thumbs-up (or down) on a proposed amendment to the company’s stock incentive plan.
I owed this electoral clout to my own clumsy fingers and, obviously, a chink in someone’s security firewall. Intending to vote on the proposals contained in the proxy of another company—one in which I actually was a shareholder—I went to the ProxyVote.com website, entered the 12-digit “control number” assigned to me, and voilà! a ballot appeared on the screen. It was the wrong one. It turned out that I had transposed two of the numbers in the code, and up had come a Progress ballot belonging to some nameless shareholder.
No, I didn’t vote—but I could have. Beyond the control number, the ProxyVote site didn’t ask me for any identity verification to make sure I held shares in the company. When I called Progress, it was understandably miffed. “There should be better security in place,” grumbled vice president and corporate controller David Benton, promising that he’d be talking to ProxyVote about the matter.
I decided to talk to ProxyVote too, and was put in touch with Bob Schifellite, a senior vice president at Automatic Data Processing Inc., whose Investor Communication Services division runs ProxyVote. He said that the odds of accidentally accessing someone else’s online ballot are about “one in 120 million, and that’s in the busy season,” and that to his knowledge it had never happened before. “You should have played the Lotto that day,” Schifellite said.
Carl Hagberg, a Jackson, New Jersey, consultant and the publisher of a newsletter on shareholder services, speaks well of ProxyVote’s security. He recently hired hackers to see if they could get into the system. “We tried using a lot of different tricks, but couldn’t crack the code,” he says. But Hagberg still thinks online voting calls for greater security. He recommends that directors make sure an election inspector examines voting procedures to ascertain that proper security precautions are in place. “The inspector should be able to assure them that the system has integrity,” he says.
Such assurances will probably be increasingly important in the future. More companies are sure to offer online voting, because it affords huge cost savings. Automatic Data Processing charges 3 cents per electronic ballot, vs. 40 cents for a business reply envelope. At companies like AT&T, which has about 1.8 million shareholders, the numbers add up fast.
Do the savings justify an added security risk, no matter how small? In theory, no. But as one proxy solicitor who works with ADP notes, about 70% of shares are owned by institutions. While they also vote shares online, the systems they use include direct-line access from a specific terminal, and votes are electronically confirmed. “As long as the institutional votes come in, most companies don’t care about retail investors,” he says.
Meanwhile, ADP is lengthening the odds that strangers will stumble into electronic voting booths. “We’re changing our algorithms by modifying one of the check-digit routines,” says Schifellite. “This will increase the odds to 1 in 400 million.”
I’m glad I called.
