Cybersleuth's hacking of Florida elections websites draws criminal charges

David Levin says he exposed vulnerabilities in the sites.   [Lee County Jail]
David Levin says he exposed vulnerabilities in the sites. [Lee County Jail]
Published May 5, 2016

TALLAHASSEE — The young cybersleuth says he exposed security lapses on Florida elections websites, but the state says he committed a crime.

David Levin, 31, of Estero, a political consultant and owner of a computer security firm, was booked Wednesday on three felony charges of unauthorized access to computer systems. Each count carries a maximum five-year prison sentence.

The Florida Department of Law Enforcement said Levin illegally gained internal access to websites of the state Division of Elections and the Lee County elections office, which together hold data on more than 12 million Florida voters.

The FDLE said that after Levin gained access to the Lee County site in December, he used the login credentials of supervisor of elections Sharon Harrington to access the state elections website.

"He took user names and passwords from the Lee County website and gained further access to areas that were password protected," FDLE Special Agent Larry Long told the Times/Herald on Wednesday. "The state statute is pretty clear. You need to have authorization before you can do that."

Levin, who runs two consulting businesses, Political Precision and Vanguard Cybersecurity, was briefly held on $15,000 bond. He was released Wednesday afternoon.

The case carries political overtones and surfaces at a time when the security and reliability of the statewide voter database is a subject of debate.

Levin appeared on a YouTube video in February, casually explaining how he performed what's known as a structured query language or SQL "injection attack" on the two websites by "tricking" the system into giving him access.

"You can be in Siberia and still perform the attack that I performed on the Lee County supervisor of elections website," Levin says on the video. "I'm looking for a vulnerability."

Levin explains on the video how he easily located the page that lists staffers' user names and passwords.

On the video, Levin is seen sitting next to Dan Sinclair, who's running against Harrington for supervisor of elections, and who praised Levin for performing a "public service."

Sinclair, who has an IT background, has criticized Harrington for failing to improve elections technology.

On the video, Sinclair voices surprise that information on the two websites is not encrypted for security reasons.

"It's extremely flawed," Sinclair says. "It should have been protected."

Sinclair said Levin did not commit a crime because he had no criminal intent. "He didn't create the holes. They were there," Sinclair said. "It's completely legal to test a computer system."

Sinclair expressed outrage at Levin's arrest and said that after Lee County Sheriff Mike Scott declined to investigate the case, the FDLE hit Levin with trumped-up charges to protect Harrington.

"FDLE is not involved in the business of politics," Long said. "FDLE is involved in investigating criminal activity, and that's what we did in this case."

Long declined to comment on whether information on any voters was compromised.

Neither Harrington nor spokeswoman Vicki Collins responded to requests for comment Wednesday.

Secretary of State Ken Detzner said no voter data was affected.

"The Florida voter registration system was not accessed and is secure," spokeswoman Meredith Beatrice said in an email. "The department received notice in February 2016 that an individual had attempted to gain unauthorized access to an ancillary website containing archival data. Once the Department was notified, we immediately referred the matter to FDLE."

Beatrice said Levin gave the state a written report on his injection attack. The state declined to release the report, saying it must be reviewed to remove any information that's confidential under state law.

Contact Steve Bousquet at Follow @stevebousquet.