Election officials are pushing back against a new Harvard study saying hackers could disenfranchise Americans in 35 states and the District of Columbia by exploiting vulnerabilities in online voter registration systems.
The study published Wednesday in the journal Technology Science says hackers could buy — either from commercial data brokers or more cheaply from cybercriminals — all the personal data they need about millions of Americans to fraudulently alter voter registration records online. Calling it “voter identity theft,” journal Editor-in-Chief Latanya Sweeney, who is also a Harvard professor, and co-authors Ji Su Yoo and Jinyan Zang say a broad-scale attack on several states could be carried out with data costing just a few thousand dollars.
But state elections officials told CyberScoop the report was overblown. “The study doesn’t reflect the safeguards that the states have in place to guard against this sort of thing,” said Indiana Secretary of State Connie Lawson, this year’s president of the National Association of Secretaries of State, or NASS. “I’m disappointed that a Harvard professor would put out such a study with incomplete research and inaccuracies like that.”
The study says that in order to impersonate a voter, “an attacker would need to acquire a voter’s name, date of birth, demographics, and government ID information such as Social Security number or driver’s license number.”
Online registration systems typically ask for that kind of information when performing knowledge-based authentication of a voter who is trying to register or change their registration.
“A voter identity theft attack could potentially disrupt an election by submitting incorrect address changes, deleting voter registrations, or improperly requesting absentee ballots on behalf of targeted voters,” effectively disenfranchising affected citizens, the authors conclude. They say the attacks could be automated and carried out at mass scale fairly easily.
The study comes amid continuing concern about ongoing efforts by Russian intelligence services to disrupt, discredit and influence western elections.
Elections officials said the report, although amended after comments on initial drafts from NASS and the National Association of State Elections Directors, or NASED, did not adequately reflect the measures states already had in place to protect the integrity of their voter rolls — like mailing written confirmations to people who change their registrations online.
The authors recommend a series of security measures and mitigations to guard against such attacks, including regularly reviewing records of registration changes and logs of computer activity to look for suspicious activity; and keeping all those records until after an election, in case voters want to contest changes.
“The vast majority of states mentioned in the report already do the things [the authors] recommend [as mitigations] and take security measures … to prevent bulk changes to voter records,” said Judd Choate, elections director for Colorado and president of NASED.
He noted that the vulnerabilities highlighted — essentially that someone with enough personal data could impersonate a voter and change their registration record — had nothing to do with the online availability of the process but were inherent in any system of voter self-registration.
Similar identity theft issues also exist with paper registration through the mail, Choate added.
“There’s no difference in the [voter] data you need to make those [registration] changes in an offline way … If this is a vulnerability, it’s a voter registration vulnerability, not an online voter registration vulnerability.”
Indeed, Lawson said Indiana had last year detected an effort at mass fraud in voter registration and registration change — but that was offline, through the paper-based system. Earlier this year, Marion County prosecutors in the state brought charges against 12 employees of the Indiana Voter Registration Project for allegedly submitting falsified voter registration applications on paper. County officials had become suspicious after noticing irregularities in a set of forms submitted by the group.
The question, officials say, is whether these kinds of attacks can be scaled or automated online against real voter registration systems.
“Yes, they can be automated,” co-author Ji Su Yoo told CyberScoop by email. “A few lines of Python code are able to input and harvest information online,” she added. “Even if there are captchas on the website that are meant to prevent automation, we describe how an attacker could bypass certain types.”
Officials say they have safeguards in place to prevent that.
Recently, Choate said, an election official trying to check online whether voters on the Colorado roll still lived in her district was flagged and kicked off the registration portal by an automated security feature.
“She was looking up multiple voter registration records one after the other,” Choate said. “That much activity, that quickly … the system cut her off in minutes.” Choate said his agency was able to restore her access after she reached out and “we determined her activity was legitimate.”
“It is a great first step that current security measures can track if there are multiple changes from the same [IP internet address],” said Yoo, but she added, “You can use rotating IP proxy servers or bot networks from infected machines if you wanted to mask your identity.”
Nonetheless, officials remain confident, noting there is no evidence these kinds of attacks have ever happened in real life. Both Colorado and Indiana introduced online voter registration the same year, 2010. Both officials said there had not been a single case or allegation of fraudulent online registration or address change since.
Choate said Colorado had one complaint from a voter whose party registration had been changed without her consent. “From the detailed records we keep, we were able to locate the IP address from which the change originated,” he said. As the voter suspected, the culprit appeared to be her ex-husband. “We turned that over to the state police,” Choate said.
Choate said Colorado and other states had mitigations in place to prevent exploitation, especially on a mass or automated basis, of such vulnerabilities.
“Every new registration or amended registration is reviewed by a live election worker,” he said. Lawson said the same was true for Indiana. And both states mail notices to the new address when an address change is made, either online or on paper.
If the paper notice comes back undeliverable, then the change doesn’t go through, Lawson said.
“Most states do have back office processes and election practices that could detect or limit an attack, but there is room for improvement,” Sweeney, the Harvard professor, said in a press release. She added that she would host a workshop where elections officials could discuss her findings with researchers.
Yoo told CyberScoop the authors hoped to “start the conversation that will bring brilliant minds in computer security to work on robust solutions specific to this area” of online voter registration.
Sweeney is a former Federal Trade Commission chief technologist and a recognized expert on privacy and technology, but officials said she had begun her research not knowing enough about the way voter rolls are managed.
“She doesn’t understand the amount of work we do to keep these systems secure,” said Choate. He added that he respected the fact that Sweeney had made “substantial changes, including to the title,” following comments from NASED and NASS.
“There’s a fine balance between securing the process and allowing voters access to register and change their address,” said Lawson. She added that exaggerating vulnerabilities presented risks of its own. “We’re concerned with security, but we’re also concerned about public confidence in the system,” she said.