For several years, a nationwide voter-fraud prevention coalition has been using poor security methods in sending and storing millions of voter registration records, according to an advocacy group’s examination of official emails pertaining to the program.
Officials running the Interstate Voter Registration Crosscheck Program have been using email to send state election officials usernames, passwords and decryption codes for databases containing records of all voters in about 30 states, reports Indivisible Chicago, a nonprofit progressive advocacy group.
The states participating in Crosscheck — which originated in the office of Kansas’ secretary of state more than a decade ago — use the program to cross-reference voter registration records and determine whether individuals are registered in multiple states.
Indivisible Chicago, which has been leading a campaign to end Crosscheck, found that the voter records shared by the program are hosted on an insecure server and that login credentials are sent in plain text in emails to and from state officials. Indivisible Chicago obtained the emails through freedom-of-information requests to Illinois and Florida and posted them on its website last week.
The Arkansas secretary of state’s office hosts the FTP server. Other states log into the server annually and upload all their voter registration data, after which the office of Kansas’ secretary of state flags duplicate registrants and sends the information back.
Indivisible Chicago said that the emails it obtained showed unredacted usernames and passwords to the Arkansas server for several years of the program. The group had to redact the information itself before publishing it. The credentials were in emails that Arkansas IT administrators would send to individual states. The administrators also sent database decryption codes in mass emails to the various participating states. Login credentials also occasionally went unchanged from year to year, the group found. The office of Arkansas’ secretary of state did not respond to a request for comment.
Cybersecurity experts told ProPublica that competent cyberattackers can easily exploit Crosscheck’s security practices, leaving private information of about 100 million voters — such as addresses, dates of birth and partial Social Security numbers — vulnerable to hacking as long as the data is left there.
Crosscheck began in 2005 in the office of Kansas’ secretary of state. Indivisible Chicago describes the current holder of that office, Kris Kobach, as having a history of voter suppression efforts, and says that Crosscheck is used to further those efforts.
Kobach has backed President Donald Trump’s unsubstantiated claims that millions of illegal votes were cast in the 2016 election. As vice chairman of the Presidential Advisory Commission on Election Integrity, Kobach requested complete voter roll data from all 50 states and the District of Columbia earlier this year.