To hack a U.S. election, the bad guys don’t necessarily need to do anything on election day. They could just tamper with voter registration rolls of likely supporters of an opposition candidate during the weeks and months before the election. That was the finding of a new report that studied how alarmingly simple and inexpensive it could be to unleash a campaign of what its authors call “voter identity theft.”
The good news is that the one known possible case (the California Republican 2016 presidential primary in the town of Riverside) inspired a statewide response. California took steps to protect itself against voter ID theft, and indeed, the state did not see any evidence of such activity in the general election last November.
But even if California had the model legislative response—and it doesn’t, say the researchers who produced the new report—that would still leave another 49 states whose voter ID theft problem remains unaddressed. This is in addition to countless countries that remain unaware that voter ID theft is even an issue.
In the new report published in the journal Technology Science, researchers from Harvard University share their discovery that 35 U.S. states, plus the District of Columbia, had websites that provided all-too-easy access for malicious actors. The infiltrators were free to collect enough identifying information about individual voters to be able to go to the website of the state agency that acts as voting registrar and change specific voters’ registration information.
Later, when that voter shows up to the polls, he or she might be unable to cast a ballot because the name or address on their ID doesn’t match the state’s records. Or perhaps their address has been changed to a different precinct, at which point some voters just give up and stop trying to cast their vote. Some file provisional ballots, but sometimes those ballots aren’t counted, says Latanya Sweeney, a co-author of the report and professor of government and technology at Harvard.
As an example of the problem, Sweeney points to Delaware. “With Delaware, you have a choice,” she says. “You can either provide the person’s name, date of birth, and zip code; or you can provide the person’s driver license number and date of birth. If you were playing the role of the attacker, the question is where could you get a Delaware voter’s zip code. And the answer is the Delaware voter list.”
The Delaware voter list is available online for $10, Sweeney says.
To get a voter’s date and year of birth, a hacker could go to data brokers who provide their members (with some memberships as low as $40 per month) with this information. And that’s all an attacker would theoretically need to wreak havoc on one state’s voter registration system.
The only other hurdle preventing an automated attack that could mess with thousands or more voter registrations, Sweeney says, is a Captcha system that Delaware state websites have inserted to ensure automated scripts don’t get onto their system.
But, she adds, most Captchas are woefully behind the times. Python scripts and other AI code that defeat most Captchas are widely available online. And even for those few that haven’t been compromised yet, micro-work order services like Amazon’s Mechanical Turk could help attackers defeat anti-bot provisions at the scale required to assail voter registration sites.
However, says Sweeney, there are countermeasures to face down automated attacks. Any attack on a voter registration system done at scale might be more detectable at a municipal and county level, she says. So requiring a precinct or county registrar to verify voter ID changes before approving them could be one fix.
Also, according to the researchers’ surveys of state voting records officials, ten states (Arizona, California, Indiana, Louisiana, Minnesota, New Jersey, Utah, Vermont, Washington, and West Virginia) store information about web access and change logs for voter registration information. So if a suspicious IP address keeps cropping up in voter re-registrations or a peculiar change appears on multiple voter records, then state officials can revert to previous versions.
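The two signals described above (one source address behind many re-registrations, and one identical change appearing on many records) can be checked mechanically once change logs exist. The following is an added example, not code from the report or from any state's system; the log columns, the threshold and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample change log (not real data). Assumed columns:
# timestamp, source_ip, voter_id, field, new_value
SAMPLE_LOG = """\
2016-05-02T09:14:03,198.51.100.7,V1001,address,12 Oak St
2016-05-02T09:14:09,203.0.113.44,V2001,address,1 First St
2016-05-02T09:14:11,203.0.113.44,V2002,address,2 Second St
2016-05-02T09:14:13,203.0.113.44,V2003,address,3 Third St
2016-05-03T17:40:51,192.0.2.10,V3001,address,900 Elm Ave
2016-05-03T18:02:27,192.0.2.11,V3002,address,900 Elm Ave
2016-05-03T19:15:40,192.0.2.12,V3003,address,900 Elm Ave
2016-05-04T08:30:00,198.51.100.7,V1001,address,14 Oak St
"""
FIELDS = ["timestamp", "source_ip", "voter_id", "field", "new_value"]

def parse_log(text):
    """Parse the change log into a list of dicts keyed by FIELDS."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))

def group_voters(records, key_fn, min_voters):
    """Group distinct voter IDs by key_fn(record); keep groups at or above threshold."""
    groups = defaultdict(set)
    for r in records:
        groups[key_fn(r)].add(r["voter_id"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_voters}

def ips_touching_many_voters(records, min_voters=3):
    """Signal 1: one source IP changing many *distinct* voters' records."""
    return group_voters(records, lambda r: r["source_ip"], min_voters)

def values_repeated_across_voters(records, min_voters=3):
    """Signal 2: the same new value written to many voters, from any IP."""
    return group_voters(records, lambda r: (r["field"], r["new_value"]), min_voters)

def records_to_review(records, min_voters=3):
    """Voter IDs whose changes a registrar should verify or revert."""
    flagged = set()
    for hits in (ips_touching_many_voters(records, min_voters),
                 values_repeated_across_voters(records, min_voters)):
        for voters in hits.values():
            flagged.update(voters)
    return sorted(flagged)

if __name__ == "__main__":
    print(records_to_review(parse_log(SAMPLE_LOG)))
```

Counting distinct voters rather than raw requests keeps a voter who corrects their own record twice (V1001 here) out of the review list, and the second check catches the same change spread across several source addresses.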
Ji Su Yoo, a co-author and research analyst at Harvard’s Institute for Quantitative Social Science, says their work may have identified the problem, but she and her collaborators are also offering assistance to states wanting to implement a fix.
“We are having a workshop where we are inviting state officials and their IT department[s],” Yoo says. “We’re not trying to say get rid of voter registration websites. We’re trying to push everybody to have a good and productive conversation about how to implement them in a way that is really secure.”
Margo Anderson is the news manager at IEEE Spectrum. She has a bachelor’s degree in physics and a master’s degree in astrophysics.