Voting-roll vulnerability

“Most states do have back-office processes and election practices that could detect or limit an attack. But there is room for improvement,” Sweeney said.

Obtaining the information needed to make those changes, Sweeney said, is far easier than most observers would believe because, contrary to popular opinion, voter information isn’t private.

Data sets containing voter names and demographic information such as addresses, party affiliations, and gender can be purchased or downloaded, often from government sites, for reasonable sums. For just $18,000, the researchers were able to buy voter lists from all of the 35 states, plus Washington, D.C., that allowed online registration.

Those lists don’t contain the personal information, such as Social Security or drivers’ license numbers, that most states use to confirm voters’ identities online. Yet obtaining the missing data, Sweeney said, was as simple as forking over $40 per month to access a commercial data broker site.

“The law says only people in certain situations are able to buy this data. One choice is if you want to search for your own data or for fraud investigations. But it’s based on a self-attestment,” Sweeney said. “That gives the brokers coverage, so if the government says you shouldn’t have sold the data to that person, they can say it’s not our fault, they said they were using it for this purpose.”

While it is possible to find the information needed to alter voter information through legal means, Sweeney said the dark web offers a major advantage in low cost.

For just $1,002, an attacker could purchase two data sets — one believed to have come from a massive data breach of the credit bureau Experian — with the names, addresses, birthdates, gender, and Social Security numbers of most adult Americans.

Armed with that information, Sweeney, Yoo, and Zang found, attackers could theoretically access and alter the voting information of many individuals. In some states, they found, it would cost a mere $1 to change 1 percent of voter records, while the median cost was just $41.

“The money, I think that’s a real shocker,” Sweeney said. “When we first talked about this project with a Washington insider, he told us we were wasting our time because voter data is so expensive. His prediction was that we would only succeed on a few sites … and that was because he thought the only way to get the data was from the state.

“But it turns out you can get it from many states, and only a handful charge a per-voter cost, which dramatically increases the cost,” she added. “In Ohio, the data is free. You can download it from the web. And others who have purchased the data have made it freely available in an attempt to add transparency to the election process. Even [for] data brokers who specialize in voter lists, $2,000 was the maximum, and they covered all 50 states.”

Still, Sweeney conceded, altering voter information may not be as simple as finding the data.

Although it may be relatively easy to gain access to Social Security and drivers’ license numbers, Sweeney said states may have additional security — such as having officials review and confirm address changes — that could halt an attack before major damage is done.

While those efforts may prove successful, Sweeney, Yoo, and Zang are urging states to take additional steps to protect against attacks. “A human may notice if a larger than usual number of changes appear, but what if the number is only a few more a day? A computer program might do better,” said Sweeney.

“Our paper is not trying to be critical of the government or suggest that the government didn’t invest enough money or resources into security,” Yoo said. “But it’s just the nature of government that it moves at a different pace than commercial technology does.”

Among the key steps researchers urge states to take, if they have not already, is logging all site visitors, which could show whether a single visitor is responsible for multiple voter information changes and track the source of any attack.

“We also recommend states keep logs of the changes that are made,” Sweeney added. “That would enable them to roll back through the changes and see what changes were made and how they were changed. Some states have been doing this. We recommend all states do so.”

Ultimately, the question the study asks is: How can the government ensure it’s actually dealing with citizens when it conducts business online? That question is important, Sweeney said, because although commercial fraud is a problem, the stakes are far higher for the government.

“If a commercial site is compromised, the downsides are not the same, because it doesn’t compromise our entire democratic process,” Sweeney said. “When people talk about voter fraud, what they usually mean is additional votes being cast by one party. But this is different. It’s about people who should have been able to vote, but can’t. This fits into the larger discourse of election security in a unique way … because it could allow for a particular group to be disenfranchised.”

— Read more in Latanya Sweeney et al., “Voter Identity Theft: Submitting Changes to Voter Registration Online to Disrupt Elections,” Journal of Technology Science (6 September 2017)

This story is published courtesy of the Harvard Gazette, Harvard University’s official newspaper.