Voter Data and Election Integrity

A Simple Guide to Controlling the Narrative

In the months before the 2016 US presidential election, there were news reports that as many as 20 state voter registration databases had been probed by hackers. In September 2016, the Department of Homeland Security (DHS) confirmed this but downplayed the news.

Both the Senate and House Intelligence committees concluded by mid-2016 that the Russian government was behind many election-related hacking attempts.

For the next year, DHS maintained that only 21 states were attacked. In February 2017 they denied reports that some state systems had been breached. In June 2017 they denied that 39 states had been attacked. Only in September 2017 did DHS finally inform 21 states that they had been identified as targets over a year previously.

DHS and state officials have consistently asserted that these attempts were largely ineffective.

Not until the middle of 2018 did the news finally emerge that in fact most likely ALL 50 state voter registration and election management systems were attacked in the run-up to the 2016 presidential election.

Why would an election hacker target state voter registration databases?

In part of a larger series on Broward County Florida’s voter rolls, the Christian Science Monitor asked the question, ‘What could a hacker achieve by attacking voter registration?’

The most obvious answer is disenfranchisement. If voters are deleted, or if their address or identifying information is changed in such a way that they don’t show up in the poll books when they attempt to vote, they will need to cast provisional ballots, or will simply walk away confused, without casting a vote.

If a large number of voters are missing from the poll books in a particular precinct the ensuing chaos can effectively disenfranchise dozens of voters by causing them to leave without casting a ballot. This interview with an Pennsylvania election judge shows what happens locally, at the precinct, when people show up to vote only to find that they are mysteriously missing from the poll book.

Still, these potential crimes are somewhat abstract, because when most people think of “election hacking” they think of vote totals being changed. But as with any sophisticated crime, there is always a cover-up. From the Christian Science Monitor article:

Anyone changing election outcomes also needs to make sure everyone thinks nothing happened. They need us to feel like any unexpected results are rational. Disgruntled voters? Changing demographics? A poor campaign? Nothing to see here. Please move along.
Any semi-plausible explanation that keeps us from questioning our election systems will suffice.
Here’s where voter rolls are key, because we rely on voter registration data to answer questions like:

  • How many voters are registered in each precinct?
  • Are they Democrats? Republicans? Unaffiliated with either major party?
  • How many voters went to the polls?
  • Was there low turnout in some areas? Higher turnout in others?

After the 2016 presidential election, researchers and journalists turned to registration data to make sense of the unexpected outcome.
But what if the voter registration data has been altered? What if data that seems to show a shifting political landscape is phony? What if “zombie” voters were added to the voter rolls in order to alter apparent demographics, in order to explain an outcome that would otherwise have been hard to believe?

What if these zombie voters could actually return ballots?

From the Christian Science Monitor article:

Control the registration data — control the narrative.

How can an online database be hacked? Let us count the ways.

We have described some motives for maliciously altering a voter registration database. Now let’s talk about the opportunity.

When we speak of hacking a voter registration database, what does that mean? In a nutshell it means getting access to voter data and stealing it — or worse, changing it.

SQL Injection

There are several ways this might be done. A hacker might take advantage of code vulnerabilities to alter a database by sending code through a form input (SQL injection) or even through the web address (URL).

We know that Russian hackers gained access to the Illinois voter registration system via SQL injection and stole voter data.

The Illinois attack has been fairly well documented and examined. A timeline provided by the state gives a substantial amount of detail on the attack and the response to it. The attack was used to compromise the database — accessing, and possibly altering an unknown number of records. Wisconsin, in a response memo written after the DHS report, noted that either the same SQL injection vulnerability or a similar one was present in their systems but had been addressed during upgrades conducted in January 2016.

Stealing Administrator Access

But there are other ways to penetrate these systems beyond these hacks detected by DHS.

For instance, a voter registration system could be compromised by an employee or contractor working on one of these systems via a built-in “backdoor” in the code. In other words, a small snippet of malicious code can be hidden in the systems that database administrators use to add, update, or access data. This code can steal passwords or enable remote database access by unauthorized parties.

Alternatively — and perhaps most devastatingly — a phishing email could be sent to a county clerk or election systems vendor in an attempt to steal the login credentials of someone who has access to one or more state databases. At least one such cyber-attack is well documented — against employees and clients of the election technology company VR Systems.

If any logins were compromised in such an attack, the database of any state serviced by this vendor could have been opened up to nefarious players. Depending on the level of permissions the compromised user had, the intruders could have added, deleted, and changed voters without detection, as the hijacked login would have made the changes look like legitimate work.

Or the Simple Way…

But what about doing it the easy way? An attacker using publicly available online registration forms doesn’t even need specialized computer skills. Many state voter registration databases are wide open to modification via the “Change Your Registration” web form. A study published in September by Harvard researchers shows how easily voter data can be altered using these forms.

Researchers showed that many states allow you to purchase enough information about voters for anyone to impersonate them and change information — address, party preference, or even name — using these online forms. A helpful tool built to encourage genuine voter participation unfortunately provides criminals with conveniently easy way to damage voter rolls.

We quickly found at least one state where we could easily manipulate voter data this way. We made no actual changes — because that would be a felony. The state we looked at was Pennsylvania, where Trump edged out Clinton by under 45,000 votes out of 6.2 million cast (0.0073). The smallest hiccup in the electoral process could have affected this thin margin.

Pennsylvania sold us a snapshot of their voter registration data for $20. Over 8.5 million records. Names, addresses, dates of birth, political affiliation, voting history, are available to the public, here.
 Armed with this information, we went to the “Change your Registration” page of the Pennsylvania State website. Information marked with red is mandatory. Everything else is optional. Our $20 investment gave us all the information we need to manually impersonate a voter, or many voters. According to the instructions, this form can be used to change the party of a voter. Or his or her name or address.

Using this form we could move a number of voters to different polling places. We could outright prevent these voters from voting, by moving them away from their local precincts. Or we could look through the data for voters with no recent history of voting. By changing the addresses or political parties of people who are unlikely to actually vote, we could change the perceived demographics of a precinct without ever being detected.

In this article, Jonathan Albright documents some Python scripts that were posted to the code-sharing website github by an employee of Cambridge Analytica (a company which stands accused of microtargeting US citizens via social media). One of the scripts finds the geographic coordinates for a given address. Suspiciously, this script specifically mentions “VoterID”. VoterID is not a user field in Facebook, but clearly it IS a field in voter rolls.

This script is computer code that creates new addresses and assigns voters to them. Using this script and the information contained in our purchased data set, voters could be assigned to different precincts. This could even be done automatically via a browser plugin that could mechanically fill out the Pennsylvania “change your registration” form to modify every address for a list of voters who would never know it happened.

But how do we figure out which addresses are assigned to which polling places? We simply use this nifty online polling place locator interface, brought to you by the ever-helpful state of Pennsylvania.

How Do We Know Nothing Happened?

An article in the New York Times, from September 2017 describes the chaos at the polls in Durham NC on election day 2016.

The article quotes Susan Greenhalgh, of Verified Voting:

“What people focus on is, ‘Did someone mess with the vote totals?” she said. “What they don’t realize is that messing with the e-poll books to keep people from voting is just as effective.”

Journalists and politicians, and even the Department of Homeland Security, reassure us that despite these obvious vulnerabilities, voter registrations weren’t changed and the election outcome was unaffected. But how do they know that for sure? To date, no officials have explained how or even whether they have tried to prove hackers changed nothing in voter registration databases despite attacking all 50 state systems.

NOTE: I published an earlier version of this piece here . This updated version includes new research and edits by @quatraingleam.