Hackers Could Purchase Enough Personal Information To Alter Voter Registration Files In 35 States
A vulnerability in voter registration websites could be exploited to disenfranchise voters in key states and precincts.
Harvard researchers have discovered a vulnerability on government websites that may let hackers and other malicious actors change your voter registration information and potentially cause chaos on election day.
The study, which surveyed official state voter record websites, found that in 35 states plus the District of Columbia, voter registration websites allow users to log on and change information such as home addresses, party affiliation, and gender. While this provides a convenient way for voters to update their registration information, it also gives malicious actors an easy way to impersonate voters and submit address changes, delete voter registrations, or request absentee ballots. With a simple change of address, hackers could even assign voters to an entirely different precinct.
Later on, when the voter shows up to the polls on election day, he or she may be unable to cast a ballot because the name or address on their ID doesn’t match the state’s records, or because poll workers think the voter has shown up to vote in the wrong precinct. Voters may be turned away from the polls or asked to file provisional ballots — but sometimes those ballots aren’t even counted, said the study’s co-author Latanya Sweeney, Professor of Government and Technology at Harvard University.
The fear is that this vulnerability could be used either to undermine confidence in elections and depress voter turnout, or even to swing the results in favor of a specific candidate.
“If the goal is to undermine any belief in the electoral system, then they might very well want to target a particular community at large…[because] that could cause a kind of hysteria,” Sweeney said. “People will say what kind of system is this? We didn’t get a chance to vote, our whole community didn’t get a chance to vote.”
This appears to be exactly what happened in Riverside County, California’s primary election in June 2016, when a number of voters had their party affiliations switched without their knowledge or consent. According to a report by Time magazine, “the changes had been made by hackers who had used private information, like Social Security or driver’s-license numbers, to access the central voter-registration database for the entire state of California.”
The California secretary of state and Riverside County District Attorney Mike Hestrin launched an investigation, but because the state’s system hadn’t recorded the IP addresses of the computers that made the changes, there was no way to figure out the identity of the hackers. It’s unclear to what extent tampering actually prevented voters from casting ballots, but “[t]he lingering mystery of the voter registration changes bred doubt among members of both parties,” Time reported.
Over the next several months, federal investigators uncovered evidence that Russian hackers had targeted election systems in at least 21 states. The cyberattackers didn’t target the systems that actually count the votes — instead, they targeted the voter registration rolls and, in some cases, attempted to alter voter registration information.
Looking back at the events in Riverside County in June 2016, federal officials began to speculate that it may have been a “test run” for future attacks by Russian hackers. One former cybersecurity official who looked into the case told Time that the Riverside County hack “looked like a cyberattacker testing what kind of chaos they could unleash on Election Day.”
According to the Harvard study, which was published this month in the Journal of Technology Science, state voter registration systems could allow hackers to replicate the Riverside County hack on a much larger scale.
“We found that in 2016, the District of Columbia and 35 of the 50 states had websites that allowed voters to submit registration changes. These websites determined whether a visitor was an actual voter by requesting commonly available personal information. Some websites gave multiple ways for a voter to self-identify. Of these, {name, date of birth, address} was required in 15, {name, date of birth, driver’s license number} was required in 27, and {name, date of birth, last 4 SSN} was required in 3.”
The study found that the information needed to impersonate voters on all 36 voter registration websites could be acquired relatively cheaply from government offices, data brokers, the deep web, or darknet markets. For just $1,002, a hacker could purchase two datasets — one believed to have come from a massive data breach of credit bureau Experian — that contained the names, address, dates of birth, gender, and Social Security numbers of most American adults.
Using that information, cyberattackers could theoretically access and alter the voter registration files of thousands of Americans. In some states, the study found, it would cost as little as $1 to change one percent of voter records. In the 2016 election, “there were several states where the margin of victory was within one or two or five percent,” Sweeney noted.
The study authors pointed out that most states have safeguards in place to prevent widescale attacks on voter registration systems. For example, many states use Captcha systems to ward off attacks using automated scripts. However, as Sweeney noted, most Captchas are behind the times and are becoming easier to crack. Python scripts and other codes that can defeat most Captchas are available online, and services officered through work order sites like Amazon’s Mechanical Turk could help hackers breach uncompromised systems.
Some states have additional security — such as requiring officials to review and confirm address changes — that could halt an attack before major damage is done. Also, 10 of the 35 state voter registration sites at least keep a record of web access and change logs, so officials can switch back to the old copies of records if tampering is suspected.
Still, the authors are urging states to take additional steps to protect against potential attacks. “A human may notice if a larger than usual number of changes appear,” Sweeney said, “but what if the number is only a few more a day?”
The ultimate question is how the government can ensure it’s actually dealing with citizens when it conducts business online. While commercial fraud is obviously a problem, the stakes are far higher for the government.
“If a commercial site is compromised, the downsides are not the same,” Sweeney said, “because it doesn’t compromise our entire democratic process.”
