Voters in heavily-populated New Jersey and Pennsylvania can conveniently change their voter registration information online, including their home address and party affiliation. The ease with which the Equifax database was hacked this year, exposing Social Security numbers and the private information of 143 million Americans, may indicate how easy it would be for hacking into voter registration databases. But 33 other states are also vulnerable to hostile hacks that can have political results.

According to a new study, an amount as little as $1,934 could have allowed online submissions of false information on 10 percent of voter registrations in Pennsylvania, which happens to be one of the pivotal battleground states in the 2016 presidential election. In New Jersey, such a cyber-attack would have cost but $1,069, according to the researchers. According to researcher Harvard professor Latanya Sweeney, imposters can easily launch such attacks against voter registration websites. 

Sweeney and co-authors of the study found that the cost of false submissions continues to drop inasmuch as computing costs are also declining. The Equifax hack of early September also made it clear. The study was published on September 6 at Tech Science.

The study showed how changes can be made online for thousands of voters online at the New Jersey and Pennsylvania websites. The researchers estimated the cost of obtaining the information to be submitted. Black market sources were consulted to compute the cost of submitted false information in an automated cyber-attack, as well as the cost of circumventing computer security systems.

In response to the study, Pennsylvania authorities claimed that their system has several ways of checking voter registration changes and flagging unusual activity, including the sending of sending notices to voters via postal mail. Jonathan Marks of the Bureau of Commissions, Elections and Legislation at the Pennsylvania Department of State responded to the study by claiming that his agency has already put into place most of the study’s recommendations.

While the submission of fraudulent voter information has always been feasible, the change to online systems has made it easier for hackers. While civic organizations, political parties, and pressure groups have sought to make registering to vote as easy as possible, online data breaches have exposed large amounts of personal data and thus brings into question the current security of voter registration databases. 

Marks contends that Pennsylvania continues to improve its defense against hackers. Ray Murphy of Pennsylvania Voice and a former staffer at the progressive MoveOn.org is satisfied with the state’s efforts, according to a report by Philly.com. Murphy described the Keystone State’s online registration system as “the premier online voter registration system in the country.” 
 

The abstract of the article at Tech Science read:

“Abstract: Could an attack impact U.S. elections by merely changing voter registrations online? This reportedly happened during the 2016 Republican primary election in Riverside County, California. What about elsewhere? We surveyed official voter record websites for the 50 states and the District of Columbia and assessed the means and costs for an attacker to change voter addresses. Relatedly, an attacker could also change party affiliations, delete voter registrations, or request absentee ballots online. A voter whose address was changed without her knowledge, for example, in most states would have a polling place different than expected. On Election Day, when she appeared at her presumed polling place, she would have been unable to cast a regular vote because her name was not on the precinct's register. She may have been turned away or given a provisional ballot, and in many cases, a provisional ballot would not count. Perpetrated at scale, changing voter addresses, deleting voter registrations, or requesting absentee ballots could disenfranchise a significant percentage of voters, and if carefully distributed, such an attack might go unnoticed even if the impact was significant. So, how practical is it to submit false changes to voter registrations online?"

“We found that in 2016, the District of Columbia and 35 of the 50 states had websites that allowed voters to submit registration changes. These websites determined whether a visitor was an actual voter by requesting commonly available personal information. Some websites gave multiple ways for a voter to self-identify. Of these, {name, date of birth, address} was required in 15, {name,date of birth, driver's license number} was required in 27, and {name, date of birth, last 4 SSN} was required in 3. We found that an attacker could acquire the voter names, demographic information and government-issued numbers need to impersonate voters on all 36 websites from government offices, data brokers, the deep web, or darknet markets."

The total cost of changing 1 percent of the voters on all 36 websites, the researchers projected, would range from $10,081 to $24,926 depending on whether attackers used data from government, data broker, darknet or other sources. The cost for attacked an individual state was much lower. These would range from $1 for Alaska to $1020 for Illinois.

The researchers noted the ease with which some security measures on the various states’ websites could be defeated. They noted that while some websites use CAPTCHAs, which require a human input, they can be defeated by available programs. Hackers can also automate their attacks on the voter registration websites, using computer code that is relatively simple to write. Thus making large-scale attacks easy once appropriate information and processes have been determined. Voter information, they wrote, can be obtained from voter files, while other information can be obtained from illicit sources or through computer programs that use predictive analytics to ascertain driver’s license numbers.

In the article’s conclusion, the authors said that they had been asked by several parties not to publish their study. They decided to publish, having decided that only hackers would be protected by secrecy, while providing false confidence to officials that their security measures remain sufficient. “Our goal in exposing problems and solutions is to help voters and state officials use new technologies to help assure the integrity of elections.”


 



SHARE

Short Link

Martin Barillas is a former US diplomat and the editor of Spero News.

Comments

RELATED NEWS