Voting-roll vulnerability

For as little as a few thousand dollars, online attackers can purchase enough personal information to perhaps alter voter registration information in as many as 35 states and the District of Columbia, according to a new Harvard study.

Dubbed “voter identity theft” by study authors Latanya Sweeney, professor of government and technology in residence, research analyst Ji Su Yoo, and graduate student Jinyan Zang, the vulnerability could be exploited by internet attackers attempting to disenfranchise many voters where registration information can be changed online. Armed with personal information obtained through legitimate or illegitimate sources, hackers could learn enough to impersonate voters and change key information using the online registration systems.

One tactic, researchers said, would be to simply change voters’ addresses, making it appear — to poll workers at least — as though they were voting at the wrong locations. Those voters might be forced to cast provisional ballots, which in many circumstances are not counted.

The study is described in a Sept. 6 paper published in the Journal of Technology Science.

Though the researchers don’t report evidence of attackers already exploiting the vulnerability, Sweeney, Yoo, and Zang said the fear is that it might be used to undermine confidence in elections or even to swing the result in favor of a particular candidate.

“If the goal is to undermine any belief in the electoral system, then they might very well want to target a particular community at large … [because] that could cause a kind of hysteria,” Sweeney said. “People will say: ‘What kind of system is this? We didn’t get a chance to vote. Our whole community didn’t get a chance to vote.’

“If you look at the outcome of the 2016 election … there were several states where the margin of victory was within 1 or 2 or 5 percent,” she continued. “If you want to change the result in a state that was determined by less than 1 percent of the votes, what is the smallest number of changes you can make, and where do you make them?”

Hoping to prevent attackers from exploiting the vulnerability, Sweeney, Yoo, and Zang notified election officials in the at-risk states of their findings prior to publication, attended a national convention of such officials to discuss the findings, and will hold a workshop, to which election officials have been invited.

“Most states do have back-office processes and election practices that could detect or limit an attack. But there is room for improvement,” Sweeney said.

Obtaining the information needed to make those changes, Sweeney said, is far easier than most observers would believe because, contrary to popular opinion, voter information isn’t private.

Data sets containing voter names and demographic information such as addresses, party affiliations, and gender can be purchased or downloaded, often from government sites, for reasonable sums. For just $18,000, the researchers were able to buy voter lists from all of the 35 states, plus Washington, D.C., that allowed online registration.

Those lists don’t contain the personal information, such as Social Security or drivers’ license numbers, that most states use to confirm voters’ identities online. Yet obtaining the missing data, Sweeney said, was as simple as forking over $40 per month to access a commercial data broker site.

“The law says only people in certain situations are able to buy this data. One choice is if you want to search for your own data or for fraud investigations. But it’s based on a self-attestment,” Sweeney said. “That gives the brokers coverage, so if the government says you shouldn’t have sold the data to that person, they can say it’s not our fault, they said they were using it for this purpose.”

While it is possible to find the information needed to alter voter information through legal means, Sweeney said the dark web offers a major advantage in low cost.

For just $1,002, an attacker could purchase two data sets — one believed to have come from a massive data breach of the credit bureau Experian — with the names, addresses, birthdates, gender, and Social Security numbers of most adult Americans.

Armed with that information, Sweeney, Yoo, and Zang found, attackers could theoretically access and alter the voting information of many individuals. In some states, they found, it would cost a mere $1 to change 1 percent of voter records, while the median cost was just $41.

“The money, I think that’s a real shocker,” Sweeney said. “When we first talked about this project with a Washington insider, he told us we were wasting our time because voter data is so expensive. His prediction was that we would only succeed on a few sites … and that was because he thought the only way to get the data was from the state.

“But it turns out you can get it from many states, and only a handful charge a per-voter cost, which dramatically increases the cost,” she added. “In Ohio, the data is free. You can download it from the web. And others who have purchased the data have made it freely available in an attempt to add transparency to the election process. Even [for] data brokers who specialize in voter lists, $2,000 was the maximum, and they covered all 50 states.”

Still, Sweeney conceded, altering voter information may not be as simple as finding the data.

Although it may be relatively easy to gain access to Social Security and drivers’ license numbers, Sweeney said states may have additional security — such as having officials review and confirm address changes — that could halt an attack before major damage is done.

While those efforts may prove successful, Sweeney, Yoo, and Zang are urging states to take additional steps to protect against attacks. “A human may notice if a larger than usual number of changes appear, but what if the number is only a few more a day? A computer program might do better,” said Sweeney.

“Our paper is not trying to be critical of the government or suggest that the government didn’t invest enough money or resources into security,” Yoo said. “But it’s just the nature of government that it moves at a different pace than commercial technology does.”

Among the key steps researchers urge states to take, if they have not already, is logging all site visitors, which could show whether a single visitor is responsible for multiple voter information changes and track the source of any attack.

“We also recommend states keep logs of the changes that are made,” Sweeney added. “That would enable them to roll back through the changes and see what changes were made and how they were changed. Some states have been doing this. We recommend all states do so.”

Ultimately, the question the study asks is: How can the government ensure it’s actually dealing with citizens when it conducts business online? That question is important, Sweeney said, because although commercial fraud is a problem, the stakes are far higher for the government.

“If a commercial site is compromised, the downsides are not the same, because it doesn’t compromise our entire democratic process,” Sweeney said. “When people talk about voter fraud, what they usually mean is additional votes being cast by one party. But this is different. It’s about people who should have been able to vote, but can’t. This fits into the larger discourse of election security in a unique way … because it could allow for a particular group to be disenfranchised.”

This research was supported by funding from the Ford Foundation in support of the Data Privacy Lab at Harvard University, and by grants from the John D. and Catherine T. MacArthur Foundation and the Knight Foundation.