Computer security experts have identified vulnerabilities in Washington state’s voter registration databases, raising concerns about the ability of hackers and others to disenfranchise voters.
The state’s voter registration system makes it easy for people to register to vote and update their address information online. The problem is that all the information required from voters to log in to the system is publicly available.
It took The New York Times less than three minutes to track down the information online needed to update the registrations of several prominent executives in the state. Complete voter lists, which include a name, birth date, addresses and party affiliation, can be easily bought – and are, right now, in the hands of thousands of campaign volunteers.
Computer security experts and voting rights activists argue that a hacker could use that information to, say, change a person’s address online to ensure the voter never receives a ballot in the state, where voting is now done entirely by mail.
Another concern, critics say, is that large numbers of voters from one political party, or demographic, could have their information changed by automated computer programs. A program that could change tens of thousands of voter records at once, they say, would require only a dozen lines of code.
Rebecca Wilson, co-director of Save Our Votes, a voting rights nonprofit, said her organization did not initially track how states set up their online systems.
“We thought, ‘How badly could you mess that up?’ Well, we learned,” Wilson said. “Now, anyone in the world can write a computer program that commits absentee ballot fraud on a mass scale.”
State officials say concerns of a widespread cyberattack are exaggerated. They pointed out that voters who do not receive their ballots still can print them online, and they say they have never received a complaint about an address being unknowingly changed.
Officials also cite their use of “captchas,” which are meant to help weed out humans from computer programs. Captchas – those puzzles used by e-commerce sites that require people to type in a set of distorted letters and numbers – are easy for humans to read and retype but difficult for machines to decipher.
But security experts say the measures are not enough to prevent a determined hacker from disenfranchising scores of voters and influencing an election. Critics say hackers could use botnets, networks of infected computers, to change voters’ addresses. And new machine learning technologies can beat captchas, or people can be paid to type them in, in real time, for as a little as a penny per captcha or less.
“They could influence an election with 20,000 votes for less than a penny a head,” said J. Alex Halderman, one of the computer scientists who discovered Washington’s loophole. “That would be a great return on investment for them.”
In Florida last month, Republican state officials paid a company $1.3 million to register voters, but county election officials noticed several registrations contained unauthorized address changes and names of dead people. Laws in the state make it difficult to vote if an address is recently changed.
“In theory, the same scenario is possible online, where it is much easier to do,” said Charles Stewart III, a political scientist at the Massachusetts Institute of Technology.
Recently, David Jefferson, a computer scientist at Lawrence Livermore National Laboratories, Barbara Simons, a retired IBM computer scientist, and Halderman sent a letter to Washington election officials with seven recommendations for security, including authenticating voters with nonpublic information like the last four digits of their Social Security numbers and setting up disaster plans that would let them shut down their systems during an attack.
Shane Hamlin, Washington’s co-director of elections, said the state’s registration has closed, but that his team planned to review transaction logs for unusual activity. “Their suggestions are all reasonable and doable,” Hamlin said. “Some we have in place and can build on, some are longer term.”
JOIN THE DISCUSSION | Register here
We welcome comments. Please keep them civil, short and to the point. ALL CAPS, spam, obscene, profane, abusive and off topic comments will be deleted. Repeat offenders will be blocked. Thanks for taking part — and abiding by these simple rules. A thorough explanation of rules of conduct can be found in our Terms of Service. If you have any questions, including why your comment may not be showing immediately after you submit it, be sure to visit the commenting FAQ.