Arrow-right Camera

Eye On Boise

Mon., Nov. 13, 2017, 5 a.m.

Idaho shared voters’ private info with Kobach’s ‘Crosscheck’ system, despite cyber vulnerabilities

Idaho Secretary of State Lawerence Denney told Kris Kobach, vice chairman of the Presidential Advisory Commission on Election Integrity, earlier this year that he wouldn’t turn over non-public information from Idaho’s voter rolls, including voters’ dates of birth and the last four digits of social security numbers, but he’d already handed that information over to Kobach for the Kansas secretary of state’s “Voter Crosscheck” program each year since 2014, and that program has serious cybersecurity lapses. Here’s Statesman reporter Cynthia Sewell’s full report, via an AP member exchange:

By Cynthia Sewell, Idaho Statesman

BOISE, Idaho (AP) — Much ado was made earlier this year when the Trump administration asked all 50 states for their voter-registration rolls.

Idaho Secretary of State Lawerence Denney told Kris Kobach, vice chairman of the Presidential Advisory Commission on Election Integrity, that the commission could have only the voter registration information available under Idaho law — name, address, party affiliation and election-participation history.

Denney assured the public that other personal information collected on Idaho's voter registration forms — a voter's date of birth, driver's license number and the last four digits of their Social Security number — is not releasable under Idaho's public records law. Kobach, he said, could not have it.

In fact, Denney had already given it to Kobach.

In February, Denney gave Kobach information on all registered Idaho voters, including two pieces of voters' non-public personal information — their birth dates and abbreviated Social Security numbers.

And that was not the first time. Kobach received the same information about Idaho voters in 2014, 2015 and 2016.

Why did this happen?

Kobach wears two hats: In addition to his role on Trump's commission, he since 2011 has been the Kansas secretary of state. In Kansas, he runs a program that collects voter registration records from around the country and compares them to ferret out voters who may be gaming the system.

The Kansas Secretary of State's Office accepted its initial year of data for the Interstate Voter Registration Crosscheck Program in 2006. Idaho voluntarily joined that program in 2013 and has sent it voter data since 2014. Since then, the state has been sending Kobach voter rolls each year, including protected personal data.

Denney's predecessor, Ben Ysursa, first signed Idaho up for the program. Now, amid news of security risks tied to the program's management, Ysursa says it's time for Idaho to leave.

Here's how Crosscheck works:

Each state uploads its voter rolls to a computer server hosted by the Arkansas (not Kansas) Secretary of State's Office. The Kansas Secretary of State's Office then pulls the data and compares all the records, looking for matching first and last names and birth dates.

The results are uploaded to the server. Each state retrieves its respective report of possible duplicates or multiple votes. Once that process is complete, the data is deleted from the server.

Participating states are not obligated to do anything with the Crosscheck data.

The initial four participating states — Kansas, Nebraska, Iowa and Missouri — collectively submitted 9 million voter registration records in 2006. This year, Crosscheck collected 98.5 million records from 28 states, including 797,534 from Idaho.

___

Crosschecking Crosscheck

There is worrisome evidence that Crosscheck is doing too little to safeguard that data from hackers.

Under Crosscheck's agreement with each participating state, "all data will be transferred to and from the Kansas Secretary of State using industry-standard encryption technology and passwords." But that doesn't seem to be happening.

In a story published last month, ProPublica, an investigative-reporting nonprofit, reported that Crosscheck's data is uploaded to an unencrypted FTP server. The industry standard is to use SFTP servers, which are encrypted.

Joe Hall, chief technologist for the Center for Democracy and Technology, a nonprofit that advocates for online privacy and security, "compared FTP servers to a postcard and SFTP servers to a letter sealed in an envelope and locked in a vault," ProPublica wrote.

Crosscheck also typically provides the server's address, user name and password in a group email to participating states. That is "completely, unbelievably irresponsible," Hall told ProPublica. "You should consider all of that stuff in the hands of people who are clever enough to intercept someone's email."

Through a public records request, the Idaho Statesman obtained emails between the Crosscheck program and Idaho officials. The emails confirm that Crosscheck has repeatedly sent the server's address and login information, all in one email, to more than 50 people around the country. The practice was followed as recently as this year.

The unredacted login information was clearly visible in the documents the Idaho Secretary of State's Office gave the Statesman.

The Statesman was not the only one to receive via public records request unredacted login credentials for Crosscheck.

Indivisible Chicago, an anti-Trump group, also received the unredacted Crosscheck credentials through an Idaho public records request, tech news website Gizmodo reported on Thursday.

Gizmodo asked several security firms to examine the server. "The results are troubling, to say the least," the website reported. "They not only confirm the findings contained in ProPublica's report, but further reveal an alarming array of previously unreported weaknesses in the network hosting the Crosscheck server."

This year, according to one of the emails provided to the Statesman, Crosscheck was having trouble with its encryption software because it had been updated, and Crosscheck's version was no longer compatible. Instead of upgrading its software, Crosscheck switched to "a free download" file compressor and encryption program and, again, sent the access information and password out via group email.

What do Kansas and Idaho officials have to say about this?

The Kansas Secretary of State's Office did not respond to repeated emails and calls seeking comment about Crosscheck's security protocols, why its server is housed in Arkansas, whether its database is subject to Kansas or Arkansas public records laws, or if Trump's Advisory Commission on Election Integrity has requested or received Crosscheck's database and records.

Idaho Secretary of State Lawerence Denney did not respond to emailed questions about Idaho's sharing of personal information and Crosscheck's apparent security shortcomings.

___

Idaho already did what it said it would not do

Under state and federal law, the Idaho secretary of state is required to implement and maintain a centralized computerized statewide list of registered voters.

In February, as it quietly has done every spring for the last three years, the Idaho secretary of state's office uploaded its statewide voter registration roll to the server in Arkansas, per instructions from Kobach's office. And, as in prior years, Idaho included voters' personal information not publicly available under Idaho law.

State Elections Director Betsie Kimbrough, who works for Denney, confirmed the sharing of the personal information.

"Yes, we provided the date of birth and last four digits of the Social Security Number's as required to participate in the Crosscheck program," Kimbrough said.

But four months later, on June 28, when Kobach sent his letter to Denney and the other 49 secretaries of state, asking to "provide to the (Trump) Commission the publicly available voter roll data" for each state within two weeks, a statewide and nationwide kerfuffle broke out.

Trump's election fraud commission has been under fire because Trump created it after repeatedly charging, without citing evidence, that three million to five million people voted illegally during the last presidential election. Some critics say its request for information on America's 200 million registered voters could be a fishing expedition to try to limit voter access.

The commission, created by executive order in May, is a defendant in at least seven federal lawsuits, including one filed Thursday by one of the commission's members, Maine Secretary of State Matthew Dunlap, a Democrat. He said the commission is breaking federal laws by denying him access to commission documents, and other violations.

Most states refused to provide their voter registration information to the commission. The Electronic Privacy Information Center, a Washington, D.C.-based organization focused on data and information privacy, asked a federal court to grant a temporary restraining order against the commission, alleging the requested voter roll data would not be secure. The Idaho Democratic Party sued too, seeking a temporary restraining order to prevent Denney from releasing the information.

In response, Denney's office put out a news release July 3 that said: "While additional information is requested in (Kobach's) letter (such as driver's license and the last four of a voter's social security number), that information is not considered public and Secretary Denney could not be compelled, outside of a specific court order detailing the need for and intended use of such data, to provide that information under Idaho Public Records statutes."

The release quoted Denney: "In the end, I will look to fulfill the requirements of the law under Idaho Statute while continuing to protect both the Idaho Voter, their nonpublic, personal information."

Kobach withdrew the commission's request and then sent Denney a revised one asking only for publicly available information. The commission submitted a public records request to Denney and paid the required $20 fee. His office then sent the Trump commission Idaho's voter roll on Sept. 5, without birth dates or shortened Social Security numbers.

___

More concerns

In September, the Department of Homeland Security announced it had identified 21 states whose voting systems were targeted by hackers in the 2016 election. Idaho was not among them.

The Statesman asked Kansas if its Crosscheck system had been targeted by hackers. Kobach's office did not respond.

One of the challenges for hackers is America's elections are decentralized: Each state maintains its own voter roll and conducts its own elections. What Crosscheck has done is create a central database of multistate voter records, albeit perhaps just temporarily, since it claims all files are deleted once the records are crosschecked.

Not all states have been pleased with Crosscheck. Alaska dropped out in 2014; Florida, Oregon and Washington dropped out in 2015; earlier this year Massachusetts dropped out. The states raised concerns about the validity of Crosscheck's data. A Harvard University study released in October found that one of Crosscheck's proposed voter registration purging strategies would eliminate about 300 registrations used to cast a seemingly legitimate vote for every one registration used to cast a double vote.

Then-Secretary of State Ben Ysursa signed the agreement to join Crosscheck in August 2013.

At the time, Ysursa said Friday, it seemed like a good thing to do. Washington and Oregon were participating and the main reason to join was to "clean up our lists."

Ysursa said a lot has changed since then — identity theft, hacking, voter fraud, election interference. "It was a whole different time. The whole atmosphere has changed," he said.

Given the current cybersecurity risks alone, he said, "the obvious thing is to get out of the program."

Upon Ysursa's retirement, Denney was elected secretary of state in 2014. This year, in a memo to all Idaho county clerks, Chief Deputy Secretary of State Tim Hurst wrote, "Secretary Denney decided that it would be beneficial to participate again this year in an attempt to clean up our voter registration database."

Kimbrough said the secretary of state does not need legislative or other approval to send Idaho's voter rolls to Crosscheck or to release voters' personal information because "it was a decision by the secretary, as a constitutional officer, dealing directly with his statutory duty."

Idaho House Majority Leader Mike Moyle, R-Star, told the Statesman he was unaware Idaho had been providing dates of birth and Social Security numbers to Kobach through the Crosscheck program. Moyle said he had questions and wanted to know more before commenting.

House Minority Leader Mat Erpelding, D-Boise, also was surprised to learn the details.

"It shocks me that Denney did not let on that he has been giving the secretary of state of Kansas, who also is the chairman of Trump's commission, Kris Kobach, the last four digits of my Social Security number and my birth date, which he said he wasn't going to give to Trump's commission," Erpelding said. "Those are critical pieces of my private identity."

While Erpelding called the Trump commission "a sham," he said the greater threat is from hackers, as massive hacks in recent years have proved.

"Given that Secretary Denney assured the public that he would not be providing Trump with Social Security numbers and data like that, I would hope that Crosscheck is not uploaded (to the Trump commission)," he said.

Erpelding said he would introduce legislation next session to remove Idaho from the Crosscheck program, citing voter privacy, cybersecurity issues and other concerns.

"I think it is time for the Legislature to look at whether or not we want to be sending our information into a system that a majority of the surrounding states of Idaho don't participate in, so finding substantial voter fraud is highly unlikely, and at the same time increases our vulnerability to hackers."



Betsy Z. Russell
Betsy Z. Russell joined The Spokesman-Review in 1991. She currently is a reporter in the Boise Bureau covering Idaho state government and politics, and other news from Idaho's state capital.

Follow Betsy online: