Online voter registration systems around the country may be vulnerable to hackers intent on disrupting an election, a study by Harvard researchers concludes.
But Secretary of State Kim Wyman says Washington uses the safeguards the study recommends, and more, in its efforts to keep hackers from changing the information of voters in the state’s all-mail balloting system.
“An attacker could impersonate voters and submit address changes that, if accepted, could disenfranchise significant numbers of voters or disrupt elections,” researchers said in a study released Wednesday.
After a report that a large number of voter registrations were changed online in a Riverside, California, Republican primary last year, the group of experts in government, technology and data sciences at Harvard University studied the 35 states and District of Columbia with online systems allowing residents to sign up to vote and change their registration to show a new address or party affiliation.
Washington was one of the first states to adopt online registration, in 2008.
While an effort to change voter registration in days before online registration would have been time-consuming and expensive, that’s not necessarily the case anymore because information is readily available – inexpensively or for free – on the Internet from various legal and illegal sources, researchers said.
States typically require voters changing their voter registration online to provide personal information beyond their name, address and date of birth. Washington requires a state driver’s license or state ID card number. But the state uses a formula for generating those numbers, which hackers could easily figure out, researchers said. Or they could buy information like that or Social Security numbers from data collection services; from data breaches of large companies, retail outlets or government agencies; or from the darknet.
With the proper computer skills, a person or organization might be able to change the voter information for 1 percent of the nation’s voters for as little as $10,000, researchers estimated. That could disrupt an election as ballots are mailed to different addresses or people arrived at polling places where they should be registered but had been taken off the rolls by hackers.
Researchers emphasized that they weren’t saying this has happened, only that it could. In mentioning allegations of Russian meddling in the 2016 presidential election, they said those reports generally involved the hacking of email servicers and propaganda campaigns. But, they added, “a state actor would have the resources needed to perpetrate the attack at scale.”
They suggested eight steps state elections officials should take to shore up the security of their online registration systems, including keeping records of access to the website and requests for changes, reviewing them for unusual activity, tracking changes over time, sending a postcard to the old and new address when a change is made, and allowing contested voters to cast a provisional ballot.
Washington does all of those things in its effort to have a system that’s convenient to use but protected from malicious activity, Wyman said. It also locks out an IP address that tries to access the registration system multiple times, and has staff review registrations and address changes. Voter registrations can’t be changed within 29 days of an election, and ballots are mailed about 18 days before Election Day, so a voter who doesn’t get a ballot in the mail can ask for a replacement ballot by mail or in person.