unlocked.door.jpg

[Image courtesy of lisanotes]

In recent weeks I’ve spent a lots of space singing the praises of online voter registration (OVR) – and rightfully so, given its potential to help streamline the process by which voters and election officials populate and maintain the voter rolls.

Recent stories, however, have pointed out potential vulnerabilities that will need to be addressed in order for OVR to continue and expand to new states.

In the last week, both the New York Times and Washington Post have identified soft spots in OVR systems in Maryland and Washington. Quite simply, it appears that both states make it far too easy to locate – and thus change – individuals’ registration records. As the Times observes:

In the last five years, Maryland and Washington State have set up voter registration systems that make it easy for people to register to vote and update their address information online. The problem is that in both states, all the information required from voters to log in to the system is publicly available.

It took The New York Times less than three minutes to track down the information online needed to update the registrations of several prominent executives in Washington State. Complete voter lists, which include a name, birth date, addresses and party affiliation, can be easily bought — and are, right now, in the hands of thousands of campaign volunteers.

The problem is similar in Maryland, as the Post found:

According to … researchers, the crux of the problem is that Maryland linked its voter registration files to the state’s database of driver’s license numbers.

That move was designed to add a layer of security and to weed out suspicious voter files. But in Maryland, driver’s license numbers are derived from a resident’s name and birth date. Several Web sites can decode a driver’s license number using the latter two pieces of information.

The threat these vulnerabilities raise is the prospect of voter records being changed without the voter’s knowledge or consent, whether through mischief or malice. Such changes could not only frustrate individual voters but could also, in the right scenario, be used to mount “denial of service attacks” by flooding polling places with voters whose records have been changed and who must therefore cast provisional ballots. These threats are described in greater detail in a letter from three prominent technology experts to the Maryland State Board of Elections. The letter also describes several potential safeguards, including allowing voters to use nonpublic information (like the last four digits of the SSN) to authenticate their identity.

Unfortunately, we already know that mischief and malice are plentiful in the voter registration space; recent stories have seen allegations of registration fraud involving alterations or dumping of otherwise valid registration forms. We have also seen evidence that “hacktivists” are not only able but willing to attack voter registration systems if they deem it necessary to spotlight security problems.

These problems aren’t insurmountable; other states appear to have designed and deployed OVR systems that don’t have the same vulnerabilities.

As we have already seen, OVR has great promise for the field of election administration. Here’s hoping that jurisdictions and technologists can work together to address the vulnerabilities identified and make the process more secure for voters and election officials alike.