To HAVA or HAVA not: Secure voter registration data

(Photo credit: Justin Grimes/Flickr)

Protecting privacy and encouraging openness is a balancing act, especially when it comes to voter data. Last year, we looked at ways that different kinds of election data could be made more open. Earlier this year, we described the way that this openness must be limited to appropriately protect individual privacy. Given this week’s news implicating the Russian government in hacking Arizona and Illinois voter registration databases, we have another aspect of election data management to consider: its security.

Ensuring the security of the voting process, which has always been a complex, multi-faceted issue, now has a new area of concern in the form of an apparently coordinated attack on our voting lists by foreign state actors. Voting lists have historically been open, in some way, to the public. Their openness is intended to help ensure a fair and accurate voting process. Given that history, why would access to this list – even by non-Americans – pose a problem?

Simply put, a new requirement to digitize all voter list activity, plus inadequate funding, has created the possibility of coordinated attacks where this possibility never existed before. We have created a new risk by increasing the digitization of the voting process over the last fifteen years without adequate investments in the system’s security. In the past, we haven’t worried about coordinated electronic attacks on voter registration data because our national voter registration system was neither coordinated nor fully digitized. Now that it is, we need to consider the new risks, and new expenses, more seriously.

Coordination is new for American voter registration because it was never previously mandated. Election administration is among the government powers which were not constitutionally assigned to the federal government and are therefore “reserved to the states.” America’s voting processes are overseen by the 50 states, operationally run by local governments and function with relatively minor federal oversight or assistance. As a result, these processes vary widely. Everything from how people vote (by mail, in person or online) to when they vote (for a varying period of days or weeks, or only on election day) and even how the results are tabulated is something that is determined by state and local officials.  

That began to change in 2002. After a presidential election in which Florida’s tabulation of a few hundred votes determined the U.S. presidency, Congress passed the Help America Vote Act (HAVA), which provided a one-time infusion of cash and a requirement for electoral administration digitization. Unfortunately, that funding was never followed up with additional financial support or direction.

HAVA incorporated a number of different provisions which responded principally to the issues raised in the 2000 election – namely, the difficulty of rapidly and accurately processing paper ballots and the fear of individual-level voter fraud – creating a wave of new requirements for state election administration. Among other provisions, HAVA required states to end their use of punch card ballots and lever machines, required every state to create a centralized digital database of voters which could be used to prevent multiple votes, and funded the purchase of electronic voting machines.

It established the Election Assistance Commission (EAC), an entity that for the first time provided a central source of oversight, recommendations and funding to America’s 13,000 election administration entities.

HAVA’s largest effect was to dramatically speed up the digitization of American elections. Between 2003 and 2006, the EAC distributed nearly $3 billion to the states to improve their election technology, a massive amount in the context of the perennially underfunded world of elections administration.

Before HAVA, more than half of American voters voted using entirely nondigital processes — either paper ballots, punch ballots or lever machines. By 2013, nearly all Americans voted using either optical scan machines (which read bubbled-in paper ballots) or all-electronic machines.

Unfortunately, while the new technology did address the most visible issues of the 2000 election, critics found that it created new forms of insecurity in the voting process. Money came to states before the EAC had settled on voting machine standards. Early voting machine purchases included many electronic touch-screen devices, which lacked verifiable paper trails; subsequent investigations of the possibility of changing election results revealed that the machines were fairly easy to compromise. While there is no evidence that any votes were tampered with during an election, the apparent ease with which the machines could be hacked created significant public distrust. Now, experts are also concerned that many machines are outdated (or have yet to have their original issues with verifiable voting trails addressed) and that states have no money to replace them — without another major infusion of federal funding.

The risk of vote manipulation through attacks on voting machines and voting machine data has been the main point of focus for electoral security experts so far. However, the recent hack points to the fact that there are many points of weakness beyond the voting machine itself.

First, HAVA required that every state create a database of registered voters, “a single, uniform, official, centralized, interactive computerized statewide voter registration list defined, maintained, and administered at the State level.” This database was also mandated to be broadly available in read-write form to election officials all across the state, requiring every state to ensure that the list is immediately accessible to any local election official and to ensure that all new voter information is able to be “electronically entered into the computerized list on an expedited basis at the time the information is provided to the local official.” A database which must be broadly available for many people to alter digitally has more points of potential weakness than the old database structure, which was either more varied (and partially paper) or less broadly distributed.

Second, HAVA also mandates that these files be linked to social security offices and to state motor vehicle agencies in order to integrate voters’ identity information, including social security numbers and driver’s license numbers, with their voter file. This was also different from the old process, where voter information was kept separate from other identity databases. While the new system reduces the potential for multiple-voting fraud, something we know to be exceptionally rare, it greatly increases the amount of personal information that a hacker can obtain through a single attack.

Third, the EAC has also pointed out that the centralized, digital voter lists enable the creation of electronic poll books — digital versions of the list of registered voters which get marked off as people come to vote, giving an accurate count of voters and ensuring people cannot vote twice. Electronic poll books are currently in use in 32 states. Although it would be more complicated than a single hack, connecting the electronic systems that determine whether someone has voted suggests the potential for coordinated vote denial — marking a certain subset of voters as “already voted” when they hadn’t actually cast a vote. We need tests of electronic poll book software to prove that this cannot be done.
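One way to make an “already voted” mark auditable, as an added example that is not from the original post or from any real e-poll book product: a per-precinct, HMAC-chained, append-only check-in ledger, where a mark written directly into the store without a valid chain link fails verification and the poll book refuses to trust any of its marks. The precinct key, voter IDs and poll-worker IDs below are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would keep a per-device key in
# tamper-resistant hardware, never in source code.
PRECINCT_KEY = b"constructed-demo-key-not-for-real-use"


def _link_hash(prev_hash, body):
    """HMAC over the previous entry's hash plus this entry's fields (canonical JSON)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(PRECINCT_KEY, prev_hash.encode() + payload, hashlib.sha256).hexdigest()


def record_checkin(ledger, voter_id, worker_id, timestamp):
    """Append a 'voted' mark as a new chained entry; existing entries are never edited."""
    prev = ledger[-1]["hash"] if ledger else "genesis"
    body = {"voter_id": voter_id, "worker": worker_id, "ts": timestamp, "status": "voted"}
    ledger.append({**body, "hash": _link_hash(prev, body)})
    return ledger


def verify_ledger(ledger):
    """Return the indices of entries whose hash does not match the chain (empty if intact)."""
    bad, prev = [], "genesis"
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if not hmac.compare_digest(_link_hash(prev, body), entry["hash"]):
            bad.append(i)
        prev = entry["hash"]
    return bad


def voters_marked_as_voted(ledger):
    """Trust 'already voted' marks only when the whole chain verifies."""
    if verify_ledger(ledger):
        raise ValueError("poll book ledger fails integrity check; use paper backup / provisional ballots")
    return {e["voter_id"] for e in ledger if e["status"] == "voted"}


def demo():
    """Two legitimate check-ins, then a forged mark written straight into the store."""
    ledger = []
    record_checkin(ledger, "V-1001", "PW-7", "2016-11-08T07:02:00Z")  # constructed values
    record_checkin(ledger, "V-1002", "PW-7", "2016-11-08T07:05:00Z")
    forged = dict(ledger[0], voter_id="V-2000")  # copies an old hash onto a voter who never arrived
    return verify_ledger(ledger + [forged])      # returns [2]: the forged entry is flagged
```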

These additional elements of the voting system – the registered voter files, as well as the electronic lists of people eligible to vote – create additional areas of vulnerability that we are just beginning to think about. Just as we now know that voting machines are vulnerable to hacking, and therefore we need to find ways to provide secure back-up, auditable paper-trails and to separate voting data collection from the internet, we must also create that security for files containing information about individual voters and their voting status.

As a result of HAVA, voter registration databases have more power to create problems for individuals and the voting process than they did under the old, paper-based voter registration system. The problems that could stem from voter list hacking are slightly different from the ways that votes could be changed through hacking voting data. Voter registration databases could be held for ransom, as has been occurring with American hospitals’ data systems throughout the year. Access to voters’ identity information is made easier through linked statewide databases, and this information is now clearly linked to voters’ party registration, making it easier for politically minded hackers to select political targets for identity theft. Finally, connections to digital poll books potentially allow hackers to falsely mark individuals as having already voted, preventing those people from casting their ballot.

If our voting systems are under attack, it’s frustrating to note that there was some benefit to the old, entirely disaggregated system. Under a paper-based, disconnected model, there was no “single point of failure” for American elections. While the digitization of our electoral system has given us new efficiencies, it has unfortunately also given us new vulnerabilities. Just as private companies do, we’ll need to invest in securing the critical digital assets we’ve created.