How to Control an Election by Hacking a Voter Registration Database

In September 2017, the Department of Homeland Security (DHS) warned at least 21 states, for the first time, that their voter registration databases had been targeted a year earlier by Russian government hackers.

In late February 2017, well over a year after the election, there was a report, quickly denied by DHS, that the voter registration databases of seven states were actually penetrated.

Why though? How could hacking a voter registration database be part of hacking an election?

The most obvious answer is disenfranchisement. If voters are deleted, or if their address or identifying information is changed in such a way that they don’t show up in the poll books when they attempt to vote, they may cast a provisional ballot, or simply walk away confused, without casting a vote.

An article in the Christian Science Monitor highlights this potential danger.

But the article continues. There is another, even more ominous, way that a hacked registration database could contribute to election hacking.

When most people think of “election hacking” they think of vote totals being changed. But as with any sophisticated crime, there is a second part. The cover-up.

Anyone changing vote totals needs also to make us think nothing really happened. They need us to feel like there is a reason for the results. Disgruntled voters? Changing demographics? A poor campaign? Nothing to see here. Please move along.

Any semi-plausible explanation that will keep us from rethinking our election systems and ending the game for good will suffice.

We rely on voter registration data to give us information about voters. We use this data to answer questions like:

How many are registered in each precinct?
Are they Democrats? Republicans? Not affiliated with either major party?
How many voters went to the polls?
Was there low turnout in some areas? Higher turnout in others?

The answers to these questions create explanations for election outcomes, particularly when an outcome is surprising. In the case of the 2016 presidential election, researchers and journalists turned to registration data to make sense of the unexpected outcome.

But what if the voter registration data itself has been altered? What if the data that seem to show a shifting political landscape are false? What if “zombie” voters were added to the voter rolls in order to alter apparent demographics? In order to explain an outcome that was almost unbelievable?

Control the registration system. Control the voters, control the votes, control the narrative.

The Vulnerabilities Nobody Talks About

When we talk about hacking a voter registration database, what does that mean? In a nutshell, it means getting access to the data and stealing it.

Or worse. Changing it.

There are several ways this might be done. There is SQL injection, for instance, where an attacker takes advantage of code that builds database queries from unchecked input, and alters the database by sending SQL through a form input or even through the URL.

During the 2016 campaign season, access was gained to the Illinois registration system via SQL injection. At least one report indicates that some registration records were altered during the breach.

The Illinois attack has been fairly well documented and examined. A timeline provided by the state gives a substantial amount of detail on the attack and the response to it. The attack was used to compromise the database — accessing, and possibly altering, an unknown number of records. Wisconsin, in a response memo written after the DHS report, noted that either the same SQL injection vulnerability or a similar one was present in their systems but had been addressed during upgrades conducted in January 2016.
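To make the SQL injection mechanism above concrete, here is an added example (not code from this article or from any state system) that puts a string-built update handler beside its parameterized fix. The table, column names, sample rows and handler functions are all constructed assumptions, run against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample rows; table and column names are assumptions.
ROWS = [("V001", "12 Oak St", "P-01"),
        ("V002", "98 Elm Ave", "P-02"),
        ("V003", "5 Pine Rd", "P-03")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE voters "
               "(voter_id TEXT PRIMARY KEY, address TEXT, precinct TEXT)")
    db.executemany("INSERT INTO voters VALUES (?, ?, ?)", ROWS)
    return db

def update_address_vulnerable(db, voter_id, address):
    # Form input is pasted into the SQL text, so a quote character in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = (f"UPDATE voters SET address = '{address}' "
           f"WHERE voter_id = '{voter_id}'")
    return db.execute(sql).rowcount

def update_address_safe(db, voter_id, address):
    # Placeholders send the input as bound values; it is never parsed as SQL.
    cur = db.execute("UPDATE voters SET address = ? WHERE voter_id = ?",
                     (address, voter_id))
    return cur.rowcount

def rows_changed(db):
    # Count rows that differ from the original constructed data.
    current = db.execute("SELECT voter_id, address, precinct FROM voters "
                         "ORDER BY voter_id").fetchall()
    return sum(1 for old, new in zip(ROWS, current) if old != new)

# Textbook input that turns the WHERE clause into an always-true condition.
CRAFTED_ID = "V001' OR '1'='1"

if __name__ == "__main__":
    bad, good = make_db(), make_db()
    print("vulnerable handler rows updated:",
          update_address_vulnerable(bad, CRAFTED_ID, "1 New St"))
    print("safe handler rows updated:",
          update_address_safe(good, CRAFTED_ID, "1 New St"))
```

The row count returned by an update is itself a useful signal: a self-service address change should touch exactly one record, so anything larger is worth alerting on.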

But there are other ways to penetrate these systems beyond an obvious “hack” like those detected by DHS.

For instance, a voter registration system could be compromised by an employee or contractor working on one of these systems via a built-in “backdoor” in the code. A small snippet of malicious code could be hidden in the systems that allow privileged users to add, update, or access data in these databases. This code could be used to steal passwords, or simply to allow remote database access for selected outside users.

Finally, a voter registration database can be altered maliciously by any member of the public via the “Change Your Registration” form on the websites of many states. A study published in September by Harvard researchers shows how easy it would be to manipulate voter data using these forms.

The researchers found that many states allow you to purchase enough information about voters that anyone can impersonate that voter and change information — address, party preference, or even name — using these online forms.

We quickly found at least one state where we could easily manipulate voter data this way. We made no actual changes, because that would be a felony. The state we looked at was Pennsylvania, where Trump edged out Clinton by under 45,000 votes out of 6.2 million, or 0.73%. Where the smallest hiccup in the electoral process could have affected this thin margin.

We purchased a snapshot of the Pennsylvania voter registration data for $20. Over 8.5 million records. Names, addresses, dates of birth, political affiliation, voting history. A wealth of data. These data sets are available to the public.

Armed with this information, we went to the “Change your Registration” page of the Pennsylvania Department of State website. The information marked with red is mandatory. Everything else is optional. Our $20 investment gives us all we need to impersonate a voter, or many voters.

According to the instructions, this form can be used to change the party of a voter. Or his or her name, or address.

Using this form we could move a number of voters to different polling places. We could outright prevent these voters from voting, by moving them away from their local precincts. Or we could look through the data for voters with no recent history of voting, perhaps the very elderly. By changing the addresses and perhaps the political parties of voters who are unlikely to actually show up at the polls we could change the apparent demographics of a precinct without ever being detected.
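The pattern described above leaves traces an election office can look for in the change log of its online form. The following is an added example of that detection logic, not code from this article or from any state system; the log layout, thresholds and sample rows are constructed assumptions.

```python
from collections import defaultdict

# Constructed change-log rows: (voter_id, source, old_precinct, new_precinct,
# last_voted_year). Field layout and thresholds are assumptions.
CHANGES = [
    ("V101", "198.51.100.7", "P-01", "P-09", 2004),
    ("V102", "198.51.100.7", "P-01", "P-09", None),
    ("V103", "198.51.100.7", "P-02", "P-09", 2006),
    ("V104", "198.51.100.7", "P-02", "P-09", 2016),
    ("V105", "198.51.100.7", "P-03", "P-03", 2008),
    ("V200", "203.0.113.20", "P-02", "P-03", 2016),
    ("V300", "192.0.2.44", "P-04", "P-04", 2012),
]

def flag_sources(changes, max_voters=3, dormant_before=2010, min_dormant=2):
    """Return {source: [reasons]} for sources whose changes look like bulk tampering."""
    by_source = defaultdict(list)
    for row in changes:
        by_source[row[1]].append(row)
    findings = {}
    for source, rows in by_source.items():
        reasons = []
        # One origin editing many different voters is not normal self-service use.
        if len({r[0] for r in rows}) > max_voters:
            reasons.append("bulk")
        # Precinct moves concentrated on voters unlikely to notice the change.
        moved = [r for r in rows if r[2] != r[3]]
        dormant = [r for r in moved if r[4] is None or r[4] < dormant_before]
        if len(dormant) >= min_dormant and 2 * len(dormant) >= len(moved):
            reasons.append("dormant_moves")
        if reasons:
            findings[source] = reasons
    return findings

def precinct_drift(changes):
    """Net registrations gained or lost per precinct through online changes."""
    net = defaultdict(int)
    for _, _, old, new, _ in changes:
        if old != new:
            net[old] -= 1
            net[new] += 1
    return dict(net)

if __name__ == "__main__":
    print(flag_sources(CHANGES))
    print(precinct_drift(CHANGES))
```

Flagged sources and precincts with unusual net gains are candidates for manual review, for example by mailing a confirmation notice to the voter's previous address before the change takes effect.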

In this article, Jonathan Albright documents some Python scripts that were posted to the code-sharing website GitHub by an employee of Cambridge Analytica. One of the scripts finds the geographic coordinates for a given address. Oddly, this script specifically mentions “VoterID”.

This script is capable of creating valid new addresses to assign our voters to. Using this script and the information contained in our purchased data set, voters could be electronically moved to new precincts. This could even be done automatically via a browser plugin that could read a list of voters and desired addresses and fill out the Pennsylvania “change in registration” form automatically.

But how do we figure out which addresses are assigned to which polling places? We simply use this nifty online polling place locator interface, brought to you by the ever-helpful state of Pennsylvania.

This convenient public-facing voter registration hacking API is very well documented. Even a non-Russian could probably figure it out!

Finally, and perhaps most devastatingly, a phishing email could be sent to a county clerk or election systems vendor in an attempt to steal the login credentials of someone who has access to one or more state databases. At least one such cyber-attack is well documented — against employees and clients of the election technology company VR Systems.

If any logins were compromised in such an attack, the entire database of any state serviced by this vendor would have been opened to nefarious players who could easily have added, deleted, and changed voters.

Journalists and politicians, and even the Department of Homeland Security, insist that despite these obvious vulnerabilities, voter registrations weren’t changed. But how do they know that for sure?