How convenient for voters: Pennsylvania and New Jersey allow them to change registration information online, including address and party affiliation.
How convenient for wannabe attackers, too: With more personal information available online, it could be cheap and easy to falsely submit thousands of changes online to voter registrations, making some legitimate voters ineligible to cast ballots.
A new study found that it would have cost as little as $1,934 last year to falsely submit online changes to 10 percent of registrations in Pennsylvania, a political battleground state that was pivotal to the 2016 presidential election. A similar attack on 10 percent of New Jersey voters' registrations would have cost just $1,069, the researchers found.
"It's clear that impostors can definitely launch these attacks, and it's not particularly expensive to launch these attacks against these websites," said Latanya Sweeney, a government professor at Harvard University and one of the study's authors.
"This is a brave new world. I think it's been easy to see the benefits of online shopping and online data, but I think this is a reminder of some of the serious questions that we have to grapple with in exchange for that freedom of information and access," said David Thornburgh, the president and CEO of good-government group Committee of Seventy.
And the cost of submitting false changes is likely getting lower and lower, Sweeney and her coauthors said, as computing costs fall and data breaches like the Equifax attack disclosed last week continue.
The study walks through the steps required to submit changes online to thousands of voters' registration, beginning with determining what information is required in each state. Researchers then estimated the cost of obtaining that information, including from black market sources; the computing cost of submitting that information in an automated attack; and the cost of getting around security systems.
Of course, submitting changes doesn't mean they would take effect. Sweeney and her coauthors are quick to note they looked only at the ease of submitting changes. Success depends on what systems are in place for such things as logging visitors and requests, tracking changes, and flagging unusual activity. State officials said Pennsylvania's system is protected by several of those measures, including sending notices by postal mail to voters whose information is changed.
"The good news, as I read the recommendations, I was, like, 'Hey, you know what, we're already doing the overwhelming majority of the things they recommended,' " said Jonathan Marks, the commissioner for the Bureau of Commissions, Elections and Legislation at the Pennsylvania Department of State.
The study was published last week in Technology Science. (Sweeney and her coauthors, Harvard research analysts Ji Su Yoo and Jinyan Zang, are editors of the journal and were not involved in the peer review process.) The study was begun last year, prior to the election of President Trump and investigations into alleged election tampering by Russia.
Marks described the study as valuable for pointing out potential vulnerabilities; attempted attacks are not new, he said, and it's important to be aware of new methods for messing with election systems.
"When we developed online voter registration, we were thinking about these threats," Marks said. He emphasized the preventive work the state has already done, including tracking all changes to a voter's information over time. If a problem is detected, those changes can be reversed. "People can rest assured that this is not new news to us, we are doing our due diligence and will continue to look for ways to improve our services and the security that surrounds them."
Falsely submitting voter information has always been possible. What's new is the shift to online systems, making things easier for the citizenry but also for saboteurs. State and civic groups have sought to make registration as simple as possible, lowering the barriers to submitting changes. Meanwhile, data breaches are becoming so common and so large that personal information is available in bulk — consider the Equifax attack that exposed information including names, dates of birth, Social Security numbers, and addresses for 143 million U.S. customers.
Thornburgh said that his group and others have traditionally focused on street-level issues on Election Day, itself, but that this study, along with concerns about Russian interference, highlights another issue: Tampering with vote totals is not the only way to meddle with the system.
Elections need to instill trust in voters, Thornburgh and others said. People need confidence in accuracy — their votes are counted, and false ones aren't — and in security.
Marks, the elections commissioner, said the state is continuing to upgrade its defenses, and experts said the state's voters appear to be well protected. Ray Murphy, the deputy director of civic advocacy group Pennsylvania Voice, described the state's online registration system as "the premier online voter registration system in the country." New Jersey officials told the researchers they use most of the best practices recommended in the study, according to the report. (They did not respond to multiple emails and calls for comment.)
Election expert Charles Stewart, a political science professor at Massachusetts Institute of Technology, had this advice for voters: Don't panic, but pay attention. If you get a notification in the mail, read it. And don't forget that the convenience for would-be bad guys is convenience for you, too: Go online. Check your information.
"It's just like a bank account," Marks said. "I'm not by nature a very nervous person, but even I check my bank account online periodically."
The study itemized the following steps to execute the attack:
Identify voter registration sites. Researchers found that 35 states and the District of Columbia allow online submission of changes to voter registrations.
Determine personal information required. States require varying information for authentication, such as part or all of a voter's Social Security number, date of birth, and address. Pennsylvania requires name, date of birth, address, political party affiliation, and driver's license number, or name, date of birth, address, party affiliation, and last four digits of Social Security number, the study found. New Jersey requires a zip code, driver's license number, and Social Security number.
Find voter information. Some information, such as names and party affiliations, is available to the public through voter files. Other information is available from illicit sources or computer programs that can predict things such as driver's license numbers.
Beat CAPTCHAs. Pennsylvania uses a CAPTCHA, those tests asking users to prove they are human by doing a task such as reading an altered number or word. These can be defeated by some programs, the researchers said.
Automate the attack. The code for such an attack could be written relatively easily, the researchers said, making a large-scale attack simple once the appropriate information and processes have been determined.