Days after Pennsylvania Republicans subpoenaed Gov. Tom Wolf’s administration for millions of voters’ personal information, including the last four digits of their Social Security numbers, the head of the Senate GOP acknowledged the request was “intrusive.”
But, Senate Majority Leader Kim Ward said, the subpoena simply demanded the same records the administration had already disclosed to third parties. Not only that, but those outside groups could have compromised the voter rolls, she suggested last month: “We don’t know what information they could add to the system. We don’t know what information they could take from the system.”
It was a striking claim. Trump supporters have been pushing similar claims for months, and the Republican senator leading the party’s new election review has said lawmakers will be “digging into” the issue.
But there’s no evidence to support it. A top Pennsylvania elections official said in sworn testimony earlier this year that outside groups had no such access. House Republicans investigating the matter accepted his explanation.
Rep. Seth Grove (R., York), House Republicans’ point person on elections, said he’s concluded there’s nothing to it: “Just because you read it on the internet doesn’t mean it’s true.”
The statements from Ward and other Republicans — which run contrary to all available evidence — show why experts fear the Pennsylvania Senate’s investigation of the 2020 election won’t improve voter confidence, as its proponents argue, but rather sow doubt and spread more misinformation.
Elections experts and nonpartisan pro-democracy groups have condemned Pennsylvania’s review, which began 10 months after Donald Trump was defeated, as part of a national movement to discredit Joe Biden’s victory. Since the Jan. 6 attack on the Capitol, the “stop the steal” movement has focused on efforts by GOP-led legislatures in swing states to conduct what they call “forensic audits” of the election.
“These kinds of audits are not audits … they are partisan efforts to try to delegitimize a past election,” said David Becker, head of the nonprofit Center for Election Innovation & Research.
Ward’s office stood by her claims and said the investigation may soon provide proof.
Ward spokesperson Erica Wright said the administration’s “unwillingness to be forthright” and years of “mounting public questioning” of the electoral system “have led us to this point.”
“There is so much more that is being investigated,” she added, “and we look forward to sharing as able.”
Pennsylvania’s voter database
The claims center around the Statewide Uniform Registry of Electors, commonly known as the SURE system — the statewide voter database established two decades ago as part of nationwide modernization efforts after the 2000 election.
Before that, Pennsylvania’s 67 counties maintained separate voter rolls. The centralized database is easier to oversee, including processing changes when a voter moves between counties.
It’s run by the Department of State, which oversees elections, and officials are in the process of replacing it.
In 2016, the Department of State rolled out what’s known as an application programming interface, or API. APIs are a way for computers to share information and are widely used by websites and apps across the internet. This API allows other entities, such as political parties and advocacy groups, to create custom voter registration apps and websites.
Such groups have long run registration drives using paper applications, and the API allows them to effectively do the same online.
Once sent to the state, applications are held in essentially a digital waiting room in the SURE system and treated the same as those sent directly through the Department of State website: The department checks some information, then sends applications to counties to process. Counties can reject applications if they find problems.
Approved applications are moved into the full database.
What Senate Republicans said
Since the Senate began its inquiry in late August, Ward had stayed mostly silent. But on a Sept. 20 call with reporters, Ward said, “the Department of State gave outside third party groups access to our SURE system.”
“We don’t have any idea how many third-party vendors or people had access to the system,” she said. “We do not know how much access they had to the information in the SURE system.”
The subpoena “asked for the same information” she said the state had already given to third-party groups.
Two days later, Wright wrote in an email that the department “has already compromised the voter registration system” by granting third parties “access to individual driver’s license numbers, last four digits of social security numbers, and signatures.”
Asked for evidence, Wright provided three documents.
The first, a manual, describes API usage and how data is sent to the system. It doesn’t say third parties can interact with the official database itself, such as to automatically add voters or change existing voters’ data.
The second, a 2016 statement from a nonprofit using the API, says Pennsylvania allows third parties “to directly upload registrations and signatures to its voter registration database.” But while third parties can upload applications, those applications don’t immediately enter the database: They’re first reviewed by elections officials.
The third is a 2019 SURE system audit by then-Auditor General Eugene DePasquale that criticized the administration’s lack of cooperation. But that audit doesn’t discuss the API and doesn’t claim third parties have access to SURE.
Sen. Cris Dush (R., Jefferson), who chairs the committee that issued the subpoena, said his panel will be “digging into” the issue of third-party access to the voter database. “Everybody’s aware already that that’s happened,” he told a conservative activist in a September interview. “We’re going to be investigating what impact that had on the process.”
A Dush spokesperson acknowledged that the Department of State has previously addressed the issue but said the senator “and others in the caucus still do have questions about that.”
“Following up on that to make sure that information is accurate is an important part of oversight,” spokesperson Jason Thompson said.
Testifying before a state House committee earlier this year, Jonathan Marks, deputy secretary for elections and commissions at the Department of State, was asked by multiple lawmakers whether outside groups had access to the voter registry. He was unequivocal.
“No, they don’t have access to the SURE system,” Marks testified under oath.
“We upload the data provided by the third party so that the county has that in their workflow,” Marks said. “But at no point does the third party have access to the SURE system.”
A department spokesperson reiterated in a statement: “There is no access — or opportunity — to retrieve or view any voter registration information. Any claims to the contrary are false.”
Grove, the chair of the committee, said he was satisfied.
“There was a fear that those entities had direct access to the SURE system so they could manipulate data: add names, remove names, change stuff,” Grove said. “So we asked, in multiple hearings … and we did learn that there’s not direct access to third parties.”
Grove said Senate Republican leaders have not asked him about the issue.
On Sept. 15, the GOP-led Senate Intergovernmental Operations Committee voted along party lines to issue the subpoena.
Senate Democrats filed a lawsuit to block the subpoena, arguing it violated voters’ privacy. They also asked a judge to order Republicans not to hire a vendor for the review until the litigation concludes.
In response, Republicans noted the Department of State contracts with a vendor to help run the SURE system and that Pennsylvania is a member of a consortium of states that share data — including driver’s licenses and last four digits of Social Security numbers — to help maintain accurate voter rolls.
Republicans’ court filing says nothing about the API.
Which groups used the API?
Dozens of groups have partnered with Rock the Vote, a nonprofit that works to get young people registered to vote.
They include advocacy groups across the political spectrum, including the ACLU, AFL-CIO, the League of Women Voters, the Mike Bloomberg-backed Everytown for Gun Safety, and the National Rifle Association affiliate Trigger the Vote, according to the Department of State.
There are security risks, but they’re not specific to the API
Republicans have raised concerns about the possibility of third-party groups using the data they’ve collected to, for example, falsely submit mail ballot applications or commit other fraud.
But that isn’t unique to the API. Consider voter registration drives using paper: After voters fill out the forms, it’s possible to, say, make photocopies or write the information down somewhere else.
Similarly, a third-party group can hand people tablets to fill out the Department of State’s online form — and if there’s keylogging software, it can log the personal information.
So there are ways for a malicious actor to exploit the system, but it’s not through direct access and it’s not a new problem.