Trump Election Commissioner’s Voter Database Is a Ripe Target for Hackers

Kris Kobach calls the program a model for the country. It has major security problems.

Kansas Secretary of State Kris Kobach talks with a reporter in his office in Topeka, Kan. Orlin Wagner/AP

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.

Kansas Secretary of State Kris Kobach has called his Interstate Crosscheck Program, which compares voter registration lists among states to search for fraudulent double voting, a model for the nation. Kobach is the vice chair of President Donald Trumpā€™s controversial election integrity commission, which is seeking to find evidence of voter fraud and use it to impose new restrictions on voting. Crosscheck ā€œillustrates how successful a multistate effort can be in enhancing the integrity of our elections and in keeping our voter rolls accurate,ā€ Kobach said at the first meeting of the commission in July.

Yet newly released documents show that the program touted by Kobach has major security vulnerabilities that could lead to sensitive voter data being hacked, released, and even modified. States that employ the program upload their voter data to an unsecured server and exchange usernames and passwords to access the server over unsecured emails. They have also released sensitive, unredacted information on voters to the public.

Crosscheck was founded in 2005 to compare registration lists among Midwestern states but has been dramatically expanded by Kobach, and it’s now used by 32 states. Participating states upload their voter lists to a server run by the Arkansas secretary of state, and then Kobach’s office analyzes the data to search for illegal double voting. However, those files are being uploaded to a server that is not encrypted and could be hacked, according to documents released to the grassroots anti-Trump group Indivisible Chicago following a Freedom of Information Act request by the group. (Indivisible Chicago is lobbying Illinois to leave Crosscheck.)

Typically, sensitive data like this would be handled using a secure file transmission network called an SFTP, but Crosscheck uses an unsecure system, according to the documents. ā€œThis is a FTP site and not an SFTP,ā€ Bryan Caskey, deputy assistant secretary of state for elections in Kansas, wrote to Clayton Nicholson, an information specialist with the Illinois State Board of Elections, on June 28. Moreover, the usernames and passwords used by state election officials to upload voter data are being sent in the body of unsecured emails to more than 80 people. That makes these communications a ripe target for hackers, says Shawn Davis, director of digital forensics at Edelson PC, a Chicago-based law firm specializing in technology issues.

ā€œItā€™s completely vulnerable and wide open,ā€ says Davis. ā€œThe largest issue is that theyā€™re emailing the credentials back and forth. Thatā€™s a huge vulnerability.ā€

If a hacker sent a ā€œphishing emailā€ to Kansas pretending to be from another state thatā€™s part of Crosscheck, Davis says, he or she could potentially get access to the voter files of every state participating in Crosscheck. That information could be stolen, released, or even modified, Davis says. ā€œItā€™s not very secure at all,ā€ he says of Crosscheck.

States are also not always protecting the data they have. After Florida received a FOIA request from a voting rights activist in Kansas, it released unredacted personal information on 1,400 voters, including their names, birth dates, and the last four digits of their social security numbers. This information could be enough to make them targets of identity theft, says Davis.

Crosscheckā€™s security vulnerabilities are particularly noteworthy because Trumpā€™s election commission has requested voter data from all 50 states, leading to fears about how secure that data is and how it will be used. Kobach has repeatedly cited Crosscheck as a template for the commissionā€™s work.

In addition to the risk of hacking, Crosscheck has been found to produce false matches 99 percent of the time. Academics from Stanford, Harvard, Yale, and the University of Pennsylvania who studied Crosscheck found that ā€œ200 legitimate voters may be impeded from voting for every double vote stopped.ā€ Because the program searches for double voting using only votersā€™ first and last names and date of birth, it generates thousands of false matches, which makes double voting seem far more common than it is and can cause people to be incorrectly taken off voter rolls and even wrongly prosecuted for illegal voting.

In the newly released emails, Kansas election officials admit that Crosscheck can lead to mistaken cases of alleged fraud. ā€œIn a majority of cases of apparent double votes, in the end they do not turn out to be real double votes due to poll worker errors, mis-assignment of voter history, voters signing the wrong lines in poll books, etc,ā€ wrote Brad Bryant, the state election director for Kansas, to Kyle Thomas, director of voting and registration systems at the Illinois State Board of Elections, in 2011. 

Following the release of the new documents, 20 state legislators in Illinois have called on the state board of elections to withdraw from Crosscheck. ā€œWe urge the Board to end the stateā€™s participation in the Interstate Voter Registration Crosscheck System (‘Crosscheck’) and to refuse to comply with the Presidential Advisory Commission on Election Integrityā€™s second request for voter registration data,ā€ they wrote. 

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We canā€™t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who wonā€™t let independent, investigative journalism down are the people who actually care about its futureā€”you.

And we need readers to show up for us big timeā€”again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We canā€™t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who wonā€™t let independent, investigative journalism down are the people who actually care about its futureā€”you.

And we need readers to show up for us big timeā€”again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate