Part 1: Can the vote be hacked?
The possibility of voter fraud has made recent headlines, with some arguing it is a widespread problem. While statistics suggest that voting fraud in the US is quite rare, it is not unprecedented. As we rapidly approach Election Day, it is worth considering the role technology can play in enabling isolated acts of voter fraud scale to unprecedented level.
In a three-part blog series, I will examine a variety of traditional voter fraud techniques, how hackers could conceivably adapt these techniques to today’s digital context to undermine the integrity of our voting system, and what solutions can be put in place to prevent this.
A 1982 Report of the Special Grand Jury into voter fraud allegations following an election contest between Republican Governor James Thompson and Democratic Party challenger Adlai Stevenson III provides one of most comprehensive overviews of voter fraud in the United States preceding the Internet era.
After results were in, a precinct worker in Chicago claimed to have witnessed voter fraud. The subsequent investigation by the US Attorney and FBI uncovered several methods used by a precinct captain to ensure his precinct would be won by the Democratic Party, including a system for creating false votes which involved the use of early vote-counting machines.
The Grand Jury’s report exposed how checks and balances were circumvented and is considered instrumental in the creation of many of the election reforms still in place today.
What is especially interesting to consider is the types of voter fraud outlined in the report – the absent voter; false registration; fraudulent use of absentee ballots; vote buying; altering the vote count; and taking advantage of the elderly and disabled – most of which remain possible attack vectors over 30 years later, but which can now be executed on a much broader scale thanks to significant advances in digital technology.
Taking each type of voter fraud outlined, let’s look at how it can occur and how a hacker could employ a similar method on a much large scale in today’s digital environment.
The Absent Voter
Non-active voters are an ideal target for fraud. They are legal residents, registered to vote, they just choose not to.
In Illinois, the law requires a survey to determine if voters are still alive and living at their registered address. The Grand Jury report outlined how some precinct captains used the Illinois-mandated canvas survey to compile “eligible voter” lists showing which legitimate voters would not be available for the vote. In some instances, canvassers would ask potential voters whether they were likely to vote and even survey boarding houses to establish who was too sick, too drunk or otherwise not able to vote. The precinct captain or delegated representative would then “vote” for the people who hadn’t or couldn’t vote.
In today’s world, it is arguably easier to access this kind of voter information. In June 2016, Chris Vickery, a security researcher at the cybersecurity firm MacKeeper, uncovered a database with the voter registration records of 191 million voters which had been exposed online. Voter registration lists include name, address, political party, telephone number, and whether the voter voted in the last elections and primaries. Subsequently, the FBI reported that state voter lists were hacked in Arizona and Illinois.
For fraudster’s today, creating eligible but no show voter lists would be much easier to create with voter registration data corroborated against apps and social media activity. Even perfectly legitimate banner-ad-based or email-based web surveys could be used to flesh out information.
A hacker able to access tabulated vote records would make this data even more actionable. For example, knowing the history of a voter’s behavior would allow a hacker to pick absentee voters who are likely to “vote” a certain way with minimal risk of signaling an unusual pattern – a person who has consistently voted Democrat for example, suddenly voting Republican would be unusual. The list of non-participating voters could be monetized, either through in-person false representation or, more efficiently, by a direct feed of “votes” into the tabulation system.
This type of fraud would be difficult to detect without the presence of a similar correlation effort like intensive analysis of a voter’s past behavior or via a direct survey of voters. From a risk mitigation standpoint, big data analysis of voting patterns could uncover unusual last-minute voting activity compared to past votes, but ultimately direct and expensive investigation would be necessary to identify fraud of this kind.
In the next part of this blog series we will explore the additional voter fraud methods as outlined in the Grand Jury’s Report.