A year after a presidential race roiled by allegations of attempted Russian meddling, the Monitor is seeking to answer the question: Just how vulnerable are the mechanics of American elections? In a three-part series that begins today, we examine how an attack by hackers might happen, the tensions between preventing fraud and securing voters’ rights, and the means to safeguard an accurate vote.
Election officials in Florida have apparently tapped into the regenerative powers of Ponce de León’s fabled Fountain of Youth.
The proof is available on voter rolls in Broward County.
Among those on the official list of registered voters is Henny M. Nelson, age 131.
So is Lillian E. Nicoletti of Davie, at 128 years old. And Sophie C. Golub of Sunrise, 118.
The oldest known living person on Earth is believed to be 117. So something truly remarkable must be afoot in the voting precincts of Broward County.
Lawyers for a conservative election integrity group say there is a more plausible explanation: Broward’s voting rolls are bloated with deceased voters, duplicate registrations, and people who moved away long ago without notifying the elections office.
In a court case in Miami, officials with the American Civil Rights Union charge that the county’s supervisor of elections is violating a federal law that requires the county to maintain “accurate and current” voter rolls.
The case is significant because it seeks to establish a national standard for the maintenance of voter registration lists as a way to guard against election fraud. Voter list maintenance is no small issue. The US Supreme Court is set to take up a similar case from Ohio early next year.
But the case is significant for a second reason. It arises at a time of intense national concern over alleged Russian-backed efforts to meddle in the November 2016 presidential election. A special prosecutor is investigating election interference, including whether there was any collusion with Donald Trump’s campaign. At least one former campaign adviser is cooperating in the probe. In addition, Senate and House committees are also investigating that politically explosive charge.
Against this backdrop, The Christian Science Monitor set out to examine key vulnerabilities in the US election system and whether they might allow someone to secretly manipulate the vote. What we found was an election system whose very modernity and reliance on voter-friendly technology has made it staggeringly vulnerable to manipulation. In the same vein, we found that at least a partial solution may be remarkably simple. But a year after the presidential election, little has been done to effectively address these threats.
Broward as a target
In 2016, computer hackers tasked by Russia attempted to break their way into America’s election system, according to US intelligence officials. There is no evidence that they compromised vote tallying software to electronically award more votes to one candidate or shave votes from another.
But there is evidence of repeated attempts to break into another critical part of the election system: voter registration rolls.
The implications are potentially severe. Whoever controls the list of registered voters controls who gets to vote.
Which brings us back to Broward County and the quality of its registration rolls.
Is it possible that 131-year-old Henny Nelson could become an unwitting pawn in Vladimir Putin’s alleged attempt to undermine the essence of American democracy?
There are easier ways to fix an election, but experts acknowledge that a large number of deceased or otherwise dormant voters on a registration list could help give cover to a malicious attack that might be exceedingly difficult to detect.
It doesn’t necessarily have to be linked to Russia. North Korea, for instance, has demonstrated an ability to strike at its adversaries – like Sony Corp. – with cyber intrusions. Iran and China are known to possess similar expertise. Anarchists, hackers-for-hire, or a hacker with a strong party preference might also possess the ability to swing votes or sow chaos during an election, experts say.
How might the Russians or others try to do this? Broward County offers an example. It was ground zero in the disputed 2000 presidential election that ended in Florida with a margin of 537 votes.
With 1.2 million registered voters, Broward has more card-carrying Democrats than any other county in Florida, a key swing state that is a must-win for any candidate seeking the White House. To carry Florida, a Democratic candidate would logically have to carry Broward by a very wide margin, while a Republican would benefit from making inroads among, or minimizing the turnout of, Broward Democrats.
The county is also the location of the congressional district of former Democratic Party Chair Debbie Wasserman Schultz, who lost her party leadership on the eve of the 2016 Democratic Convention following a series of embarrassing emails that were leaked to the media after being stolen by computer hackers allegedly working at the behest of Russia.
Cybersecurity experts warn that hackers – Russian or otherwise – could change or erase voter registration records, including those of the most active and loyal voters for one party or the other.
Such an all-out attack could plunge an election into chaos. But it would also blatantly tip off officials that the election was under assault.
A more subtle attack might seek to identify pools of dormant voters – registrants such as Nelson who haven’t voted in years but who remain on the rolls fully eligible to vote. Under this scenario, the hackers could harvest individual names, submit online change of address forms, and request that absentee ballots be sent to a new address.
The scenario depends on an essential circumstance: that there is a large enough pool of other “Henny Nelsons” on the voter rolls.
In recent years there have been a number of investigations into the state of Broward’s list of registered voters. Some have been undertaken by conservative special interest groups like the ACRU and the Public Interest Legal Foundation. Other inquiries were initiated by ordinary citizens wondering why their deceased neighbors or those who moved away were still eligible to vote years later.
Among their findings:
- During much of the past decade, Broward has had more voters listed on its registration rolls than there are citizens eligible to vote in the county. In 2016, there were an estimated 61,000 more registrants on the rolls than eligible voters living in Broward.
- In 2016, there were 107,278 individuals in Broward who remained on the voting rolls and fully eligible to vote even though they hadn’t voted or responded to any election office mailings in four years or more.
- Although there are an estimated 560 centenarians currently living in Broward County, the county’s voter registration list contains the names of 3,044 voters who are recorded as 100 years old or older. Of those, 1,450 are identified as “active voters,” meaning they voted in at least one of the last two federal elections.
- Researchers found 48 registered voters who are older than the oldest living person in the US.
- A May 2016 examination of the voter rolls found 2,082 likely duplicate registrations.
- The same 2016 review found 2,208 individuals who appear to have voted more than once in the same election in Broward.
- Researchers discovered an active voter whose recorded date of birth suggests he is 12 years old. According to voter registration records, he registered to vote at age 8.
- A computer analysis found 1,226 registered voters in Broward who listed a UPS Store as their legal address. Florida law requires that a legal residence be an actual residential structure – a home.
(When the existence of the UPS store voters was reported to the supervisor of elections, the voters were instructed to update their registration with a valid address. If they failed to do so within 30 days, they were advised that their legal address would automatically be changed to “102 Government Way.” That is the supervisor of elections office in Fort Lauderdale. After that change, requested absentee ballots continued to be sent to the UPS store postal boxes.)
A cautious approach
Broward’s supervisor of elections, Brenda Snipes, and her lawyers insist that she complies with all state and federal requirements for voter roll maintenance. In addition, she says she feels a strong responsibility to never remove someone from the registration list who may still be eligible to vote.
“We exercise a lot of caution when we are moving a person to another status,” she testified in federal court in July. “We reach out to them. We never just take a person off the rolls.”
In an interview, Dr. Snipes says the bulk of registration list maintenance is handled by state officials, including information about a voter’s death, citizenship, felon status, and whether they are registered to vote in other states.
“We have a regular list maintenance program, but much is subject to interpretation,” she says. “We try to stay within the statute so we are being fair, first of all, to the voter.”
The issue of how best to maintain voter registration rolls is politically divisive.
Republicans charge that sloppy registration lists lay the groundwork for election fraud. They favor robust efforts to police voter rolls and remove those who are ineligible to vote.
In contrast, Democrats maintain that voter fraud in the US is exceedingly rare and that efforts to purge voters from the rolls are often part of a Republican scheme to suppress the votes of likely Democratic voters rather than protect them.
Now in the wake of the 2016 presidential election, many Americans are expressing acute concern about a specific kind of election fraud – the kind that might be perpetrated by Russian-backed hackers.
There is no evidence that hackers broke into Broward’s voting rolls. But there is evidence that they may have tried.
Attempted hacks, allegedly at the direction of Russian military intelligence, targeted registration systems in as many as 21 states during the 2016 campaign season, including a successful penetration in Illinois, according to US intelligence officials. Hackers also posed as employees with a Florida-based voter registration software company, VR Systems, and launched a spear-phishing campaign against 122 officials in jurisdictions served by that company. (Spear-phishing involves sending decoy emails to entice a target to click on a file and unleash a malicious program that can corrupt and manipulate data systems.)
VR Systems provides voter registration and voter verification services in 64 of Florida’s 67 counties, including Broward. At least one of those phishing emails was addressed to an official in Broward.
“To our knowledge, according to our IT person, that did not get through to anyone,” Snipes says.
VR Systems’ poll books – computerized lists used to check voters in at the polls before they vote their ballots – contain substantially more than the public information listed on the voter rolls, experts say. The electronic poll books hold sensitive information about each voter as well as a photograph and digital signature.
Much remains unclear about the nature and scope of the attempted 2016 cyber intrusions.
The Illinois hack
In Illinois, the attack began on June 23. But information technology staff did not recognize it as an attack until July 12 – about 19 days later.
The attackers, working through foreign-based IP addresses, were bombarding the state’s paperless online voter application website at a rate of five times per second, 24 hours a day.
They were able to view multiple database tables and gain access to 90,000 voter registration records. The records were not altered, but the state notified 76,000 registered voters that their personal data might have been compromised.
Officials are not certain what the hackers were trying to achieve. The Russians have long sought to attack and undermine trust in American democracy. Given the current level of partisan enmity and distrust of election systems among Americans, that effort appears to be succeeding.
But there could be a second goal.
The 2016 election hacking may have been a scouting mission to lay the groundwork for future covert efforts to actually rig a US election, security experts say.
In June, former FBI Director James Comey delivered a stark warning about Russian intentions to the Senate Intelligence Committee.
“They will be back,” he said.
No one is sure why the hackers were attempting to gain access to voter rolls. In most states, some portion of the voter rolls is public information. They can include name, date of birth, home address, telephone numbers, party affiliation, and voting history. Some include Social Security numbers or driver’s license numbers, but those details are kept in more secure files.
It is possible the hackers wanted to tap into a large database to see if they could capture information useful for identity theft. It is also possible that they were seeking to gather a large mass of data to analyze the proclivities of specific voters to allow them to better wage campaign-related information warfare: personalized fake news.
“More sophisticated attacks weaponize the [registration] logs against the population and against democracy itself,” James Scott, senior fellow at the Institute for Critical Infrastructure Technology, wrote in an email response to questions from the Monitor.
“Voter registration logs can be used to precision target voters based on their demographic (age, sex, area, income, etc.) and psychographic (party, voting record, etc.) characteristics,” he wrote. “Attackers leverage the information in Big Data algorithms, which are powered by machine learning and artificial intelligence, to tailor malicious fake news lures to specific voters.”
That approach would dovetail with the theft, leaking, and online discussion of embarrassing emails that were used to attack Representative Wasserman Schultz and undercut Hillary Clinton’s election prospects in the final weeks of the campaign.
There are also many less sophisticated ways to use unauthorized access to voter rolls to undermine an election, Mr. Scott says.
“A mid-range attack might alter or delete registration logs in an attempt to disrupt voter turnout by adding time constraints and administrative overhead to election processes,” Scott wrote. “If the registration of each voter has to be manually looked up [on Election Day], and if some of those registrations are incorrect, less people will be able to vote that day.”
He added: “If nothing else, voters will question the integrity of the process and may question the results of the election regardless. Perceived election fraud can be just as harmful as actual fraud if it is adeptly weaponized.”
This type of attack might be as basic as covertly changing a voter’s party affiliation on the registration rolls.
In July 2016, officials in Riverside County, Calif., received a number of complaints from voters who said someone had changed their party affiliation in the online voter registration list. The change meant they were not eligible to vote in their party’s primary election. Those who complained were provided a provisional ballot, but it is unclear how many others simply went home frustrated.
Computer forensic specialists were unable to trace who might have made the changes within the state’s voter registration rolls. At the time, the state did not record the IP address of someone seeking to amend a voter registration file.
According to a report in Time Magazine, officials in the Obama administration believed the Riverside County incident may have been a Russian-linked operation. But more than a year later, there is no hard evidence attributing responsibility. The incident remains a mystery.
A Harvard study
Alarmed by the prospect of such attacks, a group of researchers at Harvard University in Cambridge, Mass., examined how difficult it might be for someone to exploit internet-based registration systems to essentially steal the identity of voters and potentially steal their votes.
The researchers specifically examined registration databases that allowed voters to make changes online to a statewide registration list. They found that online registration systems of 35 states and the District of Columbia were vulnerable to an imposter posing as a voter to submit changes to that voter’s registration information. (On Oct. 1, Florida became the 36th state with a statewide online registration system.)
“These aren’t breaches. This is not somebody breaking into a computer,” says Latanya Sweeney, professor of government and technology in residence at Harvard and one of the report’s authors. “This is somebody going in through the front door impersonating someone else.”
The attackers are merely posing as a voter to quietly and deceptively change the real voter’s information.
Although they didn’t study it, the researchers say this same vulnerability extends to any county or local jurisdiction that permits a voter to make online changes to registration information.
The study was published in September. The report’s conclusions are shocking. It turns out it is neither difficult nor expensive to surreptitiously change someone’s voter registration information. With moderate computer programming skills, malicious changes could be made to voter registration files nationwide in an attack that could affect thousands or even millions of votes, the report says.
“A voter identity theft attack could disrupt an election by imposters submitting address changes, deleting voter registrations, or requesting absentee ballots,” the study says.
To do so, the imposter must possess a few sensitive personal details about the voter to be able to gain access to and change the registration information. That information includes name, date of birth, gender, address, Social Security number, and/or driver’s license number.
The Harvard researchers found that those critical pieces of information were not difficult to obtain. They could be acquired from government databases, private data brokers, or markets selling such information on the darknet.
“An attacker could have spent $1,002 from darknet sources to acquire 2 datasets that jointly contained the names, addresses, dates of birth, genders, and Social Security numbers of most adult Americans,” the report says.
An automated attack changing 1 percent of registrations in all 35 states and Washington, D.C., could be carried out for about $10,000, they estimate.
“Perpetrated at scale, changing voter addresses, deleting voter registrations, or requesting absentee ballots could disenfranchise a significant percentage of voters.” The report continues: “If carefully distributed, such an attack might go unnoticed even if the impact was significant.”
Such attacks would not require particularly sophisticated programming skills, the report says. The authors say one challenge would be to defeat CAPTCHAs, onscreen visual puzzles that seek to block robotic access to information in a database. But they say programs exist that can bypass such obstacles.
“Changing hundreds of voter records could be done manually, without any programming whatsoever. Automation becomes necessary at scale if the goal is to change thousands or millions of voter records,” the report says.
One voter per minute
“We assume that a computer could impersonate a voter on a state website and make an address change within 1 minute,” the report adds.
The imposters would likely rely on a large bank of computers working simultaneously over a period of weeks or months to carry out a national-scale attack, the report says.
“We were asked by several parties to consider not publishing this study,” the Harvard authors acknowledge in their report. “We decided to do so because whether we publish or not, does not make the possibility of these attacks go away.”
One safeguard against this kind of voter impersonation attack on election systems is that a random selection of victim-voters would almost certainly trigger an immediate outcry by citizens who show up to vote and discover the unauthorized changes. That outcry would disrupt the voting process and undermine confidence in the fairness of the election, experts say. But it would also alert election officials to potential meddling and prompt an investigation into how so many registrations could be changed without the voters’ knowledge.
A more insidious attack might seek to identify people on voter registration lists who are unlikely to complain if their registrations were changed and their votes stolen. The challenge in launching this kind of attack would be in identifying large enough numbers of dormant registrations still listed as valid, analysts say.
Some experts are skeptical that the Russians would take such a risk.
“First, the Russians would have to have a capability that even we don’t have – that is, confidently matching dead people and people who have moved out of state with 100 percent accuracy,” says David Becker of the Center for Election Innovation and Research in Washington.
“If you take someone and ask for their ballot and that person shows up to vote, you are busted. There is an investigation,” he says. “You have to be perfect.”
Others disagree about the difficulty of identifying reliably dormant registrations.
“They are very easy to find,” says Gregg Prentice, founder of the group Election Integrity Florida.
Voter registration data in Florida includes voter history dating back 10 years. A would-be attacker could run a program to identify anyone in the state, or in a particular county, who hadn’t voted and/or updated their information in the past five years, 10 years – or longer, Mr. Prentice says.
Another tactic, he says, would be to conduct a computer analysis counting the number of registrations per residence. In some rental apartments with frequent tenant turnover many tenants move away without canceling their voter registrations.
“Sorting for residential addresses with say more than eight registrations can provide a list to start narrowing for likely abandoned registrations,” Prentice says.
Relying on abandoned voter registrations that are still listed as valid on the voter rolls offers a key advantage to would-be attackers. “They are not going to show up to vote and be turned away and told you already voted, because they are not voting anyway,” Prentice says.
Other analysts suggest a potential lucrative cache of dormant registrants may be found by searching for the addresses of health-care facilities listed by senior citizens on their voter registrations.
“How many people are in a long-term care facility or even a terminal care facility,” asks Professor Sweeney. “In that situation the change of address might well go unnoticed because the purpose of the care facility is not monitoring your mail to say, ‘Oh, there is a change in your voting record.’ Depending on your mental, physical, and medical condition, even if you got the mail yourself it is not clear it would be a priority.”
In Broward, there are five continuing care communities for seniors, 33 hospice care facilities, 53 nursing homes, and 149 assisted living facilities.
Any new activity in dormant registrations (changes of address, absentee ballot requests, absentee ballot votes cast) would re-activate those registrations in the eyes of election officials and further insulate them from any potential list maintenance scrutiny, analysts say.
Broward County offers an additional convenient service. Voters can sign up to automatically receive absentee ballots for all future elections. There is no endpoint to this service. The ballots will arrive at the listed address until the elections office is told to stop sending them. More than 215,000 Broward voters are currently participating in this perpetual vote-by-mail program.
In the November 2016 election, the Broward elections office distributed 283,000 absentee ballots. More than 77,000 were never returned. An additional 4,442 were returned as undeliverable.
“If a voter roll is dirty and poorly kept, would that county clerk know they were even being hacked? Probably not,” says Logan Churchwell, a researcher with the Public Interest Legal Foundation.
“If their voter roll is already in a state of shambles, a foreign threat coming in may not trip any alarms,” says Mr. Churchwell, whose group is working with the ACRU in the Miami lawsuit against Broward Supervisor Snipes.
A vigilant election supervisor might notice a pattern of changes to her voter roll. For example, a large number of absentee ballots being sent to certain locations overseas or a large number of address changes followed by absentee ballot requests could raise a red flag. But experts say such an attack spread over many months might blend in with legitimate voter registration activity.
Another potential bottleneck for an attack is how to redirect procured absentee ballots. “You need to have a place where these ballots are going to be sent. If there is one place where a ton of ballots are to be sent that is going to be easily flag-able,” Mr. Becker says.
“If it is a lot of different places, it is going to be harder to flag but you are going to need human beings in each of those places,” he says. “You can’t ask for all of them to be sent care of The Kremlin, Moscow, Russia.”
For these and other reasons Becker says he is skeptical such a plot would be pursued. It would require hundreds or thousands of people on the ground in the US, he says. “That is pretty darn close to an act of war, if not over the line,” he adds.
Nonetheless, logistics and manpower may not be an insuperable issue. In recent decades, a significant number of Russians have purchased condos in seaside communities in southeast Broward and northeast Miami-Dade Counties. One oceanfront city, Sunny Isles Beach, is known among locals as “Little Moscow.” Such communities could offer cover for an election fraud operation directed from Moscow.
Snipes says any effort to hijack absentee ballots would be discovered because county officials compare the signature on each absentee ballot with an electronic signature on file.
“If the signature does not match then we send correspondence out to the owner of that ballot and they have an opportunity to send us the corrected signature,” Snipes says. “We’ve not had any of that occur.”
The importance of signatures might partly explain the attempted hack of VR Systems in 2016. The company provides voter verification services to Broward and other counties – including maintaining a database of voters’ signatures.
“I don’t think a person hacking into the system could go in and pull up signatures and recreate a signature in our system,” Snipes says. “I don’t believe they could do that.”
Others disagree. “If you have access to that system you have access to people’s signatures because that is how they verify you at the polls,” says Mary Garber of the Florida Fair Elections Coalition, an election watchdog group.
“It is everything that would be needed to phony-up a request.”
Where is Henny Nelson?
There is no evidence that Henny Nelson or Sophie Golub, both registered Democrats, or Lillian Nicoletti, a registered Republican, voted in the 2016 election – or even the 2006 election. But that doesn’t mean their continued presence on the voter rolls might not be useful in a hacker attack.
The Monitor sought to identify the whereabouts of Nelson, Nicoletti, and Golub.
Nelson’s last known residential address was the Margate Health Care Center, a skilled nursing facility. A receptionist checked the register of current patients and verified that Nelson was no longer a resident.
Nelson’s date of birth is recorded as Jan. 14, 1886. That year Apache leader Geronimo surrendered to US troops in a dusty canyon in Arizona and President Grover Cleveland dedicated the newly erected Statue of Liberty in New York Harbor. Nelson was 101 years old in 1987 when she listed the skilled nursing facility as her residential address.
Attempts to locate Nicoletti were also unsuccessful. County real estate documents show that she moved from her listed address in Davie to nearby Weston, but apparently failed to update her 1988 voter registration. That was in June 1994.
Both cases underscore the challenges facing election supervisors in tracking down and verifying that a voter is no longer eligible to vote. But critics say a simple computer search could easily identify registrants with birth dates in the 1800s. Such a check would at least raise a red flag and justify additional investigation, these analysts say.
In contrast to Nelson and Nicolletti, Golub’s whereabouts were relatively easy to discover and verify.
Golub also apparently failed to notify election officials when she moved from her two-bedroom, one-bath home in Sunrise, Fla., to Brooklyn, N.Y. According to real estate documents, the white ranch-style home in Florida was sold in May 1996.
In an interview, the current owners of the house say Golub was in her 90s when they moved in and she moved out. According to records maintained by the Social Security Administration, Golub passed away in Brooklyn later that year in November 1996. She was 97 years old.
Nonetheless, in August 2017, nearly 21 years later, Golub’s voter registration file proclaimed optimistically: “You are currently eligible to vote in Broward County.”
In recent weeks, with a pending lawsuit and facing public criticism, election officials apparently noticed something was amiss. But rather than investigate registrations based on implausible ages, the officials simply added a new notice to the online registrations of Golub, Nicoletti, Nelson, and others.
The notice is highlighted in bright red lettering: “We have been unable to verify that this is your correct address. Please confirm or update your address with our office or use this website’s ‘change of address’ feature before voting in the next election.”