CHERRY HILL, N.J.— Officials from both major political parties had a consistent answer last year when asked about the security of voting systems: U.S. elections are so decentralized that it would be impossible for hackers to manipulate ballot counts or voter rolls on a wide scale.
But the voter fraud commission established by President Donald Trump could take away that one bit of security.
The commission has requested information on voters from every state and recently won a federal court challenge to push ahead with the collection, keeping it in one place.
By compiling a national list of registered voters, the federal government could provide one-stop shopping for hackers and hostile foreign governments seeking to wreak havoc with elections, critics say.
“Coordinating a national voter registration system located in the White House is akin to handing a zip drive to Russia,” said Kentucky Secretary of State Alison Lundergan Grimes, a Democrat who has refused to send data to the commission.
Trump, a Republican, appointed the commission, led by Vice President Mike Pence, to examine integrity of the voting system, including practices that “could lead to improper voter registrations and improper voting.” The president has asserted repeatedly and without evidence that several million fraudulent votes were cast in last year’s election. Voting experts say that there is not widespread election fraud in the U.S. But Russian meddling in the 2016 campaign and Russian attempts to meddle with state election systems have raised concerns about U.S. election security.
In June, commission Vice Chairman Kris Kobach, the Republican secretary of state in Kansas, asked state election officials for information about registered voters. The request included details such as driver’s license and partial Social Security numbers — if they’re considered public in the states. Several officials interpreted the request as saying that all the data would be made available publicly; the commission has since said that individual voters’ information would be kept private.
Fourteen states plus the District of Columbia say they won’t hand over the information, according to a tally by The Associated Press. Those that are complying have said that not everything on the commission’s checklist could be shared under their state laws. Social Security numbers are widely off limits; in several states, birthdates and political party registrations are, too.
The IRS, the Social Security Administration, banks and internet companies, among other entities, have far more information about many citizens. Political parties and other organizations have access to some voter registration information, though that permission often comes with restrictions on how they can use it and how widely they can share it.
Still, security experts and fair election advocates say that any records stored on computers are susceptible to attacks.
“It’s creating more security vulnerabilities in our election system that don’t seem to be necessary,” said Barbara Simons, president of Verified Voting, an organization that advocates for transparent, accurate and verifiable elections.
Still, Bruce Schneier, the chief technology officer at the online security firm IBM Resilient, said hacking into a federal database can’t affect voters’ information in their home states. He said having a copy of data that’s already on a federal hard drive “doesn’t make it that much worse, assuming the federal government isn’t idiotic about it.”
A massive database of the U.S. Office of Personnel Management was hacked in 2015, compromising the personnel records of millions of federal employees as well as the security clearance information for many of them, which included personal information about their friends and relatives. The hack compromised the information of up to 21 million people. U.S. officials have said there were attempts by Russians to hack into election systems in 21 states. The FBI has confirmed intrusions into voter registration databases in Arizona and Illinois.
Louisiana Secretary of State Tom Schedler, a Republican, said last month that “the release of private information creates a tremendous breach of trust with voters who work hard to protect themselves against identity fraud.” But in a statement this week, the Republican said he is not deeply worried about how the data the state is sharing will be guarded. “Because this data is public information, we have limited concerns regarding sharing it with the commission in terms of how it is housed,” he said.
Andrew Appel, a Princeton University computer science professor who studies voting technology, said a new federal voter information database probably would not allow a hacker to manipulate data to make it look like some eligible voters are ineligible. “If someone hacked their database, they could come to believe things that aren’t true,” Appel said.
Commission spokesman Marc Lotter said states will send the data through a secure connection and it will be encrypted and kept on a White House system “designed to handle sensitive information.”
Appel said states have all made some efforts to protect their own voter registration data from hacks. “At least initially,” he said, “the president’s commission didn’t seem to have in place any organized way to secure this data.”
In Maine, Secretary of State Matthew Dunlap, a Democrat who is a member of Trump’s voting commission, is not handing over the information.
Dunlap said the information the commission is getting from other states “isn’t wicked intimate” and may be too sparse to identity ineligible registered voters. Another commission member, Indiana Secretary of State Connie Lawson, said in a statement that the commission is aware of limitations of the data. But Lawson, a Republican, said the commission’s work using the information could help find ways to help states improve the “quality and integrity” of their voter rolls.
But it could still be hacked, Dunlap said.
“The best way to protect people’s private information,” Dunlap said, “is not to have it in the first place.”