Voter Registration Rolls in 2 States Are Called Vulnerable to Hackers

In the last five years, Maryland and Washington State have set up voter registration systems that make it easy for people to register to vote and update their address information online. The problem is that in both states, all the information required from voters to log in to the system is publicly available.

It took The New York Times less than three minutes to track down the information online needed to update the registrations of several prominent executives in Washington State. Complete voter lists, which include a name, birth date, addresses and party affiliation, can be easily bought — and are, right now, in the hands of thousands of campaign volunteers.

Computer security experts and voting rights activists argue that a hacker could use that information to, say, change a person’s address online to ensure that the voter never receives a ballot in Washington, where voting is now done entirely by mail. In Maryland, hackers could ensure that a voter is not listed on the precinct register at a designated polling station. In that case, the voter would be redirected to another precinct, or asked to fill out a provisional ballot. In both cases, the person would not be able to vote in local, or possibly, Congressional races.

But the real concern, critics say, is that large numbers of voters from one political party, or demographic, could have their information changed by automated computer programs. A program that could change tens of thousands of voter records at once, they say, would require only a dozen lines of code.

Rebecca Wilson, co-director of Save Our Votes, a voting rights nonprofit, said her organization did not initially track how states set up their online systems. “We thought, ‘How badly could you mess that up?’ Well, we learned,” Ms. Wilson said. “Now, anyone in the world can write a computer program that commits absentee ballot fraud on a mass scale.”

Maryland and Washington are not considered swing states in next month’s election, but as other states move to online registration systems, security experts worry that they will follow Maryland and Washington’s example.

Officials in the two states say that concerns of a widespread cyberattack are exaggerated. Washington officials point out that voters who do not receive their ballots can still print them online, and they say, they have never received a complaint about an address being unknowingly changed.

In Maryland, officials say they consult with their own security experts to pick up unusual patterns in online traffic, like an effort to change thousands of addresses from a single Internet address. They point out that address changes require a confirmation letter be sent to the new address. If that bounces back, the change is deemed invalid.

Washington officials also cite their use of “captchas,” which are meant to help weed out humans from computer programs. Captchas — those puzzles used by e-commerce sites that require people to type in a set of distorted letters and numbers — are easy for humans to read and retype but difficult for machines to decipher.

“What is technically possible and what realistically could happen are very different,” said Ross Goldstein, the deputy administrator for Maryland’s Board of Elections.

But security experts say that these measures are not enough to prevent a determined hacker from disenfranchising scores of voters and influencing an election. Critics say that hackers could use botnets, networks of infected computers, to change voters’ addresses. And new machine learning technologies can beat captchas, or people can be paid to type them in, in real time, for as a little as a penny per captcha or less.

“They could influence an election with 20,000 votes for less than a penny a head,” said J. Alex Halderman, one of the computer scientists who first discovered Washington’s loophole. “That would be a great return on investment for them.”

In Florida last month, Republican state officials paid a company $1.3 million to register voters, but county election officials noticed several registrations contained unauthorized address changes and names of dead people. Laws in the state make it difficult to vote if an address is recently changed.

“In theory, the same scenario is possible online, where it is much easier to do,” said Charles Stewart III, a political scientist at the Massachusetts Institute of Technology.

Last week, Mr. Halderman, David Jefferson, a computer scientist at Lawrence Livermore National Laboratories, and Barbara Simons, a retired IBM computer scientist, sent a letter to Washington and Maryland election officials with seven recommendations for security, including authenticating voters with nonpublic information like the last four digits of their Social Security numbers and setting up disaster plans that would let them shut down their systems during an attack.

Shane Hamlin, Washington’s co-director of elections, said that the state’s registration closed last week, but that his team planned to review transaction logs for unusual activity. “Their suggestions are all reasonable and doable,” Mr. Hamlin said. “Some we have in place and can build on, some are longer term.”

The computer scientists say that they have yet to receive a response from Mr. Hamlin’s counterparts in Maryland, where online registration remains open.

“We want to make voting as accessible as possible,” Mr. Goldstein said. But “there’s always risk in all systems.”