The letter warned that anyone with access to a Maryland voter’s full name and birth date could exploit a simple online tool to change the voter’s address, party affiliation or other information. Such changes, especially a change of address, could lead to a voter’s ballot not being counted normally on Election Day.
Despite the urging of at least one board member to respond to the researchers, officials at the Maryland State Board of Elections said they never did so. The officials told The Washington Post they considered the hacking scenario outlined in the researchers’ letter highly unlikely.
Ross K. Goldstein, deputy administrator of the elections board, said the state had taken steps to protect voter files, such as monitoring patterns of changes made to voter files online, but he declined to provide specifics.
“I am not going to disclose what security steps we have taken or not taken,” Goldstein said. “We are confident the system is secure.”
As of Tuesday afternoon, the voter files of more than 107,000 Marylanders had been changed or created online since July, according to the board.
Goldstein and others at the board could not readily say how that number compared with similar periods before prior presidential elections, but they said said it probably represented a significant increase. The state sent postcards to more than 1 million residents alerting them that they could register online.
The researchers shared their correspondence to the board and detailed the potential vulnerabilities to The Washington Post on the condition that the information not be published until 9 p.m. Tuesday, when Maryland’s voter registration period closed and voter files could no longer be manipulated online.
According to the researchers, the crux of the problem is that Maryland linked its voter registration files to the state’s database of driver’s license numbers.
That move was designed to add a layer of security and to weed out suspicious voter files. But in Maryland, driver’s license numbers are derived from a resident’s name and birth date. Several Web sites can decode a driver’s license number using the latter two pieces of information. The researchers discovered Maryland’s problem after finding a similar vulnerability in Washington state’s new online voter registration system.
“It means if you know someone’s full legal name and birth date, you know their driver’s license number and you have all the information needed to tamper with their voter registration,” said Rebecca Wilson, a chief elections judge in Prince George’s County and co-director of the nonprofit Save Our Votes.
Wilson said that could be done easily in Maryland because the state sells voter rolls to campaigns seeking to canvass for votes.
Researchers said that with a relatively simple code, a computer attack could change the voter registration files of thousands of Maryland residents, and probably do so in a way that could avoid detection.
“These problems leave the system open to large-scale, automated fraud, and make the Maryland system among the most vulnerable of all the states’ new online voter registration systems,” wrote Michigan professor J. Alex Halderman, Lawrence Livermore cybersecurity expert David R. Jefferson and former IBM researcher Barbara Simons.
Goldstein disputed that assertion, saying that a hacking incident would be extremely difficult to pull off.
The researchers said the state had exacerbated the potential for tampering by not instituting basic safeguards.
When the address for a voter is changed online, for example, a postcard verifying the change is sent to a voter’s new address, but not the old one.
Wilson said the system is made even less secure because Maryland does not conduct any signature verification.
“We’re against ID requirements because they disenfranchise voters,” Wilson said. “But I have to be honest, Maryland is creating a lot of problems for the integrity of its voter registration — it could turn Maryland into the poster child for why we need voter ID.”