Tag Archives: Cross Check

They’ve Only Just Begun: Hacking the Silver State?

If the President of the US isn’t all that interested in how the Russians hacked and meddled in the 2016 election, voters and voting officials in the US should be, and this includes the state of Nevada.  There are several layers to the issues, the voting itself and the processes which are elements of the total election system.

Voting Machine Vulnerability

The good news is that Nevada has a relatively robust voting system in place that is more difficult for a foreign power — read Russian operatives — to hack, the bad news is that the Sequoia (Dominion) system could still have some issues most related to “insider” attacks

“The software suffers from numerous programming errors, many of which have a high potential to introduce or exacerbate security weaknesses. These include buffer overflows, format string vulnerabilities, and type mismatch errors. In general, the software does not reflect defensive software engineering practices normally associated with high-assurance critical systems. There are many instances of poor or absent error and exception handling, and several cases where the software behavior does not match the comments and documentation. Some of these problems lead to potentially exploitable vulnerabilities that we identified, but even where there may not be an obvious vulnerability identified, the presence of such errors reduces our overall confidence in the soundness of the system as a whole.” [VerifiedVoting]

The problems associated with Nevada’s voting machines are mostly of the variety perpetrated by “insiders,” those who have control of the machines during set up, maintenance, and handling.  This is good news for preventing ‘rigging’ issues in terms of election outcomes being vulnerable to outside forces.  A statement from the Secretary of State describes the election audit system. (pdf)

Voter Registration Record Security

The election voter data isn’t quite so reassuring.  Nevada is a “member” of the Cross Check system.   The system certainly can be used to remove individuals from the voter rolls with deleterious effect, and the exchange between

voting officials and the Nevada ACLU isn’t all that comforting:

Wayne Thorley, Nevada’s deputy secretary of state for elections, counters that the program just matches data and doesn’t target anyone. “Just because someone comes back as a match on the Interstate Crosscheck list, it doesn’t automatically trigger cancellation of their account,” he said. “And then, further investigation is done by the state.” He said Nevada also uses the Electronic Registration Information Center to match names from the Crosscheck list with DMV records. Voters then get a postcard to verify their address and if they don’t respond and don’t vote in two elections, they’re dropped from the rolls. Tod Story, executive director of the Nevada ACLU, worries that the postcard system could be problematic. “It does not seem to be fair and certainly would affect more low-income and minority voters, who tend to be more transient, who are going to move more frequently,” he said. Thorley said that is certainly not the intent. “If that has a disparate impact on members of minority communities, I’m not aware of that,” added Thorley. “But it’s not targeted that way at all. We’re simply following the federal law.”

First, Mr. Thorley should be aware of “that” — there is, and has been demonstrated to be a disparate impact on members of minority groups.  Secondly, the post-card system is, and has been demonstrated to be, an ineffective way of contacting individuals who are ‘challenged’ under the Cross Check system.  [RS]  The results of using the Cross Check system are also not reassuring:

“The program has since expanded to 30 states, according to the National Conference of State Legislatures (NCSL), but it’s been controversial from the start. For one thing, it’s resulted in very few actual cases of fraud being referred for prosecution, as alleged cases of double voting in multiple states turned out to be clerical and other errors. One tally found that while the program has flagged 7.2 million possible double registrants, no more than four have actually been charged with deliberate double registration or double voting. Meanwhile, some states including Florida dropped out of the program due to doubts about the reliability of its data — though others, including the swing state of North Carolina, joined despite those issues.”  [TVN]

Get that? Out of 7.2 million ‘flagged’ 4 individuals have been charged with double registration or double voting.  In addition to obviously being ineffective (A 0.00005.5% catch rate doesn’t seem worth the effort) the collection would appear to be a grand place for a hacker to start if he or she has mischief in mind.

Initial Russian assaults are still a matter of confidentiality, no Secretaries of State have yet been cleared to receive the reports of hacking collected by our security agencies although there is testimony that 21 states were subjected to attacks of some kind. [LAT]  We do know that Illinois was one on the states in which voter registration rolls were hacked.

“The hack had nothing to do with counting the votes in elections in Illinois. The hackers looked at voting registration data: name, address, date of birth, gender and the last four digits in the Social Security number.

The hackers searched through about 80,000 records overall, with the elections board confirming that the records of just under 3,000 voters were viewed by the hackers.” [CST]

The Chicago Sun Times reported how the hack was accomplished, and how it was detected.   The state of Arizona also had a major scare, as reported by Michele Reagan, AZ Secretary of State:

Reagan said she was alerted to the hack after the Federal Bureau of Investigation found a credential — a username and login — for the state system for sale on the dark web.

“It was really frightening and scary considering we’re in charge of almost four million people’s information,” Reagan said.

Reagan said her office had a lot of decisions to make in short amount of time to protect voter safety and took the system offline.

“At that moment in time, the most important thing was what do we do with that database,” she said. “How do we inspect it? We need to make sure that no information was taken, no information was altered, a virus wasn’t inserted into that system.”

She said, while the voter database was hacked, the voting registration system was not.

“We got lucky once,” she said, adding that the state has added multi-factor authentication, required the changing and strengthening of passwords and made other tweaks to better protect the system. [KTAR]

It would be reassuring to know if Nevada has implemented “multi-factor authentication” and other measures to better secure Nevada voter data.

I’ve not read any reports to date assuring me that the Russian hacking was a “one-off” and unlikely to be replicated.  Indeed, nearly every article asserts that what we’ve seen in 2016 was only the beginning.  A few intrusions in anywhere from 21 to 39 states, a peek into voter information data, some attempts to ‘phish” their way into systems — and many warnings that this indicates increasing interest in going deeper into US elections rather than any foray for temporary recreational purposes.

Recommendations

Retain the sanctions placed on the Russians by the Obama Administration, and enact new and greater sanctions on them as proposed by the U.S. Senate.  House Republicans have stalled the bill which passed the Senate on a 98-2 vote. [NYT] As of June 23, 2017 the White House indicated it would step up lobbying efforts against the Russian sanctions bill. [WP]  Those tracking the progress of this bill will want to follow GovTrack S 722.

Review and potentially revise Nevada voter data security processes and products.  Have issues revolving around the infamous Cross Check program been resolved?  Have procedures been adopted that would prevent access such as happened in Illinois and Arizona?

Russian probing, and interference, will not stop…it will be up to the US Congress and the 50 states, to reject their efforts.

 

1 Comment

Filed under Nevada politics, Politics, Vote Suppression, Voting

Good Morning: The Administration wants all your voting data, and wants to make it public

The President’s “election commission,” established to cover his allegations that millions of illegal voters prevented His Vulgarity from attaining triumph in the popular vote, is requesting voter roll data from all 50 states. Nevada is included in this list.

“On Wednesday, all 50 states were sent letters from Kris Kobach — vice chair for the Presidential Advisory Commission on Election Integrity — requesting information on voter fraud, election security and copies of every state’s voter roll data.

The letter asked state officials to deliver the data within two weeks, and says that all information turned over to the commission will be made public. The letter does not explain what the commission plans to do with voter roll data, which often includes the names, ages and addresses of registered voters. The commission also asked for information beyond what is typically contained in voter registration records, including Social Security numbers and military status, if the state election databases contain it.” [ProPublica]  (emphasis added)

There are many layers of just how wrong this is.   First, and most obviously, why worry about Russian hacking into voter roll information for the purpose of making mischief if everything they want is right out there in public view?  Nothing like One Stop Shopping for voter data for the Kremlin?

Secondly,  conspicuously absent from the letter is any indication about what processes and procedures will be applied to protect voters’ privacy.  Mr. Kobach’s documented sloppy handling of his Cross Check program data is not reassuring.

Third, while full Social Security numbers may not be included, even partial number releases may be a bridge too far for those concerned with identity theft; and, does the Pentagon really want the status of members of the Armed Forces right out there for all the world to see?  How handy for the Bad Guys to have an instant way of finding out a soldier’s home address?

Finally (for the moment) there’s the purpose for which all this data is sought — rest assured, it’s NOT for the purpose of “election integrity,” in fact given the participation of Kobach and Von Spakovsky the obvious intent is to scramble the data for inclusion in a “report proving” that there’s a “need” for more voter suppression.

Nevada citizens who do NOT want their voter data/records shared in this haphazard and insecure way should call the office of Nevada’s Secretary of State: 775-684-5708, fax 775-684-5725; or e-mail at <sosmail@sos.nv.gov>

1 Comment

Filed under Nevada, Nevada politics, Politics, von Spakovsky, Vote Suppression, Voting

Warning: Vote Suppression Scheme includes Nevada

Crosscheck Nevada For those happily thinking that vote suppression schemes like CrossCheck are happening somewhere else, and that Republicans might be pulling shenanigans in lands far away – be WARNED as of 2013 Nevada joined the CrossCheck system.  And, not to his credit then Secretary of State Ross Miller bought into it.

First, consider the source, Kris Kobach. “So far, in his career, Kobach has been the guy that John Ashcroft tasked with weeding out foreign travelers in the wake of 9/11—and Kobach’s program was so deeply involved in racial profiling that it was shut down. He also was the author of Arizona’s notorious “Papers, Please” law.” [Esquire]

Second, consider HOW operation Cross Check works.

“Election officials in more than two dozen states have compiled lists of citizens whom they allege could be registered in more than one state – thus potentially able to cast multiple ballots – and eligible to be purged from the voter rolls.” [RS] (emphasis added)

The “could be” part of the sentence is important because it forms the basis of the vote suppression efforts.

“Crosscheck has tagged an astonishing 7.2 million suspects, yet we found no more than four perpetrators who have been charged with double voting or deliberate double registration.”  [RS]

How do 7.2 million people get to be “suspects?”  The methodology is incredibly sloppy.  If this isn’t by design then it’s at least a way to get the “most suspects possible” from a limited number of registrations.

“We found that one-fourth of the names on the list actually lacked a middle-name match. The system can also mistakenly identify fathers and sons as the same voter, ignoring designations of Jr. and Sr. A whole lot of people named “James Brown” are suspected of voting or registering twice, 357 of them in Georgia alone. But according to Crosscheck, James Willie Brown is supposed to be the same voter as James Arthur Brown. James Clifford Brown is allegedly the same voter as James Lynn Brown.” [RS]

It’s easy, if all the James Browns are lumped into one group then all become “suspect” and their voting rights denied on election day, as potential fraudulent voters.  Now imagine being a Smith, Johnson, Williams, Jones, Brown, Davis, Miller, Wilson, Moore, or Taylor in the United States – the top ten surnames in the 1990 census.  If Robert C. Brown moved to Nevada and didn’t bother to de-list his name from the Ohio rolls, Robert F. Brown could be struck from the list as a “potential” fraud. And, even if Robert C. Brown had absolutely NO intention of voting in Ohio, he’d still be viewed as a “potential” fraud.

RollingStone’s report continues:

“We had Mark Swedlund, a database expert whose clients include eBay and American Express, look at the data from Georgia and Virginia, and he was shocked by Crosscheck’s “childish methodology.” He added, “God forbid your name is Garcia, of which there are 858,000 in the U.S., and your first name is Joseph or Jose. You’re probably suspected of voting in 27 states.”

Including Nevada.  And who gets caught in this trap?

This inherent bias results in an astonishing one in six Hispanics, one in seven Asian-Americans and one in nine African-Americans in Crosscheck states landing on the list. Was the program designed to target voters of color? “I’m a data guy,” Swedlund says. “I can’t tell you what the intent was. I can only tell you what the outcome is. And the outcome is discriminatory against minorities.” [RS]

Why is this important? Because 27% of Nevada’s population is Hispanic.  9.3% of the Nevada population is African American. 8.5% is Asian. [Census]  What of the Social Security numbers and birthdays that were supposed to rectify this weakness in the Cross Check database?  The Social Security numbers weren’t on the lists Rolling Stone found.

According to the report, those entrapped by the Cross Check scheme are notified by a small print postcard which requires a response to the Secretary of State’s office.  It’s no secret who is less likely to return the post card – the young, the unemployed, those who move from job to job, minorities, women, and those in lower income brackets.  Precisely the people the Republicans don’t want voting.

The ACLU of Nevada has some voting tips for citizens of the state:

Check your voter registration status at least 30 days before the election. Locate your polling place and note the hours of operation.

Vote before Election Day, through early voting or absentee voting if possible. If you plan to vote at the polls, go early in the day to avoid the last-minute rush.

Bring identification even if it’s not required.

Read all instructions carefully. Take your time. Ask for help if you need it.”

We might want to add some additional tips – If you have a very common last name – If you have a surname which is common among ethnic minority populations – If you are a student – If you have moved recently – If you live in a neighborhood or precinct with a significant percentage of ethnic minority group population – Mark your calendar, perhaps on October 4th, and make certain of your voter registration well before the November 8th election.

Your vote counts – make sure it’s counted!

Comments Off on Warning: Vote Suppression Scheme includes Nevada

Filed under Vote Suppression, Voting