Election officials are pushing back against a new Harvard study saying hackers could disenfranchise Americans in 35 states and the District of Columbia by exploiting vulnerabilities in online voter registration systems.
The study published Wednesday in the journal Technology Sciencesays hackers could buy — either from commercial data brokers or more cheaply from cybercriminals — all the personal data they need about millions of Americans to fraudulently alter voter registration records online. Calling it “voter identity theft,” journal Editor-in-Chief Latanya Sweeney, who is also a Harvard professor, and co-authors Ji Su Yoo and Jinyan Zang say a broad scale attack on several states could be carried out with data costing just a few thousand dollars.
But state elections officials told CyberScoop the report was overblown. “The study doesn’t reflect the safeguards that the states have in place to guard against this sort of thing,” said Indiana Secretary of State Connie Lawson, this year’s president of the National Association of Secretaries of State, or NASS. “I’m disappointed that a Harvard professor would put out such a study with incomplete research and inaccuracies like that.”…
“The vast majority of states mentioned in the report already do the things [the authors] recommend [as mitigations] and take security measures … to prevent bulk changes to voter records,” said Judd Choate, elections director for Colorado and president of NASED.
He noted that the vulnerabilities highlighted — essentially that someone with enough personal data could impersonate a voter and change their registration record — had nothing to do with the online availability of the process but were inherent in any system of voter self-registration.
Similar identity theft issues also exist with paper registration through the mail, Choate added.
See also this statement from the BPC’s John Fortier and Matt Weil.