Welcome back to Securing Digital Democracy. The security of elections isn't just about the security of computer hardware and software. It's also about the security of the procedures involved and the security precautions taken by the people who execute those procedures: the election officials and the volunteer poll workers, the entire process. In today's lecture we're going to shift our attention and focus on a few of these procedural elements of election security. By applying the security mindset, we're going to see some of the important trade-offs involved and how some of these procedures, if they're not done correctly, can create new opportunities for fraud. The first kind of procedure I want to talk about is voter registration. People who are not from the U.S. might not have much of an idea what this is, because voter registration is something that's required in very few other countries. But in the U.S., voters are required to register in advance, to send in some paperwork, to secure their ability to participate in the election. Registration was introduced originally as a security feature. It helps to secure the election by making sure there's some way for poll workers and election officials to check that everyone who shows up is eligible to vote. It also provides a way to guard against duplicate voters, because you can have a list of all the eligible voters and just cross them off that list. Today all states except North Dakota require voters to register in advance, although you only have to register once unless you move, so the burden is less than if you had to register for every election. In the past two decades there have been a number of initiatives to try to make the process of registration easier for voters. The motor voter law, which required states to give voters the opportunity to register to vote when they renewed their driver's licenses, is one example.
A few states allow you to register right up until election day, but in most states you have to register 30 days in advance. Usually registration requires filling out a form and, for instance, sending it in the mail. But a few states, as we'll see, have introduced forms of online voter registration that sometimes introduce their own new security issues. Let's think a little first, though, about some of the trade-offs involved in voter registration. As I said, voter registration can be thought of as a security feature. It's a way to try to cut down on duplicate voting and fraudulent voting by people who are not eligible. On the other hand, registration introduces a barrier to enfranchisement because it adds obstacles to taking part in the election process. The sad fact is that in the U.S. today almost one-third of eligible citizens are not registered to vote. This is one way to see what an impediment this might be creating. So let's look at a voter registration application. Voter registration forms have been largely standardized by federal law, but each state handles the process of registration separately and has its own voter registration lists. The voter registration form is going to ask for your name, your address, your phone number, your date of birth. And in most places you also have an opportunity to declare a party affiliation. This is because the parties in many states conduct closed primaries, where only members of that party can vote in that party's primary. There are also two fields on here that are collected in order to later authenticate voters when they go to the polls. One is an ID number, which in most states is either a driver's license number or part of your Social Security number. There's also a box for your signature, and as we'll see, signature validation is part of the voter authentication process.
The form, though, has some very interesting features that show how it's also designed to try to make the process as inclusive as possible. This, on the second half of the form, is one of these really incredible features. If you don't have an address (and you can imagine who wouldn't have an address: say you live in an extremely rural area with no street address, or you don't have a proper home), you can draw a map to the place where you reside. This will then be used by the election officials to find you later if they need to follow up, or to make sure that you are placed within the right election district and voting for the candidates who are running for office in the place where you live. So what happens to the information you fill out on these voter registration forms? In each state, it goes into a voter registration database. States each maintain their own database of registered voters, and these databases raise a number of security issues. One question about voter registration databases is how the data is authenticated. Even though they request an ID number, for instance, and a name and address, what can states do to make sure that this data really belongs to someone who is eligible to vote? They can make sure that your declared birth date is old enough for someone who's eligible. What else can they do? Well, what some states do is try to match the data that you filled out on the form against other databases they have, like the database of driver's licenses. But matching this data can be difficult. If you try to match it too strictly, like requiring that the name be exactly the same, this can lead to cases where people are falsely rejected, perhaps just because the data has been keyed into the databases in different ways. Maybe the name's in a slightly different form, Alex versus J. Alex, for instance. And so matching too strictly results in voters being rejected.
On the other hand, if you match too leniently, maybe some people who really aren't eligible aren't going to be caught. So there's another kind of trade-off there, between voter authentication and enfranchisement. Another place where this kind of trade-off comes up has to do with the fact that most states prohibit people who have been convicted of serious crimes, of felonies, from participating in further elections, at least for a period of time after their convictions. Some states implement this by producing a list of people who are convicted felons and trying to match that list against the data in their voter registration databases. This creates the same kind of matching problem. Obviously there are going to be some false positives if you just take the names of convicted felons and remove anyone with that same name from the list, but that's exactly what some states do. So if John Smith is a convicted felon, then perhaps anyone with that name is going to be purged from the voter database. Most of those people, however, aren't the person that the state is looking for. In some cases, states even apply approximate matching. They'll accept any variant of the name: John Smith or Jonathan Smith, for instance, would both be removed if John Smith is a convicted felon. Unfortunately, most voters who are purged from the records in this way won't notice until they come in on election day and are told that they're no longer registered. So this creates a big possibility for shenanigans and politically motivated manipulation of the voter rolls. Another kind of trade-off that's introduced by voter registration databases has to do with a tension between security and privacy. The information that's collected (name, address, signature, date of birth, telephone number, gender, party affiliation, ID number) is all stored in this massive voter registration database, and there's a question of who can then access that data.
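To make the matching trade-off concrete, here is an added example (not from the lecture, and not any state's actual purge software) that runs a constructed felon list against a constructed voter list under three matching policies and scores who is wrongly purged or wrongly kept. The nickname table and the hidden `person` ground-truth field are assumptions made for the demonstration.

```python
import re
import unicodedata

# Assumed nickname table for the lenient policy; real systems use much larger ones.
NICKNAMES = {"jon": "john", "jonathan": "john", "johnny": "john", "alexander": "alex"}

def normalize(name):
    """Lowercase, strip accents and punctuation, collapse whitespace."""
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z\s]", " ", name.lower()).split())

def key(record, mode):
    """Matching key for one record under a given policy."""
    parts = normalize(record["name"]).split()
    if mode == "lenient":                      # first + last only, nicknames folded
        first = NICKNAMES.get(parts[0], parts[0])
        return f"{first} {parts[-1]}"
    if mode == "strict+dob":                   # exact name AND date of birth
        return (" ".join(parts), record["dob"])
    return " ".join(parts)                     # "strict": exact normalized full name

def purge(voters, felons, mode):
    """Simulate a purge: return (purged voter ids, false positives, false negatives)."""
    felon_keys = {key(f, mode) for f in felons}
    felon_people = {f["person"] for f in felons}   # ground truth, unknown to the matcher
    purged = {v["id"] for v in voters if key(v, mode) in felon_keys}
    false_pos = {v["id"] for v in voters if v["id"] in purged and v["person"] not in felon_people}
    false_neg = {v["id"] for v in voters if v["id"] not in purged and v["person"] in felon_people}
    return purged, false_pos, false_neg

# Constructed sample data. "person" is a hidden identity used only to score the policies.
VOTERS = [
    {"id": "V1", "name": "John Smith",        "dob": "1970-03-02", "person": "P1"},
    {"id": "V2", "name": "John Smith",        "dob": "1985-11-17", "person": "P2"},
    {"id": "V3", "name": "Jonathan A. Smith", "dob": "1990-06-30", "person": "P3"},
    {"id": "V4", "name": "Alex Rivera",       "dob": "1978-01-09", "person": "P4"},
]
FELONS = [
    {"name": "John Smith",       "dob": "1970-03-02", "person": "P1"},
    {"name": "Alexander Rivera", "dob": "1978-01-09", "person": "P4"},  # keyed under full first name
]

if __name__ == "__main__":
    for mode in ("strict", "lenient", "strict+dob"):
        purged, fp, fn = purge(VOTERS, FELONS, mode)
        print(f"{mode:11s} purged={sorted(purged)} false_pos={sorted(fp)} false_neg={sorted(fn)}")
```

Name-only strict matching purges the wrong John Smith, lenient matching purges two innocent voters, and adding date of birth removes the false positives while still missing the record keyed under a different first name.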
Most of those fields are generally made public. The voter registration database for each state can usually be obtained as a matter of public record, or even in some cases purchased from the state or perused on the state website. But who can use this data? Is it going to be repurposed for other things? Can it be used by the government for other purposes, for instance? In many states the voter registration list is also used to select people for jury duty. So this creates a trade-off: if you don't want to be asked to perform jury duty, then that's a reason not to register to vote. That seems like an unfortunate drawback to introduce. Another question is use by political parties, and in almost all states this data is available to parties and they can repurpose it for campaign purposes. Let me show you an example of that. This is an application that was introduced this year by the Obama campaign. It's called Is Your Neighbor a Democrat? All they're doing is collecting the state voter registration databases and tying them together with some mapping software, so that they can show you who lives in a certain area near you and is a registered Democrat. And then they're encouraging volunteers to go out and campaign to those people, encourage them to vote on election day, and so forth. But I think a lot of people find it creepy that this information about them is so easily accessible and just available to anyone who wants it. Commercial reuse of the data in the voter registration databases is another privacy issue. Can companies who are assembling profiles of people tie this data to other databases? That's allowed in most states and is fairly easy to do. You could then combine the party a voter is registered with with other information about, say, how much their home is worth or how much credit card debt they have, to form a more complete picture of them for marketing purposes.
This is another sort of thing that creeps people out about these databases that are being assembled. Another security question that's raised is who can modify and change the data. Are the access controls that are in place strong enough to prevent malicious insiders, for instance, or hackers who breach the system, from corrupting the voter registration database and perhaps making certain people who should be eligible to vote no longer appear in that data? We're going to see one example of how limited access control can create security problems in just a second. But first, I want to give you a reminder about ethics. A big part of the security mindset that I want to teach in this course is about thinking like an attacker. And in order to think like an attacker, you need to understand the attacker's methods, the attacker's techniques. You have to understand how security can fail. But sometimes when you learn these things, this can be dangerous knowledge. If you applied it in a way that was unethical or illegal, you could do a lot of harm, and you could get into a lot of trouble. So I want to remind you, first, that with the information you learn in this class, you're under a tremendous ethical obligation to use it wisely and to not cause real-world harm. Second, I want to remind you that there are very, very strict laws about computer hacking and about election fraud, and if you use this information in a way that is not appropriate, for instance trying to breach a real system, you can be convicted under those laws, you can be fined, you can go to jail. This is very serious stuff. That said, the information I'm about to tell you is information that I think is highly relevant to the course and to your understanding of some of the threats to digital democracy.
So I want to give you an example now of a place where a voter registration database is not being securely controlled, and this example is the voter registration database in Washington State. Other states' voter registration databases likely have similar problems, but I'm going to use Washington State as an example because it's one that's been documented. One thing you need to know about Washington State is that almost all of the voters there vote by mail. Unlike most states, they don't do in-person polling; instead you receive a ballot in the mail in advance, fill it in, and mail it back to the election officials. So the voter registration database in Washington State plays a dual role. First, it maintains the list of eligible voters, and second, it lets the election officials know which address they should send your ballot to. So let's see what it takes to log in to the voter registration database in Washington State. They provide an online application to let voters see and update their records. We're going to use the data for a fictitious voter, but let's think like an attacker and suppose that you know the name of someone who lives in Washington State and want to try to attack them. Let's say you want to try to have their ballot misdirected to another address so that they won't have an opportunity to participate in the election. How strongly does the system protect against this sort of attack? Well, first of all, to log into the online system, the voter puts in their name and date of birth. We don't know their date of birth; we just know the person's name. So how can we, the attacker, figure this out? Well, the date of birth is one of those fields collected during the voter registration process, and the voter registration database is a public record. So we can just find a website where we can search the voter registration database and put in the name of our target.
And we can see the voter registration record, which includes the voter's date of birth. With that, let's go back to the voter registration update website. We can put in the date of birth, and the website will show us more information. It's going to show us basically the address they have on file and ask whether we want to update it. Our target as the attacker is to misdirect the ballot, so what we want to do is update the address. When we go to the update address page, we see that it's asking for just a bit more information. This might be an impediment to our attack. What it needs is a middle name, a gender, which we presumably know from the name, and a driver's license number. So the driver's license number seems to be the field that they are actually relying on to make it so we can't just change this person's registered address using public information. So are we stuck? This is your chance to think about what could go wrong. How could we proceed with the attack? All we need to know now to change the voter's registered address is the middle name and driver's license number. How could an actual attacker fraudulently change this voter's registration information? Well, it turns out that Washington State is one of a handful of states where the driver's license number is actually not a piece of secret information. Instead, it's calculated from other information about the person. It's not just assigned randomly or in order of when you get your driver's license. There's a computer algorithm, a series of steps, that works forward from the voter's name and other information to produce the driver's license number, and that algorithm is publicly known. You can go to websites like this, put in some information about the person, just their full name and date of birth, and compute their driver's license number. Here the site is going to show us two possibilities.
The first one is the license number that the person would have gotten if there was no one else with the same name and date of birth. The second one is an alternate if there was someone else. So we can guess that this person is the first John Q. Public born on that date to apply for a license, just try that first number, put it into the state voter registration database update form, and proceed to a page that will let us change his address. So this kind of attack is pretty scary. In a state that votes entirely by mail, it's a very serious thing if criminals can go into the election database through the web and change the addresses where people are going to receive their ballots. You can even imagine a wide-scale attack where someone tried to automate this process and change the voter registration information automatically for large numbers of people right before the deadline for mailing out those ballots. This could be one way of disrupting and corrupting the electoral process. Clearly, voter registration databases like this need stronger protections. One way that the state could protect against this would be to mail out confirmation before changing your address: say, send a card to your old address and new address saying that your address is going to be changed and telling you to call up the officials if something seems amiss. As far as I know, Washington State has not implemented a protection like this, but it seems like a key part of the validation process needed to maintain the integrity of the registration system.
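As an added example (not from the lecture, and not Washington State's actual system), here is defender-side logic for the two points this passage raises: spotting a burst of address changes for many different voters coming from one source, and holding a change for mailed confirmation cards instead of applying it at once when it is suspicious or lands just before ballots go out. The log format, IP addresses, thresholds, quiet period and ballot mailing date are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines (not real data): one per address-change request to the online site.
LOG = """\
2012-10-10T09:02:11Z addr_change voter=WA-000123 src=198.51.100.7
2012-10-11T02:13:05Z addr_change voter=WA-001001 src=203.0.113.9
2012-10-11T02:13:08Z addr_change voter=WA-001002 src=203.0.113.9
2012-10-11T02:13:11Z addr_change voter=WA-001003 src=203.0.113.9
2012-10-11T02:13:14Z addr_change voter=WA-001004 src=203.0.113.9
2012-10-11T14:30:00Z addr_change voter=WA-000456 src=198.51.100.20
2012-10-20T10:00:00Z addr_change voter=WA-000789 src=198.51.100.33
"""

def parse(log):
    """Turn log lines into (timestamp, voter_id, source_ip) tuples."""
    events = []
    for line in log.splitlines():
        ts, event, voter, src = line.split()
        if event == "addr_change":
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           voter.split("=", 1)[1], src.split("=", 1)[1]))
    return events

def bulk_sources(events, window=timedelta(minutes=10), max_voters=3):
    """Sources that changed more than max_voters distinct voters' addresses inside one window."""
    by_src = defaultdict(list)
    for ts, voter, src in events:
        by_src[src].append((ts, voter))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            voters = {v for t, v in items[i:] if t - start <= window}
            if len(voters) > max_voters:
                flagged[src] = len(voters)
                break
    return flagged

def review(log, ballot_mailing, quiet_period=timedelta(days=7)):
    """Per request: apply immediately, or HOLD pending confirmation cards mailed to both the old
    and new address, when the source is flagged or the request falls inside the quiet period."""
    mailing = datetime.strptime(ballot_mailing, "%Y-%m-%d")
    events = parse(log)
    flagged = bulk_sources(events)
    return [(voter, "HOLD" if src in flagged or mailing - ts <= quiet_period else "apply")
            for ts, voter, src in events]

if __name__ == "__main__":
    for voter, decision in review(LOG, "2012-10-25"):
        print(voter, decision)
```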