The Many Problems of Crosscheck
Crosscheck's matching algorithm is fundamentally flawed, predominantly producing false positives. This is likely not a bug but a feature of the system as it generates far higher numbers of "matches" than truly exist, fueling Kobach's false narrative of wide-spread voter fraud. The nature of the algorithm disproportionately impacts people of color, putting them at risk of accidental purge from the voting rolls. On top of the time wasted by election officials processing data that is largely garbage, states have sometimes sent the wrong data, causing a complete do-over of the Crosscheck analysis. If all of this isn't bad enough, the system is fundamentally unsecure, carelessly exposing 100 million registered voters to hackers and potential identity theft.
Crosscheck's fatal flaws:
- Poor matching algorithm, bad data quality
- Security\Data Privacy
- Discriminatory Impact
- Voter Suppression
A fundamental flaw of Crosscheck is the simplistic matching algorithm, which leads to a large number of false positive "matches". The system runs a simple two-point match across voter records: first name and last name plus date of birth. This means people with common names or Jr./Sr. pairs are more likely to end up on states' Crosscheck "match" lists. The system takes no steps to use other data points or data sources to improve the accuracy of it's results. For example, in cases where a middle name or last four digits of a social security differ, Crosscheck still counts this as a match. Crosscheck could take simple steps to improve data quality, such as utilizing the U.S. Postal Service's National Change of Address system or it could exclude records where SSN4 doesn't match, but it does not.
Based on data reported out by participating states (see state-by-state analysis), 75% to 90% of the data produced by Crosscheck is low-quality, meaning data such as SSN4 differs or is missing in Crosscheck's "matches". Given that most states receive hundreds of thousands of "matches" to process, this is an enormous burden on state and county election officials to process out the small percentage of actual matches.
When it comes to finding actual double votes, a recent study found that when a pair of "matches" indicates both registered voters voted in a given election, 99.5% had different SSN4s! This means in a state where Kobach might imply 1,000 double votes were cast based on Crosscheck data, in reality, no more than 5 of these are likely to be instances of illegal double voting. Other studies, by Republicans, have found the real percentage of double votes to be substantially smaller.
The security protocols and procedures employed by Crosscheck are, in a word, terrible. Here is a high-level summary of the data exchange process and then we'll cover what they do right and what they do wrong.
- Every year, in January, Arkansas' IT staff sends an email to the primary contacts within each participating state. This email includes the IP address to their File Transfer Protocol (FTP) server and that state's unique username and password to login to the system.
- Each state then exports their voter data, including the last four digits of social security number, to the prescribed Crosscheck file format. They encrypt the file, upload it to the Arkansas FTP server, and then send an email to Kansas personnel with the password used to encrypt the file.
- Kansas downloads each state's voter file from the Arkansas FTP server to an internal system and decrypts it with the password they received via email. Kansas claims they delete the full voter file from the Arkansas server at this time.
- Once all states' files have been downloaded by Kansas, they run the Crosscheck analysis which generates a result file of potential matches for each state.
- Kansas encrypts each of the state's result files - using the same password for every state's file - and then uploads all of the results files to the Arkansas FTP server.
- Kansas sends a single email to all of the contacts in all of the participating states letting them know that the analysis is complete, that their file is available for download, and the encryption password.
- Each state logs into the Arkansas server to download their result file. They decrypt the file and then, depending on the state they "pre-process" the file to filter out the obvious false positives or they load the full result set into their systems for manual processing. Kansas claims that states then delete their result file from the Arkansas server.
What Crosscheck does right
- The voter file and result files are encrypted.
- The Arkansas FTP server is IP-restricted, meaning only systems within each election authority or state government can access the server.
What Crosscheck does wrong
While some of this is documented in the Crosscheck Participation Guide, most of this detail has been discovered via FOIA requests to participating states.
- Arkansas IT emails the FTP server IP address/URL and the username and the password every year to each state's election authorities. The passwords are not encrypted.
- The FTP server is not SFTP or FTPS. This means the transmission from states to Arkansas is not encrypted. Just like your web-browser would warn you about never sending names, passwords, or credit card information to a website not running HTTPS, no one who cares about security would send sensitive data to a simple FTP server. This means every state's username and password is sent in the clear across the internet every time they login to the server.
- The username and password used by states to access the Arkansas FTP server often do not change from year to year.
- Every state emails the encryption password to their voter file to Kansas personnel. The passwords are not encrypted.
- Some states do not use complex passwords and follow predictable patterns in their passwords used to protect their entire voter file. For example, we know Illinois encrypted their 2012 voter file with the password election$2012 and in 2014 they used election$2014. Seriously.
- Kansas uses the same password to encrypt every participating state's result file.
- Kansas then emails the encryption password for results files, in a single email, to every participating state's contacts. The email with this password typically is sent to 40 to 80 recipients.
Robust security is built on layers. Crosscheck's security puts almost exclusive trust in the IP-restriction. If a state's systems were compromised where a hacker could control a system to contact the FTP server, all of the other information they need is sitting in emails.
Disproportionate Impact on People of Color
Because of cultural naming norms, people of color are more likely to be over-represented in a list of most common surnames. Since Crosscheck uses a simplistic name-matching scheme, voters with common surnames such as Gutierrez, Kim, Martinez, and Washington will appear on Crosscheck result lists with greater frequency than would otherwise be expected.
Voter Suppression Propaganda
Kansas Secretary of State, Kris Kobach, ran in 2010 on the notion that voter fraud was rampant in Kansas. Kobach has claimed and supports President's Trump ludicrous claim that millions of illegal votes were cast in 2016 and . He seems to base these claims on the number of "potential duplicate voters" produced out of Crosscheck, which we know to be largely false positives.
When running for Secretary of State in 2009, the Wichita Eagle reported:
Kobach was granted the power to prosecute instances of voter fraud in 2015 - he is the only Secretary of State in the nation with prosecutorial powers. Using a decade's worth of voter history, Kobach has successfully prosecuted nine people for double voting. Most of these were voters who were confused about election law, who thought it OK to vote in one jurisdiction for a national election, while voting in another jurisdiction in local elections or on local referenda. Eight of these nine turned out to be Republicans. He has never found a case of anyone voting ten times in an election.
Kobach uses his false statistics to push for voter ID laws and proof-of-citizenship requirements. He's recently been fined by a federal judge for lying to the court about his intentions to try to change federal law to allow states to implement more stringent laws to make it harder to vote.