FOIA Documents - Security Failures
Below you will find documents obtained by Indivisible Chicago as a result of Freedom of Information Act (FOIA) requests. Most documents are from Illinois - we've noted where docs were obtained from other states. Where you see photos of documents, these generally have "yellow paper" redactions instead of the black marker redactions. The "yellow paper" are our redactions of usernames and passwords that states inadvertently released to us. While the Illinois State Board of Elections (SBE) says they are unconcerned about these passwords being known, we're less certain about that so we are refraining from publishing. Unfortunately, we take data security more seriously than our government officials.
The primary problem though is not that we have these passwords, but that every official and IT department involved in this process sends usernames, login passwords, and encryption passwords in clear text in email - sometimes with up to eighty recipients. Anyone could have these passwords and could have had them at a time they could have been used - and our election authorities would be none the wiser.
Crosscheck also asks states to login to an FTP server that does not encrypt traffic to then upload their entire voter file. This means that every state's username and password to this central server housing 100 million voter records is sent in clear text across the Internet. These are astounding security lapses, and yet, following an unprecedented rash of hacks against voter registration systems in 2016, Crosscheck and the our election authorities changed nothing and continued their poor security practices in 2017.
Documents on this page include:
- Illinois SBE IT asks Kansas how Crosscheck works and if it's secure, July 2017
- Arkansas & Kansas confirm they do not use secure FTP protocols, July 2017
- Kansas Director of Elections stating FTP username/passwords are not emailed (they are), 2010
- Arkansas decides not to change passwords, 2011
- Emails with the FTP server username/passwords, 2012 through 2017
- Passwords to Crosscheck Results files for all states, 2011 through 2017
- Illinois State Board of Elections, full voter file encryption password, 2012 through 2017
ILLINOIS SBE'S BASIC QUESTIONS...
Only after Indivisible Chicago started asking questions, the Illinois SBE asked Arkansas and Kansas how the system works and how it's secured.
Why weren't these questions asked in 2011 before we started sending voter data? We know they weren't, because we have all of their emails about Crosscheck.
NOT SECURE FTP
In one of the most shocking revelations, Arkansas and Kansas acknowledge that what they've called "secure FTP" for years is in fact, not "secure". Traffic to this server is not encrypted at all, meaning every state's username and password has traveled in plain text across the internet.
This is entirely consistent for Kobach. In the Commission's first request for data, he asked states to send entire voter files, including SSN4, via unencrypted email or they could send to this "secure FTP server". As of Oct 2017 accessing the site warns the site is not secure and is using an invalid SSL certificate. Seriously.
KANSAS SAYS FTP PASSWORDS ARE NOT SENT VIA EMAIL
Officials seem to know emailing usernames and passwords is a terrible practice, yet in the same email Kansas asks states to email their encryption passwords.
As we'll see, they do in fact email the FTP username and password every year - and it seems to never change.
DECISION NOT TO CHANGE PASSWORDS
Arkansas let's states know that they will not change passwords to the FTP server as previously planned, because they are too busy.
NOTE: This is what happens in a "free" program...
USERNAMES AND PASSWORDS TO ARKANSAS FTP SERVER (2012 TO 2017)
Arkansas emails every state the URL to the server, their username and password (all in a single email) to access the FTP server which housed 45 million voter records in 2012 and 98 million voter records in 2017.
Not only does this username/password sit in email, it's emailed every year, it seems to be the same every year, and the server connection is not encrypted, meaning this username and password is transmitted across the internet in plain text.
CROSSCHECK RESULTS ENCRYPTION PASSWORDS (2011 TO 2017)
Kansas sets the encryption password for every participating state's results file to the same password. They send this password to dozens of people on a single email ever year. In total these files contain 2.4 million (2011) to 14.4 million voter records, including SSN4. We actually have all of these passwords now, assembled from other open records requests.
ILLINOIS VOTER FILE ENCRYPTION PASSWORD (2012 TO 2017)
Illinois emails Kansas the encryption password to the state's entire set of 8.8 million Illinois voter records, including last four digits of social security numbers. This is how Kansas instructs states to send their encryption passwords, so every Crosscheck state is almost certainly doing this.