Illinois State Board of Elections Punts on Protecting Voters
Activist-researchers issue warning
November 20, 2017 - Illinois voter data is still at risk of misuse and hacking, after the Illinois State Board of Elections (SBE) failed today to approve a motion to exit the controversial Interstate Voter Registration Crosscheck program (“Crosscheck”). The vote broke down along partisan lines, with four members voting to leave the flawed program while four members voted to remain.
The four who voted to stay were appointed by Governor Bruce Rauner, who in March announced a major state cybersecurity initiative.
Crosscheck is a national voter verification program operated by Kansas election officials. It collects voter registration information from participating states and “crosschecks” the data to find duplicate registrations. Recent research by Indivisible Chicago has exposed numerous security flaws and raised questions about how the data is used.
In response to Indivisible Chicago’s revelations, Kansas officials have just announced plans to redesign their system. Notwithstanding this redesign, which will involve unknown changes and unknown costs, Indivisible Chicago says Illinois’ continued participation is a mistake.
Indivisible Chicago suggests that to protect Illinois voters, the Board should:
Focus on ERIC, the Electronic Registration Information Center, another voter verification system in which Illinois already participates. ERIC is free of Crosscheck’s security and data-quality flaws. Illinois should continue to use it and encourage surrounding states to do the same.
Refrain from sending any Illinois voter data to Crosscheck until its flaws are repaired, an independent security assessment is completed, the new costs of the system are known, and a new vote is taken on whether to continue participation in the modified program.
If remaining in the program, ensure that the known data quality problems are rectified, that participating states are following the National Voter Registration Act, and the system is managed by a non-partisan body.
Indivisible Chicago’s research on this issue has revealed major security problems with Crosscheck. Usernames and passwords to critical systems and encrypted files have been emailed in plain text; the server used to transmit and store 100 million voter records does not implement any encryption protocols; the firewall protecting this data misconfigured. While the SBE and Kansas have previously sought to minimize the seriousness of these security lapses, the fact that policies and systems are now being changed clearly acknowledges that for years the system has in fact operated under outdated and irresponsible security practices.
Indivisible Chicago also found serious deficiencies in the quality of Crosscheck data. Illinois receives approximately 230,000 “potential duplicate registrants” records every year that do not match on the last four digits of social security number. This would be a simple matter for Crosscheck to correct. The failure to remedy such an obvious flaw only helps to perpetuate the impression that one aim of the program is to produce highly inflated numbers of “potential duplicate registrants” to serve Kansas Secretary of State Kris Kobach’s fantasy of wide-scale voter fraud.
Indivisible Chicago thanks the SBE for considering this important matter and for taking seriously the security vulnerabilities of the Crosscheck program. We will continue to work with the SBE to monitor upcoming changes in the system. Likewise, we will continue to work with our legislators and the SBE to ensure voter data is adequately protected, to increase transparency in how voter rolls are maintained, and to ensure that Illinois’ data is never used to disenfranchise voters in neighboring states.
Contact: Steve Held