News of Russian hackers targeting Illinois adds urgency to signing of SB 2273
The Russian hacking of Illinois’ voter database is further galvanizing activists in support of a bill which would close a massive security vulnerability in Illinois’ voter database. SB 2273, currently awaiting Governor Rauner’s signature, will add new protection to voters’ personal data, apparently already at risk based on yesterday’s Justice Department indictment of twelve Russian military intelligence officers who “conspired to… interfere with the 2016 U.S. presidential election”. The indictment sheds new light on the scope of the attack against Illinois’ voter registration database, in which the Russians obtained names, addresses, partial social security numbers, dates of birth, and driver’s license numbers for approximately 500,000 Illinoisans.
SB 2273 modifies existing law to stop Illinois from sharing voter data with the Interstate Crosscheck system, which is riddled with security holes, according to research by Indivisible Chicago and others. As written, SB 2273 would allow Illinois to exclusively share voter data with either the Electronic Registration Information Center (ERIC) or through one-on-one agreements with bordering states for the purpose of maintaining voter rolls as citizens move in or out of the state.
Upon passage of SB 2273, Governor Rauner called the bill “troubling”, indicating his support of the state’s use of Crosscheck and suggesting he prefers to ignore the system’s security vulnerabilities. At least eight other states have abandoned the voluntary Crosscheck program, citing these security gaps, a blatant lack of accuracy, and the amount of manpower required to parse through bad data. Illinois participation in ERIC fulfills the objective to maintain accurate voter rolls, with modern security protocols and a greater degree of accuracy.
“I’m hopeful that our Governor now sees the risks of exposing our voter data in a new light and will sign SB 2273,” said Steve Held, one of the leaders of the Indivisible Chicago team fighting for data privacy protections and voter rights. “As we learn more about the scope of the 2016 hacks, it’s time to put partisanship aside and take election security and data privacy seriously. Illinois has already been the largest victim of state election hacks; it would be reckless to continue along the same path by sharing our data with those who have proven they are unable to secure it.”
The Sun-Times Editorial Board recently urged Governor Rauner to sign SB 2273 citing, “The system’s data, not always rigorously accurate, has been cited by the administration to make specious claims of voter fraud, justifying anti-democratic limits on voter registration.”
Crosscheck is ostensibly used by election officials as an additional source to maintain voter rolls; however, it has been plagued by a series of security vulnerabilities which has resulted in the suspension of the program while the Department of Homeland Security conducts a security audit following the release of voters’ private information. Crosscheck is managed by Kansas Secretary of State Kris Kobach, who was chosen by President Trump as the vice chairman and spokesperson for his failed commission on voter fraud, and last spring was held in contempt by a federal judge for failing to notify thousands of Kansans in 2016 that they were registered to vote.
In recent months other states have quit the Crosscheck program. They’re responding to increasing evidence that Crosscheck leaves voters vulnerable to identity theft through the insecure handling of sensitive data. In just this past month:
- Both Massachusetts and Kentucky have announced that they are abandoning the Crosscheck program.
- Last month a federal judge blocked Indiana’s use of Crosscheck to purge voters.
- The ACLU of Kansas is now suing Kansas for exposing nearly 1,000 Kansans voter data in its management of the Crosscheck program. Florida election officials acknowledged that the personal data for nearly 1,000 Kansans was compromised as a result of their participation in the Crosscheck program, prompting Florida to offer to pay for LifeLock protection to all impacted Kansans. This data had been shared with a Kansas-based Voters Against Crosscheck as a result of a public records request and subsequently shared with Indivisible Chicago.
- Missouri, one of the original founding states in Crosscheck, along with South Carolina and Florida have announced that they are joining the ERIC program to maintain voter roll.
- After months of assurances from Kansas Secretary of State Kobach and Director of Elections Bryan Caskey that Kansas’ systems were secure, Netragard, a security research firm found that the Kansas government’s network was “significantly exposed”, posing a risk to all Kansas systems, including the Crosscheck database.
- Gizmodo reported the careless exposure of the last four digits of social security numbers for thousands of Kansas state employees, including 90% of Kansas legislators and Secretary Kobach himself.
Crosscheck is a program created and operated by Kansas election officials. It collects voter registration information from participating states and “crosschecks” the data to find duplicate registrations. This program is the primary source for Kobach and Trump when citing “millions of illegal voters”. Yet, the program’s algorithm to identify illegal voters has been widely discredited and Kansas authorities who oversee the program have refused to take basic steps to improve the accuracy of the results. Therefore, Crosscheck generates intentionally-inflated statistics that exaggerate the instances of actual voter fraud by a factor of over 1,000.
Recent research by Indivisible Chicago has exposed numerous security flaws and raised questions about how the data is used. This includes:
- Usernames and passwords to critical systems and encrypted files emailed in plain text;
- A lack of encryption protocols for the server used to transmit and store 100 million voter records; and,
- A misconfigured firewall protecting this voter data is misconfigured.
Illinois is among 25 states that share personal information such as date of birth and partial social security numbers directly with Crosscheck, which puts voters at risk of identity theft. While the SBE has the authority to leave the Crosscheck program, a December vote on the question was defeated when all four Republican SBE Board Members voted to remain in the program. That’s when Indivisible Chicago intensified grassroots efforts to pass a state law to protect voter data from insecure, centralized databases such as Crosscheck.
Crosscheck is known to be misused by some participating states. Indiana currently faces multiple lawsuits alleging violations of the National Voter Registration Act of 1993 (NVRA) based on their over reliance on Crosscheck, because the system is widely known to be highly inaccurate. Indiana purges voters from the rolls without sending proper cancellation notifications based solely on Crosscheck matches. Indiana purged over one million voters from the rolls between 2014 and 2016 and has purged over 500,000 voters since the 2016 election.
Indivisible Chicago is leading the call for every state, including Illinois, to withdraw from Crosscheck both to protect sensitive data that can lead to identity theft and as a moral stand against voter suppression efforts. To learn more and to join this fight, visit https://endcrosscheck.com.