Crosscheck is ineffective and insecure. But states aren’t withdrawing

The program was meant to weed out ineligible voters but instead makes sensitive voter information vulnerable

Published April 28, 2018 12:59PM (EDT)

 (AP Photo/David Goldman)
(AP Photo/David Goldman)

This article originally appeared on Reveal from The Center for Investigative Reporting

reveal-logo-black-on-white
At least eight states have stopped using Kansas’ anti-voter fraud program because of its ineffectiveness, but put citizens’ personal data at risk by not formally withdrawing.

The Interstate Voter Registration Crosscheck Program was supposed to help states scrub ineligible voters, but many states have for years found the program’s data to be inaccurate and burdensome to verify. Rather than immediately cancelling the free program, these states continued to send sensitive voter information — in one case, for nearly a full decade — through a system with serious cybersecurity vulnerabilities.

Sending data through this insecure system had the potential of opening up millions of American citizens to identity theft.

Based on interviews with state election officials and communications obtained through public record requests, the following states have sent voter registration data to Crosscheck without using the analysis received in return to clean their voter lists: South Carolina, Kentucky, West Virginia, Georgia, North Carolina, Nevada, Louisiana and Colorado.

None of the states listed have submitted voter data into the Crosscheck program since these cybersecurity vulnerabilities were made public late last year.

Every year or two, participating states sent the full names and birthdays of their registered voters to Kansas Secretary of State Kris Kobach, who led President Trump’s short-lived voting commission, pushed false stories about voter fraud in New Hampshire and advocated for strict new rules to make registering to vote more difficult, the justification for which was eviscerated in court in recent days. In some cases, states have sent additional information like the last four digits of Social Security numbers.

Kansas has extended the window of time for submitting data in 2018 as it deals with security issues. No states have pulled out since the discovery, but at least a handful are now considering leaving the program over fears that they will expose their citizens to identity theft.

“Concerns about personal information being exposed have come to light only recently, and we are having internal discussions on how to proceed with that information in mind,” North Carolina election official Patrick Gannon said in statement. “If security concerns are addressed, receiving the data is helpful, but we cannot participate or provide data if we can’t be certain it is secure. No final decisions have been made.”

On the other hand, Colorado Director of Elections Judd Choate said his state currently has no plans to alter its participation in the program.

An evaluation recently conducted by the cybersecurity firm Netragard on behalf of Gizmodo discovered significant holes in security practices of the Kansas Secretary of State’s office, which manages Crosscheck. Netragard wasn’t able to penetrate Kansas’s computer networks, since it wasn’t hired by the state and breaching the system without explicit permission is against the law. Nevertheless, Netragard CEO Adriel Desautels was scathing in his analysis of the state’s cyber defenses.

“We have never had a client that had a network that was as grossly vulnerable as what we saw when looking at the open-source information for Kansas’s network,” he said. “The only word I can really use is ‘carelessness.’”

In addition, the secretary of state’s office sent citizens’ personal data in unencrypted emails to local election officials and both personal information and passwords to access voter registration data were turned over in public records requests.

While the security holes are serious, Kansas officials have insisted that there is no hard evidence hackers have successfully circumvented Crosscheck’s security for nefarious purposes. However, successful breaches can go undetected, especially from sophisticated attackers.

As of last year, 28 states in total were sending data into the program.

In return for sending their information to Kansas, local election officials receive reports flagging the names of voters who are registered in other states. Voters are only allowed to be registered in one state at a time.

However, that data is riddled with inaccuracies. A 2017 study from researchers at a coalition of leading universities found that for every one illegitimate voter it finds, Crosscheck flags 300 false matches.

Until the recent publicity about Crosscheck’s cybersecurity issues, states saw little risk in providing voter data to Crosscheck. If state and local officials didn’t feel like using the data, they were under no obligation to do so. Recent revelations about Crosscheck’s security have changed that reasoning dramatically.

Local officials have previously made mistakes with Crosscheck data. In 2014, Ada County, Idaho incorrectly removed over 750 voters from the rolls by taking Crosscheck data at face value without doing their own secondary verification. This mix-up was rectified before voters cast their ballots.

Election officials take great pains to avoid these errors, but doing so can put a strain on election offices, which often struggle to fulfill their primary function of simply running elections. Numerous state election officials told Reveal from The Center for Investigative Reporting that having local election administrators verify Crosscheck data wasn’t a good use of resources.

“The issue with Crosscheck data is that it doesn’t match enough variables, so it requires a lot of county clerks to look at registration records manually, which is extremely arduous,” West Virginia Elections Director Donald Kersey said. “We haven’t used it really at all to clean our records.”

Representatives from Kansas did not respond to multiple requests for comment.

Here’s why the eight states have stopped using Crosscheck data:

  • West Virginia and Louisiana ignore Crosscheck when scrubbing their lists in favor of data provided by the Electronic Registration Information Center, a similar program widely seen as providing more reliable data. Officials say they share their voters’ information to help other states.
  • Kentucky stopped using Crosscheck’s data five years ago, but it wasn’t until last June that it quietly pulled out of the program entirely. Bradford Queen, a spokesperson for the Kentucky Secretary of State’s office, wrote in an email that the state, “has not used Crosscheck data as part of its process to purge voters under the current administration, dating back to 2012. We did not find the data reliable for matching purposes.”
  • Georgia, which has sent data into Crosscheck since 2013, has never used Crosscheck results for list management. When it joined, Georgia had to pre-clear electoral system changes with the Department of Justice to ensure it didn’t violate the voting rights of racial and ethnic minorities. As part of that pre-clearance process, Georgia agreed not to use the data for list maintenance, although the state still sent information into the program to assist other states.
  • South Carolina election official Chris Whitmire said the state stopped using Crosscheck data last year, “due to issues with verification and concerns about cybersecurity.”
  • Nevada, North Carolina and Colorado only use Crosscheck for a secondary purpose: trying to identify double voters. Research has shown such activity is rare and almost always accidental.

Kansas officials have announced changes in the program designed to assuage security fears, but many states remain skeptical about future participation.

Illinois has said it will stop sending data into the program until security concerns are addressed. Lawmakers in New Hampshire and Idaho have introduced legislation withdrawing their states from Crosscheck, but both efforts were unsuccessful. The debate has even popped up in Kansas, where Crosscheck is based.

A bill introduced into the Kansas state Legislature last month would force Kansas to cease participation in its own program.


By Aaron Sankin

MORE FROM Aaron Sankin


Related Topics ------------------------------------------

Crosscheck Cybersecurity Reveal News Voter Fraud Voter Data