Read on to learn about technology involved in voter registration and where these systems might be vulnerable.
Voter registration is the gateway to well-run elections. Because of this, the registration process and management of voter lists are always on legislators’ and administrators’ minds. The 2016 attempts by bad actors to intrude into state voter registration systems simply increased this interest.
The states’ registration systems are where data on the nation’s 200 million registered voters are stored, and therefore these systems can be targets for cyberattacks. Indeed, voter registration is the most public-facing part of a full elections system. While any disruptions to voter registration may be disruptive to an election, they won’t change vote totals or the outcome of an election.
Statewide Voter Registration Systems
In 49 states, an eligible citizen must be registered to vote.
Even though details on how voter registration systems are created and maintained varies among the states, they can be divided into two main models:
- Top-Down. In top-down systems, the state election office handles much of the voter registration functions and pushes voter registration information down to the local or county level.
- Bottom-Up. In bottom-up systems, local- or county-level election officials handle voter registration responsibilities for their jurisdiction and send their information up to the statewide system.
Each has its own security advantages. Top-down systems can minimize the attack surface, making it easier to defend since there are fewer access points for malicious actors. In bottom-up systems, counties have their own copy of the voter list so there are multiple backups if the central one is attacked. See this breakdown from the U.S. Election Assistance Commission (EAC) on which type of system your state has.
Regardless of the system in place, voter registration is the first interaction most voters have with the election administration. For more information on voter registration, see NCSL’s Voter Registration page.
How Voters Get Registered
Voters are added to statewide voter registration systems in a variety of ways. Nationwide, the most common method for new voters to register, or for existing voters to update their addresses, is through the state department of motor vehicles (DMV).
After the 1993 enactment of the National Voter Registration Act (NVRA), also known as Motor-Voter, in most states the DMV and other state agencies were required to offer citizens the chance to register to vote while interacting with the agency. As technology progressed, not only did the voter registration process get digitalized, so too did the system to transmit that information directly from the DMV to the state voter registration system.
States fall on a spectrum of how automated this process is. At one end of the spectrum, it is a manual process where DMVs provide applicants with paper forms that are then sent to local or state election officials to be keyed into the voter registration system. In other states, the DMV sends the voter information to the election authority digitally.
The states that have embraced even more automation include those with Automatic Voter Registration, although other states have automated the process as well. Automatic or automated voter registration involves the electronic sharing of information between DMVs and state election offices to verify new voters for eligibility (citizenship, age and residency), compare that to the information already in the statewide voter registration database and, if there is no existing registration, add the applicant to the voter rolls.
Other common state agencies that may send records, whether physical or digital, to the voter registration system could include social service agencies as required by the NVRA, the departments of health (for death records), corrections/courts (for felony convictions) or the departments of revenue.
Increasingly, Americans are registering online. In 2002, Arizona was the only state that had initiated online/paperless voter registration. As of 2018, 38 states and the District of Columbia have online voter registration systems, making this policy one of the fastest-moving elections policy trends in the last 20 years.
Online voter registration follows essentially the same process as traditional registration, but instead of filling out a paper application, the voter fills out an online form, which is submitted electronically to election officials. In most states, the application is reviewed electronically; if the request is confirmed to be valid, the new registration is added to the state’s voter registration list. In most states, online voter registration systems are an option for people who have state-issued driver’s licenses or identification cards, although a few states provide online access for other potential voters, as well. In all states, paper registration forms are available for anyone, including those who cannot register online.
Electronic Poll Books
As states explore new technologies to facilitate the voting process, the use of electronic poll books (e-poll books) is becoming increasingly prevalent. Traditionally a paper poll book, a list of eligible voters in the district or precinct is kept in each voting location. An e-poll book, usually a tablet or desktop computer, replaces the paper list and can provide other functions, such as updating voter information on the spot. To learn more about what e-poll books can do and things to consider, visit NCSL’s Electronic Poll Books page.
For examples of state e-poll book requirements, visit the U.S. Election Assistance Commission page on E-pollbook Requirements.
Since voter registration systems are the way that the list of eligible voters for each polling place is generated (either on a paper poll book or an e-poll book), an attack on a state’s voter registration system could wreak havoc at polling places on Election Day. With access to the voter registration list, a malicious actor wanting to disrupt an election could delete voters from the list, or change voter information, and therefore prevent eligible voters from voting. Done on a large scale, it could disenfranchise many voters, create long lines, and generally sow confusion and mistrust.
Because of the amount of data kept in voter registration systems, and because these systems sometimes connect with other networks, voter registration systems can be a target of cyberattacks. The goal could be to disrupt Election Day, or it could be to get information on a large number of people. Any large data sources are vulnerable in this way—businesses and other governmental entities such as Target, the Office of Personnel Management and Equifax, have all had their data systems breached. If malicious actors can get access to personally identifiable information by getting access to a statewide voter registration system, they may be able to use this information for other criminal activities.
Outlined below are general cybersecurity practices that many states are using to protect and defend their voter registration systems against potential cyberattacks. Most of these are managed administratively and do not require legislation. Still, policymakers benefit from understanding the choices their election officials are making.
Access Controls. “Access” refers to the ability of an individual to enter a system and retrieve or change data, particularly sensitive information. For voter registration systems, local election officials are likely to have access to create new registrations or to change names, addresses, party affiliations, etc. on existing registrations. Authorized technology providers are likely to have access to the background code to make updates. All these are normal activities and happen on a regular basis. However, it is doubtful that a local election official would need to access the background code. Establishing access controls and giving varying degrees of access to individuals based on their roles, and perhaps for different time frames, is an easy step toward securing voter registration systems and data.
Passwords. To gain access, users have passwords. Although there are varying requirements, most require a minimum number of characters, the use of varied characters types (letters, numbers and symbols) and frequent password updates. Many also prevent the use of common passwords, such as “password.”
Multi-factor Authentication (MFA). Multi-factor authentication is another method to help secure access to a system. MFA generally requires that an individual use not only a password, but also another authentication method (hence, “multi”). An everyday example would be withdrawing money from an ATM. You not only need your physical card (the first factor), but you also need your passcode (the second factor). The same principle applies while accessing a computer system. The factors might be a combination of a password, a code sent to the email or phone associated with the account, a fob, or a number determined from a “bingo card” that cycles or changes at given intervals (for example, today your password is found in box “A3”).
Logging and Monitoring Activity. Many voter registration systems maintain an internal log that tracks not only what changes are made, but who made them and when. An audit log can help identify if there is unusual activity and who may be performing those actions. It can be established to provide alerts in cases of unusual activity. Some things that may be monitored are:
- Successful and unsuccessful login attempts.
- Unauthorized or abnormal database queries. In 2016, the Illinois voter registration was compromised by an SQL injection. This means the attackers exploited a search feature on the website and were able to input a command code to gain access the system. SQL injections use malicious code to manipulate your database into revealing information. (Illinois’ existing detection system found the SQL injection, and staffers were able to take appropriate action. No voter records were changed.)
- Traffic patterns. Although a spike in internet traffic to a voter registration system in not inherently bad—it could be a voter registration drive, for example—it could also be the work of intruders.
- Albert sensors. Because elections have been deemed critical infrastructure by the federal government, states and local jurisdictions have increased access to resources, such as low-cost Albert sensors. These are intrusion detection systems that can identify and report malicious activity to users and are provided by the Department of Homeland Security.
Training. Often, humans are the weak link in cybersecurity. By training election officials and staff in basic cybersecurity, it is possible for those individuals to identify and avoid potentially damaging actions, such as phishing.
Regular Back-Ups. Data in a voter registration system, or any system, must be backed up regularly, and that back-up copy must be stored separately from the rest of the voter registration system. Plans to restore the system in the event of a successful intrusion are vital. Backed-up data must be tested regularly to ensure it is complete, uncorrupted and usable.
Provisional Ballots. Also referred to as “challenge ballots” or “affidavit ballots” in some states, provisional ballots are required by the federal Help America Vote Act of 2002 (HAVA) and can also act as a “backup” measure. When there is uncertainty about a voter’s eligibility—the potential voter’s name is not on the voter roll, a required identification document isn’t available or other issues—the election official is required to offer the voter a provisional ballot instead of a regular ballot. Provisional ballots ensure that voters are not excluded from the voting process due to an administrative error. They provide a fail-safe mechanism for voters who arrive at the polls on Election Day and whose eligibility to vote is uncertain.
In the age of potential cyberattacks, provisional ballots have the added advantage of providing a mechanism to vote for those who have been affected by an attack on the voter registration system. If their names have been deleted, or their information changed by a cyberattack, they still have the option of casting a provisional ballot.
In nearly all states, after being cast, the provisional ballot is kept separate from other ballots until after the election. A determination is then made as to whether the voter was eligible, and therefore whether the ballot is to be counted. Generally, a board of elections or local election officials will investigate the provisional ballots within days of the election.
States vary greatly in how provisional ballots are handled and in the number that are issued and rejected, and both the processes and the data are tracked by the U.S. Election Assistance Commission (EAC). States can have as few as 100 provisional ballots cast statewide, or as many as 100,000. For more on provisional ballots, visit NCSL’s webpage on Provisional Ballots.
Communicating with Other States. After the 2016 election, the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) was created as a subset of the already existing Multi-State Information and Sharing and Analysis Center operated by the Center for Internet Security. The EI-ISAC helps election authorities by sharing, at no cost, information on potential cyber incidents, threats and vulnerabilities so that they can help support and defend each other. It also provides threat intelligence, monitoring, trainings and other services to help beef up the cybersecurity know-how of election officials. At least some jurisdictions in all 50 states are participating, and all jurisdictions are encouraged to join.
Some states also participate in programs that compare voter information between states, such as the Electronic Registration Information Center (ERIC), to help keep voter lists up to date. While not addressing cybersecurity, participation helps keep voter rolls clean, by flagging records of voters who may be registered in more than one state. Clean rolls reduce the risks of double voting and the use of provisional ballots in cases where the rolls are not accurate. It also seeks to identify voters who are not already on the rolls to engage them in the process.
Steps State Legislators Can Take
- Ask state election officials how their voter registration systems are structured. Are they top-down? Bottom-up? A hybrid of the two?
- Ask state elections officials about existing prevention, detection and mitigation strategies. Include questions about how they back up their data, and how they test the back-ups.
- Examine policies around security for online voter registration systems. Because online voter registration offers a way for the public to interact, it can be a target for bad actors. Security policies may appear in statute but may also be established through administrative policies implemented by the state election or technology office.
- Examine state policies for protecting the personal information of voters. What voter information is made available to campaigns and the public? States may redact voter’s Social Security numbers and date of birth, for example, or put restrictions on who is able to request a voter list (see NCSL’s webpage on Access to and Use of Voter Registration Lists for more information).
- Ask about security for data exchanges between your state’s election authority and other state agencies. Automating the transferal of data is more secure than typing in information from a hand-written form. What security measures are in place around that process?
- Consider joining an interstate voter list comparison program. Joining the Electronic Registration Information Center will provide your state with information about people who are registered in more than one location, so your state can take follow-up action.
- Look at policies that create back-up options for voters. If there was a large-scale attack or disaster, would your state be prepared for a large number of voters to cast provisional ballots? How are those ballots processed and counted in your state? States that have same-day voter registration may be able to accommodate voters more easily in this situation (See NCSL’s webpage on Same-Day Voter Registration.)
- Consider what your state does to periodically “audit” the voter registration system. This ranges from examining the log of changes made to voter registration files to monitoring the system for evidence of unusual activity. Installing Albert sensors, available for a minimum cost from the Department of Homeland Security, can help.
- Consider statutory requirements or a testing and certification process for e-poll books. The federal government sets voluntary guidelines for voting equipment, but that does not cover voter registration systems. A few states have established their own requirements.
- Think about election security during the appropriations process. Does your state election office have the staffing, technological expertise and resources necessary to meet today’s cybersecurity challenges? Generally, funding for elections is a local responsibility, but states are providing assistance more often than in previous decades. (See NCSL’s The Price of Democracy: Splitting the Bill for Elections.)
- For additional information, see the Center for Election Innovation & Research report on how states are protecting their statewide voter registration systems.