Arizonans still vote on paper but much of an election unfolds online, from finding a polling place to requesting a mail ballot.
Cyber security experts worry election officials in some of the state’s counties are not doing enough to secure their websites and prevent fraudsters from sowing disinformation or spreading confusion. Most of the county recorders in Arizona are not using one of two basic safety measures that cyber security firm McAfee is encouraging local governments adopt. The company is urging election officials to use web addresses ending in .gov as well as secure sockets layer — encryption commonly used on websites that handle passwords, credit card information and other sensitive data. Without these measures, it could be easier for saboteurs to hijack a website and steal users’ data or provide false information, particularly heading into an election that experts anticipate will be targeted with disinformation.
Manipulation ‘can swing an election’
Steve Grobman, chief technology officer at McAfee, envisions a scenario in which bad actors target a county where election results will be close and send a mass email to voters directing them to a fake website with misinformation about when and how to vote.
Even if only a small share of voters fall for it, he says such a campaign could cause problems.
“Two, three percent manipulation can swing an election,” he said.
Taking a couple of basic steps already used by many local governments could help prevent such a campaign, Grobman argues.
Secure sockets layer, or SSL, ensures information that users submit through a website is encrypted. It also acts like a sort of secret handshake, showing an internet user they are on an authentic website, not an imitation.
Internet users can tell a website is using SSL by looking for a padlock symbol next to the website’s address and by looking for the prefix “https://” instead of “http://”.
Five counties with a combined 460,600 registered voters have election websites that do not use SSL at all or only use it in part: Yavapai, Pinal, Navajo, La Paz and Gila.
Many of these sites point visitors to the state’s official voter registration portal — servicearizona.com — to register as a voter or update registration.
But some county websites not using SSL still accept requests online for a mail ballot, like Pinal County, or to work at a polling place, like Yavapai County.
Recorders in those counties either did not respond to questions about their websites or said the websites are managed by other departments within county government.
McAfee also has encouraged county election officials to use websites ending in “.gov”.
Anyone can buy a website ending in .com. But only local, state and federal government websites end in .gov.
While the Secretary of State’s website is AZSOS.gov, AZSOS.com currently is for sale.
The state’s official voter registration website, where Arizonans can sign up to vote, is ServiceArizona.com. But the website ServiceArizona.net appears to be owned by someone else.
Grobman says it would not be difficult for anyone to set up a fake but convincing voter registration or voter information website using addresses that seem official but are easily purchased on the open market.
Companies, politicians, celebrities and others have long played a sort of digital real estate game, buying web addresses similar to their own in an effort to block off competitors and fraudsters.
The homepage of The Arizona Republic is azcentral.com. But the newspaper also owns azcentral.net, ArizonaRepublic.com, TheArizonaRepublic.com and AZRepublic.com. Each of those addresses redirects visitors to azcentral.com.
Change coming? Effort underway to significantly change elections in Arizona
There is no requirement that state or local governments use .gov web addresses or SSL, leading to a patchwork of practices from one county to the next.
But Grobman encourages state and local governments to use .gov. Users could then have confidence they are on an official government website.
Five Arizona counties do not currently use a .gov web ad
The lack of these measures may not affect the way votes are tallied or the way voters are registered. But Grobman argues a lack of basic safety measures should raise questions about the other ways in which local election authorities may be vulnerable to disinformation and attack.
“We would expect the outward facing technology to be the most secure,” he says.
Many states have same issue
McAfee checked the websites of local election authorities in 20 states last year and found most lacked either SSL or a .gov address, or both.
Maricopa County uses SSL and .gov web addresses. It also has registered Maricopa.Vote, which redirects visitors to the county recorder’s official website.
Maricopa County Recorder Adrian Fontes declined to discuss the details of protecting his office’s website, citing security concerns.
But he is blunt about the high stakes of preventing tampering and misinformation.
“We’re at war with people who want to do those websites harm,” Fontes said.