The voter-fraud-checking program championed by the head of the Presidential Advisory Commission on Election Integrity suffers from data security flaws that could imperil the safety of millions of peoples’ records, according to experts. Indivisible Chicago, a progressive advocacy group in Illinois, filed a public-records request with Illinois and Florida for information on the Interstate Voter Registration Crosscheck Program. Crosscheck was created and run by the Kansas secretary of state’s office and is often cited by Kris Kobach, Kansas’ secretary of state, as a way to identify voters casting ballots in more than one state. Indivisible Chicago then posted emails and other documents it received, including messages exchanged between elections officials in Illinois and Florida and Crosscheck. The emails and records revealed numerous security weaknesses. Crosscheck’s files are hosted on an insecure server, according to its own information. Usernames and passwords were regularly shared by email, making them vulnerable to snooping. And passwords were overly simplistic and only irregularly changed.
“It blows my mind — this is complete operational security incompetence,” said Joe Hall, the chief technologist for the Center for Democracy & Technology, an organization that promotes internet freedom. “You should consider all of that stuff in the hands of people who are clever enough to intercept someone’s email.”
The Kansas secretary of state’s office did not respond to emailed questions about Crosscheck’s security.
Crosscheck was conceived in 2005 as a way to, as the name implies, let states compare their voting rolls to prevent people from registering in multiple states. Kansas operates the program at no cost to the states that participate. Crosscheck assures them — about 30 states use the program as of now — that it employs “industry standard encryption technology and passwords.” Hall disputes that. “It’s a complete lie,” he said.