Cybersecurity specialists are warning that President Donald
Trump’s voter-fraud commission may unintentionally expose voter data to
even more hacking and digital manipulation.
Their concerns stem from a letter
the commission sent to every state this week, asking for full voter
rolls and vowing to make the information “available to the public.” The
requested information includes full names, addresses, birth dates,
political party and, most notably, the last four digits of Social
Security numbers. The commission is also seeking data such as voter
history, felony convictions and military service records.
Digital security experts say the commission’s request would
centralize and lay bare a valuable cache of information that cyber
criminals could use for identity theft scams — or that foreign spies
could leverage for disinformation schemes.
“It is beyond stupid,” said Nicholas Weaver, a computer science professor at the University of California at Berkeley.
“The bigger the purse, the more effort folks would spend to
get at it,” said Joe Hall, chief technologist at the Center for
Democracy and Technology, a digital advocacy group. “And in this case,
this is such a high-profile and not-so-competent tech operation that
we're likely to see the hacktivists and pranksters take shots at it.”
Indeed, by Friday night, over 20 states — from California to Mississippi to Virginia — had indicated they would not comply with the request, with several citing privacy laws and expressing unease about aggregating voter data.
“Mississippi residents should celebrate Independence Day and
our state’s right to protect the privacy of our citizens by conducting
our own electoral processes,” said Mississippi Secretary of State
Delbert Hosemann, a Republican, in a statement.
Trump took to Twitter Saturday morning to bash the reticent states.
"Numerous states are refusing to give information to the
very distinguished VOTER FRAUD PANEL. What are they trying to hide?" he
wrote.
Trump launched the "election integrity" commission in May,
tapping Kansas Secretary of State Kris Kobach to lead the charge. The
commission’s main task was to study voter fraud, a subject of interest
to Trump, who has baselessly claimed that millions of people voted illegally in the 2016 election.
White House officials also said
the commission would recommend steps to help secure the “integrity” of
the voting systems. In this vein, the letter asks how the commission can
help local officials address “information technology security and
vulnerabilities.”
But cyber specialists say the missive and its directions have
the exact opposite effect. And the commission’s request comes at a time
when the Trump administration is already under fire from Democrats who
say it is doing little to protect the electoral process from hackers.
Technical experts say the voter data that the commission
wants to assemble would quickly become a single treasure trove for cyber
criminals and foreign intelligence services. Identity thieves could use
information such as addresses, birth dates and the last four digits of
Social Security numbers for digital impersonations, and foreign spies
could use it to fill out dossiers on Americans they hope to blackmail.
“This information is particularly sensitive because it can
be matched up with other stolen or publicly available information to
build a more complete profile for an individual and target them for
fraud or other exploitation,” said Jason Straight, a data breach expert
who serves as chief privacy officer at the business solutions firm
UnitedLex.
Specifically, researchers have shown that voter rolls are
“the most useful external source of data” when fraudsters hope to
identify people in anonymized health or medical records, Hall said.
Security specialists told POLITICO they were especially
perturbed about Kobach’s claim that the commission would publish all the
voter data it receives.
While much of the data the commission requested — including
addresses and dates of birth — is already publicly available in states
or from third-party vendors, states restrict access to that information
in various ways.
If the commission publishes all the voter data it receives,
it “could result in the commission making voter data more widely
accessible than it otherwise would be from the state itself,” Straight
said.
The White House pushed back on these fears.
"Information being requested is already publicly available
according to state law from which it would be released," noted Marc
Lotter, a spokesman for Vice President Mike Pence, who is leading the
panel with Kobach.
“The federal government takes cybersecurity very seriously,”
he added. “No publicly identifiable information will be released to the
public and the information will be managed consistent with federal
security guidelines.”
Kobach’s office did not respond to requests for comment.
Ways exist to secure large quantities of voter data — Hall pointed to the Electronic Registration Information Center,
a state-run nonprofit that helps officials clean their voter rolls, as
one example. But that organization uses strong encryption to protect its
information, he noted.
“It's hard to imagine all the work that went into making
that private and secure is happening in the week before the commission's
first meeting,” said Hall.
Experts also criticized the commission’s two options for
states to submit their data: via a White House email address and a
Pentagon-run file-hosting service.
“Email is the worst; it's like sending all your postal mail
using postcards instead of letters in envelope,” Hall said. “It’s one of
the harder methods of communication to secure.”
The commission’s alternative option, a file-hosting service run by a branch of the Army, isn’t currently configured
to properly encrypt web traffic, which Hall said was “a massive red
flag for their ability to properly secure other forms of secure file
transfer.”
The perceived digital security miscues left many specialists stunned.
“Nothing about this letter appears to take information
security into account,” said Matthew Green, a computer science professor
and cryptography expert at Johns Hopkins University. “If I didn't know
this letter was real, I would assume it was a clever spearphishing
campaign.”