Over the past 16 years, only 10 cases of voter impersonation—out of 146 million registered voters—have ever been identified. And yet each election, a vocal political contingent made up primarily of Republicans complains about an alleged epidemic of voter fraud and impersonation. To combat it, they propose—and in many cases successfully pass—laws requiring voters to provide verification of their identity with an ID card, along with verbal confirmation of various pieces of personal data, before they are permitted to vote.
As election officials become more reliant on electronic databases, the potential for hackers to commit voter manipulation and election fraud has gone way up. But it’s these very voter ID laws that are partly to blame, despite legislators’ claims that they would make elections safer, according to Joseph Kiniry, CEO of Free and Fair, a provider of secure election services and systems.
“The best thing [hackers] could do is to screw up that data prior to the election,” says Kiniry.
Not that there were many good reasons to trust in voter ID laws in the first place. Critics of the laws argue that they make voting unnecessarily difficult or burdensome for Americans who simply want to exercise their right in a democracy. Moreover, they argue that the reason Republicans support voter ID laws is not because they wish to stamp out voter impersonation, but because such laws have a disproportionately negative impact on black and Latino voters who are statistically less likely to possess a photo ID, and more likely to vote Democrat.
But states that passed voter ID laws didn’t just threaten to disenfranchise voters. They made their elections more vulnerable to hackers. And unlike the fearmongering you might hear from security experts over insecure Internet election systems that would allow domestic or foreign hackers to change votes with the flip of a switch, voter ID manipulation is far scarier because it could happen as soon as this year’s election. Maybe it already has.
“Any Internet expert will tell you that Internet voting is a bad idea,” Kiniry says. “But it’s a tiny fraction of the vote. There wouldn’t be massive opportunity for fraud. But I do hold a concern for states with voter ID laws.”
Here’s how such a scheme could work, Kiniry explains:
So in voter ID law states, you must present ID when you do a voting check-in, which means that certain key information has to match what’s on the record: Your name, your gender—your perceived gender—party affiliation, home address. But if you want to cause trouble during an election, where trouble only means doing a distributed denial of service (DDoS) attack on an election, then all you do is change, in an unsurprising fashion, some pieces of that data. Change the spelling of their name. Add 10 to every address. All those kinds of things are going to trigger provisional votes that will slow the process. A 30-second check-in becomes a several minute check-in.
But unless you’re a nonpartisan anarchist, what would be the point of launching what Kiniry describes as a “distributed denial of service attack on an election”?
The point is that a group of hackers could massively influence an election by targeting historically Democratic or Republican districts, and through these physical DDoS attacks, bring these districts’ polling stations to a standstill on Election Day.
“Now if I were a truly malicious actor,” Kiniry adds, “I could simply delete people from the electoral role or add people to the electoral role and attempt to do something more novel.” But simple manipulations of voter ID verification data, especially if they were made to look like glitches, would likely be chalked up to government inefficiencies by most observers.
“The authorities won’t notice it, and there will be lines 10 times longer that we saw in New Mexico,” Kiniry says, referring to five-hour waits in Sandoval County during the 2012 elections.
And the irony, of course, is that the states with the most stringent voter ID requirements would those most susceptible to the fraud its laws were supposedly designed to stop.