Experts worry about election fraud threat

Maryland online registration, absentee ballots raise alarms

State House

The money spent on at least two referendum campaigns will likely be in the millions. (August 18, 2012)

By now, just about everyone connected to the Internet is familiar with this process: Required to fill out and sign a form of some kind, you ask for and receive a hyperlink via email. You open the link, find the form you need (perhaps a pdf), download it, print it, fill it out and mail it off.

That's a common practice, though increasingly old-school by today's online standards. There doesn't seem to be anything particularly risky about the transaction; few would think twice about conducting business that way.

But while integrity is important in all transactional realms, it rises to precious when we're talking about voting.

And that's why a similar process, new this year and slated to be part of Maryland's primary election in June, has some civic-minded computer security experts sounding alarms about the potential for fraud.

A small group of them, including three researchers based in other states, has also warned Maryland's Board of Elections about vulnerability in the state's online voter registration process. In fact, more than two years ago, they found the Maryland system to be susceptible to "large-scale, automated fraud" and said so in a letter to the board.

The concerns of these experts, however, have not led to major changes. Online registration has been available since before the 2012 elections. The new plan for absentee ballots — making them available electronically to any Maryland voter who requests one — is in place.

Regarding the latter, here's what the Board of Elections website says:

"Election officials can mail or fax your ballot to you, or you can download your ballot from the States website. If you want to download your ballot, make sure you provide your email address. ... We will send you an email when your ballot is ready. The email will include your ballot tracking number and a link where you can print your ballot and instructions. You must enter the ballot tracking number to access your absentee ballot."

This is what has security experts concerned. They say there is no way to know for certain that the person requesting the absentee ballot is the one filling it out and mailing it in.

Michael Greenberger, the University of Maryland law professor who serves as director of the Center for Health & Homeland Security, says the identification system currently in place is not an effective way to authenticate a voter; in fact, it's vulnerable to fraud.

Therefore, he says, "bad actors" could impersonate real voters, have the tracking numbers sent to them by email, then fill out and return ballots to local election boards without any meaningful check for fraud. Voter signatures are not checked against those on file, Greenberger points out.

A member of the Maryland Commission on Cybersecurity Innovation and Excellence, Greenberger advocates dropping the current plan and going old-school — that is, mailing absentee ballots to "brick and mortar addresses."

The other major concern was the potential for fraud in online registration.

The three experts who wrote to the board about this in 2012 were David Jefferson, a computer scientist based at the Lawrence Livermore National Laboratory in California; J. Alex Halderman, assistant professor of electrical engineering and computer science at the University of Michigan; and Barbara Simons, a retired IBM computer scientist and an expert on electronic voting.

They are part of network of vigilant computer security experts who independently assess state elections systems and report their concerns.

"We have identified severe security vulnerabilities in Maryland's online voter registration system," Jefferson and his colleagues wrote state elections officials in September 2012. "These problems leave the system open to large-scale, automated fraud, and make the Maryland system among the most vulnerable of all the states' new online voter registration systems."

The letter said, in boldface: "Given the grave potential for harm, we urge the State of Maryland to take immediate defensive steps to safeguard the online voter registration system or else shut down the system."

That statement was reiterated in a follow-up letter last February.

In an interview Tuesday, Jefferson said he and his colleagues have never received a response.

For its part, the elections board says the system has been adequately tested by an independent consultant who found it to be secure. Teams of testers tried to hack into the system but couldn't, says Nikki Charlson, deputy administrator of the board. And, she says, there are additional measures in place to alert officials to any unusual transactions during the three-week absentee voting period.

Del. Jon Cardin, a candidate for attorney general in the June primary, serves as chairman of a House of Delegates subcommittee on election laws. He is well aware of the concerns that were raised about the new absentee system when the General Assembly considered and approved it last year. On balance, he says, the legislative mandate to make voter access as convenient as possible outweighed the security concerns. He says the system will continue to be scrutinized for any irregularities.

OK, I guess we'll see.

Here's hoping, for the sake of our precious democracy, this works better than the state's health insurance exchange.

drodricks@baltsun.com

Dan Rodricks' column appears each Tuesday, Thursday and Sunday. He is the host of "Midday" on WYPR-FM.

 
your neighborhood

TOP VIDEO

  • Twitter
  • Facebook
  • Instagram
  • Google Plus
  • RSS Feeds
  • Mobile Alerts and Apps

PHOTO GALLERIES