Like many Michigan Democratic Party members I had serious concerns about the new electronic voting process, back in April. They had tablets, they had voter-specific QR codes — what could go wrong?

On 4/17, on my lunch, I took a break from my usual work on b2b logistics and glanced at my MDP badge. There’s an obvious pattern in the QR code, which doesn’t necessarily mean anything in and of itself, but it got me curious.

I decided to scan my badge with a QR code reader to see just what they were doing and I was shocked: there was a bunch of plaintext (unencrypted data) indicating my member ID, my SCC delegate status (“Alternate”), my name, my county, and my CD. All information that anyone working for a caucus, campaign, or even one of our unions might have access to. Fortunately, the code also ended with a number that I did not recognize.

(Please note: I am not a “Mr.”, and having to use my given name makes me uncomfortable, but I haven’t yet asked the MDP to change my gender or salutation, so we can just ignore that for now.)

A QR reader, software which is free and widely available, scans this and produces the following text:

“-4802431|Alternate|Joseph|Fournier|Oakland|14|628049”

Download a QR reader on your smartphone, and try it for yourself!

In this example 802431 is my member ID number — something which is readily available in the member list data that is made available to campaigns (for a price). The “-4” and “628049” appear to be common to many of the badge QR codes.

(Please note: the -4 and 628049 did not change for the August convention.)

This is a serious problem, and shows an astounding lack of attention to security. What if someone could waltz into early registration for a significant convention, get credentialed, scan their own QR code — and have everything they needed to produce hundreds (or thousands) of fakes overnight? What if they voted with them? What if they brought non-members in to wear fake badges?

It is likely that a person would need to be credentialed at the convention in order to vote, but what’s to stop someone from farming UAW votes if a large number of them leave early like they did in April?

Suppose for example that a person took the name of a known UAW / MDP member, and generated hundreds or thousands of fake QR codes for anyone who registered within a few days of that person. Then, if a number of UAW members left before or during a major vote like many did in April… An entity with fake QR codes for those members could absolutely orchestrate a huge number of fake votes. My sample suggests that the vast majority of the QR codes would be equivalent from the voting system’s perspective — many of those MIA UAW members would have been legitimately credentialed — and at least some of those votes would not be duplicates.

It is also likely that the MDP goes to great lengths to identify non-credentialed voting attempts, duplicate votes, and the like — but what do we really know about what happens behind closed doors? It is very hard for me to have faith in the system when they will not even release vote counts.

There is no doubt in my mind that Dana won April by a landslide — the difference in the size of the lines was overwhelming and obvious. Some of the numbers I heard tossed around were in line with my projections (based on campaign data) too, but no matter how you look at it this system is not secure.

At the very least it is possible for a (credentialed) member to have someone else falsify their QR code and vote in their place… And the lack of security with the IDs makes me wonder what myriad things are probably wrong with this system under the hood.

Do they actually verify that a person was credentialed? Do they cross check against the official MDP membership listing? The official data, as far as I can tell from my campaign work — where I received periodic comprehensive updates on membership information leading up to the April convention — probably exists as an un-sanitized Excel document full of duplicates, missing or malformed geographical information (County and CD — please refer to the SADV rules to see why this is a huge problem)… and other such blatant issues.

A friend (Ryan of ReformMiDems) suggested that, given that we know that the tallies are taken from the tablets via SD card and summed in an Excel spreadsheet for the proportional voting calculations, then perhaps — if conditions are right — it might even be possible to use Excel expression injection to manipulate the final tally. Perhaps I was the first to discover this and everything is fine — but we absolutely need changes to this system for future conventions if we want to have any faith in the process.

Do we have any reason, given the lack of security here, to believe that they are even tallying duplicate votes between tablets, attempted voting by non-credentialed members, and the like?

My boyfriend-at-the-time let me scan his ID. To my dismay what I thought would be a unique number associated with my ID for that particular election was the same. I talked to some friends and scanned a few more codes — but they were basically the same. There’s just no security.

This meant that a person didn’t need to go around the convention taking snapshots of people’s badges to fake their vote — by arranging the proper data ahead of time, as many motivated campaigns do, it would be possible to fake a great many QR codes. And vote with them.

I am not 100% confident that 100% of badge IDs could be faked, or that this could actually lead to a stolen election. Some (not all) of the badge codes have another mystery number appended to the member id number. Assuming the MDP keeps track of attempts to vote twice, they would probably flag those votes as suspicious — perhaps forcing a tedious second or third vote… But it looks to me as if some votes could be faked in the future.

We know that the MDP is not actually on the bleeding edge, but this level of oversight is truly astounding. Of the thousands of credentialed voters at the convention, few were probably completely comfortable with the electronic voting system. Granted it is hard to fake the size of a line of people waiting to vote for a particular candidate, and if a number of people complained that the system “erroneously” indicated that they had tried to vote twice — which would only happen immediately if they tried to vote twice on the same tablet — one would hope that the MDP would catch on and correct the issue before any serious damage was done… but given the lack of attention shown to the security of the credentials — they don’t even appear to have an event-specific ID — why should we think they’re being careful behind the scenes?

There are so many freely available ways of encrypting this data, many of which are also open source. If I had scanned my badge and gotten an illegible hash key back, I probably wouldn’t have known what to do with it.

But another couple of lines of code was apparently too much effort for the MDP. For the amount of money they are hemorrhaging to keep up with the ever increasing membership and corresponding voting and credentialing systems, we deserve bare minimum security.
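
An added example, not part of the original post and not the MDP's code: one way a pipe-delimited badge payload could be bound to a single event and made unforgeable with a keyed MAC (HMAC-SHA256, which is authentication rather than encryption). The key, the event identifier, the field layout and the sample member are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumptions (not from the MDP system): a per-event secret shared by the
# credentialing server and the tablets, and a hypothetical event identifier.
EVENT_KEY = b"constructed-demo-key"
EVENT_ID = "2018-08-convention"
FIELDS = ("member_id", "status", "first", "last", "county", "cd")

# Constructed sample member; not a real record.
SAMPLE = {"member_id": "123456", "status": "Alternate", "first": "Alex",
          "last": "Example", "county": "Wayne", "cd": "13"}


def _tag(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_badge(member, event_id=EVENT_ID, key=EVENT_KEY):
    """Build the QR text: event id, badge fields, then an HMAC over all of it."""
    values = [event_id] + [str(member[f]) for f in FIELDS]
    if any("|" in v for v in values):
        raise ValueError("field contains the '|' delimiter")
    body = "|".join(values)
    return body + "|" + _tag(body, key)


def verify_badge(payload, event_id=EVENT_ID, key=EVENT_KEY):
    """Return the member fields if the tag is valid for this event, else None."""
    body, sep, tag = payload.rpartition("|")
    if not sep:
        return None
    # Compare as bytes in constant time (compare_digest rejects non-ASCII str).
    if not hmac.compare_digest(_tag(body, key).encode(), tag.encode("utf-8")):
        return None
    parts = body.split("|")
    if len(parts) != len(FIELDS) + 1 or parts[0] != event_id:
        return None
    return dict(zip(FIELDS, parts[1:]))


def accept_vote(payload, seen_member_ids):
    """A valid tag does not stop a copied badge, so also refuse repeat member ids."""
    member = verify_badge(payload)
    if member is None or member["member_id"] in seen_member_ids:
        return False
    seen_member_ids.add(member["member_id"])
    return True
```

The `seen_member_ids` set only helps if it is shared across all tablets; a per-tablet set would miss the same badge presented at two different tablets.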

They supposedly spent tens of thousands of dollars dealing with the mass voter registration system I personally designed for Dana’s campaign back in early 2018, but apparently they didn’t think the credentials themselves needed to be secure. It’s so insecure that it might not be absurd to call it a facade…

Keep in mind that the MDP didn’t actually release the official vote count back in April, and ask yourself why. Officially Miles moved to endorse Dana by unanimous consent.

I have no reason to think that anyone has taken advantage of this vulnerability yet, and with some minor tweaks to the MDP’s new system nobody ever will.

Jojess Fournier