Overall, the total cost of an attack varied based on the number of voters to impersonate, data sources used, whether the websites had CAPTCHAs, and specific states of interest. We found that the practical costs of changing 1 percent of the voters on all 36 websites could range from $10,081 to $24,926 depending on whether the attacker used data from government, data broker, darknet or other sources. Costs for an attack on a specific geographical area or state were much less, such as $1 for Alaska or $1,020 for Illinois. Back office processes and election practices, which varied among states, could have possibly limited attack success rates.

Results summary: We found that in 2016, the District of Columbia and 35 of the 50 states had websites that allowed voters to submit registration changes. These websites determined whether a visitor was an actual voter by requesting commonly available personal information. Some websites gave multiple ways for a voter to self-identify. Of these, {name, date of birth, address} was required in 15, {name, date of birth, driver’s license number} was required in 27, and {name, date of birth, last 4 SSN} was required in 3. We found that an attacker could acquire the voter names, demographic information and government-issued numbers needed to impersonate voters on all 36 websites from government offices, data brokers, the deep web, or darknet markets.

Could an attacker impact U.S. elections by merely changing voter registrations online? This reportedly happened during the 2016 Republican primary election in Riverside County, California. What about elsewhere? We surveyed official voter record websites for the 50 states and the District of Columbia and assessed the means and costs for an attacker to change voter addresses. Relatedly, an attacker could also change party affiliations, delete voter registrations, or request absentee ballots online. A voter whose address was changed without her knowledge, for example, in most states would have a polling place different than expected. On Election Day, when she appeared at her presumed polling place, she would have been unable to cast a regular vote because her name was not on the precinct’s register. She may have been turned away or given a provisional ballot, and in many cases, a provisional ballot would not count. Perpetrated at scale, changing voter addresses, deleting voter registrations, or requesting absentee ballots could disenfranchise a significant percentage of voters, and if carefully distributed, such an attack might go unnoticed even if the impact was significant. So, how practical is it to submit false changes to voter registrations online?

This paper assesses what is required for an attacker to impersonate a voter at a state website and then submit a change to the voter’s personal information that would either render the voter unable to vote on Election Day or keep the voter’s ballot from being fully counted. This paper ends with a Discussion section, which summarizes significant results, broader impacts, and examples of states’ current back office practices. A reader could advance to the Discussion section, at the end of this paper, for an expedited read and return to the body of the paper for details as needed. Elections rely on trust and transparency. Technological vulnerabilities will emerge and when they do, it is important that they be addressed swiftly and understood publicly in order to maintain public faith in the democratic process. Ignored and secret problems only enable attackers to exploit vulnerabilities freely.

In this writing, we make a sharp distinction between registering new voters and changing existing voter registrations online. Voters can change their records online even if they did not originally register online. The ability to edit voter records is offered by many voter registration websites and some driver’s license websites, depending on the state. So, this paper does not find a concern specific to voter registration websites, only with the ability to submit changes to voter records online, regardless of the purpose of the website.

This was one primary, and its investigation remains open because there is a factual basis for the allegations. Regardless of the outcome, it raises the question: could hundreds of thousands of voters around the United States have experienced the same kind of disruption at the polling place on November 8, 2016 during the general presidential election in the United States that Republican voters in Riverside County reportedly experienced on June 7, 2016, during the Republican primary? The answer depends on how many state websites allowed voters to submit changes to their own voting records online, whether those websites were vulnerable to attack, and if attacked, whether back office processes or state practices could have possibly limited the attack.

Changing the party affiliation of a voter before the Republican primary on June 7 was especially problematic because only registered Republicans can vote in the Republican primary in California, and reportedly some voters only learned about their registration change at the polling place. Most of those voters received provisional ballots rather than regular Republican ballots at the polls, but those provisional ballots did not count because the voters were not registered as Republicans [1]. Some voters saw their affiliation go from Republican to the Green Party [2]. The county branch of the Republican Party called attention to the issue after receiving a couple hundred calls from individuals who had their party affiliation changed with no notification process [2]. Only Republican Party registrations seemed affected. Investigations were made more difficult by the fact that California state officials reportedly did not retain sufficient website and database logs that would identify the Internet addresses of the machines visiting the California voter registration website [1], [2].

Imagine impersonating a voter online in order to submit voter record changes to prevent the voter from voting. Now imagine doing that for hundreds or thousands of voters in an attempt to impact outcomes or to add uncertainty or chaos to the voting franchise. The idea may sound far-fetched, but local area newspapers reported that one such incident occurred in Riverside County, California in the United States before the Republican Party primary on June 7, 2016 [1], [2]. The Riverside County District Attorney confirmed that someone with access to voters’ Social Security numbers and other personal information went to the state’s voter registration website, pretended to be a voter, changed that voter’s party affiliation, then did so seemingly for up to hundreds of voters without the knowledge of those voters [1].

One automated way an attacker’s computer program could defeat a CAPTCHA is to use a dictionary of all the CAPTCHA images that could possibly appear on the web page. This approach assumes that the number of CAPTCHA images available at the website is small. The attacker records each image along with the proper response for each image in a dictionary. Later, when the computer program encounters the CAPTCHA, it looks up the image in its dictionary and responds automatically with the pre-stored answer. The ticket-scalping scheme described above created a dictionary of about a thousand CAPTCHAs found at popular ticket selling websites. Their program then used the dictionary to bypass the CAPTCHAs.

As we just described, CAPTCHAs may increase the effort required to automate an attack, but a CAPTCHA does not necessarily slow or prevent automated attacks. As an example, consider a 2010 criminal case in which a hacker reportedly wrote a computer program to impersonate thousands of individual ticket buyers on websites of online ticket vendors such as Ticketmaster, Musictoday and Tickets.com in order to automatically purchase premium event tickets and then resell the tickets later at higher prices [57]. The websites asked for personal financial information for the purchase and used CAPTCHAs to help thwart automated ticket buying [57]. The program defeated the CAPTCHAs presented and ran on a network of computers simultaneously to scale the attack. According to prosecutors, the program grabbed more than 1 million tickets for concerts and sporting events, and the resale of those tickets between 2002 and 2009 yielded more than $25 million in profit [57].

Figure 1 shows the voter registration pages used by Delaware registered voters to submit address changes. Voters have one of two choices, to either enter name, date of birth, and ZIP (Figure 1a) or enter driver’s license number and date of birth (Figure 1b). Both options display a CAPTCHA at the bottom of the page. The voter in the example shown has to enter “LANARK” in the CAPTCHA field to proceed. Visiting the web page again requires the voter to enter different text in the CAPTCHA field.

A CAPTCHA (Completely Automated Procedures for Telling Computers and Humans Apart) can slow automated attacks. CAPTCHAs are a security scheme first proposed in 2000 and now widely used online to determine whether a user is more likely to be a human than a computer program [53], [54]. A CAPTCHA displays an image or group of images on the web page and asks the viewer to enter the text displayed in the image or to answer a question about the displayed image(s). Humans can usually respond easily to a CAPTCHA, but computer programs tend to have a difficult time interpreting images, making the proper response to a CAPTCHA more difficult for a program to achieve. Therefore, if a voter website has a CAPTCHA, the attacker has to find a way to automate or semi-automate responses to the CAPTCHA in order for his computer program to iterate its execution over multiple voter records [54], [55].

An impostor can manually submit address changes on a voter website, one voter at a time. To increase the number of voter record changes per hour, he could employ more people to do the same or automate the process by having a computer program submit the kind of changes at the website that he would submit by hand. Once configured, a computer program could conduct a change of address attack or an absentee ballot attack without human intervention, iteratively impersonating each targeted voter. In addition, a computer program can operate on multiple machines simultaneously. Automation can dramatically increase the number of voter record changes submitted per hour.

Webserver logs can record the date, time, and Internet addresses of mobile devices and computers connecting to a website. Database logs can record all changes made to the voter database over time. Maintaining these kinds of audit logs will not prevent a change of address attack or an absentee ballot attack. However, audit logs can help determine, after the fact, whether an attack actually occurred and could possibly provide information about the attacker and the extent and nature of the attack.
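An after-the-fact review of the two log types described above, as an added example that is not part of the original paper: it joins web requests to database changes and flags source addresses that changed records for many distinct voters in a short window, plus changes with no matching web request. The log formats, the `rid` request identifier, the `/voter/change` path and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical formats). The web log records client
# address, time and a request id; the database audit log records the same
# request id next to each change to a voter record.
WEB_LOG = """\
203.0.113.7 [2016-04-11T09:00:01] "POST /voter/change" 200 rid=a1
203.0.113.7 [2016-04-11T09:00:31] "POST /voter/change" 200 rid=a2
203.0.113.7 [2016-04-11T09:01:02] "POST /voter/change" 200 rid=a3
203.0.113.7 [2016-04-11T09:01:40] "POST /voter/change" 200 rid=a4
198.51.100.20 [2016-04-11T09:05:00] "POST /voter/change" 200 rid=b1
192.0.2.55 [2016-04-11T10:00:00] "POST /voter/change" 200 rid=c1
192.0.2.55 [2016-04-11T11:30:00] "POST /voter/change" 200 rid=c2
"""
DB_LOG = """\
2016-04-11T09:00:01 rid=a1 voter=V1001 field=address
2016-04-11T09:00:31 rid=a2 voter=V1002 field=address
2016-04-11T09:01:02 rid=a3 voter=V1003 field=party
2016-04-11T09:01:40 rid=a4 voter=V1004 field=address
2016-04-11T09:05:00 rid=b1 voter=V2001 field=address
2016-04-11T10:00:00 rid=c1 voter=V3001 field=address
2016-04-11T11:30:00 rid=c2 voter=V3002 field=address
2016-04-11T12:00:00 rid=zz voter=V4001 field=address
"""

WEB_RE = re.compile(r'^(\S+) \[([^\]]+)\] "POST (\S+)" (\d{3}) rid=(\S+)$')
DB_RE = re.compile(r'^(\S+) rid=(\S+) voter=(\S+) field=(\S+)$')


def parse_web(text):
    """Map request id -> client address for successful POST requests."""
    requests = {}
    for line in text.splitlines():
        m = WEB_RE.match(line.strip())
        if m and m.group(4) == "200":
            requests[m.group(5)] = m.group(1)
    return requests


def parse_db(text):
    """Return (timestamp, request id, voter id, field) for each audit row."""
    rows = []
    for line in text.splitlines():
        m = DB_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1))
            rows.append((ts, m.group(2), m.group(3), m.group(4)))
    return rows


def correlate(requests, db_rows):
    """Group changes by client address; keep changes with no web request."""
    by_ip, orphans = defaultdict(list), []
    for ts, rid, voter, field in db_rows:
        if rid in requests:
            by_ip[requests[rid]].append((ts, voter, field))
        else:
            # No web-log entry: the logs are incomplete or the change did
            # not arrive through the website. Either way it needs review.
            orphans.append((ts, rid, voter, field))
    return by_ip, orphans


def flag_bulk_sources(by_ip, max_voters=3, window_minutes=10):
    """Return {address: peak distinct voters changed within the window}."""
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, events in by_ip.items():
        events = sorted(events)
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits the time span.
            while events[end][0] - events[start][0] > window:
                start += 1
            voters = {voter for _, voter, _ in events[start:end + 1]}
            peak = max(peak, len(voters))
        if peak >= max_voters:
            flagged[ip] = peak
    return flagged


def analyze(web_text, db_text, max_voters=3, window_minutes=10):
    by_ip, orphans = correlate(parse_web(web_text), parse_db(db_text))
    return flag_bulk_sources(by_ip, max_voters, window_minutes), orphans


if __name__ == "__main__":
    flagged, orphans = analyze(WEB_LOG, DB_LOG)
    print("bulk sources:", flagged)
    print("changes without a web request:", [o[2] for o in orphans])
```

A per-address count only catches the single-machine case; a program running on multiple machines spreads the same changes across many addresses, so the join to the database log (who was changed, and to what) matters as much as the address tally.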

All states provide copies of voter rolls to political campaigns and others. These data often include the name, address, date of birth, party designation and voting history for each voter. These data do not usually include the SSN or driver’s license number of voters, however. Some states provide the data for a fee, while others provide it freely online. For example, anyone can download a copy of the voter registration data for Ohio [48]. Data brokers that specialize in voter data, such as Aristotle [49] and L2 [50], also make voter registries available.

University of Wisconsin–Madison researcher Alan De Smet has published online the methodology to predict the driver’s license numbers of 11 states: Florida, Illinois, Maryland, Michigan, Minnesota, Nevada, New Hampshire, New Jersey, New York, Washington, and Wisconsin [46]. These states use a combination of encoded first name, last name, middle initial, and date of birth [46]. Maryland uses driver’s license numbers as part of its verification check before delivering absentee ballots online to voters, but it is also a state with predictable driver’s license numbers based on a voter’s last name, first name, middle initial, and birth month and date [19], [20], [47].

In May 2016, Arizona officials took the statewide voting registration system offline after the FBI alerted the Arizona Department of Administration of a credible threat [41]. Arizona officials discovered that a county election official’s username and password had been posted online. That official’s account could only access county-level data rather than the entire state system. State investigations of the incident found no evidence that any data in the system was compromised or any malware installed.

There have been breaches of voter data from state agencies and from political campaigns. In June 2016, the United States Federal Bureau of Investigation (FBI) investigated a hacking attack against a database of 15 million voter records at the Illinois Board of Elections, with the attackers using a SQL injection to steal tens of thousands of records [41], [42], [43]. The database was 10 years old and included voters’ names, addresses, sex, and birthdates, with some records including the last 4 digits of the voter’s SSN or the voter’s entire driver’s license number. Board of Elections officials declared that they were “highly confident [the hackers] weren’t able to change anything” [42]. Investigators believe the hackers were likely based overseas, and suggested Russia as a possibility [44].

These breaches and many documented others provided personal data on Americans sufficient to enable black-market vendors to sell personal credentials such as Social Security numbers at fairly low prices. One survey in August 2016 found Social Security numbers sold discreetly on the web for $1 per record [38]. Security researchers also found websites such as SSNDOB that sell Social Security numbers for $1 and driver’s license numbers for $4 [39]. In two years, SSNDOB served more than 1.02 million Social Security numbers and more than 3.1 million birth records to its customers [40]. SSNDOB allegedly acquired the personal data by infiltrating the internal systems of data brokers LexisNexis and Dun & Bradstreet and the background check company HireRight [40].

In recent years, multiple major data breaches have affected millions of Americans. A 2015 survey by the American Institute of CPAs found that 25 percent of Americans fell victim to information security breaches in the past year [32]. The number of data breaches, as tracked by the Identity Theft Resource Center, reached an all-time high in 2015 of 338 breaches involving Social Security Numbers and a combined total of 164.4 million records [33]. Victims of major breaches include: (a) the 21.5 million current and former federal workers affected by the Office of Personnel Management breach in July 2015 [34]; (b) the 78.8 million current and former customers and employees of Anthem, a health insurance company, who had their names, birth dates, Social Security numbers (SSNs), home addresses, and other personal information stolen in an attack in February 2015 [35]; and (c) the 15 million customers of T-Mobile, the wireless service provider, who had their names, dates of birth, addresses, Social Security numbers, and driver’s license numbers exposed through a breached Experian server that T-Mobile used for credit assessment in October 2015 [36]. Even public figures such as former First Lady Michelle Obama, former Vice President Al Gore, and the singer Beyoncé had their credit reports and Social Security numbers posted online in March 2013 as a result of attacks against the three credit bureaus Experian, Equifax, and TransUnion [37].

There is a significant ecosystem of data brokers and vendors that legally acquire sensitive personal information such as Social Security Numbers or driver’s license numbers to sell to clients for background checks, fraud checks, or other purposes [27]. These companies include credit report bureaus such as Experian and data brokers such as Acxiom [28], [29]. Some companies sell their data to others who may then, in turn, use it for identity theft purposes [30], [31]. For example, in 2013, Experian discovered that one of its subsidiaries, Court Ventures, sold 3.1 million personal records of Americans including Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data to a Vietnam-based identity theft service, Superget.info, from at least 2011 to February 2013 [30]. The Vietnam company earned $1.9 million by selling its subscription to Court Ventures’ data to its 1,300 clients for use for identity theft [30]. In February 2016, the Federal Trade Commission won $5.7 million judgments against two data brokers, LeapLab and Leads Company, for gathering personal information from payday lending applications. The information gathered was a consumer’s name, address, phone number, employer, Social Security number, and bank account number, including the bank routing number. These companies sold the data to non-lenders, who had no need for this information, for $0.50 a record [30].

Social Security numbers (SSNs) are issued by the federal U.S. Social Security Administration to people who work in the United States, babies born in the United States, and people who are tax dependents of U.S. workers. Driver’s license numbers refer to the numbers that appear on identification cards issued by states as a requirement to drive a motor vehicle in the United States. Many states issue identification cards, through the same department that issues driver’s license numbers, to those state residents who do not drive.

The intent is to require voters to provide “information that others will not have,” according to the bipartisan National Conference of State Legislators [4]. However, in today’s data-rich society, is it reasonable to believe that a Social Security number or driver’s license number, or in the Delaware example (Figure 1) date of birth, is only known to the voter?

Figure 1. Information required to identify a voter at the Delaware website is either: (a) name, date of birth, and ZIP; or, (b) driver’s license number (or State ID if not a driver) and date of birth. In the example shown, the voter also has to enter “LANARK” in the CAPTCHA field to proceed. Visiting the web page again would require the voter to enter different text in the CAPTCHA field. See Figure 4 for the source URL.

A May 2015 survey by Pew of 20 states found that each of the states surveyed used a combination of either driver’s license number/State ID number, last 4 digits of the Social Security Number (SSN), and/or the full Social Security Number to authenticate website visitors for voter registration [3]. Louisiana also required the audit code of the driver’s license or State ID in addition to the driver’s license number or State ID number, and Washington required the issuance date of the driver’s license or State ID in addition to the driver’s license number or State ID number [3].

In the case of the Riverside County attack, described earlier, registration changes may have occurred as early as two months before the election. At least one voter reported seeing his party affiliation changed online when he checked on April 11, almost two months before the June 7 primary [1]. However, complaints did not become prominent until the Republican primary on June 7, reportedly when voters found themselves receiving unexpected provisional ballots at the polling place.

In order for a falsified absentee ballot attack to succeed, an attacker needs to request the ballots on behalf of voters before the absentee ballot request deadline of each state. After the deadline passes, voters filing absentee ballot requests may be required to vote in person. Deadlines for absentee ballot requests range from 21 days before the election for Rhode Island to noon of the day before for 7 states [26].

For a hypothetical change of address attack to succeed, the attacker would need to focus on those states that host websites that allow changes to voter rolls and perpetrate the attack on those websites before registration deadlines. According to the NVRA, states may set registration deadlines of up to 30 days before an election [22]. In the days before the deadline, voters can submit personal information to the state on physical or electronic voter forms for change of address, which the state can then act on by immediately updating the voter rolls before the election [22]. After the registration deadline, states close the voter rolls to updates until after the election. Voters are expected to vote at the designated precincts based on the addresses that appear on the rolls [25].

The National Conference of State Legislators (NCSL) in the United States conducted a survey in June 2015 of the nation and found 24 states (updated to exclude Illinois) do not count provisional ballots that were cast in the wrong precinct [23]. Illinois counts provisional ballots in some cases. Table 1 has a summary. Twenty-one states and D.C. include in their vote tallies a partial count of provisional ballots cast in the wrong precinct by only counting votes for federal races, statewide races, or local races that are shared between the new and old precincts [23]. Maine does a full count of all races from all provisional ballots cast in the wrong precinct only if the number of provisional ballots cast is large enough to affect the outcome of an election [23]. Idaho, Minnesota, and New Hampshire do not issue provisional ballots since they offer same-day registration. North Dakota does not have voter registration and only issues provisional ballots when poll hours are extended [23]. In 2016, 2.5 million provisional ballots were cast nationally, and 62 percent were counted in full [24].

A malicious attack that changes a voter’s home address in most states can adversely impact the voter’s experience at the polling place. The voter may be prohibited from voting, required to somehow locate and visit the precinct assigned to his new address—an address that is unknown to him—or obliged to cast a provisional ballot at the precinct that is no longer assigned to him [23]. If the new address set by the attacker is still in the same Congressional district as the old address of the voter, then the NVRA requires states to permit the voter to vote either at the previous polling place, the new polling place, or a designated central location upon “oral or written affirmation by the registrant of the new address.” A voter will find it difficult to affirm a new address if the new address on file results from an attack rather than an actual move [22]. If the attacker chooses a new address in a different Congressional district, then the voter would likely receive a provisional ballot at her old precinct on Election Day, but provisional ballots are often not counted, depending on the state and circumstances.

An attack can combine the first two methods by first changing a voter’s address to an attacker-preferred address and then requesting that an absentee ballot be sent to the new address. In this case, the attacker might submit a false absentee ballot on behalf of the voter. This was one of the main concerns of security researchers regarding Maryland’s decision on September 14, 2016 to move to a new online ballot system [19], [20], [21].

Cyber-attacks involving identity theft do not require technical penetration of the computers that power the websites, nor do they require the kind of computer “break-ins,” data breaches, or compromised passwords traditionally discussed as computer security concerns. Instead, cyber-attacks involving identity theft rely on access to personal information, which today is widely available on Americans. Impersonating a registered voter online merely requires having personal data on the voter and knowledge of election specifics. It involves little or no computer hacking expertise.

Other government services encounter identity theft as a challenge as they operate and secure systems to serve the needs of Americans. For example, the Internal Revenue Service (IRS) regularly confronts identity theft in connection with tax fraud. The attacker impersonates a taxpayer and files a false tax return to obtain a tax refund before the actual taxpayer files her own legitimate return. When the actual taxpayer files subsequently, she receives a notice of double filing from the IRS and begins a lengthy administrative review process [11]. According to the U.S. Government Accountability Office in a report to Congress, the IRS estimates that in 2014, it paid $3.1 billion in refunds for 1.3 million false tax returns filed by identity thieves [11]. Anti-identity theft measures such as the IRS’s Identity Protection PIN and e-File PIN, which were given only to taxpayers who have already been victims of identity theft, were found to have been compromised by identity thieves and were suspended in 2016 [12], [13]. In May 2015, the IRS suspended its Get Transcript service, which allows taxpayers to view their old tax returns online, after identity thieves attacked the service and used the personal information of 100,000 taxpayers to log in and acquire the taxpayers’ returns [14].

The paragraphs below describe identity theft, sources of personal information, ways that changing voter registrations can disenfranchise voters or undermine confidence in elections, and the kinds of back office logs state administrators may keep to limit an attacker or help track one down. Afterwards, we use these concepts to figure out what sources of personal information and which websites would have allowed impostors to submit changes to voter registrations in the 2016 presidential election.

An attacker who pretends to be a voter online engages in a form of identity theft. The attacker’s goal is to disenfranchise the impersonated voter or to discredit the election system, which is possible if the impostor can convince the website that he is the actual voter and is therefore eligible to submit online changes to the voter’s registration record and his submitted changes are accepted. How does the website know a visitor is a particular voter? A website considers anyone, or anything, that provides the correct personal information about a voter to be the voter. So, an impostor needs to have personal information about voters in order to impersonate voters online.

While encouraging states to deploy online voter registration systems, the PCEA report also cautioned that “questions about security will require close attention to ensure that unauthorized changes to voter registration cannot be made” [8]. These concerns were reiterated by the Congressional Research Service (CRS) in a report on October 18, 2016, which stated that “successful attacks could compromise the confidentiality, integrity, or availability of election information or processes…For example, voter registration lists could be deleted or altered” [10]. If so, how could it be done?

One of the major motivations for states to provide an online voter registration tool is to reduce cost. While an online tool costs approximately $240,000 on average to build, with the highest cost of $1.8 million for California [4], [6], voter registration websites can significantly reduce costs. For example, Arizona reported a per-registration processing cost of 83 cents for paper registrations but only 3 cents for online registrations [4]. Beyond cost reductions, improved accessibility and visibility of registration data are additional benefits of online registration systems to voters and election administrators [7].

In many states, the ability to change existing voter registrations online is provided along with the ability for new voters to register online (“online voter registration” in this writing). The first state with online voter registration was Arizona in 2002, followed by Washington six years later [3]. There were 11 more states offering online registration by 2012, 7 more by July 2014 [3], and a reported total of 31 states and D.C. by June 2016 [4]. Kentucky was among the most recent, launching its system on March 1, 2016 [5].

In this step, we compared the relative costs of implementing the change of address attack on state voter websites based on information and facts acquired in the prior steps. Personally-identifying information has acquisition costs. Techniques to defeat CAPTCHAs have varying programming costs and may also have human costs if semi-automated. We itemized these and other costs per state to compute the “total attack cost” for the change of address attack. Here are the methods used:

For each of the websites having a CAPTCHA, we entered data in all required fields except the CAPTCHA field, and then left the web page idle for 2 and again for 5 minutes. If the web page just waited for a response and then accepted a response to the CAPTCHA after the 2 or 5 minutes expired, then we considered the website ripe for semi-automation, because 5 minutes would be more than enough time to get an answer to the CAPTCHA from a network of human helpers. On the other hand, if during the 2 minutes the web page refreshed the CAPTCHA to display another image, or terminated the session altogether, we considered the website resilient to semi-automated responses to the CAPTCHA.
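The server-side behaviour that the idle test above classifies as resilient, as an added example that is not code from the paper or from any state website: each CAPTCHA challenge is bound to a session, expires after a fixed lifetime, and is consumed on the first answer attempt. The class and function names and the 90-second lifetime are assumptions chosen so that both the 2-minute and 5-minute idle checks fail.

```python
import hashlib
import hmac
import secrets

CHALLENGE_TTL_SECONDS = 90  # assumption: shorter than the 2-minute idle test


class ChallengeStore:
    """Tracks issued CAPTCHA challenges (hypothetical helper for this example)."""

    def __init__(self, key, ttl=CHALLENGE_TTL_SECONDS):
        self._key = key
        self._ttl = ttl
        # challenge id -> (keyed digest of answer, issue time, session id)
        self._pending = {}

    def _digest(self, text):
        # Store a keyed digest rather than the answer itself.
        normalized = text.strip().upper().encode()
        return hmac.new(self._key, normalized, hashlib.sha256).digest()

    def issue(self, session_id, answer, now):
        """Register a new challenge and return its unpredictable id."""
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (self._digest(answer), now, session_id)
        return challenge_id

    def verify(self, challenge_id, session_id, response, now):
        """Check one answer. The challenge is removed whatever the outcome."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return "unknown"          # never issued, or already used
        digest, issued_at, owner = entry
        if owner != session_id:
            return "wrong-session"    # answer relayed from another session
        if now - issued_at > self._ttl:
            return "expired"          # page sat idle past the lifetime
        if not hmac.compare_digest(digest, self._digest(response)):
            return "incorrect"        # a new image is required for a retry
        return "ok"


def idle_test(store, idle_seconds, session_id="s1", answer="LANARK"):
    """Repeat the paper's check: fill the form, wait, then answer."""
    issued = 1_000.0  # constructed clock value, in seconds
    challenge_id = store.issue(session_id, answer, now=issued)
    return store.verify(challenge_id, session_id, answer,
                        now=issued + idle_seconds)


if __name__ == "__main__":
    store = ChallengeStore(key=secrets.token_bytes(32))
    for seconds in (30, 120, 300):
        print(seconds, "seconds idle ->", idle_test(store, seconds))
```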

We captured 100 instances of the CAPTCHA from each of the websites to understand the nature of the images used. We then surveyed to see whether computer programs existed that would provide proper responses to the kind of CAPTCHA displayed or whether simple computer programs could have been written to defeat the CAPTCHA.

Figure 2. Ways an attacker can acquire the personal data needed to impersonate voters. On the left, top to bottom, is a sequential build-up of demographic information (including date of birth, or DOB) and government-issued identifiers (namely, Social Security numbers, or SSNs, and driver’s license) from named sources. Different named sources include government offices, free downloads, data brokers, and computer programs. On the right is an alternative that acquires the data online through unknown sources on the deep web or darknet. Additional options are combinations of named and unnamed sources between the left and right sides (connected by dashed lines).

An alternative appears on the right side of Figure 2, in which the attacker acquires voter data or personal profiles (data containing names, addresses, and demographics), along with accompanying Social Security numbers and driver’s license data, through anonymous sources online. Breached data and data of unknown origins are often available for sale anonymously on the deep web and the darknet. The “deep web” is part of the World Wide Web whose contents are not indexed by standard search engines. Web searches tend to exclude content from the deep web, making it harder for someone to just stumble onto the content. A user can access content freely on the deep web if she knows (or learns) the URL. The “darknet” is a specialized encrypted network of anonymity-providing web servers on the deep web that primarily operate as a haven for drug markets, pedophiles, sex traffickers, and personal data [62]. An attacker could also mix named and anonymous sources.

An attacker looking to impact a local election only needs data specific to the targeted geography. An attacker looking to cause widespread havoc on voter rolls might garner as much data as practical to impact as many state websites as possible. Foreign governments or state actors may simply steal the data needed. The specific data and amount of data needed by an attacker depend on the voter websites targeted. An attacker could pursue several different means of acquiring the personal voter data needed.

Lastly, the website may not require the same fields that a Frequently Asked Questions (FAQ) page for the website describes. In this case, we deferred to the version available on the website itself unless it had a multi-page process, in which case, we elected to report what the FAQ described in the belief that there may be other information requested on subsequent pages we could not view without risk of changing a voter record.

A field of personal information may be required but not actually checked against any information the state holds. For example, a website may require a Social Security number be given, but behind the scenes, the value given is not actually checked for validity in order to submit the change; in this case, any value having 9 digits would suffice without necessarily being the SSN of the voter. Because we were not actually changing any records, we had no way of knowing which values the state actually verified. Therefore, our results may report a greater burden for the impostor than is actually necessary to perpetrate the attack.
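The difference between a field that is merely required and one that is checked against state-held data can be made concrete. The following Python sketch is an added illustration, not code from the study or from any state website; the record layout, function names, and sample values are all assumptions constructed for the example.

```python
import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RecordOnFile:
    """Hypothetical shape of what the state holds for one voter."""
    name: str
    dob: str   # YYYY-MM-DD
    ssn: str   # nine digits, no separators


# Constructed sample record; every value is made up (area 000 is never issued).
ON_FILE = RecordOnFile("JANE Q PUBLIC", "1970-01-31", "000123456")


def _digits(value: str) -> str:
    """Strip the spaces and hyphens people type into SSN fields."""
    return re.sub(r"[\s-]", "", value)


def _name(value: str) -> str:
    """Upper-case and collapse whitespace so cosmetic differences do not matter."""
    return " ".join(value.upper().split())


def format_only_check(form: dict) -> bool:
    """Weak form: the SSN field is required, but only its shape is tested."""
    return re.fullmatch(r"\d{9}", _digits(form.get("ssn", ""))) is not None


def record_match_check(form: dict, held: RecordOnFile) -> bool:
    """Hardened form: each required field must equal the value on file."""
    submitted = (_name(form.get("name", "")),
                 form.get("dob", "").strip(),
                 _digits(form.get("ssn", "")))
    expected = (held.name, held.dob, held.ssn)
    ok = True
    for got, want in zip(submitted, expected):
        # Compare every field without an early exit, and return one pass/fail
        # so the response does not reveal which field was wrong.
        ok &= hmac.compare_digest(got.encode(), want.encode())
    return ok
```

A well-formed but wrong SSN passes `format_only_check` and fails `record_match_check`, which is the gap our survey could not observe from outside the website.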

Our recorded fields may not necessarily be all the fields requested on the page. We considered the required fields to be those fields necessary to proceed; these were usually highlighted, stated as such on the web page, or became evident when we attempted to submit a blank page. For example, a web page may request Social Security number, but if the value was not required to proceed, we did not record it as being a required field.

We advanced through a sequence of one or more web pages the website required, but we stopped before actually changing voter rolls. States expect the general public to use these websites, so the websites tend to provide clear notice of the point at which a subsequent click will submit a change to voter records. We proceeded through the sequence of web pages only while we were confident that doing so did not submit any changes to actual voter rolls. As we proceeded through the pages, we recorded the fields of personal information that the website required.

We surveyed the Internet for state websites that allowed voters to submit changes to their voter registration information online. Websites sought may or may not be the same websites as those that allow members of the public to register to vote, to look up voter information, to review ballot information, or to locate polling places. We searched for a website for each of the 50 states and the District of Columbia. Search queries began with the name of the state followed by “voter registration address change.” We reviewed the top 6 results from each search to see whether a candidate website was found.

Results

Below is a summary of our findings. Supporting details appear in the subsections that follow this summary and are organized following the 6-step approach described above.

We found online voter websites for 35 states and D.C. that allowed voters in those states to submit changes to their addresses. The kinds of personal information an attacker would have provided were the voter’s name in 30 (83 percent) of 36 websites, date of birth (35 or 97 percent), driver’s license number, or State ID if the voter did not drive (33 or 92 percent), and part or all of the voter’s SSN (22 or 61 percent). There were 43 possible combinations of fields of personal voter information required at the 36 websites. In combination, {name, date of birth, driver’s license} was needed in 27 (63 percent) of the 43 and {name, date of birth, address} was necessary in 15 (35 percent).

Our surveys found that an attacker could acquire voter names and demographics from government offices, data brokers, the deep web, or darknet markets, and could acquire government-issued identification numbers from data brokers, government sources, websites, and the deep web or darknet markets.

For voter lists, we calculated that an attacker could have spent $219 to acquire voter lists for 18 (50 percent) states, $4,407 for 29 (81 percent) states, or $17,679 for all 35 states and D.C. from authoritative government sources, publicized websites, or data brokers. Sources of all cost information and the assumptions we used to calculate attack costs are laid out further below in the sub-sections.

Alternatively, an attacker could have spent $1,002 from darknet sources to acquire 2 datasets that jointly contained the names, addresses, dates of birth, genders, and SSNs of most adult Americans.

While prices varied, an attacker could spend as little as $40 per month for an unlimited number of searches at a data broker website to acquire the SSN and driver’s license numbers of voters (and an additional $0.01 per record for more details such as prior addresses and driver’s license issue date). Some data brokers charged $1 per name compared to $0.41 from clandestine sources on darknet markets. Compilations from swipes of the magnetic strip of driver’s licenses and photo images of driver’s licenses were available on darknet markets for prices ranging from $0.01 to $15 each.

Government election offices, political campaigns, and data analytic companies working on elections have experienced breaches containing most or all the personal information an attacker would have needed to impersonate voters at the 36 websites. Copies of some of these datasets have been found publicly available on the deep web and could have been available for an attacker to use if the attacker made or became aware of the URLs. In these cases, the data would have been available at no additional cost.

Eleven (31 percent) of the 36 websites had a CAPTCHA service that attempted to limit the speed with which an attacker could submit address changes on the website. In 2016, however, automated programs could respond to the kinds of CAPTCHAs found on all the state websites that had CAPTCHAs, thereby rendering them a nominal deterrent.

In summary, the cost of an attack may vary based on actual data sources and whether the website used CAPTCHAs. An attacker that primarily used two datasets offered on darknet markets, the Texas voter list, and a data broker as sources could change 1 percent of the voter records on all 36 websites for a total attack cost of $10,081. The minimum state cost was $1 (Alaska), the maximum $3,059 (Texas), and the median $41 per state. Alternatively, an attacker could primarily purchase data from government offices, data brokers and websites archived on search engines to change 1 percent of the voter records on all 36 websites for $24,926. The minimum state cost was $5 (Delaware), the maximum $3,059 (Texas), and the median $417 per state. An attacker that found relevant information on the deep web, or had a confederate that placed it there, would have no data costs, dramatically reducing the attack cost for machine use to $748 for all 36 state websites.

Results for Step 1: Number of Websites

Thirty-five states and D.C. offer online websites for submitting changes to voter addresses. Specifics appear below.