Securing Our Elections: How States Can Mitigate the Potential Damage of Hacked Voter Registration Rolls

Introduction

Our nation is working in a variety of ways to address election security and integrity. From the halls of the Capitol to hacker conferences like DEF CON, malicious exploitation of voting machines and websites has become a much-watched issue. The nation’s largest social media companies are scrambling to find ways to respond to bots, false stories, and foreign propaganda that is infecting discourse on their sites.

Yet one critical area of election security has received far less attention: protection of voter registration rolls. If state registration databases were hacked and compromised, it could have a catastrophic effect on elections, because for most states, only the weak safety net of provisional voting is in place to serve as a backup if the worst should occur.

While backups using best security practices and making potential structural changes to election systems offer greater potential for preventing or limiting the harms of database hacks than does provisional voting, it is nonetheless important to examine how well this final backstop could serve following a successful breach.

The Constitution Project at the Project On Government Oversight conducted a state-by-state analysis to determine this by examining states’ legal requirements for provisional ballots and their ballot capacity. Of the 29 states examined,¹15 have laws that would prohibit provisional voting by anyone whose registration status cannot be determined, 6 states’ laws contain legal ambiguities that create uncertainty about whether provisional ballots could be broadly used, and 3 maintain a number of ballots below necessary capacity for broad use. Based on these findings, we set forth recommendations for decreasing the likelihood of needing to resort to broad use of provisional ballots, and for ensuring that in the event that states must resort to provisional ballots as a final safety net, it would be possible for them to do so.

Risks of an Attack on Registration Systems

Combating election interference and protecting the integrity of our voting system is a critical policy goal receiving growing attention in the wake of increasing threats and attempted interference by foreign adversaries. Successful meddling in our election system could result in a variety of harms: such efforts could tip election results, create the specter of elections being “stolen” or “rigged” even if actual impact was minimal, or cause disorder and delays that prevent elections from occurring at all.

There are numerous means for achieving these nefarious aims. But one of the most dangerous is attacking registration databases, an area we have said “may be our election system’s greatest vulnerability.”²

In fact, according to the Senate Select Committee on Intelligence, Russia successfully penetrated state registration databases in 2016, which “in a small number of cases” provided it with the potential ability to alter and delete registration data.³ In June this year, mere printer and computer errors related to registration systems on the eve of California’s and Maryland’s primary elections forced tens of thousands of voters in each state to cast provisional ballots,⁴ demonstrating how problems related to registration databases can hamper voting on a mass scale. And in July this year, indictments of Russian military intelligence officers by Special Counsel Robert S. Mueller III’s office indicated Russia penetrated the computer systems of a vendor that supplied voter registration equipment, and used its infiltration of the vendor’s systems to launch spear phishing attacks⁵ against its clients.⁶

As we have previously highlighted, “tampering with registration can be just as influential in swinging an election’s outcome as targeting voting machines themselves.”⁷ Select removal of several thousand individuals who reliably vote for one party from registration rolls in a single state could alter the outcome of Congressional races, or even a presidential election.⁸ If an espionage operation successfully destroyed the registration database in just a single state—or tampered with records to a sufficient degree to render most records unreliable—it could cause irreparable damage. We might be left with insufficient votes in the electoral college to decide the presidency, control of one or both chambers of Congress could be put into limbo, or problems completing elections for state governments.

Yet in most states, should a centralized attack on registration rolls occur on the eve of an election, it would likely leave provisional voting as the sole means for citizens to cast a ballot. In light of the emerging threats of election interference, reliance on provisional ballots as a safeguard to mitigate the harms of a successful attack is wholly insufficient.

Provisional Voting is Ill-Suited to Address Modern-Day Threats

Purpose of Provisional Ballots

Provisional ballots are largely a modern phenomenon, designed to be a fail-safe for individualized situations when a voter’s records were unclear due to small-scale errors or events such as an unregistered change of address.⁹ In 2001, only 17 states offered provisional ballots.¹⁰ This was changed by the Help America Vote Act (HAVA) of 2002, which required all states to create a provisional ballot system.¹¹ According to the National Conference of State Legislatures, “the most common reasons [for casting a provisional ballot], as identified by the EAC [Election Assistance Commission], are:

• The voter’s name is not on the poll or registration list
• The voter’s eligibility cannot be otherwise established
• The voter’s identity and/or eligibility to vote has been challenged by a poll-worker or election official
• The voter does not have identification as required by that state
• The voter requested an absentee ballot but claims he or she either didn’t receive it or didn’t cast it
• The voter’s address or name has changed but their voter registration information does not reflect the change
• For primaries, the voter registration reflects an error in party listing.”¹²

As a result, provisional ballots typically represent only a small portion of ballots cast. According to the Election Assistance Commission, between 2006 and 2016, provisional ballots ranged between 1.6 and 2.1 percent of ballots cast in presidential elections, and 1.0 and 1.2 percent of ballots cast in midterm elections.¹³ Overall, the rate of rejection is approximately 21 percent in midterm elections and approximately 31 percent in presidential elections.¹⁴ Rejection rates vary significantly between states, which have vastly differing standards for accepting and rejecting provisional ballots. Rejection rates in 2016 ranged from 1.4 percent (Alaska) to 92 percent (Delaware).¹⁵ According to the MIT Election Data + Science Lab, “[states] with high provisional ballot usage rates tend to have low rejection rates and vice versa.”¹⁶

The threat of nation-state cyberattacks against our election systems is relatively new to our public policy discourse.¹⁷  In 2002, the notion that malicious hacks could destroy an entire voter database was not under consideration by federal lawmakers as they passed HAVA, nor was it a chief concern of the state lawmakers who responded to the law by establishing provisional voting systems. Thus, while many of the systems we encountered presented problems for broad use of provisional voting as a fail-safe against attacks on our registration rolls, these problems are not due to states’ indifference to modern threats. Most election laws present provisional balloting as an option only when individual registration status cannot be confirmed at the polls. These systems simply were not designed to operate as a backstop to a surreptitious purge of thousands of voter registration records.

States Are Unable or Unprepared to Use Provisional Voting as Broad Contingency if a Malicious Hack Compromised Registration Databases

A majority of the states examined are unprepared and appear unable to use provisional voting on a broad scale to respond to a debilitating attack on its voter registration database. This is due to the operation of state law governing provisional voting, as well as logistical challenges that would likely accompany any wide-scale use of provisional ballots.

First, many state laws are designed in a manner that would not even allow most voters to cast provisional ballots following destruction or compromise of their registration databases. Fifteen of the 29 states examined have laws that would prohibit provisional votes by anyone whose registration status cannot be determined from being counted.¹⁸ Additionally, in 6 states, legal ambiguities create uncertainty about whether provisional ballots could be broadly counted. In states with these legal ambiguities, statutes set conditions for both accepting and rejecting provisional ballots based on a determination of registration status, with no clear default rule about how to act if such a determination cannot be made.

Multiple states examined also do not have the logistical capacity to allow broad voting by provisional ballot because they do not print enough materials to suffice in the event of an election attack that required resorting to provisional ballots. Three of the 29 states studied maintain a number of ballots below that level. Seventeen of the 29 states either did not provide sufficient information on practices regarding the number of provisional ballots prepared for elections, or did not have centralized control of printing provisional ballots.¹⁹

Even in states that have the most effective laws for permitting provisional voting following destruction of registration records—and that have full capacity in terms of having sufficient provisional ballot materials on hand—provisional voting is problematic in a number of ways. Generally, states require individualized review of provisional ballots that is not typical for a standard ballot; this would dramatically slow the process of tabulating election results in cases where these ballots were needed broadly. Further, despite this additional verification, it is likely that broad use of provisional ballots would lead to mistrust and accusations of fraud. Therefore, although maintaining effective state laws and balloting systems would do much to minimize damage, a situation requiring broad use of provisional ballots would unavoidably harm election integrity.

Other Remedies Would Be More Effective to Prevent or Mitigate the Harms of Attacks on Registration Databases

In terms of facing the modern risk of large-scale attacks on registration systems, methods other than resorting to broad use of provisional ballots would be more effective in terms of resources, maintaining election integrity, and preventing subsequent election-meddling.²⁰Most notably, secure backups of registration databases are an effective method of negating the harms of an attack on a registration database.²¹

However, in order to serve as an effective safeguard, backups need to be properly designed and protected. If a malicious hacker can access and alter backups in the same manner as main databases—or prevent knowledge of changes for prolonged periods of time and thereby taint subsequent backups—backups provide no security benefit at all. Many states we contacted responded that they do maintain backup databases; we intend to conduct additional research on whether states employ a variety of specific best practices to ensure that backups can effectively withstand an attack and to guarantee mitigation of harms.

There are several distinct structural systems that could minimize or prevent the damage of altering or deleting voter databases: same-day registration, mail-in voting, and decentralized registration databases. Same-day registration may provide an alternative to provisional ballots, mail-in voting could offer an early warning of a malicious hack, and decentralized databases²² could make a large-scale attack on registration data significantly more difficult by diluting targets. However, additional factors need to be evaluated to see if these systems could be effective at scale in responding to an attack on registration databases. Therefore, we do not include states with same-day registration, mail-in voting, or decentralized databases in this study of provisional ballot systems. A later phase of The Constitution Project at POGO’s research on election security will seek to determine whether these systems could effectively prevent or mitigate the harms of an attack on states’ registration databases.

Recommendations

Our primary recommendation is to develop effective backup systems to ensure that resorting to broad use of provisional ballots is never necessary. However, we also provide recommendations on how to ensure that a provisional-ballots system can act as a last resort in response to a successful attack compromising registration data.

1. States should develop effective backups for registration databases, with features such as access limits and auditing systems recommended by security experts.

Such measures may take time to fully develop; furthermore, best practices and necessary protocols change over time, and a component of strong election and cybersecurity preparedness involves contingencies, including for worst-case scenarios. Thus, even if a state has taken all proper measures to protect registration databases, it should be as prepared as possible for a scenario where its database is nonetheless breached and compromised.

In light of these factors, states should be prepared for the eventuality of a database compromise, and for the need for large-scale provisional ballot use. States’ laws and election policies should be designed to maximize the ability to use provisional ballots in such a situation with as little disruption to the election process as possible. However, in more than half the states examined, the provisional balloting system in place is not equipped for use on a broad scale, and laws and policies governing that use are not equipped to serve as a backstop to malicious hacking. 

In light of this:

2. States should clarify in their provisional ballot laws that inability to confirm registered status does not invalidate provisional votes. At minimum, states should eliminate this requirement if the number of provisional ballots needed or cast reaches a certain threshold.

3. States should replace discretionary review standards for counting provisional ballots with clear and objective criteria. At minimum, states should establish a uniform, objective standard for counting provisional votes if the number of provisional ballots reaches a certain threshold. 

4. States should maintain a full contingency of provisional ballots—meaning enough provisional ballots to be used by all registered voters—or maintain a system where a full contingency can be printed in the days before an election or on election day. 

The right to vote is a cornerstone of our democracy. Because the federal government has a critical role in supporting access to this right—as previously seen in broad bipartisan consensus in passing HAVA in 2002—and because federal aid is particularly appropriate when foreign adversaries threaten this right, there are also measures the federal government ought to undertake in order to support provisional ballot use in the states. 

Namely:

5. Congress should update HAVA’s requirement that states maintain provisional ballot processes to also require that their provisional ballot laws do not invalidate provisional votes in situations where the state is unable to confirm registration status.

6. When providing states with funding for election operations and security, Congress should include funds to aid states in maintaining a full contingency of provisional ballots.

State-by-State Analysis

The following state-by-state description details whether provisional ballots could be used broadly if necessary in response to a major attack on registration databases based on two critical factors: provisional ballot law and provisional ballot capacity.

In terms of provisional ballot law, we examine whether each state’s law would permit voters to cast provisional ballots if the state’s registration database had been deleted or otherwise compromised by a hack.²³ If the law does permit this, the state’s law is marked as “operative.” If it doesn’t—typically because the law explicitly requires an affirmative determination that the individual casting a provisional ballot is in the registration database, or because of vague or subjective standards—the state’s law is marked as “inoperative.” If there is ambiguity or conflicting rules about how the law would be applied in such a situation and therefore about whether it would restrict provisional voting, the state’s law is marked “unclear if operative.”

In terms of provisional ballot capacity, we examine whether each state could produce enough provisional ballots to allow all registered voters to cast a provisional vote if necessary in the wake of a successful attack on the state’s registration database. If the state does not require separate materials (some states use a distinct ballot for provisional voting, some use distinct envelopes, and some states don’t use either), has a full supply of necessary materials, or could rapidly acquire a full supply of necessary materials, state capacity is marked as “full capacity.”²⁴ If the state allows counties or precincts to control production of provisional ballot materials, state capacity is marked as “locally controlled.” If the state does not maintain a full supply of necessary materials or does not have plans to rapidly acquire them, state capacity is marked as “below full capacity.” If the state did not respond to our inquiries, it is marked as “no responsive data.” For this report, we sent all states we reviewed mail and electronic letters requesting relevant information on provisional ballot capacity, and called election offices for states that did not reply. Information on provisional ballot capacity is based on correspondence received and telephone conversations, with exceptions where public information was available.