Interstate Crosscheck FOIA Documents
Last Updated: November 5, 2017
We've moved! Head over to EndCrosscheck.com for the latest!
Summary of Our Findings
Crosscheck is a highly-error prone interstate data-sharing program between 28 states. Participating states send their entire voter file to a server in Arkansas. Kansas then downloads all of this data, runs a rudimentary name matching algorithm, and then uploads the results back to Arkansas. For more information, check out our FAQ.
We've posted documents obtained by Indivisible Chicago as a result of FOIA requests to Florida and Illinois. The "yellow paper" redactions you'll see in photos of documents are our redactions of usernames and passwords that states inadvertently released to us. We have redacted instead of posting publicly, as we take the sensitivity of this data more seriously than the Illinois, Arkansas, and Kansas election authorities. Black redactions were done by the government officials.
The primary problem here is not that we have these passwords, but that every official and IT department involved in this process sends usernames, login passwords, and decryption passwords in clear text in email - sometimes with up to eighty recipients. Anyone could have these passwords and could have had them at a time they could have been used while the ISBE would have been none the wiser.
In addition, Crosscheck asks states to login to an FTP server that does not encrypt traffic to upload their entire voter file. This means that every state's username and password to this central server housing 100 million voter records is sent in clear text across the Internet. These are astounding security lapses, and yet, following an unprecedented rash of hacks against voter registration systems in 2016, Crosscheck and the ISBE changed nothing and continued their poor security practices in 2017.
The documents include:
- Email from Kansas Director of Elections stating FTP username/passwords are not emailed
- Arkansas decides not to change passwords
- Emails with the FTP username/passwords 2012 through 2017 (yes, the username/password that isn't emailed)
- Passwords to Crosscheck Results files for all states, 2011 through 2017.
- Illinois State Board of Elections, full voter file encryption password, 2012 through 2017
- Florida-Kansas matches; Florida provides Kansas SSN4
- ISBE IT emails Kansas asking how Crosscheck works\basic security questions, July 2017
- Florida's questions about how Crosscheck works (Illinois never asked) and susceptibility to FOIA with Kansas responses
- Kansas Director of Elections says double votes are almost always clerical errors
Crosscheck Encryption Password - 2011
The encryption password to every participating state's results file in 2011, consisting of millions of records of voter data, is emailed to 26 people.
Florida-Kansas Voter Data
This demonstrates that other states can and have handed over other states' voter data, including the last four digits of social security number, under FOIA requests. Kansas RUNS this program, so if they can't protect their citizens' data from FOIA requests, they certainly can't protect Illinoisans. We have over 1,400 Kansans personal info plus SSN4 thanks go Crosscheck.
ISBE's Basic Questions...
Perhaps most shocking in this entire episode: After Indivisible Chicago started asking questions, the ISBE asked Arkansas and Kansas how the system works and how it's secured. Why weren't these questions haveasked in 2010 when we started sending voter data? We know they weren't, because we have all of their emails about Crosscheck.