We're in the news! Great pieces today by Ari Berman in Mother Jones, Kira Lerner in Think Progress, and Jessica Huseman & Derek Willis in ProPublica!

We just issued this letter in response to the Illinois State Board of Elections letter this past Friday.

Summary of Our Findings

Crosscheck is a highly error-prone interstate data-sharing program between 28 states. Participating states send their entire voter file to a server in Arkansas. Kansas then downloads all of this data, runs a rudimentary name-matching algorithm, and then uploads the results back to Arkansas. For more information, check out our FAQ.

We've posted documents obtained by Indivisible Chicago as a result of FOIA requests to Florida and Illinois. The "yellow paper" redactions you'll see in photos of documents are our redactions of usernames and passwords that states inadvertently released to us. We have redacted instead of posting publicly, as we take the sensitivity of this data more seriously than the Illinois, Arkansas, and Kansas election authorities. Black redactions were done by the government officials.

The primary problem here is not that we have these passwords, but that every official and IT department involved in this process sends usernames, login passwords, and decryption passwords in clear text in email - sometimes with up to eighty recipients. Anyone could have obtained these passwords while they were still usable, and the ISBE would have been none the wiser.

In addition, Crosscheck asks states to upload their entire voter file by logging in to an FTP server that does not encrypt traffic. This means that every state's username and password to this central server housing 100 million voter records is sent in clear text across the Internet. These are astounding security lapses, and yet, following an unprecedented rash of hacks against voter registration systems in 2016, Crosscheck and the ISBE changed nothing and continued their poor security practices in 2017.

Documents

The documents include:

  • Email from Kansas Director of Elections stating FTP username/passwords are not emailed
  • Arkansas decides not to change passwords
  • Emails with the FTP username/passwords 2012 through 2017 (yes, the username/password that isn't emailed)
  • Passwords to Crosscheck Results files for all states, 2011 through 2017.
  • Illinois State Board of Elections, full voter file encryption password, 2012 through 2017
  • Florida-Kansas matches; Florida provides Kansas SSN4
  • ISBE IT emails Kansas asking how Crosscheck works/basic security questions, July 2017
  • Florida's questions about how Crosscheck works (Illinois never asked) and susceptibility to FOIA with Kansas responses
  • Kansas Director of Elections says double votes are almost always clerical errors

Kansas says FTP passwords are not sent via email

It seems officials know emailing usernames and passwords is a bad practice, yet in the same email Kansas asks states to email their encryption passwords. Also, they do in fact email the FTP username and password every year.

Decision not to change passwords

Arkansas lets states know that they will not change passwords to the FTP server as previously planned, because they are too busy.

NOTE: This is what happens in a "free" program...

Username and Password to Arkansas FTP Server - 2012

Arkansas emails the ISBE their username and password (and in a single email) to access the FTP server which housed 45 million voter records in 2012.

The server connection is not encrypted, meaning this username/password is not only sitting in email (and emailed every year) but it is transmitted across the internet in plain text.

Username and Password to Arkansas FTP Server - 2013

Arkansas emails the ISBE their username and password again to access the FTP server which housed 85 million voter records in 2013.

Username and Password to Arkansas FTP Server - 2014

Arkansas emails the ISBE their username and password to access the FTP server which housed 102 million voter records in 2014.

Username and Password to Arkansas FTP Server - 2015

Arkansas emails the ISBE their username and password to access the FTP server which housed 109 million voter records in 2015.

Username and Password to Arkansas FTP Server - 2016

Arkansas emails the ISBE their username and password to access the FTP server which housed 99 million voter records in 2016.

FTP Server Credentials - 2017

Arkansas emails the ISBE their username and password to access the FTP server which housed 98 million voter records in 2017.

NOTE: Because these weren't redacted we know the passwords were the same in 2016 & 2017.

Crosscheck Encryption Password - 2011

The encryption password to every participating state's results file in 2011, consisting of millions of records of voter data, is emailed to 26 people.

Crosscheck Encryption Password - 2012

The encryption password to every participating state's results file in 2012, consisting of millions of records of voter data, is emailed to 36 people.

Crosscheck Encryption Password - 2013

The encryption password to every participating state's results file in 2013, consisting of millions of records of voter data, is emailed to 59 people.

Crosscheck Encryption Password - 2014

The encryption password to every participating state's results file in 2014, consisting of millions of records of voter data, is emailed to 80 people.

Crosscheck Encryption Password - 2015

The encryption password to every participating state's results file in 2015, consisting of millions of records of voter data.

Crosscheck Encryption Password - 2016

The encryption password to every participating state's results file in 2016, consisting of millions of records of voter data.

Crosscheck Encryption Password - 2017

The encryption password to every participating state's results file in 2017, consisting of millions of records of voter data.

Illinois Voter File Encryption Password - 2012

ISBE emails Kansas the encryption password to the full set of 8.24 million Illinois voter records, including last four digits of social security numbers.

Illinois Voter File Encryption Password - 2012 (part 2)

Illinois must have had a typo so Kansas helpfully emails back the correct password...

Illinois Voter File Encryption Password - 2013

ISBE emails Kansas the encryption password to the full set of 8.57 million Illinois voter records, including last four digits of social security numbers.

Illinois Voter File Encryption Password - 2014

ISBE emails Kansas the encryption password to the full set of 8.18 million Illinois voter records, including last four digits of social security numbers.

NOTE: This is the same password as 2012, only it ends with "2014" instead of "2012". Really.

Illinois Voter File Encryption Password - 2015

ISBE emails Kansas the encryption password to the full set of 8.2 million Illinois voter records, including last four digits of social security numbers.

Illinois Voter File Encryption Password - 2016

ISBE emails Kansas the encryption password to the full set of 8.2 million Illinois voter records, including last four digits of social security numbers.

Illinois Voter File Encryption Password - 2017

ISBE emails Kansas the encryption password to the full set of 8.8 million Illinois voter records, including last four digits of social security numbers.

Florida-Kansas Voter Data

This demonstrates that other states can hand over, and have handed over, other states' voter data, including the last four digits of social security numbers, under FOIA requests. Kansas RUNS this program, so if they can't protect their citizens' data from FOIA requests, they certainly can't protect Illinoisans'. We have over 1,400 Kansans' personal info plus SSN4 thanks to Crosscheck.

ISBE's Basic Questions...

Perhaps most shocking in this entire episode: After Indivisible Chicago started asking questions, the ISBE asked Arkansas and Kansas how the system works and how it's secured. Why weren't these questions asked in 2010 when we started sending voter data? We know they weren't, because we have all of their emails about Crosscheck.

NOT Secure FTP

In one of the most shocking revelations, Arkansas and Kansas acknowledge that what they've called "secure FTP" for years is, in fact, not "secure". Traffic to this server is not encrypted at all, meaning every state's username and password has traveled in plain text across the internet.
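
What "not encrypted" means on the wire, as an added example that is not part of the original documents or of any state's tooling: the Python below audits the reassembled control-channel text of an FTP session and reports whether a login was visible before any TLS upgrade, which is the exposure described here and in the summary above. Both transcripts, the account name, the password and the file name are constructed and do not describe the actual Crosscheck server.

```python
# Constructed sample: reassembled control-channel text (port 21) of two FTP
# sessions as an observer on the network path would see it. The account,
# password and file name are made up for this example.
PLAIN_SESSION = """\
S: 220 FTP server ready
C: FEAT
S: 211-Features:
S:  AUTH TLS
S: 211 End
C: USER state_upload
S: 331 Password required
C: PASS example-password
S: 230 Login successful
C: STOR voterfile.zip
S: 226 Transfer complete
"""
UPGRADED_SESSION = "S: 220 ready\nC: AUTH TLS\nS: 234 Proceed with negotiation\n"

def audit_control_channel(transcript):
    """Report what an unencrypted FTP control channel showed an observer."""
    report = {"tls_offered": False, "tls_negotiated": False,
              "user_exposed": None, "password_exposed": False,
              "visible_transfers": []}
    auth_pending = False
    for raw in transcript.splitlines():
        side, _, text = raw.partition(": ")
        text = text.strip()
        if side == "S":
            if text.upper() in ("AUTH TLS", "AUTH SSL"):
                report["tls_offered"] = True   # advertised in the FEAT reply
            if auth_pending and text.startswith("234"):
                # Server accepted the upgrade; the rest of the session is opaque.
                report["tls_offered"] = report["tls_negotiated"] = True
                break
            auth_pending = False
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            auth_pending = True
        elif verb == "USER":
            report["user_exposed"] = arg
        elif verb == "PASS":
            report["password_exposed"] = True  # record the fact, never the secret
        elif verb in ("STOR", "RETR"):
            report["visible_transfers"].append(arg)
    return report
```

For the first transcript the report shows the account name, the fact that a password crossed in the clear, and the uploaded file name; for the second, nothing after the TLS upgrade is readable.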

Florida asks questions...

Kudos to Florida for at least asking basic questions about how the system works, who accesses the data, how long data is retained, etc. There's no record of Illinois ever asking these questions.

Florida is concerned...

Florida is worried that someone might sue for all states' voter data in Jan/Feb when it is all in their possession... Just a few months away!

Also, Kansas' Director of Elections doesn't know who runs the Crosscheck comparisons?

Florida has more FOIA concerns and questions...

Florida continues to ask for clarification about the susceptibility of this data. There's a reason Florida only participated in Crosscheck for one year: they had concerns about the data, and they found the data was mostly garbage.

Kansas concerned that Crosscheck is susceptible to FOIA

Kansas doesn't know whether the data in their program, shared with twenty-eight states, puts voter records at risk of public disclosure... but they continue to take that risk.

Double Votes Rarely Turn Out to be Real

The Director of Elections in Kansas acknowledges that actual double votes are very rare, dispelling Kobach's fever-dream in a single email.