Over the weekend, several users on the infamous 4chan message board claimed to have found similar vulnerabilities in the Oregon and Washington state voter registration systems that would allow hackers to "cancel" people's votes.
In a thread that has more than 400 replies, anonymous users posted a variety of screenshots showing what they claimed was a serious vulnerability in Oregon and Washington's online voter registration portals. This is where people in the two states can register to vote and update their addresses to receive their mail-in ballots.
Some users claimed they were able to access or alter voters' personal details, such as name, whether the person is registered to vote, their home address, and their mailing address, and to "mark" the person's ballot. Oregon and Washington are two of nine states that are sending every registered voter a ballot this year, meaning every voter can choose whether they want to vote by mail or at a polling place.
4chan users thought that by changing some people's personal details on these portals, they had found a way to tamper with people's votes. Several people on Twitter noticed the 4chan thread and posted alarming tweets that went viral and have even spread to the right-wing, conspiracy-loving blogosphere. Many of the posts on 4chan and the outside coverage of them seem like an attempt to sow distrust in the election, a tactic that has been employed by Donald J. Trump and the Republican party.
In reality, however, not just anyone can change—let alone cancel—anybody's vote in either Oregon or Washington, according to both government election officials and independent election security experts.
"No votes can be cast or cancelled online through MyVote," Stephen Trout, the director of elections at the Oregon Secretary of State, said in an email to Motherboard. "Attempts to alter information on MyVote can be tracked through our system logs to help identify the individual who is committing the crime."
Kylee Zabel, the communications director of Washington's Office of the Secretary of State, explained in an email that "the voter information that can be accessed on VoteWA.gov is publicly disclosable by law. However, in order to alter a person’s registration record online, you would need to provide your driver’s license number and issuance date."
While it's always funny to find out how full of shit 4chan users are, this misunderstanding underlines the challenges of giving citizens an accessible and easy-to-use voting system. Most voter registration portals require minimal authorization because they've been designed to enfranchise voters.
"Yes, if you know someone's personal information, you're going to be able to access their voter registration record and request a change," Ben Adida, the executive director of VotingWorks, a non-partisan non-profit that studies election security and helps with both voting equipment and audits, said in an email. "There's no way around that in a system where you want to enfranchise voters and make it easy to vote."
As Zabel explained: "if someone logs in to VoteWA.gov and accesses an online ballot, the ballot previously mailed to the voter is placed on hold. Only one active ballot can be live at one time, even if multiple physical ballots have been issued. Once a returned ballot is received by county election offices, the signature on the return envelope is checked against the signature on file in the voter’s registration record."
Do you work on election security? Do you do vulnerability research on voting machines or systems? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wire/Wickr @lorenzofb, or email firstname.lastname@example.org
Moreover, Washington state's online systems are monitored 24/7 "to detect and prevent unusual activity," and there are "manual backend processes" against attempted fraud, according to Zabel.
"If a voter authenticates using their Washington state driver’s license number or I.D. and the issuance date, and makes an update to their record, it is sent to the Department of Licensing to verify the identity of the voter," Zabel explained. "Then it is queued up for the county to review and accept the change to the voter’s record. If the county has questions or concerns or if the application is missing information, the county will follow up directly with the voter."
In other words, there's a long trail of evidence, checks, and balances. All 4chan users did was make life harder for election officials in the two states.
"Unless someone has a voter’s driver’s license number and issuance date, no changes can be made to that voter’s registration record on VoteWA.gov," Zabel said. "Printing another’s ballot would not be considered fraudulent. However, attempting to vote someone else’s ballot is voter fraud, and punishable by up to 5 years in prison and a $10,000 fine. If a ballot is returned for a voter but the signature does not match, the county elections office will reach out to the voter to cure the ballot. If the voter receives a cure form but has not returned their ballot, they will notify the county elections office, which in turn will pass the information on to county sheriffs and prosecutors to investigate for potential fraud."
Matt Bernhard, a research engineer at VotingWorks, said in an online chat that if he had to guess, "no records have been changed illegally though. This feels a lot more like a confidence-suppressing disinfo campaign than an actual hack."
"I don't see a significant threat here," VotingWorks' Adida said in an email. "This is another form of vote-by-mail fraud, which, as we know from countless studies, doesn't happen very often. When it does, because of extensive records, people are often caught, and the penalty is very harsh."
That, at least, is clear even to the 4chan amateur bug hunters.
"Don't fuck with the vote system anons," warned one. "Just get this out to discredit the election results of every state with this system."
Messing with the vote system is not, technically, a felony. Voter fraud, however, is. And the penalties for it are indeed harsh, as Trout and several other government officials contacted for this story were quick to point out in similarly worded emails.
"Altering someone’s voter registration or attempting to vote another person’s ballot are crimes. It is a felony with up to 5 years in prison and a $125,000 fine," Trout wrote.
In Oregon, just like in Washington, the voting system requires an ID to make significant changes, and election officials check documents behind the scenes.
"While you can view a voter’s information if you know their name and birthdate (it is all public information that anyone can view at an elections office), you cannot change it online without having the driver’s license number," the email continued. "The mark my ballot tool helps voters with disabilities and military and overseas voters to mark their ballot. They still must return the ballot with the proper identifying information, including their signature, which will be compared against the voter’s signature in the voter registration file before being accepted to count."
In conclusion, there were no serious vulnerabilities discovered by 4chan. In fact, the systems in both states were actually designed to deal with the very "hack" that people on 4chan were worried—or excited?—about.
"I can imagine that some people might try to commit fraud this way," Adida concluded. "But it won't be that many votes before they're discovered, and the penalties are particularly harsh, so it's not going to happen at any reasonable scale."