Problems with Georgia’s Voter Registration Portal

It’s possible to cancel other people’s voter registrations:

On Friday, four days after Georgia Democrats began warning that bad actors could abuse the state’s new online portal for canceling voter registrations, the Secretary of State’s Office acknowledged to ProPublica that it had identified multiple such attempts…

…the portal suffered at least two security glitches that briefly exposed voters’ dates of birth, the last four digits of their Social Security numbers and their full driver’s license numbers—the exact information needed to cancel others’ voter registrations.

I get that this is a hard problem to solve. We want the portal to be easy for people to use—even non-tech-savvy people—and hard for fraudsters to abuse, and it turns out to be impossible to do both without an overarching digital identity infrastructure. But Georgia is making it easy to abuse.

EDITED TO ADD (8/14): There was another issue with the portal, making it easy to request cancellation of any Georgian’s registration. The elections director said that cancellations submitted this way wouldn’t have been processed because they didn’t have all the necessary information, which I guess is probably true, but it shows just how sloppy the coding is.

Tags: , , , ,

Posted on August 7, 2024 at 7:10 AM18 Comments

Comments

Doug August 7, 2024 8:23 AM

I move there 8 years ago and was astounded at the login security. Our only option is to check it regularly.

John August 7, 2024 8:28 AM

Georgia has lots of political problems. Gerrymandering of election maps is still happening here. A few weeks ago, a court order required a new election for county commissioners due to a bad map drawn to favor Republicans. This has been happening since the DoJ stopped overseeing political maps in the south. It is really blatant again, like in the 1950s.

The idea that everyone legally able to vote should be allowed to vote is NOT what the leaders in Georgia believe. They are doing everything they can to stack the deck AND remove legal voters from registration if they think they won’t vote for their party. The last few years, about 313K voters have been removed from registration without any notification. Approximately 200K of those removals were invalid. https://www.cnn.com/2020/09/02/politics/georgia-voter-rolls-report/index.html Through a lawsuit, about 22K of those removals were reinstated.

In my area, the House district lines were drawn to split 1 district between who existing districts controlled by the long-time opposing party. Further, the existing representative had to move to a different location to even run for election in the slightly less leaning district.

Politics is very dirty in Georgia and it appears it will remain that way for the foreseeable future, unless the Feds jump back in to ensure 1-person, 1-vote and gerrymandering district lines isn’t allowed. The Georgia House and Senate can do almost anything they want with a compliant governor. The parties – and outsiders have far too much power these days. I want to vote for an individual, not someone forced to spout whatever the party says.

Sigh.

Clive Robinson August 7, 2024 8:42 AM

@ Bruce,

“I get that this is a hard problem to solve. We want the portal to be easy for people to use—even non-tech-savvy people—and hard for fraudsters to abuse, and it turns out to be impossible to do both without an overarching digital identity infrastructure.”

To some not news.

One of the supposedly simplest interfaces we have is the “Automatic Teller Machine”(ATM) for people to get cash out.

The reality is it’s only security,

1, Holding onto a plastic card.
2, Remembering a four digit number.

Yes it’s a “Two Factor” authentication system yet it fails thousands of times every day.

Some years ago now the first Female Director of the UK’s MI5 made it perfectly clear to the UK Government and public that chose to listen, that there was no reliable way to tie people as “bodies with agency” to “Information”.

As was once observed by a senior Met Police Detective about a man jailed under a false identity he gave whilst under oath,

“You are who you say you.”

As a society we went through major changes in the Victorian Era with the ability to store and use what we would now call “Biometric Identities” via finger prints and photographs, with even early voice recordings.

But we’ve not actually in any real way improved them just what surrounds them.

The simple fact is between the “body with agency” and the stored “Biometric Identities” lies a method of linking, call it a “proof” or a “Test”. And none are perfect they all have false positives and false negative. But more importantly they are all falsifiable or gameable in some way, so will always fail one way or the other, for better or worse depending on the “Directing mind” or the “independent observer”.

A hundred or so years ago people understood this and society reflected that. Now we have people who will not accept the fact of it and treat technology as some omnipotent deity that can be made omnipresent. And where ever there is an idiotic belief in place you will find a charlatan, huckster, or crook taking advantage.

Winter August 7, 2024 9:51 AM

But Georgia is making it easy. [to cancel voter registration]

Together with seeing that a New Georgia Law Spurs Bogus Challenges to Voter Eligibility [1] and the way Georgia election board clears county officials to delay vote certification with information demands [2], there might be a trend?

Maybe this is related a recent speech where Trump Reveals Plan To Subvert Georgia’s Elections [3]?

In other words, the ease with which voter registration can be canceled by others than the actual voter might fit in with a larger trend in Georgian election organization.

[1] ‘https://www.brennancenter.org/our-work/analysis-opinion/new-georgia-law-spurs-bogus-challenges-voter-eligibility

[2] ‘https://georgiarecorder.com/2024/08/07/georgia-election-board-clears-county-officials-to-delay-vote-certification-with-information-demands/

[3] ‘https://www.democracydocket.com/opinion/trump-reveals-plan-to-subvert-georgias-elections/

Peter Galbavy August 7, 2024 10:48 AM

The naivety is global. Or is it not so passive a problem?

Here in the UK, at least in my locale, we get sent annual forms to check voter registrations at each address and to then make updates via phone or web – you’ll love this – you need to security numbers but BOTH are printed on the same form, one under the other. Theatre at it’s finest.

Ted Heise August 7, 2024 10:58 AM

The overlap here puts me in mind of this old story…

A reporter once asked a forest ranger at Yellowstone why they don’t make garbage cans “bear proof” to help reduce the problem of bears interacting with campers.

The ranger replied, “There is significant overlap in intelligence between our smartest bears and our dumbest tourists.”

https://christhebrain.medium.com/a-reporter-once-asked-a-forest-ranger-at-yellowstone-why-they-dont-make-garbage-cans-bear-proof-578c23d90442

Jon (a different Jon) August 7, 2024 2:33 PM

Given who is running the Georgia elections, I suspect there may be a reason for that. J.

jones August 7, 2024 7:23 PM

I just encountered a half-baked approach to security like this in my workplace.

I teach, and the University switched to Follett to supply all textbooks (they closed the campus bookstore). We are expected to sign up for an account with this 3rd party and supply personally-identifiable information.

Follett is explicitly instructing everybody to use the same, identical, 4-digit password (that is, four numbers, no punctuation or letters or mixed case text) for all accounts.

The password is published as part of the instructions on a public-facing webpage.

I contacted the IT department and they replied:

The 4-digit password, xxxx, is intended to serve as a university access code for instructors. This code allows instructors to update course materials and ensure the bookstore can prepare inventory for student orders. While the password may appear simple, it is part of a controlled process specific to updating course materials and maintaining bookstore operations

Even if IT isn’t concerned, it seems like an opportunity for mischief from a disgruntled employee at least, and potentially a source of phishing attacks.

Tim van Beek August 8, 2024 6:36 AM

Everybody has a primary address. Everybody is eligible to vote based on citizenship and age. Everybody has a passport. You either go with the passport to your voting station at your primary address, or you request vote by mail using the vote notification you got at your primary address.
It is really that simple.
If you remove the game where the right to vote can be stripped from people based on one political party thinking that it is for their benefit to hold on to power, you don’t need a webpage to register or deregister people.

I do understand that for people in the US, a world outside of the US does not exist. But maybe make an exception in this case. There are a lot of well working democracies out there who don’t have a lot of the problems the USA have. There are reasons why.

britelite77 August 8, 2024 6:40 AM

Moving the voting process to computers which are connected to a network….For what purpose? Who asked for this, what problems is this solving, and more importantly what problems in this creating?No one asked for this.

Counting paper ballots by hand is probably much faster and cheaper in the long run considering every presidential election will always be challenged, it will go to a manual hand count anyways. There will always be that nagging thought, “did someone hack or alter the election?”

The costs associated with designing/supporting these systems and software is probably extreme. More importantly, the integrity of the democratic process is called into question, potentially eroding the trust of the people.

We talked about this issue 4 years ago. Election voting computer systems/networks are a bad idea. Yet, here we are looking at and trying to fix a solution to an unknown problem.

Funkybear August 8, 2024 10:58 AM

Cancelling other people’s voter registration is the entire point of this site. It even made this clear in the original website copy.

Other items of note:
– To REGISTER to vote, you need a “wet signature” on a form and mail it
– The state already gets notifications when people die or leave the state.

So what is the official use-case for this? You want to report that you died? That somebody else died and you expect them to vote? That you left the state but can’t trust yourself not to risk imprisonement by voting twice?

There is only one very obvious reason why this site exists.

QnJ1Y2U August 8, 2024 11:43 AM

There’s no need to have a cancellation system in the first place. The better answer is to simply remove any entries that haven’t voted for a few years.

As others have noted, this is more about voter suppression than anything else.

JonKnowsNothing August 8, 2024 8:32 PM

@Tim van Beek

re: Everybody has a primary address

USA

No, not everyone has a primary address.

There are 75,000 people in Los Angeles County California with no primary address. The larger portion of these folks are 50yo-90yo. They lost their housing when they got sick, too old to work, their pensions do not cover the cost of rents.

What is true, is that nearly every aspect of modern US Government and Assistance Agencies and Charity Organizations are required to record a “fixed address”. (1) If you do not have a fixed address you cannot have a bank account, or utility bill or access credit cards. Utility bills are one of the primary methods of IDing a person (RealID). If you share digs, and the bill is in their name, you do not exist for Government purposes.

There are other methods of assigning “fixed locations”, some of them are used in refugee camps. It is basically a triangular grid placed over a map of the camp. Each triangle has 3 planes, and the tent inside those 3 planes is assigned an ID. Generally people inside refugee camps have limited mobility and limited options to leave or move away.

In Gitmo, their addresses are based on cage numbers, somewhat like going to the Animal Shelter, prisoners are referenced by numbered cages.

===

1) On a regular basis, depending on the charity and their internal record keeping which they need to account for the number of people using their services and the food they distribute, require a form to be signed and an address to be listed. Sometimes each week, sometimes once a quarter. The charities input the addresses into a database or SS to verify you are authorized to access their services.

They also keep track of the number of people in your household, which determines how many bags of groceries you are allocated.

Some charities are fussier than others and require Proof of (Low) Income (Social Security Award Letter).

Untitled August 9, 2024 6:47 AM

@Tim van Beek: “Everybody has a passport.”

Not in the US, they don’t. Only around half of American citizens have a passport.

Knut August 9, 2024 10:35 AM

As Tim van Beek wrote, voter registration is entirely unnecessary. In Norway, you show up at your voting station on voting day with a valid ID, like a passport. They have a list of all people living in the area based on the national citizen registry. They check that you’re on that list, that you haven’t already voted, and verify your ID. Then you can vote. No need to do anything in advance.

If you will be somewhere else on that day, you can vote some weeks in advance wherever you are. They do a live lookup of your ID, and register the fact that you have voted. Done.

It’s simpler yet more secure than the USian system. No-one can deregister anyone. It’s as secure as the ID system is, which is obviously can’t be perfect, but that problem is the same everywhere including the US.

Also, multi-party representational democracy ensures that gerrymandering is impossible in practice. Minority votes always matter. First-past-the-post is just bad democracy.

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.