If you'll recall, a number of voters in Riverside found themselves unable to cast a ballot on primary day because their details had been inexplicably changed. Time's follow-up report, published this year, said Russian hackers might have used the county as a kind of test bed for their next attacks designed to rig election results in the US. With these registration websites in place, attackers can replicate what happened in Riverside en masse.
They'll be able to easily change your address, assign you to a different precinct or change your party affiliation. How? The study's co-author, Latanya Sweeney, used Delaware as an example. She told IEEE:
"With Delaware, you have a choice. You can either provide the person's name, date of birth, and zip code; or you can provide the person's driver license number and date of birth. If you were playing the role of the attacker, the question is where could you get a Delaware voter's zip code. And the answer is the Delaware voter list."
Hackers can easily buy that list for $10. And if they need your name, date of birth and other details, they can also scour the dark web and buy packages of data from information brokers for a few bucks. Considering how much info we give various companies and how many cyberattacks have happened in recent years (one voting machine supplier recently leaked 1.8 million voter records, for instance), hackers will definitely be able to gather enough info to access a lot of people's registration details.
Sweeney says one of the few things preventing wide-scale attacks on voter registration systems is CAPTCHA, though the technology is also becoming easier to crack. Also, 10 of the 35 states at least keep web access and change logs, so officials can revert records that show tampering to their old copies. To ensure that these websites won't cause problems in the future, the researchers are holding a workshop for state officials and their IT departments. Team member Ji Su Yoo explained that they're not trying to get rid of voter registration websites. They simply want to "push everybody to have a good and productive conversation about how to implement them in a way that is really secure."