Georgia's entire voter file potentially compromised after voting machine theft (wsbtv.com)
111 points by anigbrowl 26 days ago | 61 comments

> Diamant said this is a huge deal, because the elections director said the machines contained the entire state of Georgia voter file, which includes names, addresses and birthdates for all Georgia voters -- all now potentially compromised.


> By law, voter registration lists are available to the public and contain the following information: voter name, residential address, mailing address if different, race, gender, registration date, and last voting date. Pricing is set by the Secretary of State's Office.


So I guess now the hackers improperly know everyone's birthday?

I get that it seems minor compared to, say, Equifax, but voting is intended to be a particularly private aspect of public life.

You can say someone can buy their privacy by avoiding Gmail, Facebook, etc., but no one should feel like they have to choose between privacy and voting.

Voter information is posted publicly on the outside of each voting location (at least in California). Election monitors, journalists and nosey neighbors can check to see who voted and when.

In some states you can even buy all this information on a CDROM. This is how canvassers know your name, especially when there's maybe a parent and adult child living at home (if the old person shows you ask to speak to the elder, otherwise ask for the child). I just don't see this as that big a deal.

That's interesting. Here in Russia the voter list is not publicly available. As a voter you can only check whether your own information is recorded correctly, and if you are an observer then you can examine (but cannot copy) the voter list before election day.

> You can say someone can buy their privacy by avoiding Gmail, Facebook, etc., but no one should feel like they have to choose between privacy and voting.

But again,

>> By law, voter registration lists are available to the public

Someone may have stolen information they are legally entitled to have. That's not a scandal.

What information do they have that isn't already public? That's what the parent was talking about.

Who people voted for is, but not really the other stuff. In my country, name, address and occupation on the electoral roll are public-ish information that anybody can look up in the local library. The law requires it to be made public, though also disallows any bulk copying of it, so theft of the whole database would still be a problem.

Here in Argentina too. It even includes the equivalent of the SSN, which is public here. I guess all the political parties get one whole copy and the relevant pages are posted on the walls of the voting building, so you can check in which room you should vote (if you didn't check before on the internet).

This is why in the Netherlands both private parties and the government are forbidden from using the ‘SSN’ for anything but a defined set of purposes. Your employer knows the number but can’t use it as your ID in their databases, your municipal authorities can’t link your garbage disposal pass to it.

Now the number is assigned chronologically when you register your newborn during the first week of life, so knowing the birth date, you can guess all but the last 3 or 4 digits. If used like a "secret", it is a 13-bit secret.

Until a few years ago (10?) each city got a block of consecutive numbers and used it until it got exhausted, so with the birthplace it was easier to get a smaller range even with an approximate birthdate. (Some cities used to continue the numeration after their block was exhausted, but these numbers were in the block of another city, so there is some duplication.)

(And many years ago, the numeration for men and women was independent, because they had a different ID. When the IDs were unified there was a lot of duplication.)

Same for Belgium. Your id is mostly birth date + 3 digits + a checksum. The 3 digits are half male half female. So 9 bits of randomness, and that's assuming all 500 combinations get used.

Why is the occupation recorded in the list?

These are voter registration data, not voter history data (showing elections voted in and vote method).

Note that both Obama campaigns illegally distributed voter registration data freely and without qualification or tracking via their volunteer app.

I assume you're talking about the app where you could find out if your neighbors were registered R or D. I don't think that info should be made public, but I can't find any evidence that the app was illegal. Can you clarify?

In most jurisdictions, you need to sign policy protections (and pay a fee, except parties get the full set for free) to get voter data in bulk. That data can't be redistributed except under tracked conditions. The app made it available to everybody.

Naive question from a European here: how do you know and classify "race" and why is it relevant?

Do you get entries like 1 person's race being "25 % native Filipino, 10 % Chinese, 15 % "black", 25 % Arab, 25 % Caucasian"?

How do you even...?

Many, many* forms in the US ask this information so they can do later analysis on how they are racially biased in their decision making, so they can Do Better Next Time (Tm)

Since I can answer in the Best Possible Way - old white guy - I don’t mind answering these optional questions. They never ask about how cynical I am though!

* many includes Job Applications, Loan applications, and, it seems, for voting too

Race is self-reported. So if people answer honestly, the form records their own opinion about their own race. The categories on forms have been built up over time by finding commonalities in what people report.

> Do you get entries like 1 person's race being "25 % native Filipino, 10 % Chinese, 15 % "black", 25 % Arab, 25 % Caucasian"?

This isn't really something to worry about. The odds are pretty good that there is no person in the world with the ancestry you describe; if you did get input like this, the sensible thing to do would be to discard it.

(Note also that Arab is a strict subset of Caucasian...)

> Naive question from a European here: how do you know and classify "race" and why is it relevant?

Very naive, especially considering you're European. Race has much less to do with genetics and biology and more to do with perceived social norms. During the 1800s in the US, a person who is 10% black is still often considered black. In Nazi Germany, a person who was 10% Jewish was still considered Jewish.

Putting people into race buckets is often based on unscientific (and immoral) notions of "purity" and a "natural hierarchy" of disparate societies.

Actually, "Year of Birth" appears to be one of the voter file fields too. Not quite the same as an exact birth date (esp for identity theft purposes), but useful for demographic targeting.

Identity fraud is more likely with this information because SSNs are fairly predictable.


Nobody spends their time predicting SSNs when accurate profiles cost 10 cents or less.

Having spent quite a bit of time requesting voter files from the government, I can say it’s not hard to obtain this data in most states. Many times it’s just a small fee, a pinky promise that you won’t use the data for non-political purposes, and a photo of your driver's license. I think they should be more worried about someone reverse engineering the closed source software of the check-in machine in this case...

I hope this helps the lawsuit to force Georgia away from using electronic voting. Clearly their security procedures (physical and digital) are lacking.

The officials somehow need to verify eligibility. If not with a computer, then on paper... which could also be stolen in exactly this manner.

So I doubt it'll have this impact.

Or just distribute the verification work to a local level where theft of one set of names is only locally useful.

Digital voting is not an issue only in Georgia... but that would be a start.

> The state will soon roll out a new, $100 million voting system which Raffensperger said will have a new iPad-based check-in system, which they can track and delete data remotely if they get stolen.

I'm confused. Why are these records on the device at all? Why not a server? Why spend $100 million just to move it from paper to an iPad?

I am personally in favor of simple, physically based voting systems. The kind that can still work reliably during periods of unrest and mistrust.

Paper ballot, electronic counting. Best of both worlds. You get a quick count, but also if there’s shadiness/hacking going on you can always recount the paper.

Some states seem to be moving towards absentee voting over the internet, which will be a mess when accusations of hacking start flying.

Voting over the internet? Oh dear... But it theoretically could be a use case for blockchain.

Still I don't get why voting in the US is so complicated and difficult. Even India does a better job. There is also a reason why most other western countries have a paper ballot, they are harder to tamper with.

> Voting over the internet? Oh dear... But it theoretically could be a use case for blockchain.

Upon deployment of such a scheme, it will be quickly discovered - or claimed - that some of the voters had their voting software MITMed, or their computers hacked, or whatever.

With electronic voting, you have to secure the whole chain, starting from a person interacting with their device. It's not like finance, where you can paper over malware or direct attacks on people's devices through police investigations, reimbursements and insurance payouts. A mere accusation of an e-voting equivalent of Zeus being deployed would call an election into question.

Paper ballots are easy to tamper with when there are chain-of-custody issues regarding the ballots.

Maybe, but certainly not at a scale needed to influence the election outcome without anybody noticing. Voting over the internet is totally different in that regard.

Paper ballot, people counting.

There cannot be a black box in a voting system.

It works perfectly well in the UK and is literally impossible to hack because all the candidates are in the room with the people counting the votes. There are also two people with the votes (in a sealed bag) at all times during transit.

> but also if there’s shadiness/hacking going on you can always recount the paper.

It depends on the country, but typically you need some valid reason to require recounting. And "my favourite candidate got fewer votes than I expected" doesn't sound like a valid reason.

Purple finger tech has yet to be improved upon...

They need to be able to check in voters on election day even if the polling place's internet connection drops.

I get that. But you could always fall back onto another way of reaching the server (LTE/4G) or even a direct connect to some central server close by. I mean, this is sensitive data that is essentially being replicated across the whole state onto devices that are not heavily guarded apparently. Surely there are better ways to handle this? And as connectivity gets better, I think there should be a push to adopt client-server architectures for critical infrastructure.

How would remotely wiping an iPad help? What if the stolen iPad is never allowed to connect to a network?

This is not sensitive data; voter registration information is public and available for purchase from the government.

Sidenote: whether this is appropriate is a completely different discussion.

To me, as someone from a country where this data is considered sensitive, the fact that you can purchase this data is mind-boggling.

The UK eventually picked an interesting compromise. There are two versions of the list of voters:

* A list that's available for purchase electronically, used by marketers, you can opt in or out of this list when registering to vote or renewing a registration. I have no idea why anybody would choose to be on this list; when it was last my job to care, the size of the list was falling but not as precipitously as I'd expect.

* The full list, available electronically to a limited set for specified purposes: law enforcement and intelligence for obvious reasons, candidates standing for election in order to send out literature to voters, elected politicians likewise, the Credit Reference Agencies for name + address matching on credit applications, I'm sure there's a few others, but most people don't have this.

The full list also exists on paper for anyone to read, but the law is clear that even if you were interested in painstakingly copying data from the paper records that's illegal unless you already have a purpose for which you'd be able to buy an electronic copy. This allows people to be individually nosy still, which feels proportionate. e.g. "How are fifteen people registered in the two bed cottage next door to me? I should go ask someone what's up with that."

The UK still doesn't have a secret ballot though which is crazy. If we're going to have the technical capability to reverse ballots we should use it OR if we don't want to use it, we should stop marking ballots so that it'd be technically possible to reverse them. Parliament periodically asks witnesses about this, but like the US Congress periodically asking whether ¢1 coins make sense (no, no they don't) it doesn't act on what it gets told.

It’s to help prevent voter fraud. Anybody who cares can check who voted and when.

Also, your name, birthday, and address will never be very private. You give it to so many different people/companies.

They computerized for the same reason most things are, higher efficiency leading to lower cost. It speeds up the check-in process which means each polling location can handle a larger number of voters reducing the cost of elections. After the fact records need to be updated to reflect which voters have actually voted. It is much faster, less labor intensive and less error prone to gather that information electronically from some iPads than pay people to review paper records and enter that information into a computer.

The information is stored locally on the iPads because doing so on a server greatly increases both the potential failure scenarios and the potential attack surface of the system. Think about the impact of that server going down or a DDOS of the server. Also think about the communication infrastructure needed to and within the polling place for those iPads to reliably be able to reach the server.

You can't rig paper.

Ballot box stuffing? "Losing" boxes from certain districts?

Both impossible if votes are submitted and counted in public without transportation of the ballot box.

And before you say this is impractical, that is exactly what they do in the UK:


Also in Spain. Votes are counted literally at the voting table, right after closing it. The counting is verified by three (randomly chosen) citizens and also by one person per party. Then the tallies are aggregated. And the vote distribution per table is then made public (which then can be compiled by the press to make interactive maps like this: https://elpais.com/politica/2019/05/01/actualidad/1556730293... ).

We have a similar system in Russia. The votes are counted after closing the polling stations, and the result table is signed by election committee members and signed copies are given to candidates' representatives and observers. Later the results for every polling station are published on the Internet. Also we have cameras that stream the video on the Internet in real time.

Of course this system still allows falsifications. But it is still better than any electronic system because the violations are easily noticeable.

Yes, there are attacks on paper voting systems.

Yes, there are procedural countermeasures against many of these attacks.

One of the greatest advantages of paper voting systems is that we have decades (if not centuries) of experience with subversion attempts and appropriate defenses and that these defenses are often procedural, not technical.

This means that many attacks can be prevented and you don't have to be an expert to do so.

Which doesn't mean that paper is not riggable, it means that the attack methods on paper ballots are well understood and we have created systems and institutions which make current paper ballot systems effectively un-riggable.

Also in Italy. Local members of political parties often look at counting operations to check that nothing bad goes on.

Oh yes you can. It's in how and what you count.

Or perhaps it's a "theft" to justify some other effort to further restrict people's voting rights - like, I guess it's time to make everyone re-register, except for those right-thinking folks that they're already sure aren't cheaters...

> The state will soon roll out a new, $100 million voting system which Raffensperger said will have a new iPad-based check-in system, which they can track and delete data remotely if they get stolen.

Will they be able to delete votes for a wrong candidate remotely too?

Pretty sure they mean apple’s remote tools for tracking and deleting.

This does say check in.

Sorry to be that guy, but here is the obligatory XKCD: https://xkcd.com/2030/.

As a tech worker, and as someone who knows about computers, I very strongly oppose electronic voting. And the more I know, the more I oppose it. It's slightly more convenient, but in exchange it's way way less secure.

Also, this is not the first time Georgia has had problems related to electronic voting: see https://www.theinquirer.net/inquirer/news/1003966/diebold-in....

But it's the wet dream of people willing to spend a lot of (not theirs) money and maybe rigging the results.

This is what you do if you want to probe one for weaknesses.

I think both practically, theoretically and ethically the only response to electronic voting is to kill it with fire
