To build confidence in voting rolls, Georgia digitized a cancellation process.
Instead, they exposed voter data to exploitation.
The website launched this week by Georgiaโs secretary of state intended to help individuals to cancel their voter status and to increase confidence in the stateโs electoral rolls has instead exposed private personal data of voters, according to an investigation by The Current.ย
Oversights by IT workers during a test phase meant that for at least two days vital data such as driverโs license information or partial Social Security numbers would have been visible to malicious actors.ย Georgia Secretary of State Brad Raffensperger unveiled the site on Monday.
The Current discovered one security flaw on Wednesday โ and immediately alerted the Secretary of Stateโs office. The story was held for publication until the agency worked with the IT vendor, MTX Group, to correct the issues.ย
Gabriel Sterling, chief operating officer for the Georgia Secretary of Stateโs office, told The Current on Wednesday afternoon that approximately a couple hundred people had visited the site before the software fix.ย
โWe launched something, we found some issues, no one was impacted in any real way that we can discover, weโve taken steps to mitigate it and make sure it doesnโt happen,โ Sterling said.ย
The issue is the second security flaw discovered since the site came online. The first, reported by The Associated Press, has also been fixed, according to Sterling.
The partial Social Security numbers and driversโ license numbers exposed inadvertently on Georgiaโs voter cancellation site are part of data necessary to initiate a voter registration cancellation, along with a personโs date of birth and county of residence. This personal information is valued by hackers to perpetuate identity or credit fraud.
The Current, while using the new site, discovered that sensitive personal information displayed in the computer code sent from the cancellation portal to some usersโ browsers. That flaw was related to an even more obvious security problem first reported by the AP: One page inside the portal very briefly displayed personal information in plain text.ย ย
Sterling said his office has been testing the portal internally for weeks. One of the problems had been fixed during testing, but a last-minute change elsewhere invalidated the fix, he said. The problem identified by The Current was on a list of things that needed to be checked, but it wasnโt checked, he said.ย
The cancellation portal is part of a larger $5.1 million overhaul of the stateโs voter registration system. Those changes include storing information in cloud-based servers run by the company Salesforce, which uses security standards laid out for agencies like the Federal Bureau of Investigation and the U.S. Department of Defense.ย Not even the MTX Group programmers can see votersโ information, he said.
Georgiaโs new election laws allow unlimited numbers of challenges to voter registration, part of a series of changes that the Republican-led state government has made to voting law amid pressure from the pernicious but wrong opinion that voting fraud is rampant in the Peach State. The brunt of those registration challenges falls on county election officials.
Though this portal was designed for individuals to remove only themselves or deceased relatives, it comes at a time when voter-list vigilantes are appearing at county election boards with thousands of names they want removed from voter rolls. Voting rights advocates are on high alert, and didnโt care for the language that first appeared on the new Secretary of State page: โPlease enter the information for the voter you are wanting to cancel.โ
Despite the initial flaws in the cancellation portal โ which Sterling emphasized were fixed within hours โย the new digitized system is more secure than depending on paper and the mail, he said.ย
Sterling said fewer than 20 people visited the site before Mondayโs flaw was fixed; and a couple hundred people had initiated cancellation requests as of Wednesday afternoon.ย
โAt the end of the day โฆย all these county [election office] folks, a human being still has to look at this to see if it seems right to them,โ Sterling said. Anyone whose registration is canceled should receive a postcard in the mail double-checking the deletion.
Raffenspergerโs office called the site โsecureโ when they announced its debut via press release Monday. The office touted it as a simple way for anyone moving out of state to remove themselves from the Georgia voter list, or to do so for a deceased family member.ย ย
โIt will also help keep Georgiaโs voter registration database up-to-date without having to rely on postcards being sent and returned by an increasingly inefficient postal system,โ Raffensperger was quoted as saying in the Monday release.ย
Georgia Democrats this week have panned Raffenbergerโs voter cancellation initiative, and the security snafus have enhanced the mistrust among many members of the stateโs minority party. As Georgia moves from long-term Republican dominance to a place where more Democrats register to vote, margins as small as 12,000 votes matter in statewide elections. Democrats fear the portal will be abused by conspiracy theorists and bad actors to wrongly disenfranchise voters.ย
One Democratic state senator said she saw her own personal information in plain text on the site. Her caucus called for the cancellation portal to be taken down altogether.ย
The state cancellation site still starts by asking for a personโs name, date of birth and county of residence to start the voter cancellation process.ย ย
Next, the site asks for the voterโs drivers license number or the last four digits of their Social Security number.
For a short period Monday morning, if a user clicked an option saying they donโt have a driverโs license, the site generated a form for the user to print and return by mail or email. Pressing that button to create the form exposed the personal information.ย
August 1, 2024, 10:57 a.m.: Clarification:ย One reference in this story has been updated to clarify the day on which one flaw was fixed on the Secretary of Stateโs site.
