Crosscheck Is Ineffective and Insecure, but States Aren’t Withdrawing

This story was originally published by Reveal from The Center for Investigative Reporting, a nonprofit news organization based in the San Francisco Bay Area. Learn more at revealnews.org and subscribe to the Reveal podcast, produced with PRX, at revealnews.org/podcast.

At least eight states have stopped using Kansas’ anti-voter fraud program because of its ineffectiveness, but they’ve put residents’ personal data at risk by not formally withdrawing.

The Interstate Voter Registration Crosscheck Program was supposed to help states scrub ineligible voters, but many states have for years found the program’s data to be inaccurate and burdensome to verify. Rather than immediately canceling the free program, these states continued to send sensitive voter information — in one case, for nearly a full decade — through a system with serious cybersecurity vulnerabilities. 

Sending data through this insecure system had the potential of opening up millions of Americans to identity theft.

Based on interviews with state election officials and communications obtained through public records requests, the following states have sent voter registration data to Crosscheck without using the analysis received in return to clean their voter lists: South Carolina, Kentucky, West Virginia, Georgia, North Carolina, Nevada, Louisiana and Colorado.

None of the states listed have submitted voter data to Crosscheck since its cybersecurity vulnerabilities were made public late last year.

Every year or two, participating states sent the full names and birthdays of their registered voters to Kansas Secretary of State Kris Kobach, who sat on President Donald Trump’s short-lived voter fraud commission, pushed false stories about voter fraud in New Hampshire and advocated for strict new rules to make registering to vote more difficult, the justification for which was eviscerated in court in recent days. In some cases, states have sent additional information such as the last four digits of Social Security numbers.

Kansas has extended the window of time for submitting data in 2018 as it deals with security issues. No states have pulled out since the discovery, but at least a handful now are considering leaving the program over fears that they will expose residents to identity theft.

“Concerns about personal information being exposed have come to light only recently, and we are having internal discussions on how to proceed with that information in mind,” North Carolina election official Patrick Gannon said in statement. “If security concerns are addressed, receiving the data is helpful, but we cannot participate or provide data if we can’t be certain it is secure. No final decisions have been made.”

On the other hand, Colorado Elections Director Judd Choate said his state currently has no plans to alter its participation in the program.

An evaluation recently conducted by cybersecurity firm Netragard on behalf of Gizmodo discovered significant holes in security practices of the Kansas secretary of state’s office, which manages Crosscheck. Netragard didn’t penetrate Kansas’ computer networks because it wasn’t hired by the state and breaching the system without explicit permission is against the law. Nevertheless, Netragard CEO Adriel Desautels was scathing in his analysis of the state’s cyber defenses.

“We have never had a client that had a network that was as grossly vulnerable as what we saw when looking at the open-source information for Kansas’s network,” he said. “The only word I can really use is carelessness.”

In addition, the secretary of state’s office sent residents’ personal data in unencrypted emails to local election officials, and both personal information and passwords to access voter registration data were turned over in public records requests.

While the security holes are serious, Kansas officials have insisted that there is no hard evidence that hackers have successfully circumvented Crosscheck’s security for nefarious purposes. However, successful breaches can go undetected, especially from sophisticated attackers.

As of last year, 28 states were sending data to the program.

In return for sending their information to Kansas, local election officials receive reports flagging the names of voters who are registered in other states. Voters are allowed to be registered in only one state at a time.

However, that data is riddled with inaccuracies. A 2017 study from researchers at a coalition of leading universities found that for every one illegitimate voter it finds, Crosscheck flags 300 false matches.

Until the recent publicity about Crosscheck’s cybersecurity issues, states saw little risk in providing voter data to Crosscheck. If state and local officials didn’t want to use the data, they were under no obligation to do so. Recent revelations about Crosscheck’s security have changed that reasoning dramatically.

Local officials previously have made mistakes with Crosscheck data. In 2014, Ada County, Idaho, incorrectly removed over 750 voters from the rolls by taking Crosscheck data at face value without doing its own secondary verification. This mix-up was rectified before voters cast their ballots.

Election officials take great pains to avoid these errors, but doing so can put a strain on election offices, which often struggle to fulfill their primary function of simply running elections. Numerous state election officials told Reveal from The Center for Investigative Reporting that having local election administrators verify Crosscheck data wasn’t a good use of resources.  

“The issue with Crosscheck data is that it doesn’t match enough variables, so it requires a lot of county clerks to look at registration records manually, which is extremely arduous,” said West Virginia Elections Director Donald Kersey. “We haven’t used it really at all to clean our records.”

Representatives from Kansas did not respond to multiple requests for comment. 

Here’s why the eight states have stopped using Crosscheck data:

  • West Virginia and Louisiana ignore Crosscheck when scrubbing their lists in favor of data provided by the Electronic Registration Information Center, a similar program widely seen as providing more reliable data. Officials say they share their voters’ information to help other states.
  • Kentucky stopped using Crosscheck’s data five years ago, but it wasn’t until June that it quietly pulled out of the program entirely. Bradford Queen, a spokesman for the Kentucky secretary of state’s office, wrote in an email that the state “has not used Crosscheck data as part of its process to purge voters under the current administration, dating back to 2012. We did not find the data reliable for matching purposes.”
  • Georgia, which has sent data to Crosscheck since 2013, never has used Crosscheck results for list management. When it joined, Georgia had to preclear electoral system changes with the Department of Justice to ensure it didn’t violate the voting rights of racial and ethnic minorities. As part of that preclearance process, Georgia agreed not to use the data for list maintenance, though the state still sent information to the program to assist other states. 
  • South Carolina election official Chris Whitmire said the state stopped using Crosscheck data last year “due to issues with verification and concerns about cybersecurity.”
  • Nevada, North Carolina and Colorado use Crosscheck only for a secondary purpose: trying to identify double voters. Research has shown such activity is rare and almost always accidental.

Kansas officials have announced changes in the program designed to assuage security fears, but many states remain skeptical about future participation.

Illinois has said it will stop sending data to the program until security concerns are addressed. Lawmakers in New Hampshire and Idaho introduced legislation to withdraw their states from Crosscheck, but both efforts were unsuccessful.

The debate has even popped up in Kansas, where Crosscheck is based. A bill introduced in the Kansas state Legislature in January would force the state to cease participation in its own program.