Protecting Your Vote: 2020 Election Security
I. Election Interference in the United States
Doubts about a fair and secure U.S. election on November 3, 2020 are at an all-time high. According to an August 2020 Pew Research Foundation survey, a majority of American voters believe that foreign governments will try to influence the 2020 election. In an effort to avoid foreign interference resembling the kind that occurred in 2016 (when Russia hacked into the Illinois voter registration database, viewed multiple database tables, and accessed up to 200,000 voter registration records), federal and state governments have put in place new security safeguards, including hiring internet security specialists and implementing new voting machines. This blog post will summarize the security threats facing the upcoming U.S. election and highlight key steps that voters can take to help protect their voice.
II. Foreign & Domestic Security Threats
According to sources that include the Director of National Intelligence (DNI) and the Federal Bureau of Investigation (FBI), foreign adversaries including Iran, Russia, China, and foreign-aligned groups, are attempting to illegally influence American political processes via cyberattacks and disinformation campaigns.
- Foreign Cyberattacks and Disinformation Campaigns. Attacks against political campaigns and government infrastructure can include foreign adversaries hacking and leaking sensitive information from computers, databases, networks, phones, and emails. A foreign adversary can purposefully spread false or inconsistent information on social media platforms that confuse, trick, or upset the public about an existing social issue to provoke all sides and encourage conflict. Tactics may also include political advertising from foreign groups pretending to be U.S. citizens that are intended to help or harm a person or cause, lobbying by unregistered foreign agents, and illegal campaign contributions from foreign adversaries. Below are a few recent examples:
- On October 21, 2020, the DNI publicly accused Russia and Iran of separately obtaining U.S. voter registration information and using the information to interfere in the 2020 election, including by sending threatening emails to voters while posing as an extremist group. A related FBI Public Service Announcement addressing spoofed election-related internet domains and email accounts, warns that: “Spoofed domains and email accounts are leveraged by foreign actors and cybercriminals and can be easily mistaken for legitimate websites or emails. Adversaries can use spoofed domains and email accounts to disseminate false information; gather valid usernames, passwords, and email addresses; collect personally identifiable information; and spread malware, leading to further compromises and potential financial losses.”
- Cybersecurity company Trustwave, which monitors the dark web for threat information, recently announced that it discovered a hacker selling personally identifying information of more than 200 million Americans on the dark web, including names, email addresses, phone numbers, and voter registration records.
Closer to home, domestic election security issues have also developed, including the following examples:
- Unofficial Ballot Drop Boxes and Electronic Voting Vulnerability.
- In at least three California counties, unofficial ballot drop boxes have appeared, which falsely claim to be authorized to collect mail-in ballots. California Secretary of State Alex Padilla explained that these unofficial ballot collection boxes lack a “chain of custody” and do not have the requirements in place that are necessary to safeguard official state-approved ballot drop boxes.
- Many states permit certain voters that fall under the federal Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) to submit absentee ballots electronically (via fax, email, web portal, or mobile voting app). These electronic votes can be exposed to cybersecurity attacks.
- Electronic pollbooks, which are the electronic devices many voters use to sign in to vote, as well as to verify their eligibility to vote at the election polls, are vulnerable to hacks and manipulation. These pollbooks communicate wirelessly with each other, which opens the door for attacks from cybercriminals. These attacks include malicious actions such as locking the election polls in a voting network, adding different instructions on the ballots, and changing which ballots are on display. The devices are also prone to glitches, which could affect the outcome of the election without any third-party interference.
III. Protecting Your Vote
FBI Director Christopher Wray has warned that Americans should be skeptical of information that undermines their faith in our elections. According to Director Wray, as a U.S. voter, “[y]ou should be confident that your vote counts. Early, unverified claims to the contrary should be viewed with a healthy dose of skepticism.” A similar view has been echoed by state and local election officials.
- The FBI, Department of Homeland Security, DNI, and other U.S. intelligence agencies have issued Warnings and Guidance regarding the security of the upcoming election, which include the following key steps to help protect voter security: (1) practicing good cyber hygiene; (2) using multi-factor authentication; (3) scrutinizing incoming emails for fraud; (4) updating and protecting routers; (5) using a VPN when accessing public Wi-Fi; (6) setting up browsers and apps for maximum security; (7) updating security software and firewalls; and (8) using reliable cloud-based services that have the best balance of privacy, security, and cost.
- The U.S. Election Assistance Commission provides resources, including an Election Security Voter Pamphlet, which illustrates how U.S. elections are secured through (1) training election workers to notice and respond to any suspicious behavior; (2) requiring election officials to take oaths to uphold state election laws and protect the security of the election; (3) implementing contingency planning; (4) restricting access control to voter registration databases and routine backups; (5) maintaining a decentralized election structure with no single point of access; (6) conducting post-election audits; (7) placing tamper evident seals on election equipment; (8) implementing policies that forbid voting machines from connecting to the internet; (9) documenting the chain of custody when election materials are transferred; and (10) securely storing voting equipment (when not in use) in a location that is only accessible by trained personnel.
This election brings with it tremendous risk to both the privacy and security of voter personal information and the validity of election results. To minimize this risk, we recommend:
- Using reputable resources, such as eac.gov and usa.gov/how-to-vote to find your registration information and your polling location;
- Following FBI Guidance resources, including implementing the cybersecurity measures set forth above; and
- Making sure that mail-in ballots are only placed in an official state-approved ballot drop off box.
For more articles and alerts on this or other significant data protection laws and developments, follow the Fey LLC LinkedIn page here.
Will Davis, a law student at the University of Florida-Levin College of Law and a law clerk with Fey LLC, and Keith Geekie, an information analyst with Fey LLC, contributed to this post.