Personal Information, Social Security Numbers, Birthdates of 1.5 Million Voters Exposed to Online Tampering, Downloading, Identification Theft!
Breach Discovered, Video-Taped by Illinois Election Integrity Organization...
By Brad Friedman on 10/23/2006, 2:58pm PT  

Blogged from the road by Brad Friedman

Another stunning security breach has been exposed in our nation's electoral system, The BRAD BLOG has learned, as the online voter registration database --- containing the personal information of some 1.5 million voters in Chicago --- has been found to be vulnerable to both downloading and hacking.

The flawed electronic database which allowed the retrieval and modification of personal voter information --- including social security numbers and birthdates of Chicago voters --- was discovered recently by members of the Illinois Ballot Integrity Project (IBIP), a non-partisan group of Election Integrity advocates.

IBIP members say they were not only able to get full editing access to the online database, they also found they could modify the records for registered voters, setting them to inactive and otherwise changing addresses and other key information fields.

The ability to gain access and hack the system, said by IBIP to be covered on the front page of tomorrow's Chicago Sun-Times, was documented by the group on video-tape. (UPDATE 10/24/06: As promised, the Sun-Times story is now here...)

An exclusive version of that video-taped hack has been made available to The BRAD BLOG.



Cook County elections officials are said to be scrambling to plug the hole in what has become an ever-increasingly unsecured system of voting in America in light of new regulations encouraging the use of electronic voting systems and state-wide registration databases, as set forth by Congress's Help America Vote Act (HAVA) after the 2000 Election Debacle.

In a news release sent to The BRAD BLOG earlier today (complete release posted at the end of this article), Bob Wilson, the Cook County chair of IBIP, says that the vulnerability would allow a malicious hacker to change voter registration status for thousands of Chicago voters.

"For example, you could change the status of all the voters in a precinct to inactive after the registration deadline so that when one of those voters checked their online status they might believe they were ineligible and wouldn't attempt to vote," Wilson says.

"Or, you could change their polling place information," he added, "so they would show up at the wrong precinct on election day . . . the possibilities are nearly endless and could cause election day havoc."

The problem was discovered by IBIP weeks ago, and the group immediately notified the appropriate authorities. "We had hoped that the Chicago Board of Election Commissioners would take quick action to plug this hole, but apparently that's not the case," IBIP member Peter Zelchenko is quoted as saying.

He estimates it would have taken little more than five minutes to fix the problem originally, but late last week IBIP and Zelchenko became aware that the security breach was significantly more severe than first thought. The Board was immediately notified again and finally began taking action over the weekend to install a new web interface for the system.

Zelchenko, an information technology expert who originally discovered the flaw, says the latest alarming discovery underscores the vulnerability of our new electronic system of voting in America. As reported by the news release:

Peter Zelchenko, 43rd Ward Alderman Candidate with more than 30 years of computer programming and database design and management experience, discovered the flaw during what he described as a "what if" session. Zelchenko said, "This situation shows how vulnerable the entire electronic voting system is. Identity theft is only one possible outcome. Election theft is another very real possibility." According to Zelchenko, "This was a very serious vulnerability. Here we have an online database that can be accessed by millions of PCs throughout the world. Clearly, this indicates that the whole system is inherently insecure."

Since the vulnerability reportedly affects only the online version of the voter registration database, as opposed to the master copy, it is hoped that the damage may be controlled and that any tampering might now be minimized. Such tampering --- either the collection of personal information for political or more nefarious purposes, or legally registered voters having their online records deleted or otherwise set as inactive --- may have already occurred before the problem was discovered.

Whether the problem has been corrected by now or not, the remarkable security breach may have already given some voters incorrect or misleading information concerning the status of their registration or the correct location of their polling place when checking the online system for information.

We'll try to update this story when new information is available from the Sun-Times as we continue to be on the road and are unable to keep up and/or follow-up as much as usual.

The complete news release from the Illinois Ballot Integrity Project follows in full...

UPDATE, Posted by John Gideon 4:45pm PT: ABC News has now picked-up this story...

UPDATE by Brad, 8:09pm PT: Though we gave this story to ABC, having spoken to them earlier today, they didn't see fit to credit us. And yet, we always give them proper attribution for their stories. Sigh...Still always the bridesmaid I guess.

UPDATE 9:34pm PT: Chicago Tribune reports (and attempts to slightly downplay, as expected from the conservative Trib) "Voter information open to hackers". Associated Press reports "Group says data vulnerable, election officials investigating".

RELEASE: October 23, 2006
Contact Bob Wilson - (847) 644-2654

CHICAGO VOTER REGISTRATION BASE FLAWED -
VOTERS' KEY PERSONAL INFORMATION AVAILABLE ON THE INTERNET

Chicago, October 24, 2006. A serious security vulnerability was discovered in the City of Chicago online voter registration database that would allow an identity pirate to obtain the names, addresses, birth dates and Social Security numbers of more than 1.5 million Chicago voters.

According to Bob Wilson, Cook County chair of Illinois Ballot Integrity Project, a malicious hacker could have readily changed the voter registration status of individual voters or groups of voters. "For example, you could change the status of all the voters in a precinct to inactive after the registration deadline so that when one of those voters checked their online status they might believe they were ineligible and wouldn't attempt to vote," said Wilson. "Or, you could change their polling place information so they would show up at the wrong precinct on election day . . . the possibilities are nearly endless and could cause election day havoc," he added.

IBIP notified staff at the Chicago Board of Election Commissioners several weeks ago about the vulnerability but no action was taken. "We had hoped that the Chicago Board of Election Commissioners would take quick action to plug this hole, but apparently that's not the case," said Illinois Ballot Integrity Project member, Peter Zelchenko. He estimates it would take little more than five minutes to fix the problem. Late last week, IBIP and Zelchenko became aware that the security breach was significantly more severe than first thought. The Board was immediately notified and began taking action to alleviate the threat last Friday and began installing a new web interface over the weekend.

Peter Zelchenko, 43rd Ward Aldermanic Candidate with more than 30 years of computer programming and database design and management experience, discovered the flaw during what he described as a "what if" session. Zelchenko said, "This situation shows how vulnerable the entire electronic voting system is. Identity theft is only one possible outcome. Election theft is another very real possibility." According to Zelchenko, "This was a very serious vulnerability. Here we have an online database that can be accessed by millions of PCs throughout the world. Clearly, this indicates that the whole system is inherently insecure."

"Problems of this type occur when systems and personnel are strained to the limit," said Wilson, continuing, "an apt analogy is that of a balloon - it only takes a small hole to let all the air out. In this case, a small hole could have let out the personal information of 2.2 million Chicagoans."

"Identity theft is a crime that everyone is concerned about," said Clare Tobin, chair of the Chicago Chapter of IBIP. "We need to be equally concerned about the theft of one of our most precious rights - the right to vote," concluded Tobin.

The Illinois Ballot Integrity Project is a not-for-profit, non-partisan civic organization dedicated to the correction of election system deficiencies and to ensuring fair, accurate, and completely transparent elections. IBIP sees paper ballots as fundamental to this quest. "It takes a lot of time, effort and people to change 10,000 paper ballots, but only a few keystrokes to change 10,000 computer votes," said Wilson. "We do not oppose the use of technology in the election process, but it's obvious that today's electronic voting systems fall far short of minimum acceptable standards," he continued.

"Each of the complex steps in the voting process requires the translation of the voter's intent from one form of media to another," said Zelchenko. "Every time that translation occurs, there's an opportunity for error or deliberate manipulation. A paper ballot offers one simple step that's nearly impossible to misinterpret and very difficult to hack," he concluded.

_________________________________________________

The Mission of the Illinois Ballot Integrity Project is to inform and educate the public, media and government officials about important election integrity issues and to promote the adoption of legislation and policies designed to secure the democratic process. IBIP believes that fundamental to election integrity is the inscribing of all votes (whether by hand or by machine) on durable paper ballots which are easily handled and verified by the individual voter. The voter's paper ballot should be the only official ballot for purposes of casting, tallying, counting, audit and recount.

###
