* Indivisible Chicago…
Crosscheck is an interstate data-sharing program between 28 states. Participating states send their entire voter file to a server in Arkansas. Kansas then downloads all of this data, runs a rudimentary name matching algorithm, and then uploads the results back to Arkansas. We have the passwords to every step in this process.
We’ve posted documents obtained by Indivisible Chicago as a result of FOIA requests to Florida and Illinois. The “yellow paper” redactions are our redactions of usernames and passwords carelessly sent via email. We have redacted instead of posting publicly, as we take the sensitivity of this data more seriously than the Illinois, Arkansas, and Kansas election authorities.
The documents include:
Passwords to Crosscheck Results files for all states, 2011
Passwords to Crosscheck Results files for all states, 2013
Passwords to Crosscheck Results files for all states, 2014
Illinois State Board of Elections, full voter file encryption password, 2012
Illinois State Board of Elections, full voter file encryption password, 2014
Arkansas decides not to change passwords, 2011
ISBE username/password to Arkansas FTP server, 2016
ISBE username/password to Arkansas FTP server, 2017
Florida-Kansas matches; Florida provides Kansas SSN4
ISBE IT emails Kansas asking how Crosscheck works\basic security questions, 2017
For some background on how counter-productive and perhaps even dangerous Crosscheck is, click here.
* The documents appear to show the group was sent this info via FOIA…
ISBE Encryption Password - 2012
The password used by the Illinois State Board of Elections to encrypt over 8 million voter records in a file sent to Arkansas and Kansas state authorities.
ISBE Encryption Password - 2014
The password used by the Illinois State Board of Elections to encrypt over 8 million voter records in a file sent to Arkansas and Kansas state authorities. NOTE: This is the same password as 2012, only it ends with “2014″ instead of “2012″.
FTP Server Credentials - 2016
Both the username and password, in a single email, which allows Illinois to login to the FTP server in Arkansas which houses over 100 million voter records across 28 states. The server connection is not encrypted, meaning this username/password is not only sitting in email but is transmitted across the internet in plain text.
FTP Server Credentials - 2017
Same as the image above. Exactly the same. How many years states have gone without ever changing their passwords to access such sensitive systems is unknown.
* I reached out to Steve Sandvoss, the executive director of the Illinois State Board of Elections. He said they did attempt to redact all user ID info, login IDs and passwords, but four of them got through. “They should’ve been redacted but they weren’t,” Sandvoss admitted.
But, Sandvoss said, all the login info and passwords are “obsolete” with the exception of the one for 2017. “It’s possible that it is active,” he said, but “the file is empty” because te people who run Cross Check in Kansas are required to immediately delete the information.
And even if it wasn’t empty, Sandvoss said, the file itself is encrypted so you’d need an encryption key to access it and Indivisible Chicago doesn’t have that. And the file can only be accessed remotely via a specific IP address. Without that, you can’t get in.
“At first glance, it looks bad,” Sandvoss admitted. But when you peel the layers back, “We don’t feel that the information they have poses a risk to voter data.”
* But there is an upside for Indivisible Chicago, which has been working to get Illinois out of Crosscheck for a while now. Sandvoss said Florida FOIA laws are “pretty liberal.” A lot of information can legally be requested in that state, which brings up a “legitimate security concern” about remaining in the program. Sandvoss said he thought the full board would take a hard look at that issue when they meet in November to decide whether the state will remain in the program.
…Adding… From Sandvoss…
Hi Rich,
Just an update; the FTP login ID and password contained in the January 19, 2017 e-mail have been changed, therefore the ones that were released are no longer valid.
- getafteritguy - Thursday, Oct 19, 17 @ 3:34 pm:
The point isn’t that they forgot to redact some passwords. The point is that those passwords and username were in Emails. That is gross negligence when we’re talking about SSN4, DOB, Names, Addresses for 8.8 million people.
- Roman - Thursday, Oct 19, 17 @ 3:34 pm:
The state board gave up passwords and log-ins in the FOIA and then they blame Florida’s FOIA laws for creating vulnerabilities?
Seeing as Illinois voter data has already been hacked once before by the Russians (who didn’t have passwords and log-ins,) pardon me if I don’t buy the “nothing-to-see-here” assurances from the board of elections.
- OneMan - Thursday, Oct 19, 17 @ 3:44 pm:
Really curious how they are doing the matching with a ‘rudimentary name matching algorithm’
Doing it with SOUNDEX (a phonetic algorithm for indexing names by sound, as pronounced in English. The goal is for homophones to be encoded to the same representation so that they can be matched despite minor differences in spelling.) on that scale would give you a ton false positives. So many it would be useless.
Using full name matching with birthdate might be a better filter but even then it is going to have a decent false positive rate. If you then included logic to see if voting was such that it overlapped it would be better, but still not good enough to close out a voter’s registration.
- Charles - Thursday, Oct 19, 17 @ 3:48 pm:
soooo…there are emails with decryption passwords that access voter files? I used to work at Indiana University with IT managers. That is unbelievably bad IT security, especially when we are talking about SSN4 and other sensitive info.
- indivisiblechinw - Thursday, Oct 19, 17 @ 4:05 pm:
“Just an update; the FTP login ID and password contained in the January 19, 2017 e-mail have been changed, therefore the ones that were released are no longer valid.”
Guarantee you that was changed today. The username and password for 2016 and 2017 were the same and previous years specifically mention not bothering to change passwords. This was a completely reactive response to bad security practices.
- Amalia - Thursday, Oct 19, 17 @ 4:13 pm:
all very frightening. paper ballots don’t look too bad right now.
- Bebeembop - Thursday, Oct 19, 17 @ 4:15 pm:
Why didn’t they take proper precaution with the passwords and usernames. Our voter information is vulnerable because of incompetence. Everyone involved with this debacle should resign.
- indivisiblechinw - Thursday, Oct 19, 17 @ 4:16 pm:
The name matching algorithm is an exact match on firstname, lastname, and DOB. No name variations or Soundex involved.
They have middlename and SSN4 however even when those mismatch, Crosscheck returns it as a match.
E.g.,
John Sam Doe 1/1/1970 8329 in IL
John Frank Doe 1/1/1970 3439 in KS
Crosscheck calls those a match and then local clerks in each state have to parse through. To give a sense for the magnitude of that pile of garbage, IL receives ~500k “matches” every year from Crosscheck that are re-assess every single year. That’s nuts.
Here is the count of match rows for the last 4 years:
2017:542,065
2016:454,325
2015:456,791
2014:451,982
This is for “maintenance” yet the number of matches never goes down… the vast majority of this is garbage that just gets thrown over the wall every year and re-parsed through every year, mixed in with the % of people who actually move in/out of state and should have their voter records updated. It would be hard to design a less efficient system. No one can tell us the hours spent across every county filtering through this mess every year.
- Harold - Thursday, Oct 19, 17 @ 4:35 pm:
The usernames and passwords weren’t obsolete when they were originally put in emails, apparently group emails, and sent willy nilly all over the internet. That is textbook gross incompetence and when we’re talking about sensitive voter information….that person should get canned.
- Claire - Thursday, Oct 19, 17 @ 4:53 pm:
This really shows a disregard for ensuring that voters have the right to vote without risking that their personal information will be inappropriately divulged.
- John - Thursday, Oct 19, 17 @ 4:55 pm:
My buddy told me that if he had put user names and passwords in unencrypted emails he would be fired from his job. In this case…it seems we’re talking about some pretty sensitive data. Isn’t the State Board of Elections accountable to the Legislative Branch?
- Lynn - Thursday, Oct 19, 17 @ 4:58 pm:
John - No, the Illnois State Board of elections has broad powers and little to no oversight with regard to election management in this state which includes voter registration data. It seems to me that Legislators need to consider legislation in the upcoming session that would be some general checks on board. This type of incompetence can’t happen.
- Bebeembop - Thursday, Oct 19, 17 @ 5:02 pm:
Lynn: they should call have the ISBE members and staff to the Assembly and question them. Between this, the hacked Illinois voter roll, the exposed Chicago voter roll, and the vulnerability of e-voting machines to hacking, the Illinois government needs to get a handle on voting and voter rolls before the next election cycle.
- countrybeforeparty - Thursday, Oct 19, 17 @ 5:02 pm:
I’m frankly shocked that the IL State Board of Elections would not immediately pull our state from Crosscheck based on this gross negligence. No matter your political affiliation, you should be outraged that IL voters’ personal info is so vulnerable and used in such a dysfunctional way that is designed to make it more difficult for citizens to exercise their right to vote and make their voice heard.
- Hanna Banana - Thursday, Oct 19, 17 @ 5:12 pm:
I don’t understand. DId Springfield pass a law that we participation in Crosscheck? There was something wasn’t there? I thought they passed something.
- Bother J - Thursday, Oct 19, 17 @ 5:17 pm:
NO its voluntary. They could vote to get out all on their own. It seems that the republicans on the board don’t want to and don’t care that Illinois voter registration has been put at serious risk.
- arewedoomed - Thursday, Oct 19, 17 @ 6:19 pm:
This is absolutely ridiculous. Anyone who pays attention has known for years that crosscheck is problematic at best…more accurately it is racist and disenfranchises voters. Now it’s a way to hand over personal data to hackers who don’t even have to be that good at hacking.
We need out and we need out now.
- TinyDancer(FKASue) - Thursday, Oct 19, 17 @ 9:01 pm:
All this to detect all that voter “fraud” that doesn’t even seem to exist.
This is what we should be worried about:
https://www.c-span.org/video/?435437-1/def-con-hacking-report-warns-voting-machines-vulnerability
Here’s the report:
https://www.defcon.org/images/defcon-25/DEF%20CON%2025%20voting%20village%20report.pdf
- McLincoln - Thursday, Oct 19, 17 @ 11:51 pm:
FTP was dubbed unsecured > 5 years ago. I’m an accountant and I know this.
- ThatGirl - Friday, Oct 20, 17 @ 2:07 pm:
How can the ISBE justify participation in a system that’s outdated, not secure, and partisan when the IL legislature has passed a law specifically requiring IL to participate in a secure, non-partisan system? It’s negligence at best.