Registration

Voter registration has always been at the forefront of political election law discussions. People are concerned about people who are not eligible to vote being registered, people who are eligible being able to erroneously register (and vote) in more than one location, and people who are eligible to vote not being able to vote due to registration issues. Ideally, a voter registration system would securely allow each eligible voter to register and vote in exactly one location, without needing to register days or months in advance.

This is one of the three key systems in an election, along with the overall management system and the voting machines. Registration processes face often-competing issues of security and accessibility, which often become partisan talking points. We’re interested in applications of technology that remedy these issues, ideally leading towards an affordable, trustworthy, and simple system for elections at different levels.

We examined the issue of registration both with respect to Helios as well as the broad state of registration in larger elections. This includes the systems that are used to enroll voters, the storage systems for these rolls, and the tools for editing, purging, and referencing the same. Registration and voting systems are often separate, but a failure in registration can negate the benefits of auditability and security that a system like Helios may offer. The implementation of these systems has important consequences for voter security and privacy as well as election integrity.

Issues

Confidentiality

The primary task of registration systems is to store and protect sensitive information, so the threat of losing confidentiality is prominent. A theft of voter data may not always result in immediate financial or safety hazards to victims, but it violates the trust and credibility of the system that upholds democracy. These systems become threats to election security when they become obsolete and when the capacity for independent or government inspection is lost.

In a 2019 hearing before the Congressional Committee on House Administration, Marian Schneider, President of the Verified Voting Foundation, identified an ongoing issue with election security: 83% of Pennsylvania counties use vulnerable systems, and the cost to replace these systems approaches $100 million dollars. (Lofgren et al., 2019, pg. 74). Furthermore, Michigan Secretary of State Jocelyn Benson noted in the same hearing that investment in technology with the capacity to evolve is necessary, and that further sustained investment is a critical issue. (Lofgren et al., 2019, pg. 49)

Later in 2019, the Congressional Research Service published the paper Election Security: Voter Registration System Policy Issues which reports that the Senate Committee on Intelligence struggled with "limited information on the extent to which state and local election authorities carried out forensic evaluation of registration databases." (Eckman, 2019)

Integrity

Registration systems must resist foul play in the elections they serve. We examined a Helios case study to show how this might happen. In Electing a University President Using Open-Audit Voting (Adida et al., 2009), Helios creator Ben Adida and faculty from Université catholique de Louvain in Belgium note that only a fifth of 25,000 potential voters at the school registered, and only 4,000 voted.

If only university rosters were used to register voters, the system would be vulnerable to ballot stuffing. (Adida et al., 2009, p. 7) This threat involves falsely registering or persuading unengaged voters to add dishonest votes for a candidate. Even in elections with defined rosters, some method for identifying active members from the pool of eligible voters preserves the “one man, one vote” principle.

Availability

Building registration systems is a balancing act. They must have a wide reach or significant interconnectedness in order to accurately determine eligible voters, but must minimize the threat of a single massive failure. The Help America Vote Act (2002) calls for states to create a “single, uniform, official, centralized, interactive computerized statewide voter registration list defined, maintained, and administered at the State level,” (Help America Vote Act, 2002, pg. 43) containing registration information and a unique identifier for every registered voter in the state. In 2020, CISA’s National Risk Management Center (NRMC) outlined and measured the scale of various cyber attacks towards election infrastructure on the basis of several system design components including system networking and centralization. (Election Infrastructure Cyber Risk Assessment, 2020, pg. 5) Prior to their risk assessment, they categorized attacks against systems with these design properties to have much more widespread potential in terms of the reach of harm for election integrity. In their outline, they organized each of the election’s system components and categorized them based on several factors including attack type, attack scale, and risk rating. According to the NRMC’s Risk Assessment, state registration databases are an attack vector as they feature many properties which can affect an election’s integrity or availability. Furthemore, the risk management center reported that attacks on state registration databases have large scale (“affecting an entire state or multiple jurisdictions”) and gave this form of attack a high-risk rating (“based on aggregate cyber capability and attach scale measures and assessments by an expert group of elections officials and technology providers”), presenting them as a key threat to election infrastructure and other processes.

Research

We’ve collected literature on how registration affects election security, but we’ve also noticed some trends in the overall field that will change registration and affect what concerns are most important. Why American Elections Are Flawed by Pippa Norris (2017) introduced us to the benefits of automatic and same-day registration, along with the technological shift to online registration. These techniques reduce the complexity of registration and tend to increase turnout. This reduction in complexity yields benefits that Avgerou highlighted in Indian elections: “E-voting is less likely to face problems... when registering or being authenticated… An additional mechanism for development of trust in e-voting is the accumulated voter experience of election up to the point of voting. (Avgerou et al., 2019, pg. 281) In addition to potential improvements in election security and accuracy, a trustworthy registration system improves overall voter confidence. This is especially useful when adding technology to other parts of the voting process. Avgerou’s argument is similar to the interactive proof process within Helios, where a complicated cryptographic system is unpacked before the voter to build confidence in the casting process before larger election-scale audits are conducted.

Confidentiality

Effectively investing money in trustworthy voting machines can be a challenge. A 2019 hearing showed that a large percentage of counties in Pennsylvania used vulnerable systems, and replacing all those systems would cost close to one hundred million dollars (Lofgren et al., 2019). Issues replacing voting systems are not limited to Pennsylvania: many states and counties bought electronic voting machines through a 2002 federal fund and never replaced or overhauled those machines (Norris).

There is also an issue of limited information regarding what election authorities have done to analyze their registration databases (Eckman, 2019). It is difficult to audit elections and registration without a common standard. In contrast to current auditing issues, Helios and similar bulletin-board systems allow easy, widespread checks on voting statistics including distribution of votes over time as well as strict controls on double-voting and voter lists.

When it comes to establishing public trust in elections, there are concerns both about security being too strict and not strict enough. Introducing too many restrictions has the potential to lower voter turnout, create inequality in who does show up to vote, and make elections harder to administrate (Mitchell and Wlezien, 1995 and Gibson, 2001). On the other hand, policies that are too lenient may increase the risk of voter fraud and lower public trust in elections. (Norris)

Ensuring voter rolls are accurate is also a challenge when it comes to registering voters. Sometimes mistakes are made when people register, resulting in people who should be registered not showing up, or being registered in the wrong location, which could potentially prevent people from voting. Some places allow voters to check their registration online so these mistakes can be more easily caught and fixed, but this isn’t an option everywhere (Avgerou et al). Purging voter rolls is one way to improve their accuracy. One approach is algorithmic matching by sound, name, date of birth, address, and so on to check for similarities and thus remove duplicate voters. However, purging voters also comes with the inherent risk of incorrectly removing someone who actually is an eligible voter, which can have, or seem to have, partisan motives.

Confidentiality, as defined by the CISA, is a theft of information. Obsolete databases are certainly a concern, but why bother about purging and editing? In the first case, an outside attacker is a reasonable culprit. However, individuals within the election system must also be considered as possible malicious actors. A politician or official may take actions that result in the unjust loss or dissemination of information, constituting an attack on confidentiality. For this reason and many more, care must be taken to add oversight to the methods of modification as well as the databases they operate on.

Integrity

Helios has limited support for private elections with predefined lists of voters. It allows administrators to add and remove voters, but does not have a dedicated registration system. Either a raw group roster or the results of a registration campaign must be compiled first. Helios offers valuable auditing and cryptographic properties, but like any voting machine, it can be compromised by faulty or inefficient registration.

Private elections in Helios accept a list of voters and send emails containing individualized links to each voter. While this adds security to very small elections, UC Louvain demonstrated that high numbers of voters and a moderate chance of malicious interference necessitated a gap between registration and live voting links.

Adida and the faculty at UC Louvain adopted a full-fledged registration system, which corresponds with the school’s large pool of 25,000 eligible voters. However, only a small portion of those eligible were expected to vote. This introduced a threat of “ballot stuffing”, where the emails of eligible but uninterested voters could be used to multiply votes for a candidate. Following similar statistical logic as the original Helios demonstration used about spoiling ballots (where a small percentage of auditing will detect any malicious vote-switching), a small number of students could be expected to alert the authorities if their email was registered without permission.

Ballot stuffing was used as justification for the registration system to prevent ballot stuffing, but it added complexity to an election that was already expected to struggle with engagement. In cases like UC Louvain, registration brings positive and negative effects. It adds time to the overall process, but it gets voters involved earlier and increases advertisement opportunities. While only twenty percent of UC Louvain members registered, eighty percent of registered voters went on to vote.

Availability

The Help America Vote Act of 2002 requires states to create a single, centralized voter list for the entire state, containing voter registration information and a unique identifier for each voter registered in that state. Such centralization makes the information more accessible from anywhere in the state, but this also poses security risks. The Cybersecurity and Infrastructure Security Agency investigated possible cyberattacks to election infrastructure and found that these state registration databases are high risk. This problem with centralization is not unique to the United States: the United Kingdom found that the introduction of online voter registration also made the system more vulnerable to fraud (Norris).

There are several issues that need to be addressed when it comes to centralized databases. Maintaining a database for the entire state requires many systems to all be able to make updates to one centralized place, incorporating information from death notices, departments of public safety, law enforcement, and so on (Celeste, Thornburgh). This maintenance can be difficult, since we don’t have efficient and secure digital identifiers available to the general public. Until such a digital identifier exists, states must rely on in-person records such as signatures given to departments of motor vehicles and similar institutions to verify voters. Registered voters can request an electronic authentication code, but registration itself would still need to happen through traditional non-electronic identification, typically by means of a hand-written signature on a paper form (CIVTF, 2000 and Gibson, 2001). This system is not perfect, and voters can still run into problems when crossing state lines, changing their names, or making other such changes.

The mandated use of statewide databases also creates the potential of statewide disruptions. For instance, in 2016, about 200,000 voting records were lost in Illinois (Norris, 2017, pg. 7). The large scale of statewide registration systems, which are among the larger systems at play in elections, means that existing issues will spread faster. The existence of eight thousand jurisdictions in national elections provides some defense through decentralization, but this is by no means bulletproof. Smaller-scale systems such as county-wide setups can also face security concerns, but they have a much more limited scope than state databases.

Recommendations

While Helios might not be adopted as a government-approved voting system in the near future, it isn’t the only open-source election system in development. The TrustTheVote project from the Open Source Election Technology (OSET) Institute has released ElectOS under a public license. This full-featured election system includes a core registration service as well as a number of auxiliary apps that add security to voter rolls with ledgers, notifications, and other optional services.

Since online and same-day registration is already common, we see open-source registration systems like that of ElectOS as a potential upgrade that is low-cost and transparent, allowing outsiders to verify the security and trustworthiness of these new systems.