Audit: Serious Security Concerns for Maryland’s Online Voter Registration System, Felons Not Removed From Voter Rolls

The Maryland State Board of Elections conducted the 2012 presidential elections with known security concerns regarding its online voter registration (OLVR) system, and only recently has taken steps to adequately address those problems.
According to a legislative audit, an independent security research team sent a letter, dated September 25, 2012, to the elections board identifying serious security concerns related to the OLVR system.  The State Board of Elections opened the OLVR system o August 12, 2012.
The security team noted that the integrity of Maryland’s voting process relied heavily on the OLVR process to authenticate voters and eliminate fraudulent registrations.
According to the audit:

The research team’s OLVR security concerns focused on the use of Maryland driver’s license and identification numbers for user authentication. The team noted that these numbers are derived in a straightforward manner, using a known formula, from the citizens’ names and birth dates, both of which are readily available to the public. In addition, the team noted the existence of an Internet website, which, when provided with the aforementioned information, would accurately generate the Maryland driver’s license number or Maryland identification number. Because of this, the research team advised that the OLVR system allowed an attacker to process fraudulent voter registrations or changes.

The security team provided multiple examples of attacks on the OLVR system, which could disenfranchise legitimate voters and allow fraud to affect elections.
In February 2013, legislative auditors concurred with the independent security team’s findings and determined that limited action had taken place to address the security concerns.  The auditors and security team suggested that the board require additional readily available, non-public personal information for authenticating users; recording complete transaction logs for each attempted and completed online voter registration submission; and regularly running exception reports of unusual activity.
Revisiting the issue last November, auditors determined the board had made some progress in implementing the recommendations such as requiring non-public personal information to verify voters and developing reports to identify suspicious activity.
In response to the audit, State Board of Elections Administrator Linda Lamone stated that as of June 2013, OLVR now requires users to provide the last four digits of their social security number and the number and issue date of their Maryland driver’s license or MVA issued identification card.  As of June 2013 the board created a log of all OLVR transactions and developed automated reports to identify suspicious activity.   
Lamone’s response also noted that the board hired a security consultant to make recommendations to enhance the security of the OLVR system.
The audit also disclosed that the elections board did have an adequate process to remove those serving sentences for felony convictions were removed from voter registration rolls.
State law bans anyone serving a sentence for a felony conviction (including parole or probation) from voting or registering to vote.  If an ineligible individual under this scenario votes attempts to vote they are guilty of a felony and subject to prison time.
Every month the Judiciary provides to the state elections board a report of all the convictions from the various circuit and district courts throughout the state.  The board then excludes misdemeanor convictions and sends the adjusted reports to the local election boards, which have the responsibility of removing convicted felons from the database. 
Auditors found that since 2003 the Judiciary’s monthly report did not include all the felons for the circuit court of “one large county,” and that the state board did not detect the error until July 2012.  Auditors performed a match of the state board’s file of registered voters with an updated file provided by the Judiciary, containing the more than 3,300 felons excluded over the last nine years.   They found that 15 convicted felons illegally voted in the 2010 gubernatorial election.  Auditors also found that the state board improperly excluded 25 convicted felons serving a court ordered sentence from adjusted reports sent to the local election boards.
Also, auditors found that the state board did not have procedures to remove from the voter registration database, felons who violated their parole and issued extended sentences.   Auditors found that four felons given extended sentences illegally voted. 
In the election board’s response, Lamone disagreed with this finding stating that the board did not remove these particular individuals because election law does not require the clerks of circuit courts to provide the board with information on sentencing, probation, or parole regarding these felons.  However, Lamone said if state election law were amended to require this, the state board of elections would comply.
In response to Lamone, the auditors stated

SBE is responsible, under State Election Law, for the integrity of the State’s voter registration database and, as such, we believe SBE should use available information sources to help fulfill this responsibility. As stated in the audit report, counsel to the General Assembly informed us that, although the law does not require the Judiciary (via the clerks of the courts) to provide this information to SBE, there was nothing precluding SBE from obtaining such information. Therefore, we believe an amendment to the law requiring the Judiciary to provide this information is unnecessary. [Emphasis mine].

Auditors also found that the board’s consolidated procurement process for its $21 million voting support system may have resulted in limited competition.  The board received only one proposal and could not provide documentation it adequately evaluated the proposal, and that the board did not seek contract modification from the Board of Public Works when the scope of the contract was reduced by a value of $6.5 million.

Auditors also found accounting and control deficiencies over cash receipts, accounts receivable, purchasing transactions.

Send this to a friend