Georgia voter registration system crisis touches Connecticut

Georgia Secretary of State, Brian Kemp, just launched an investigation of the Democratic Party of Georgia, after their consultant pointed out a serious vulnerability in Georgia’s voter registration system/database: Kemp’s Aggressive Gambit to Distract From Election Security Crisis <read>

This touches Connecticut because the vendor for Georgia’s system, PCC, is located in Bloomfield Connecticut and supplies Connecticut’s voter registration and election night reporting systems. It is not certain that the reports so far accurately portray PCC’s role in Georgia and if any of the same vulnerabilities apply to the Connecticut’s system. From our understanding Connecticut has paid a lot of attention to the security of our voter registration system and that PCC supplies the software by is not involved in its operation. We have reached out to the Secretary of the State’s Office suggesting that they address the relevance of the Georgia report to Connecticut.

The beginning of the article points to the weakness discovered in the Georgia system and the attempted political deflection of the issue from Brian Kemp’s responsibilities as Secretary of State to the Democratic Party:

When Georgia Democrats were alerted to what they believe to be major vulnerabilities in the state’s voter registration system Saturday, they contacted computer security experts who verified the problems. They then notified Secretary of State Brian Kemp’s lawyers and national intelligence officials in the hope of getting the problems fixed.

Instead of addressing the security issues, Kemp’s office put out a statement Sunday saying he had opened an investigation that targets the Democrats for hacking…

WhoWhatWhy, which exclusively reported on these vulnerabilities Sunday morning, had consulted with five computer security experts on Saturday to verify the seriousness of the situation. They confirmed that these security gaps would allow even a low-skilled hacker to compromise Georgia’s voter registration system and, in turn, the election itself. It is not known how long these vulnerabilities have existed or whether they have been exploited…

“What is particularly outrageous about this, is that I gave this information in confidence to Kemp’s lawyers so that something could be done about it without exposing the vulnerability to the public,” Brown told WhoWhatWhy. “Putting his own political agenda over the security of the election, Kemp is ignoring his responsibility to the people of Georgia.”…

“It’s so juvenile from an information security perspective that it’s crazy this is part of a live system,” Constable said.

It’s Georgia and Brian Kemp’s responsibility but the article also implicates PCC:

A Connecticut-based private contractor, PCC Technologies Inc., has contracts to manage voter registration systems for Georgia and 14 other states. PCC also runs online voter registration for six of them, including Georgia. If these vulnerabilities exist in Georgia, they could also be present in other states where PCC operates.

Matt Bernhard, a Ph.D. student in computer science at the University of Michigan focusing on voting technology, found that personally identifiable information could also be accessed through North Carolina’s voter page, which PCC also manages.

As Georgia’s system has not been audited — if it had, these problems would have been found and fixed, presumably — there are likely other vulnerabilities that could impact the midterm election, according to Constable.

PCC also runs the ElectioNet system, which is used by every county in Georgia to manage the state’s voter rolls. If voter registration data was changed, it would show up in the ElectioNet system. In a declaration as part of a recent lawsuit against the state, Colin McRae, chair of the Chatham County Board of Registrars, disclosed that the ElectioNet system is also responsible for populating the data in the pollbooks of every state.

Our understanding is that PCC just supplies software to Connecticut and does not manage our voter registration system.

Connecticut does not officially use ePollbooks. We use printed paper checkin lists, although some registrars have purchased and use ePollbooks for redundant record keeping. We presume it is PCC code that is used to print the paper checkin lists we use and to load the ePollbooks purchased by some towns.  Any significant errors in either of those could cause chaos and dramatically effect elections.  Once again, there is a strong possibility that vulnerabilities in Georgia may not apply to Connecticut.




Leave a Reply

You must be logged in to post a comment.