Security News

October election update: Hacking and suppressing the vote

David Strom, 14 October 2020

Exploring voter suppression and voter fraud in the Trump campaign

It's time for another update on election security as we draw closer to the actual November date. Our previous election blogs can be found here:

Technology and the vote
LA and Iowa primary voting issues
Black Hat and DEFCON sessions regarding elections security
NJ and other September updates



Today’s news concerns two themes: voter suppression and supposed voter fraud. First, an analysis of how 3.5 million Black Americans were recently profiled by the Trump campaign, in an article from the UK’s Channel 4 news. The group was targeted for ads to try to convince them to stay home and not vote on election day this November. A second article described how the campaign was targeting white voters with fearful social media messages to encourage them to vote for Trump. These articles are complemented by other research by the Washington Post about a Twitter account @WentDemtoRep that was removed by the platform in late August. The account featured a number of testimonials by Blacks challenging accusations of racism by Trump.

Voter suppression was part of the playbook of the Trump 2016 campaign. This article in TechCrunch describes what Cambridge Analytica did to manipulate private Facebook members’ data when working for the Trump Campaign itself. Back in 2016, many Blacks didn’t vote, thanks to various disinformation ads on Facebook and other social media platforms, according to PolitiFact here. These ads aren’t exclusive to Republicans -- you might recall back in 2012 when the Obama campaign had an app that allowed them to collect private user data and friend networks. More recently, Elizabeth Warren’s experiment with placing a phony Facebook ad back in October 2019, using its example to call for better accountability from the platform. These same targeting methods are still widely in use by many campaigns.

This isn't the first time this is happening

Voter suppression also isn’t new: There was a lot of data collected by Mueller, during his investigation several years ago which showed that more than 3,500 ads on Facebook were placed by the Russian Internet Research Agency to try to convince potential Black voters to stay home during the 2016 elections.  The same group also posted a series of anti-Muslim ads and organized concurrent protest rallies in Texas on opposite political sides. (You can view some of these ads in a new PBS program called Us vs. Them at the 20 minute mark, and the Amazon movie All In goes into detail about the long history of voter suppression in the south.)

One thing that doesn’t help voting matters is when the various state-run registration systems crash. This happened over the first week in October in Pennsylvania, followed quickly by systems serving Florida registrations. Service was restored to both by Monday, October 5. The Pennsylavnia outage was caused by equipment failure at an outsourced data center and affected other state agencies. One reason for the outage could be the system was initially constructed nearly 20 years ago and now is overwhelmed by the huge increase in mail-in ballot requests. The weekend outage wasn’t the first time the system had crashed: it also went down the day before the last day to register for the state’s primary. Florida’s registration system was overwhelmed by ballot requests hitting just before the filing deadline. This week also saw system crashes in both Georgia (where early voting has begun) and Virginia (where a construction crew cut a fiber optic cable that brought down their online registration portal). The voting machine failures in Georgia contributed to long waits at various polling stations.

Contrast what is happening in Colorado, where they have been voting by mail for many years. I recently spoke to Trevor Timmons, the CIO for the Colorado Department of State, the agency that supervises its elections. In its June 2020 primary, more than 99% of registered voters submitted mail-in ballots. The state maintains duplicate data centers with active failovers to handle potential outages. “And we do plenty of load and failure tests to ensure we have sufficient capacity,” he said. “We don’t want to create our own denial of service incident if we don’t have sufficient processing capacity.” He mentioned that almost every state should have tested its mail-in processes out during the primary season to learn any weak spots. 

The other bit of news is the result from another investigation, this one by the New York Times into voter fraud. Trump has brought up this issue in numerous rallies, including mentioning it several times during his first live debate with Biden in late September. The Times wrote: “Voter fraud is an adaptable fiction, and the president has tailored it to the moment. It is nothing short of a decades-long disinformation campaign — sloppy, cynical and brazen, but often quite effective — carried out by a consistent cast of characters with a consistent story line.” 

There have been many studies of potential fraud claims, including this recent FBI advisory that didn’t find any direct evidence. “During the 2020 election season, foreign actors and cyber criminals are spreading false and inconsistent information through various online platforms in an attempt to manipulate public opinion, discredit the electoral process, and undermine confidence in U.S. democratic institutions,” the advisory stated. Colorado’s Timmons hears from many of its citizens and advocacy group members about potential fraud cases, “but the reality is that our ballots are mailed to specific people, the registered voter. The return envelope is signed and we then compare the signatures.”  Timmons says his goal is to dispel any uncertainty and help people understand how mail-in ballots move through the process. 

Facebook attempts to do its part

In anti-fraud efforts, Facebook has announced they will reject ads that wrongly claim victory in the US presidential race prematurely. It will also ban ads that claim widespread voter fraud and will also ban ads the week before the election. Google is also banning ads placed after the polls close too. Given Facebook’s spotty record at protecting its members’ privacy, this is long overdue.

The FBI advisory suggests several strategies for voters to evaluate any potential voting fraud claims, including:

  • Rely on state and local election officials for information about voter registration databases and voting systems.

  • Refer to the CISA elections security guidelines that were published last year that documents what state elections officials can do to better protect their elections.

  • View early, unverified claims with a healthy dose of skepticism.

  • Verify through multiple reliable sources any reports about compromises of voter information or voting systems.