New safeguards for Georgia election security await Kemp’s signature

JOHN SPINK/JSPINK@AJC.COM

When some Georgia voters showed up at the polls last fall, their registrations had mysteriously disappeared without a trace. They couldn’t vote except on provisional ballots.

The unsolved case of the missing voter registrations and a federal lawsuit prompted state lawmakers to pass a bill requiring election officials to strengthen protections against hacking, tampering and computer errors.

Secretary of State Brad Raffensperger would be responsible for creating security protocols for voter registration information consistent with standards set by national cybersecurity and election organizations, according to House Bill 392.

The bill is awaiting Gov. Brian Kemp’s signature or veto. Kemp’s office didn’t respond to an email seeking comment.

"If the governor signs it, this bill will represent a significant upgrade to the security of the system," said Max Feldman, an attorney for the Brennan Center for Justice, a policy institute at New York University focused on democracy and criminal justice that is representing plaintiffs in the lawsuit. "Ensuring that any sort of gaps in security that would expose voters' registration information or allow third parties to change registration information on the voter registration list is what we're hoping will be addressed here."

Deputy Secretary of State Jordan Fuchs said the legislation puts the force of law behind the state’s existing security procedures.

“Security of the voting system is Secretary Raffensperger’s top priority,” Fuchs said. “This law recognizes that priority and should help put an end to unfounded speculation and meritless claims that our election data is not secure.”

The legislation arose from an ongoing federal lawsuit that accused election officials of failing to protect voter registration information, allegedly making it possible for someone to gain access to the state’s voter registration system and change registration information. Attorneys for the Secretary of State’s Office responded in court filings that potential vulnerabilities are speculative, and if they exist, it’s unknown whether they’ve been exploited.

The lawsuit, filed by the government accountability group Common Cause Georgia, listed three voters whose registrations went missing during the 2018 election, along with poll watchers and volunteers who heard complaints from voters about problems with their registrations.

One Roswell voter had been registered to vote for 17 years, but Fulton County election officials told him there was no record of him ever having voted in Georgia, according to the lawsuit. Another voter in Gwinnett County cast her ballot in the 2016 presidential election, but election officials couldn’t find her registration in 2018. An Atlanta voter was also told she wasn’t registered, and the issue wasn’t rectified until she found a record of her registration at the library where she had signed up to vote in May.

Election officials across Georgia issued provisional ballots more frequently last fall than in previous elections, according to the lawsuit. The percentage of provisional ballots increased to 0.54% in 2018, compared with 0.47% in 2014.

Sara Henderson, the executive director for Common Cause Georgia, said the legislation addresses the main concerns of her organization's lawsuit. If Kemp signs the bill, Common Cause will evaluate the next steps for the court case. Feldman declined to say whether the new security protocols would resolve the lawsuit.

While it’s unknown whether Georgia voter registration information has ever been compromised, it has been exposed in the past:

  • Voter information was available for download from a state election server housed at Kennesaw State University in 2016.
  • The Secretary of State's Office in 2015 inadvertently released the personal information of more than 6 million Georgia voters to 12 organizations, including statewide political parties and news media organizations that legally buy more limited voter information from the state.
  • A computing expert warned last fall that anyone's voter registration information could be obtained from the state's My Voter Page and voter registration websites. The Common Cause lawsuit said voter data could have been accessed and changed, an allegation the Secretary of State's Office denied.

Under HB 392, the Secretary of State's Office would implement security practices and consider recommendations from the National Institute of Standards and Technology, a science laboratory within the U.S. Commerce Department that promotes cybersecurity standards; the Center for Internet Security, a nonprofit organization that helps prevent cyberthreats; and the U.S. Election Assistance Commission, a federal agency that provides election administration information.

Security standards could include voter registration system backups, access logs and precautions against denial-of-service attacks that could attempt to overload election websites, said Edgardo Cortés, an election security adviser for the Brennan Center and Virginia’s former elections commissioner.

Election officials could also strengthen verification safeguards before anyone could access the state’s voter registration system, such as requiring both a password and another method of authentication, he said.

“It’s a big step for Georgia,” Cortés said. “It will give the public assurance that the state is reviewing election security on a regular basis.”
