During testimony before the Kansas legislature earlier this month, Secretary of State Kris Kobach (R) claimed he was unaware of any security breaches with the Interstate Crosscheck Program, a project Kansas administers to compare voter registration databases across states for duplicate voters.
“We have never had any security breach, ever, since the Crosscheck program has existed,” Kobach said on January 10th.
Less than 10 days later, Florida announced it would be providing free credit checks to 945 individuals whose social security numbers Kansas inadvertently sent through unsecured email and that Florida then provided to an individual who filed a public records request seeking information about the state’s participation in the program.
The Kansas resident who filed the records request, Anita Parsa, told ThinkProgress that after the 2016 election, she became interested in learning more about why her state administers a program that opponents say allows for voter suppression. She quickly learned that it’s also rife with security concerns.
“I was shocked by what I received,” Parsa said. “It’s part of an overall careless approach that I feel like the Kansas secretary of state’s office has used.”
“Their protocol and their internal process for handling this puts people at risk,” she continued.
In April, Parsa requested public records from states that have recently pulled out of Crosscheck to learn why they made that decision. When she received a disc in the mail from Florida, she noticed that the state had inadvertently sent her an encryption password to access the Crosscheck data electronically. That revelation prompted her to contact Indivisible Chicago, which had been looking into security concerns with the system. The group made Parsa’s discovery and other reports of breaches public, leading to reports about massive concerns with Crosscheck’s data security.
Gizmodo, a technology news site, published a piece with the deadline: “Even a novice hacker could breach the network hosting Kris Kobach’s bogus voter fraud program.”
A few months later, while looking through the records again, Parsa said she noticed an attachment that included the names and social security numbers of 945 people in Kansas and Florida who Kansas claimed potentially voted twice. The records indicated that almost all of them were false positives — people with the same name and birthdate, but different social security numbers.
Parsa said she was shocked to gain access to so much personal data, and questioned why Kansas does not have tighter security precautions.
“When you are dealing with the private data of a hundred million people, it needs to be at a professional level where the people in charge are experts at data security and make it a huge priority,” she said. “In Kansas, we don’t have the money and we don’t have the expertise to be the ones in charge with this kind of data.”
One of the people whose personal data was compromised was 45-year-old Kansas resident Scott Moore. Moore told ThinkProgress that because he has a fairly generic name, he was not surprised that a Florida voter has his same name and birthdate.
In a phone interview Monday, Moore said he was disappointed when he learned that his state was not only spending money and resources going after purported voter fraud, but also compromising its citizens information in the process.
“I think it’s a shame that this happened,” he said. “Why the state of Kansas decided that it was our job to go out there and administer this database is beyond me.”
Moore said he finds the breach “upsetting” and will look into the free credit services, but said “I’m less concerned about my own personal information as I am the fact that this happened. This is not why [Kobach] was elected secretary of state. It is not what the state of Kansas should be doing. I think it’s a shame, I really do.”
“None of this really had to happen,” he added.
Armed with the trove of personal data in her inbox, Parsa contacted state Rep. Brett Parker (D) and a local reporter last fall with her concerns. After the reporter, Allison Kite of the Topeka Capital-Journal, reached out to Florida, the Department of State announced Friday it would be offering a year of free fraud detection and protection services to the individuals affected. Kansas has not yet issued an official response or offered anything to the voters, despite the breach being Kansas’ fault, Parsa said.
“I feel like Kansas isn’t taking appropriate responsibility,” Parsa said. “Yes, Florida shouldn’t have given it to me, but this is Kansas’ problem… Kansas is the owner and operator of this program and they’re the ones that set the tone with proper data handling. Kansas sent this file to Florida. Kansas is the ultimate bad actor here.”
When contacted by Kite for comment, Kansas Director of Elections Bryan Caskey, who works closely with Kobach, said repeatedly that “Crosscheck’s entire database, which last year totaled nearly 100 million records, to his knowledge has never been breached.” He said that Kansas officials are trained on how to securely handle data, and he blamed Florida for this particular breach.
“Although I agree that it should not have been sent by email, I also am adamant that Florida had no business turning that over to any third party,” Caskey said.
In addition to the security concerns, Parsa said her investigation of Crosscheck has raised other questions, including why only Kansas — and not a consortium of states — administers the system, or why Kansas shares the names of any matches and not just the names it believes are actually double-voters. A vast majority of the matches flagged by the Crosscheck system are false positives, which undermines people’s confidence in the system as a whole.
“I find it shocking and upsetting that they would do that,” she said.
Steve Held, a member of Indivisible Chicago who has been leading its End Crosscheck initiative, told ThinkProgress that Kobach and other Kansas officials may not have know about the Florida breach when they testified this month that they haven’t heard about any security concerns, but they should have known that breaches were plausible.
“There are lots of other examples of this kind of information being passed around through email,” he said. “I question their assumption that their system is secure just because they don’t know of a data breach. It’s not clear to me that they have any of the right tools in place to actually know if there is a data breach. The rest of the program is so incompetently run — why should we have confidence that they have the right tools in place to monitor these systems? I think it’s unwarranted confidence on Kobach’s part.”
The list Parsa received is not the only recent security breach stemming from Crosscheck, Held said. The group has also received from Florida full voter applications for 28 Mississippi voters, including partial Social Security numbers and driver’s license numbers. Arizona has also emailed Washington a list of voters with unredacted social security numbers, according to Held, and Washington emailed 50 to 100 voters’ information with social security numbers to Massachusetts and other states.
Kansas launched Crosscheck launched in 2005 as part of a broader effort to combat voter fraud and improve election administration. Since becoming secretary of state in 2011, Kobach has become the most vocal advocate for the program. During testimony before the state legislature this month, he said the state plans to spend around $20,000 to make security upgrades this year.
But Parsa said that’s not enough. “We [in Kansas] are the stewards of 100 million voters’ private data, and we’re doing it with 2005 tech that has not been updated, that we haven’t spent a dime on, and we’re securing it with a $20,000 security upgrade patch,” she said.
Kobach’s office announced Monday that Crosscheck will be operational again next month following the security review.