Wisconsin sued over voting system’s allegedly weak cyber protections
An election clerk and voter have filed a lawsuit against the Wisconsin Elections Commission (WEC) seeking to block the state from continuing to use its online election portal until it improves allegedly weak cybersecurity protections.
The portal, known as MyVote, is a statewide system used for voter registration and absentee ballot requests. It allows anyone to seek an absentee ballot by providing nothing but a name and a birthdate and then request the ballots to be sent to any address without verification, the lawsuit says.
The complainants are also asking a Wisconsin federal court to order the WEC to perform a security audit to find voting fraud that the system may already have enabled before continuing to rely on the platform, the lawsuit says.
Election administration has become a lightning rod in recent years as political parties and operatives have sued with increasing frequency over voting procedures which they say threaten election integrity. These lawsuits are often without merit and are sometimes designed to weaponize electoral processes for political gain.
The election clerk in the Wisconsin case, Jeannette Merten, ran for office without any political party affiliation, according to Ballotpedia.
Because MyVote does not allow voters to create accounts with usernames and passwords, or otherwise use standard cybersecurity measures, anyone can fraudulently ask for absentee ballots in a given voter’s name, the lawsuit alleges.
“Any person in the world can request MyVote mail an absentee ballot to any address in the world merely by inputting a voter’s name and providing his or her birthdate,” the complaint says.
WEC is the Wisconsin agency charged with overseeing elections in the state. However, the lawsuit asserts that the MyVote system was not created by statute.
A WEC spokesperson did not immediately respond to a request for comment.
Wisconsin previously acknowledged that MyVote does not use account names and passwords or verify the identities of voters in an indictment of a state resident accused of fraudulently requesting absentee ballots in other people’s names, the complaint says.
That defendant admitted to the crime, the lawsuit says, and said he was able to order the ballots from MyVote “all without providing a photo I.D. or identifying myself.”
Individuals using a virtual private network (VPN) can go even further, the lawsuit says, by easily altering a voter's personally identifying information, voting history or address without detection due to the encryption VPNs provide.
“The inadequate cybersecurity safeguards present within the MyVote website pose significant risks to the integrity of the electoral process and the personal data of Wisconsin voters,” the complaint says.
Similar problems have recently emerged in other states.
In August, a cybersecurity researcher discovered a vulnerability in a new online portal run by the Georgia Secretary of State’s Office which would have let anyone make a “voter cancellation request” for any citizen, according to ProPublica.
Election cybersecurity has become a big issue in the run up to next month’s election. In the aftermath of the 2020 election former President Donald Trump claimed without evidence that the election was stolen due to fraud.
Last month, the House Administration Committee heard testimony from six state election officials addressing election integrity procedures. Cybersecurity was a prominent theme.
Ohio Secretary of State Frank LaRose told lawmakers that under his oversight Ohio has ensured that every county board of elections has access to cybersecurity experts and vulnerability disclosure policies.
Federal government officials say election infrastructure is cyber secure.
“I've traveled the country meeting with election officials of both parties and they work tirelessly every day to ensure that every one of their citizens’ votes are counted as cast,” Cybersecurity and Infrastructure Security Agency director Jen Easterly told CBS News on Tuesday. “It's why I have such confidence and why I can say election infrastructure has never been more secure.”
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.