GOP states announce new voter roll systems. Are they as secure as ERIC?

Several Republican-led states in recent days have announced agreements with each other to share voter information in an effort to prevent election fraud. But critics say the deals potentially expose voters in those states to security breaches and unfounded attempts to kick them off the rolls.

Alabama, Ohio and Virginia in the last week have released details about the one-on-one agreements they’ve signed with several states. Ohio reached deals with Florida, Virginia and West Virginia. Alabama announced it will work with Arkansas, Florida, Georgia, Mississippi and Tennessee. And Virginia said it will partner with Georgia, Ohio, South Carolina, Tennessee, West Virginia and the District of Columbia. 

The state-by-state partnerships come after several Republican-led states left the Election Registration Information Center, known as ERIC, earlier this year. That group serves as a clearinghouse for voter information that can detect, for example, when a voter moves from one state to another but forgets to update their registration. Twenty-five states and Washington, D.C., are members of the group.

But in the aftermath of the 2020 presidential election, some conservative activists and Republican officials have claimed that the bipartisan group is too liberal. Former President Donald Trump urged GOP election officials to leave the group, and more than half a dozen states have.

Now, the states that left are looking for other ways to do what ERIC does.

“This is a major new development as states look to move beyond the old model of sharing voter data through an unaccountable third-party vendor,” said Ohio Secretary of State Frank LaRose about the agreements in a statement, apparently referring to ERIC, even though the group is made up of states and one of LaRose’s deputies chaired it in 2022.

“Ohio took the lead on this election integrity project, and it’s only one aspect of the work we’re doing to keep our elections honest as we prepare for the next presidential election year,” added LaRose, a Republican who is running for U.S. Senate next year.

Mary Cianciolo, a spokesperson for the Ohio secretary of state's office, said the agreements between other states and Ohio differed on some details to reflect various state laws and legal standards. “Every agreement,” she said, “maintains the same goal: to bolster election integrity across the U.S. through a commitment to securely share relevant data points depending on the state’s laws to identify cross-state voter fraud and duplicate voter registrations between states. These important agreements will continue to allow states to review voter registration rolls, identify double voting, and assist voters who need to update their address, among other needs identified by participating and interested states.”

Wes Allen, Alabama’s secretary of state, announced a new approach to verifying voter information, which he called the Alabama Voter Integrity Database, or AVID. The effort would involve linking voter registration information to the state’s driver’s license database, sharing information with other states, and checking lists against national databases for change-of-address requests and deaths. All of those are similar to how ERIC operates, but Allen stressed that the information would be on a server in Alabama.

The state’s new system would be an “incredible tool in detecting voter fraud and protecting our elections,” he said at a press conference. “Alabama will be able to access the voter lists of every state that borders us for the first time in history. We have never had that ability.”

But David Becker, an expert in elections administration and one of the founders of ERIC, said the state-by-state approach poses three main problems that ERIC has addressed: low data quality, high costs and inadequate data security.

Becker, who stepped down from ERIC’s board earlier this year after conspiracy theorists spread baseless rumors about him, said the GOP efforts are similar to past attempts to combat voter fraud that fell flat. He said they operate in much the same way as the Interstate Voter Registration Crosscheck Program that started in Kansas in 2005.

The Crosscheck program shut down in 2019, after a Florida open records request exposed the partial Social Security numbers of nearly 1,000 voters. The American Civil Liberties Union sued to shutter the troubled program, which at one point covered half the voters in the country. Before that, the Department of Homeland Security had exposed problems with its data security.

Another problem with Crosscheck, Becker explained in a call with reporters, is that it falsely identified too many “matches” to be practical. The system based its matches primarily on two factors: people’s first and last names and their birth date. But the probability is high that in a country of millions, tens of thousands of people share a name and birth date. Researchers found that 99% of the matches of potential fraud it produced were inaccurate.

“Eventually, states get to the point where they realize there are so few pieces of useful information in this stack, that they stop using it. It’s just used as a talking point to indicate that they may be doing something about fraud and voter list accuracy when they’re really not,” said Becker, who is now the executive director of the Center for Election Innovation & Research.

When state officials developed ERIC, he said, they came up with more sophisticated methods for identifying voters who had moved out-of-state. Instead of just depending on names and birthdays, they also compare driver’s license information, social security numbers and previous mailing addresses in encrypted formats.

In Alabama, Allen said the state’s new approaches have already yielded thousands of potential matches. Anyone identified as having moved out of state would get a postcard at their Alabama address indicating that they need to update their information. If they try to vote, they will be told the same, he said.

Cianciolo, from the Ohio secretary of state's office, said that once preliminary matches are identified, “the states will agree to move forward with an investigation and will work together to gather additional evidence.”

But Becker said that too many inaccurate results would also drive up costs for states that are using less sophisticated methods than ERIC. Government workers will have to follow up on those reports to see whether they are accurate. Plus, Becker said, individual states using the post office’s database for change-of-address requests or the Social Security Administration’s information on death notices would have to bear the costs entirely themselves, rather than sharing it with dozens of other states in ERIC.

Finally, the go-it-alone states run a higher risk of exposing voter information compared to the ones participating in ERIC, Becker claimed.

There are more opportunities for hackers or bad actors to intercept information, because it is not kept at a central repository. So each state could potentially have 50 connections that could be compromised, rather than just one with ERIC.

The other issue would be how the data is stored, which could differ from state to state.

That’s another reason why ERIC was established, Becker said. ERIC doesn’t possess the raw data of sensitive, personally identifiable information, such as date of birth, social security numbers or driver’s license numbers. Instead, that information is “hashed” by the states before it is sent to ERIC, meaning “it’s about a 45-digit set of characters that is not human readable and not decodable.” Then ERIC hashes it again, meaning even the states couldn’t reconstitute the records.

“Anyone who sought that data would get a double-hashed set of information that would be virtually impossible to break,” he said. “You need two different code keys from two different people in two different places. It’s very, very difficult to get that.”

With the state-by-state approach, Becker said, “we don’t know how this other data is being stored and transmitted. And that’s potentially a real problem for those other states.”

But Cianciolo from Ohio said the deals with other states do address security concerns. “The agreements maintain the data at a state level as opposed to providing data to an external organization. Additionally, the data that is being shared does not contain confidential information and thus will never exist in another state’s IT infrastructure,” she wrote in an email message. “The agreements include relevant industry cybersecurity standards, such as encryption, that will address many of the concerns listed by Mr. Becker.”

“We are proud to have made this progress in a short amount of time and are actively encouraging agreements with other states,” she added.