GOP states announce new voter roll systems. Are they as secure as ERIC?

Several Republican-led states in recent days have announced agreements with each other to share voter information in an effort to prevent election fraud. But critics say the deals potentially expose voters in those states to security breaches and unfounded attempts to kick them off the rolls.

Alabama, Ohio and Virginia in the last week have released details about the one-on-one agreements they’ve signed with several states. Ohio reached deals with Florida, Virginia and West Virginia. Alabama announced it will work with Arkansas, Florida, Georgia, Mississippi and Tennessee.

And Virginia said it will partner with Georgia, Ohio, South Carolina, Tennessee, West Virginia and the District of Columbia. 

The state-by-state partnerships come after several Republican-led states left the Election Registration Information Center, known as ERIC, earlier this year. That group serves as a clearinghouse for voter information that can detect, for example, when a voter moves from one state to another but forgets to update their registration. Twenty-five states and Washington, D.C., are members of the group.

But in the aftermath of the 2020 presidential election, some conservative activists and Republican officials have claimed that the bipartisan group is too liberal. Former President Donald Trump urged GOP election officials to leave the group, and more than half a dozen states have.

Now, the states that left are looking for other ways to do what ERIC does.

“This is a major new development as states look to move beyond the old model of sharing voter data through an unaccountable third-party vendor,” said Ohio Secretary of State Frank LaRose about the agreements in a statement, apparently referring to ERIC, even though the group is made up of states and one of LaRose’s deputies chaired it in 2022.

“Ohio took the lead on this election integrity project, and it’s only one aspect of the work we’re doing to keep our elections honest as we prepare for the next presidential election year,” added LaRose, a Republican who is running for U.S. Senate next year.

Mary Cianciolo, a spokesperson for the Ohio secretary of state's office, said the agreements between other states and Ohio differed on some details to reflect various state laws and legal standards. “Every agreement,” she said, “maintains the same goal: to bolster election integrity across the U.S. through a commitment to securely share relevant data points depending on the state’s laws to identify cross-state voter fraud and duplicate voter registrations between states. These important agreements will continue to allow states to review voter registration rolls, identify double voting, and assist voters who need to update their address, among other needs identified by participating and interested states.”

Wes Allen, Alabama’s secretary of state, announced a new approach to verifying voter information, which he called the Alabama Voter Integrity Database, or AVID. The effort would involve linking voter registration information to the state’s driver’s license database, sharing information with other states, and checking lists against national databases for change-of-address requests and deaths.

All of those are similar to how ERIC operates, but Allen stressed that the information would be on a server in Alabama.

The state’s new system would be an “incredible tool in detecting voter fraud and protecting our elections,” he said at a press conference. “Alabama will be able to access the voter lists of every state that borders us for the first time in history. We have never had that ability.”

But David Becker, an expert in elections administration and one of the founders of ERIC, said the state-by-state approach poses three main problems that ERIC has addressed: low data quality, high costs and inadequate data security.

Becker, who stepped down from ERIC’s board earlier this year after conspiracy theorists spread baseless rumors about him, said the GOP efforts are similar to past attempts to combat voter fraud that fell flat. He said they operate in much the same way as the Interstate Voter Registration Crosscheck Program that started in Kansas in 2005.

The Crosscheck program shut down in 2019, after a Florida open records request exposed the partial Social Security numbers of nearly 1,000 voters. The American Civil Liberties Union sued to shutter the troubled program, which at one point covered half the voters in the country. Before that, the Department of Homeland Security had exposed problems with its data security.

Another problem with Crosscheck, Becker explained in a call with reporters, is that it falsely identified too many “matches” to be practical. The system based its matches primarily on two factors: people’s first and last names and their birth date. But the probability is high that in a country of millions, tens of thousands of people share a name and birth date. Researchers found that 99% of the matches of potential fraud it produced were inaccurate.

“Eventually, states get to the point where they realize there are so few pieces of useful information in this stack, that they stop using it. It’s just used as a talking point to indicate that they may be doing something about fraud and voter list accuracy when they’re really not,” said Becker, who is now the executive director of the Center for Election Innovation & Research.

When state officials developed ERIC, he said, they came up with more sophisticated methods for identifying voters who had moved out-of-state. Instead of just depending on names and birthdays, they also compare driver’s license information, social security numbers and previous mailing addresses in encrypted formats.

In Alabama, Allen said the state’s new approaches have already yielded thousands of potential matches. Anyone identified as having moved out of state would get a postcard at their Alabama address indicating that they need to update their information. If they try to vote, they will be told the same, he said.

Cianciolo, from the Ohio secretary of state's office, said that once preliminary matches are identified, “the states will agree to move forward with an investigation and will work together to gather additional evidence.”

But Becker said that too many inaccurate results would also drive up costs for states that are using less sophisticated methods than ERIC. Government workers will have to follow up on those reports to see whether they are accurate.

Plus, Becker said, individual states using the post office’s database for change-of-address requests or the Social Security Administration’s information on death notices would have to bear the costs entirely themselves, rather than sharing it with dozens of other states in ERIC.

Finally, the go-it-alone states run a higher risk of exposing voter information compared to the ones participating in ERIC, Becker claimed.

There are more opportunities for hackers or bad actors to intercept information, because it is not kept at a central repository. So each state could potentially have 50 connections that could be compromised, rather than just one with ERIC.

The other issue would be how the data is stored, which could differ from state to state.

That’s another reason why ERIC was established, Becker said. ERIC doesn’t possess the raw data of sensitive, personally identifiable information, such as date of birth, social security numbers or driver’s license numbers. Instead, that information is “hashed” by the states before it is sent to ERIC, meaning “it’s about a 45-digit set of characters that is not human readable and not decodable.” Then ERIC hashes it again, meaning even the states couldn’t reconstitute the records.

“Anyone who sought that data would get a double-hashed set of information that would be virtually impossible to break,” he said. “You need two different code keys from two different people in two different places. It’s very, very difficult to get that.”

With the state-by-state approach, Becker said, “we don’t know how this other data is being stored and transmitted. And that’s potentially a real problem for those other states.”

But Cianciolo from Ohio said the deals with other states do address security concerns.

“The agreements maintain the data at a state level as opposed to providing data to an external organization. Additionally, the data that is being shared does not contain confidential information and thus will never exist in another state’s IT infrastructure,” she wrote in an email message. “The agreements include relevant industry cybersecurity standards, such as encryption, that will address many of the concerns listed by Mr. Becker.”

“We are proud to have made this progress in a short amount of time and are actively encouraging agreements with other states,” she added.

Updated Sept. 26 – Florida Department of State spokesperson Mark Ard sent this statement, received after the initial publication of this story:

In 2022, a working group of ERIC member states was formed, which included Florida, and proposed necessary changes to the ERIC membership agreement. Proposed changes included: amending ERIC bylaws to ensure that ERIC membership consists only of members who answer to the voters and taxpayers they represent; strengthening list maintenance reporting requirements to more closely align with the National Voter Registration Act; and the allowance of sharing of non-citizen information.

After the unwillingness of ERIC to implement the necessary changes proposed by the working group, Florida felt it in the best interest of Florida, its citizens, and its voters to withdraw its membership from ERIC. Over the past year, seven other states – Alabama, Iowa, Louisiana, Missouri, Ohio, Texas, West Virginia, and Virginia – left ERIC citing similar concerns.

The establishment of the Office of Elections Crimes and Security in 2022, gave Florida the resources and ability to investigate, review and make criminal referrals for instances of double voting. On September 1, 2023, Secretary of State Cord Byrd signed Memorandums of Understanding (MOUs) with Alabama, Georgia, Ohio, and West Virginia to further prevent voter fraud by routinely sharing only publicly available voter registration information to ensure accurate voter rolls. (See attached.)

The Department will also follow the same security protocols as we have in the past for other list maintenance and quality assurance/control reports.  The process for review and research mirrors previous processes for reviewing and researching potential interstate duplicate registration and/or double voting. Just as they have in the past, Supervisors of Elections will research to verify the voter’s record in Florida including identity, accuracy of recorded voter registration and voting history data.  The Office of Election Crimes and Security will conduct further investigations with the other state jurisdiction based on valid verified records. Those efforts will also be coordinated with the respective Supervisor of Elections office.

Regarding security, the Department is confident in its security measures and the security of information shared among partner states.