New York Times: Supreme Court Upholds Ohio’s Purge of Voting Rolls

From The New York Times: Supreme Court Upholds Ohio’s Purge of Voting Rolls

The case was the latest battle in a partisan war over how far states can go in imposing all kinds of voting restrictions, including cutbacks on early voting and tough voter ID laws.

By Adam Liptak
June 11, 2018
WASHINGTON — The Supreme Court on Monday upheld Ohio’s aggressive efforts to purge its voting rolls.
The court ruled that a state may kick people off the rolls if they skip a few elections and fail to respond to a notice from state election officials. The vote was 5 to 4, with the more conservative justices in the majority.
On one level, the decision sought to make sense of tangled statutory language. But it was also the latest battle in a partisan war over how far states can go in imposing all kinds of voting restrictions, including cutbacks on early voting, elimination of same-day registration and tough voter ID laws.
Republicans have pushed for such restrictions, arguing without evidence that they are needed to combat widespread voter fraud. Democrats have pushed back, countering that the efforts are part of an attempt to suppress Democratic constituencies from voting, particularly minorities.
The case concerned Larry Harmon, a software engineer and Navy veteran who lives near Akron, Ohio. He voted in the 2004 and 2008 presidential elections but did not vote in 2012, saying he was unimpressed by the candidates. He also sat out the midterm elections in 2010 and 2014.
But in 2015, Mr. Harmon did want to vote against a ballot initiative to legalize marijuana and found that his name had been stricken from the voting rolls. State officials said that they had done so after sending Mr. Harmon a notice in 2011 asking him to confirm his eligibility to vote and that he did not respond. Mr. Harmon said he did not remember receiving a notice.
Federal laws prohibit states from removing people from voter rolls “by reason of the person’s failure to vote.” But they allow election officials who suspect that a voter has moved to send a confirmation notice.
The central question in the case was whether a failure to vote could be the reason to send out the notice.
Justice Samuel A. Alito Jr., writing for the majority, said federal laws allowed such notices as part of a process to cull inaccuracies from the voting rolls. A key provision, he wrote, “simply forbids the use of nonvoting as the sole criterion for removing a registrant, and Ohio does not use it that way.”
“Instead,” he wrote, “Ohio removes registrants only if they have failed to vote and have failed to respond to a notice.”
Chief Justice John G. Roberts Jr. and Justices Anthony M. Kennedy, Clarence Thomas and Neil M. Gorsuch joined the majority opinion.
In dissent, Justice Stephen G. Breyer wrote that the majority had placed too much reliance on failures to respond to the notices. In 2012, he wrote, Ohio sent out 1.5 million notices, to roughly 20 percent of the state’s registered voters.
But only 4 percent of Americans move outside their county each year, he wrote.
“Ohio only received back about 60,000 return cards (or 4 percent) which said, in effect, ‘You are right, Ohio. I have, in fact, moved,’” Justice Breyer wrote. “In addition, Ohio received back about 235,000 return cards which said, in effect, ‘You are wrong, Ohio, I have not moved.’”
“In the end, however, there were more than one million notices — the vast majority of notices sent — to which Ohio received back no return card at all,” he wrote.
The upshot, Justice Breyer wrote, was that many voters who had not moved were removed from the rolls, thanks in large part to “the human tendency not to send back cards received in the mail.”
Justice Alito said he was unimpressed by Justice Breyer’s “cobbled-together statistics and a feature of human nature of which the dissent has apparently taken judicial notice.”
Federal law, Justice Alito wrote, “plainly reflects Congress’s judgment that the failure to send back the card, coupled with the failure to vote during the period covering the next two general federal elections, is significant evidence that the addressee has moved.”
“It is not our prerogative to judge the reasonableness of that congressional judgment,” Justice Alito wrote, “but we note that, whatever the general ‘human tendency’ may be with respect to mailing back cards received in the mail, the notice sent” in Ohio “is nothing like the solicitations for commercial products or contributions that recipients may routinely discard.”

Ohio is more aggressive than any other state in purging its voter rolls. After skipping a single federal election cycle, voters are sent a notice. If they fail to respond and do not vote in the next four years, their names are purged from the rolls.
A few other states use similar approaches, but not one of them moves as fast.
“Ohio is the only state that commences such a process based on the failure to vote in a single federal election cycle,” said a brief from the League of Women Voters and the Brennan Center for Justice. “Literally every other state uses a different, and more voter-protective, practice.”
Justice Alito wrote that Congress had good reason to urge states to clean up their voting rolls. Citing a 2012 report from the Pew Center on the States, he wrote that some 24 million voter registrations are estimated to be invalid or significantly inaccurate, and that 2.75 million people are registered to vote in more than one state.
The United States Court of Appeals for the Sixth Circuit, in Cincinnati, ruled in favor of Mr. Harmon in 2016, saying that Ohio had violated the National Voter Registration Act of 1993 by using the failure to vote as a “trigger” for sending the notices.

Without that decision, “the ballots of more than 7,500 eligible Ohioans would have gone uncounted in the November 2016 election,” Mr. Harmon’s lawyers at Demos, a liberal think-tank, and the American Civil Liberties Union wrote in a Supreme Court brief.
A Reuters study in 2016 found that at least 144,000 people were removed from the voting rolls in recent years in Ohio’s three largest counties, which are home to Cleveland, Cincinnati and Columbus.

“Voters have been struck from the rolls in Democratic-leaning neighborhoods at roughly twice the rate as in Republican neighborhoods,” the study found. “Neighborhoods that have a high proportion of poor, African-American residents are hit the hardest.”
Twelve states, generally led by Democrats, filed a brief supporting Mr. Harmon. Seventeen states, generally Republican, filed a brief on the other side.
The Justice Department for decades took the position that failing to vote should not lead to disenfranchisement. In the appeals court, the Obama administration filed a brief supporting Mr. Harmon.

After the last presidential election, the department switched sides in the case, Husted v. A. Philip Randolph Institute, No. 16-980.
Justices Ruth Bader Ginsburg, Sonia Sotomayor and Elena Kagan joined Justice Breyer’s dissent. In a separate dissent in which she wrote only for herself, Justice Sotomayor said Ohio’s program was of a piece with “concerted state efforts to prevent minorities from voting and to undermine the efficacy of their votes” that were “an unfortunate feature of our country’s history.”

The program, she added, “has disproportionately affected minority, low-income, disabled and veteran voters.”
Justice Alito responded that the dissenters had focused on the wrong questions.
“The dissents have a policy disagreement, not just with Ohio, but with Congress,” he wrote. “But this case presents a question of statutory interpretation, not a question of policy. We have no authority to second-guess Congress or to decide whether” Ohio’s notification program “is the ideal method for keeping its voting rolls up to date.”
“The only question before us is whether it violates federal law,” Justice Alito wrote. “It does not.”

Follow Adam Liptak on Twitter: @adamliptak.

New York Times: Bombing Kills at Least 14 Afghans Registering to Vote

By Fahim Abed and Rod Nordland
May 6, 2018

KABUL, Afghanistan — A bomb blast killed at least 14 Afghan civilians on Sunday as they lined up in a mosque to register to vote in coming national elections, according to officials.

The explosion was at least the sixth attack on voter registration activities in Afghanistan since the authorities last month began requiring citizens to register to vote in person at centers across the country.

According to Bashir Khan, a spokesman for the police department in Khost Province, explosives apparently had been hidden in the mosque and were detonated while some people were praying and others registering to vote.

He said that at least one woman was among those killed, and that 33 others had been wounded.

Mohammadin Mangal, deputy head of the health department for Khost, said that at least 12 bodies and the wounded had been taken to the hospital after the attack. (Some Afghans take the dead directly to funerals rather than to the hospital).

The attack occurred two weeks after a suicide bomber struck a voter registration office in Kabul, the capital, killing at least 57 people. The Islamic State in Afghanistan claimed that attack; Taliban insurgents denied any responsibility for it.

The Taliban also denied any role in the attack on Sunday.

Voter registration began on April 14, after voting cards issued in previous elections were invalidated because of widespread forgery. Citizens must now go to registration centers to have their national identity documents stamped to show that they can vote in the elections for the national parliament, planned for October.

The elections are three years behind the schedule mandated by the Afghan Constitution. A disastrous and disputed presidential election in 2014 led to widespread disagreement among political parties about how to conduct elections, both for Parliament this year and for presidency in 2019.

Voter registration has proceeded very slowly, according to officials. In addition to the attack on a registration center in Kabul on April 22, there have been at least four other attacks reported on registration centers or officials since the voter drive began.

Maliha Hassan, an election commissioner, said that 1.2 million Afghans had registered to vote so far, out of what is believed to be 14 million who are eligible. The registration process ends June 15, which, at the current rate, would leave most Afghan voters unregistered.
EDITORS’ PICKS
On Social Media’s Fringes, Extremism Targets Women
A Simple Way to Improve a Billion Lives: Eyeglasses
Storms, Missteps and an Ailing Grid Left Puerto Rico in the Dark

“We don’t have a specific target for the number of people we expect to register,” Ms. Hassan said. “Let’s wait until the end of the process and see how many people register.”

Abdullah Abdullah, Afghanistan’s chief executive, in a recent speech blamed the slow registration drive on “insecurity, lack of trust in the government and lack of awareness.”

Follow Fahim Abed and Rod Nordland on Twitter: @fahimabed and @rodnordland.

Fahim Abed reported from Kabul, and Rod Nordland from London.

NPR Story: Six States Hit Harder By Cyberattacks Than Previously Known, New Report Reveals

Two years after Russia’s wave of cyberattacks against American democracy, a Senate committee investigating election interference says those hackers hit more states harder than previously thought.

The committee also added that it still doesn’t know with complete certainty exactly how much of U.S. voting infrastructure was compromised.

The report summary released this week by the Senate intelligence committee gives an overview of initial findings focused specifically on how Russian government operatives affected U.S. elections systems. The full report is undergoing a review to check for classified information.

“U.S. election infrastructure is fundamentally resilient,” the Senate report said.

Committee members also said that they uncovered no evidence that any vote tallies were manipulated, or any voter registration data was deleted or changed, which is similar to what the intelligence community and other lawmakers have said consistently since 2016.

Some of the report’s other findings also are familiar: Russian cyber attackers targeted or scanned the elections systems in at least 21 states, and the Department of Homeland Security was slow in reaching out to the correct officials in those states to let them know.
Will Your Vote Be Vulnerable On Election Day?
Politics
Will Your Vote Be Vulnerable On Election Day?

New details about cyberattacks

But the report also says that in at least six of those states, the Russian-affiliated cyber operatives “went beyond scanning and conducted malicious attempts on voting-related websites” — a specific detail that had not been previously reported.

In most of those six instances, the Russian cyber attackers attempted to use a “SQL” injection, which involves using special characters on a public facing website to gain access and either read or manipulate data.

The report says that in “a small number of states,” the Russian operatives were in a position to alter or delete voter registration data. DHS has previously said Russian hackers only broke into the voter registration system in Illinois, but that there’s no indication any records were altered.

While the security of state election websites isn’t tied to the security of vote tallying — they are completely separate systems — displaying the results of an election correctly is key to maintaining voter trust.

In detailing an election hacking worst-case scenario at a Senate Intelligence Committee hearing in March, Sen. Marco Rubio, R-Fla., mentioned hacking a state election website that posts results as a way to sow doubt among the voting population.

Imagine an Election Day on which officials counted ballots correctly but lost control of the official website on which they’d intended to announce the results. It could display the name of the loser as the winner or serve as some other kind of avenue for mischief.
FACT CHECK: Trump Repeats Voter Fraud Claim About California
Politics
FACT CHECK: Trump Repeats Voter Fraud Claim About California

The reporting issue

NBC News reported earlier this year that the intelligence community had evidence in 2017 that Russian operatives compromised the voting systems of seven states, including in some cases, their public websites. The Department of Homeland Security responded by slamming the report as “factually inaccurate and misleading.”

In response to an inquiry by NPR about the number of states that had their websites attacked, a DHS spokesperson declined comment but referred back to Senate testimony given last summer by Jeanette Manfra, the chief cybersecurity official at DHS. The testimony does not detail how many states specifically had their websites attacked in the way the Senate Intelligence Committee report says — but it also does not contradict the finding.

DHS Secretary Kirstjen Nielsen told the Senate intelligence committee in March that DHS won’t reveal specific information about cyberattacks and the states because of fears they will stop reporting. Nielsen’s agency depends on the states to volunteer what has happened to them; she cannot compel them to talk or detect many attacks on her own.

“Unfortunately, throughout the last 15 years at DHS, when it comes to this situation, the victims stop reporting,” Nielsen said. “When they stop reporting, we’re just not aware of the attacks.”

The Senate report also spotlighted this reporting issue.

Although it says “the diversity of our voting infrastructure is a strength,” because it makes a large coordinated attack on vote tallies almost impossible, it also means neither Congress nor the Department of Homeland Security get an unimpeded look at the security of state voting systems.

“[They] are required to notify no one” about attacks, said Joseph Lorenzo Hall, a cybersecurity expert with the Center for Democracy and Technology.

Because of that, the Senate committee says “it is possible that additional activity occurred and has not yet been uncovered.” And: “In light of the technical challenges associated with cyber forensic analysis, it is also possible that states may have overlooked some indicators of compromise.”
Election Chiefs ‘Straddle The Line Between Sounding The Alarm And Being Alarmist’
National Security
Election Chiefs ‘Straddle The Line Between Sounding The Alarm And Being Alarmist’

For example, an attack on Alaska’s election website in 2016 just became public this week, because the Anchorage Daily News made a public records request that revealed emails about the event. A website called Cyberwar News had also previously reported the incident, but Alaska only acknowledged it this week.

The hacker, whom Alaska officials told the Daily News was unrelated to the Russian scans of the 21 states, posted a photo on Nov. 8, 2016, of an administrator’s view of the Alaska elections website on Twitter.

Despite bragging about “ballot administrator access,” the user wasn’t actually able to view any confidential information nor affect any data. The state deemed the threat as “election disinformation” and did not disclose it because the elections process wasn’t “impeded” by the event, according to the Daily News.

Elections experts such as Hall viewed the Alaska event as a positive because it showcased how many layers a hacker would have to break through to actually affect an elections system. Hall compared the event to an intruder breaking through a home’s screen door, but not being able to get any further into the house.

He said he wished the state had been more proactive in talking about the issue, rather than hiding it because of worries about voter confidence. Many elections officials argue that announcing each individual hacker could embolden them.

“I think it’s more of a success story that I would have loved to seen detailed earlier,” Hall said.

ADN Article: Hackers broke partway into Alaska’s election system in 2016. Officials say no damage was done.

https://www.adn.com/politics/2018/05/07/hackers-broke-partway-into-alaskas-election-system-in-2016-officials-say-no-damage-was-done/

JUNEAU — A hacker gained unauthorized access in 2016 to the server that hosts Alaska’s public elections website, according to documents released by Gov. Bill Walker’s administration.
The documents, obtained by the Anchorage Daily News through a public records request, outline an incident that drew the attention of federal law enforcement but had not been publicly revealed by Alaska election officials.

The documents show that Alaska’s elections, like other states’ around the country, face threats from hackers seeking to undermine American democratic institutions. But technology experts both inside and outside state government said that no damage was done — and that the attack actually highlights the resilience of Alaska’s multi-layered cyber-defenses.
“I’m surprised elections officials haven’t been more proactive in telling this story,” said Joseph Lorenzo Hall, chief technologist at the Washington, D.C.-based Center for Democracy and Technology, who reviewed the documents at the ADN’s request. He added: “It could have been a lot worse for Alaska.”

An earlier incident involving Alaska’s elections system was made public in September, when state officials said an election-related server was scanned by Russian cyber-actors. In that case, the state said that the event, which it learned about roughly a month before Election Day, did not amount to a security breach.
But elections officials never disclosed an apparently unrelated, successful intrusion into the website-hosting server on Election Day. They now say the attack had no effect on the integrity of Alaska’s election or the counting of votes.

The state elections director, Josie Bahnke, said the internal documents do not change her account of the 2016 election. The state did not announce the hacker’s unauthorized access because the elections process wasn’t “impeded” by the event, the state elections division said in a prepared statement.
There was no confidential data on the hacked server, and there was no way for the server to bring malicious data into state networks because it could not make outgoing connections to the internet, current and former state officials said in interviews.

“No voter data was compromised. No results of the election have changed. And we continue to conduct secure elections,” said Bahnke.
State and federal officials, and the public, have made elections security a focus since 2016. The U.S. Department of Homeland Security last year told officials in 21 states, including Alaska, that hackers affiliated with the Russian government targeted their elections during the 2016 campaign.

At least two states were successfully attacked by the Russian hackers. In Arizona, they stole a county elections official’s login information; in Illinois, they downloaded information about thousands of people from that state’s voter registration database, including partial Social Security numbers.

There’s no evidence those incidents affected the outcome of the 2016 election. In Alaska, computers using Russian-affiliated internet addresses simply scanned an elections-related server, but they didn’t try to gain any kind of unauthorized access, said the state election division’s systems administrator, Phillip Malander.

The state has previously acknowledged that scan. It had not disclosed the other incident, which the state learned of at 5:30 a.m. on Election Day, Nov. 8, according to the public records.
A Twitter user named CyberZeist had posted a screen shot “from what appeared to be a compromised Alaska Division of Elections reporting system,” Chris Letterman, who was then the state’s chief information security officer, wrote to another state official on Election Day afternoon.

The reporting system hosts one of the state’s three publicly available elections results pages, along with other public websites. CyberZeist had found a weakness in a computer language called PHP — a weakness that software developers publicly revealed in October 2016, along with an update to fix it. The announcement meant that hackers likely knew about the weakness, and how to exploit it.
The state elections reporting system normally would have been automatically updated to patch the weakness. But a state cybersecurity analyst, Myron Davis, had inadvertently broken the automatic update process in September 2016, when he was trying to make more efficient use of storage space, according to the documents.

The hack granted CyberZeist administrator privileges, which theoretically allowed the hacker to view all files on the server — not just the ones available to the public. But none of the files held on the server were confidential, and the hacker could not modify them, officials said.

A Twitter user named CyberZeist touted his hack of one of Alaska’s elections-related servers in 2016, in a screen grab captured by a blog, ForensicsXploited.blogspot.com.
CyberZeist posted a screenshot from the reporting system on Twitter, with a message: “#USElections2016 Alaska Election Division online #ballot administrator access #pwned.. waiting for people to start voting.” (“Pwned” is commonly-used expression on the internet to indicate when something has been hacked or defeated.)

The hacker also contacted an Australian security researcher and internet publisher, Lee Johnstone, Johnstone said. CyberZeist told Johnstone that the system was running an out-of-date operating system, and sent a screenshot that suggested they could edit elections-related web pages.

The screenshot, however, came from a test area that didn’t actually have the power to alter publicly accessible pages, Alaska elections officials said.
“It was all shady and seemed more media-bait than anything else,” Johnstone said in a message, suggesting that CyberZeist wanted their attack to be publicized.
CyberZeist’s identity and motives are hazy. The hacker was once part of a collective called UGNazi, according to a private security firm’s report included in the public records request.
The collective waged successful attacks to take down the websites of the CIA and NASDAQ, and it repeatedly posted online the Social Security number and address of former New York City mayor Michael Bloomberg, according to Wired. CyberZeist left the group in 2012 and has made subsequent attacks on financial institutions, according to the security firm’s report.
CyberZeist told the tech website Gizmodo that they attacked Democratic National Committee members using information from the successful, Russian-linked hack of the email account of Hillary Clinton’s campaign chairman, John Podesta. But, CyberZeist told Gizmodo: “I am not directly linked with the Podesta hacks.”

Alaska officials said they have received no information that links CyberZeist’s attack with the separate, Russian-affiliated internet addresses’ scans of the state elections-related server.
A spokesman for the U.S. Department of Homeland Security, Scott McConnell, referred questions about the attack back to the state.

Davis, the state security analyst, pinpointed the internet address of an Indian power company as the one he thought CyberZeist used to make their attack on Alaska. It’s likely the attacker wasn’t actually in India and instead used the address to conceal their true location, said Hall, the Washington, D.C.-based technology expert.
Johnstone, the Australian security researcher, ultimately published a story about the hack on his website, Cyber War News, headlined: “Alaska elections result site hacked by CyberZeist.”
But the information did not spread to organizations with broader circulation, and Alaska news outlets did not pick up the story.

State officials recounted the incident to an FBI agent, who in turn reported it to a federal judge, according to one of the emails in the public records request. But state technology experts found no evidence that CyberZeist changed anything on the hacked server.

The server couldn’t even make outgoing connections to the global internet, according to Davis, the state security analyst who’s since left his job. The server was specifically limited so that it could make outgoing connections only to one other computer: the state server that transmitted software updates.
“It could not connect anywhere else,” Davis said in a phone interview. “It was pretty well locked down.”

The computer system that actually counts and adds Alaska’s vote totals is completely separate from the one that hosts the public website.
It’s also not connected to the global internet, and it only transmits data to the reporting system by disk, in one direction. State elections officials call it a “sneakernet,” since you need sneakers to walk data from one system to the other.

Those different layers of security are “beautifully done,” said Hall. CyberZeist’s intrusion was analogous to a burglar who successfully broke through a screen door, but got no further, he said.
“All the other doors and other things did exactly what they were supposed to do,” he said. “This is just a glorious example of things working.”
Alaska’s elections division wants to keep voters informed of situations “that would adversely impact the exercise of their voting rights,” the division said in its prepared statement.
But it also wants to keep both foreign and domestic adversaries from sowing uncertainty and mistrust in the state’s democratic process — and there’s a risk that comes with publicizing a hack that had no practical affect on the 2016 election, elections officials said.

“Their whole goal is just to undermine people’s confidence in the electoral process and the system,” said Malander, the elections division’s systems administrator.
Alaska’s elections system scored well on a February security review by the Washington, D.C.-based Center for American Progress: It was one of 11 states to receive a ‘B,’ the highest grade awarded.

In this year’s election, Alaska will stop allowing voters living or stationed overseas to return ballots electronically, a practice that the center’s report called “notoriously insecure.”
Alaska elections and technology officials, in interviews and emails, broadly described other steps they’re taking; there are new login restrictions and procedures for identity confirmation, new information-sharing tools and a federal security clearance obtained by Bahnke that will grant her more access to details about threats and defenses.
But officials were hesitant to delve into the details of those measures. Alaska’s election system, with its paper ballots and layers of protections, is secure, and residents are better off focusing on other threats to their democratic institutions, said Bill Vajda, the state’s chief information officer.

“We are taking steps to make sure that we’re protecting the integrity of the security of the technology and infrastructure,” Vajda said in an interview.
“The real focus of the story isn’t us,” he said, pointing instead toward Russian-linked efforts to distribute false news stories on social media. He added: “Facebook sold ads to the Russians to promote fake news, and they got called in front of Congress to answer.”

One Alaska lawmaker said the CyberZeist attack underscores the importance of keeping the state’s elections secure from foreign interference.
“I think there’s always room for improvement; I think this highlights that fact,” said Sitka Democratic Rep. Jonathan Kreiss-Tomkins, who chairs the House State Affairs Committee, which has jurisdiction over elections.

He said he’s considering holding a hearing on elections security this week.