Anonymous Report: Was Arizona’s Voter Registration Data Hacked and Changed?

Ely Diaz made the trip from Los Angeles to Phoenix the last two weekends before the Arizona Democratic Primary to volunteer for Bernie Sanders. When Ely arrived to headquarters on Sunday morning, March 20 about 8:45 a.m., volunteers were being told they could no longer use the electronic get out the vote (GOTV) app they’d been using on their phones to help with door to door canvassing. Paper print outs were to be used exclusively instead. Campaign workers were tight-lipped about the reason for the switch. Ely made inquiries until another volunteer whispered that “apparently Bernie’s list has been hacked.” This was not a surprise to Ely, every campaign worker has war stories of cheating by the other side, but Ely was later gobsmacked to realize “the magnitude or the repercussions [those] actions could have on the Arizona primary.”

Ely did not speak to the Justice Gazette for their similar story and provided Anonymous with pictures from time volunteering with the Bernie Brigade. The Bernie Brigade traveled by bus and carpool from Los Angeles to Arizona to work or volunteer with the campaign. Anonymous has made contact with a top official with the Sanders campaign who was active in Arizona for comment. We will update this report accordingly if and when we hear back.

Two days after Sanders’ Arizona campaign barred further use of their GOTV phone app, Bianca Rodriguez was forced to vote provisionally even though she brought along a copy of her state-issued voter registration card proving she was a registered Democrat. Bianca, whose last name we have changed at her request, provided Anonymous with a copy of her voter registration card, along with a screen shot with the identical voter identification number showing that her information had been scrubbed from Arizona’s Secretary of State voting website.

The day before the election, Bianca’s information was still there. She used it to look up her proper polling location. Bianca pursued her case with the Pinal County Recorder until she was assured that her vote had been counted; others were not so fortunate.  Some people, like twenty-one year old Ron Traider*, were simply told they could not vote, even with a provisional ballot, because their information had similarly disappeared from Arizona’s Secretary of State website or had been switched to a different party or none altogether. Arizona officials have stated that most provisional ballots will not be counted because the voting information they have on record does not indicate that the voters in question are registered with the party whose candidate they attempted to vote into the general election in November.

Individual Reports

Concerned that we might only be hearing one side of the story, Anonymous has used our very best online research methods in an attempt to discover what the reach of this potentially rather substantial scandal may be. We searched deeply on multiple social media sites, using a wide variety of search terms. We looked into every news story we could reasonably find reporting on this phenomenon. We engaged directly with a few Republicans and Hillary Clinton supporters on Twitter. We tried various general Google searches. We were looking very closely at specific reports where individuals said either that they or someone they knew directly (a relative, friend, or person they were at the polls with) had experienced having their voter registration changed without their knowledge. Where we were able to have direct contact with Democrats making such claims, we asked whether they supported Sanders or Clinton. While these results are far from comprehensive (there are likely well over a thousand of these little reports out there), we have done our best to get an accurate sampling.  As reported on Twitter, these are our results:

Update: in going through the details of the database, the numbers adjusted slightly. 1 Unknown Party, 12 GOP, 139 Dem, 113 Sanders supporters, 24 Unknown Preference, 2 Clinton.

Anonymous has published our full database below. There are associated weblinks in the database for 146 of the 151 entries. The other five, like Bianca’s, were emailed to us directly. Eighty-five of the reports came from a private, get out the vote Facebook Event for Sanders in Arizona. We need to fill out the details of those 85 reports, but do not want to let that work hold up publication. That event page has thousands of members. For transparency, and in advance of a possible story, we shared the data in advance with a reporter from the Washington Post and made sure they had access to the Private Event page. The reports from that Facebook Event were almost all made while voting was still happening and before results had been announced. Five of the specific reports of this happening to Republican voters came from that Facebook Event.  Dozens of people, in addition to Ron, nearly all Sanders supporters, were prevented from voting altogether.

Three reports include video, the most powerful of which is Alisa Wolfe’s on Facebook. Alisa pursued her inability to vote on election day until the county recorder electronically found two different signed records, one of which Alisa insisted she did not sign, noting the clear difference in signatures. The recorder acknowledged a mistake had been made and said her vote would be allowed. Another video includes a man showing his voter ID card on camera; it has been viewed over 120,000 times as of publication here.

We did not discover a Clinton supporter at all until entry 140. Entry 151 was emailed to us from Maeve Robertson, a seventy-year-old Clinton supporter form Tuscon. Maeve explained that she “didn’t receive my early and ballot and could not not vote because my registration had mysteriously changed to independent. I didn’t receive my voter registration card until the day after the primary.” Maeve has since followed up with the Pima County Recorder who told her that, even though she had been registered as a Democrat for decades and has had an Arizona drivers license since she was sixteen, new procedures meant that she was required to state that she was a Democrat when she renewed her license this past December. She had never had to do that previously and was accordingly disenfranchised from voting last Tuesday. The Recorder told Ms. Robertson that the Motor Vehicles Division (MVD) clerk should have asked her to designate a party. “That didn’t happen, or I certainly would have. Seems as though there’s been some sabotage at the MVD.” While Ms. Robertson would have voted for Clinton and may have donated a small amount to her campaign, she closed cheerfully with the following: “This election it’s vote for anyone who is not Trump, not Cruz or any of those loony tunes Republicans. Thanks for doing this. I’m a big fan of Anonymous.”

Hacked? Arizona’s SQL Vulnerability

Anonymous asked three of our veteran hackers, of varying skill levels, to scan Arizona’s Secretary of State website for vulnerabilities, while insisting that nothing illegal be done along the way. One hacker had health related issues that prevented her or him from doing a vulnerability scan. Another hacker was quite busy, but made two or three attempts. In each case, the IP associated with their vulnerability scan was immediately blocked by the website. One of Anonymous’ best hackers, however, discovered a massive vulnerability in less than a minute that we feel is nearly impossible to defend against a skilled and determined attacker.

Arizona’s Secretary of State website stores its data in SQL databases. Properly maintained (a big question given Arizona’s constant penny wise, pound foolish budgeting), SQL databases can be defended against hackers with a moderate or lesser skill level. But SQL databases in general have been known to have a particular, structural flaw for decades. SQL Injection, where random data is entered into a data entry field, can trigger an SQL database to give up most or all of its goods to an unauthorized user. SQL Injection is nearly always the first line of attack a hacker learns, and at its most basic level, it can literally be taught to a toddler .  A Vice article from November is entitled “The History of SQL Injection, the Hack That Will Never Go Away.” It notes that SQL Injection repeatedly takes the number one spot in Open Web Application Security Project Foundation’s triennial report on threats that websites face.

NoSQL or non-SQL databases have been around since the 1960’s, gained popularity beginning in 1998 in the initial move to greater web security, and are used by banks, major social media sites, and web giants like Google and Amazon to process and protect big data.

Anonymous may release an addendum to this report at a later time outlining specific SQL related vulnerabilities for the Arizona Secretary of State’s voter related websites.

Impact

How widespread was the problem of switched voter registrations last Tuesday?

It is hard to say with certainty.

At this point, it is clear that some of the cases, like Ms. Robertson’s, stem from ridiculous new procedures put in place by Arizona’s Secretary of State and Motor Vehicles Division. That said, other cases like Bianca’s, clearly do not fit that pattern, and the apparent overwhelming impact on Sanders supporters cannot be explained by a glitch that should have hit all parties and candidate supporters in roughly equal numbers.

The numbers in Pima County and Maricopa are particularly glaring. Reports of five-inch thick piles of provisional ballots and up to 2/3 of ballots in a particular voting location in Pima are quite suspicious. Numbers Anonymous is using internally to monitor election results across the country suggest that Sanders should have won student rich, and reliably progressive Pima county comfortably. The lack of polling stations alone in Maricopa County cannot explain how Phoenix, with a Democratic Mayor, could see Republicans show up at the polls on election day to the tune of around 80,000 voters, while Democrats cast a paltry 33,000 votes in Maricopa County on election day.

While Early Voting is increasing in Arizona with each election, we are rather skeptical of the idea that Maricopa had nearly 100,000 fewer Democrats voting in-person over against 2008’s primary between Clinton and Obama.

Conclusion

At this point, Anonymous quite obviously does not have the required proof to point a finger at any particular person or campaign for the findings in our database and of our vulnerability scan. Non-conspiratorial alternative explanations may emerge for why  perhaps tens of thousands of voters showed up to the polls expecting to be able to vote with the party they had registered with previously and were either denied or forced to vote provisionally. What is unmistakable, at this point, is that something went very badly wrong well beyond the lack of polling stations. The evidence does point to the possibility that something more malicious is happening.

In that vein, we should note that there are now likewise dozens and dozens of reports of Sanders supporters in places like Pennsylvania and New York, with upcoming closed primaries, finding that their own registrations have been switched. One such report arrived in our inbox on Friday morning, the final day for new voter registrations in New York. The emailer told us that the website for New York was going up and down intermittently. We asked what link they were using. When we checked it, our Tor Browser informed us that the website was insecure, presenting an invalid encryption certificate.

Suspicious, for damn sure. We’ll allow readers to draw their own further conclusions at this point.

*We’ve changed Ron’s name as his report was one found in the invitation only Facebook Event page created to help get Bernie Sanders’ supporters to the polls.

Clarification: This article was updated at 11:07am MST on March 28 to clarify the roll of the Washington Post reporter with whom we shared data. The Post, in keeping with their journalistic principles, played no roll in helping us to verify data in advance of our publication.

Appendix – Arizona Switched Database

https://docs.zoho.com/sheet/published.do?rid=b7lrg2140d3169d644b8082fea3207bbb73c5