Hack the Vote

Five ways Internet tricksters could tamper with the 2008 elections.

In the late 1800s, during the heyday of Tammany Hall, New Yorkers would often show up to vote with a full beard. “When you’ve voted them with their whiskers on, you take them to a barber and scrape off the chin fringe,” explained Democratic boss Big Tim Sullivan. If the political machine needed still more votes, the voter would return with nothing but a mustache, and then once again clean-shaven. “That makes one of them good for four votes,” according to Sullivan.

Technology has cleaned up elections since then. Voting machines ensure one person casts only one vote. Electronic databases let secretaries of state compare their rolls to avoid double registration. Hotlines tell voters where and when to show up on Election Day.

This year, campaigns are relying more than ever on e-mail, texting, and the Web to get their message out and raise cash. But high-speed communication also means more opportunities for electronic skullduggery. Just as new technology lets voters get good information faster than ever in 2008, mischief-makers can spread bad information quickly.

Election tricksters—perhaps working for campaigns, perhaps freelancing—disseminate false polling locations and closing times. They spread rumors that Democrats vote Tuesday, Republicans vote Wednesday, or that anyone with outstanding parking tickets, unpaid rent, or family members in prison can’t vote. Voters also get misled about ID laws, believing they’re stricter than they really are. (A recent Supreme Court decision to uphold Indiana’s voter ID law could be misinterpreted as applying to other states as well.)

Campaigns and voting rights activists are anticipating all kinds of Internet dirty tricks to spread this misinformation. Here are five they are most worried about—and how they can be stopped.

1. Fake e-mails. In 2004, Democrats were duped by an official-looking e-mail soliciting donations to the Kerry campaign. Researchers exposed it as a phishing scam, but many donors had already lost their money. Now most contributions to the presidential candidates are given online. And supporters are eager to give—a fake solicitation from Obama campaign manager David Plouffe could rake in cash before the campaign had time to shut it down. (Just look how accurately tricksters were able to replicate bank Web sites.) Such fraud doesn’t have to be about money: In November, an e-mail falsely attributed to the Mitt Romney campaign called out Rudy Giuliani and “his pedophile friends,” reflecting poorly on both candidates.

Defense: Rapid response. Campaigns need an early-warning system that lets them counter false claims as soon as they occur. Branding also helps—the more distinctive campaign e-mails are, the more likely supporters will recognize a fake. Notice that Obama’s donation page has a security seal at the bottom designating it an “authentic site.” Notice, also, that you can easily copy the seal and post it on your own site.

2. Dummy Web sites. In 1999, a Web site appeared depicting George Bush with a straw up his nose inhaling lines of coke. It was clearly satire, but the GOP sued and the site was taken down. More threatening is the prospect of fake candidate sites that look real. Some weak points have already been exposed: A team from Symantec registered 124 domain names with various misspellings of the candidates’ names and attracted 21,000 hits over two months. In April, a hacker redirected anyone who clicked on the “Community Blogs” section of MyBarackObama.com to Hillary Clinton’s home page, then posted an apparent confession. (One online security expert recently discovered a flaw in the Domain Name System that could allow hackers to redirect visitors to other pages.) Particularly vulnerable are Secretary of State sites, where many voters go to find polling locations and to preview their ballots. These state sites are generally low-tech and subject to tampering—if people with basic coding skills could access and manipulate Oklahoma’s sex offender registry, they can certainly muck with the Secretary of State polling-station locators.

Defense: Back it up. If a campaign finds a major security breach in their site, they can immediately pull it down and automatically redirect users to an identical clone site. If done right, the user experience would be seamless. That said, beware of false alarms: Sen. Joe Lieberman cried foul in 2006 when he thought his Web site was downed by Ned Lamont-loving hackers. Turns out it was his own campaign’s fault. As for security, companies offer seals of authenticity for political and government Web sites. But, again, they’re easy to fake.

3. Social networking. Social networks let advertisers target users based on geography, age, gender, and even interests. Say you wanted to tell female students between the ages of 18 and 25 at Ohio State University interested in “Obama” that their polling place had moved all the way across town (even though it hadn’t) or that locations actually stay open two hours later (even though they don’t). You can create a Facebook ad that displays only to that group.

Defense: Social networking. The sickness is also the cure. Social networks thrive on sharing, so if you discover a misleading ad, it’s that much easier to tell everyone you know. Plus, Facebook users (and Myspace, LinkedIn, etc.) tend to be savvier than grannies who still log on through AOL. They’re more likely to know where to go get proper info rather than trust the same ad space that normally features Busted Tees.

4. Robo-calling. The tactic isn’t new, but the Web makes it absurdly easy. Robo-calling can be used for everything from providing false registration information to smear campaigns. Before the North Carolina Democratic primary, a mysterious robocaller told voters in black neighborhoods they had to fill out an extra voter registration form before Election Day. (The calls were eventually traced to Women’s Voices Women Vote.) Another automated call targeted at possible caucus-goers in Nevada trashed “Barack Hussein Obama.” You could set a robo-call up in the next five minutes as long as you’re willing to pay for call lists. The best part: Voice over I.P. technology makes the calls virtually untraceable.

Defense: Not much. The best campaigns can do is condemn the calls, as the Obama camp did after the Nevada blast. They can also file a complaint, as the NAACP did in the aftermath of the North Carolina call. But retroactive justice is little consolation once an election is over.

5. Search-engine deoptimization. However many e-mail blasts the campaigns send out, many voters will just search Google or Yahoo for polling info. Pranksters could therefore buy ads directing anyone looking for “where to vote” or “polling place” to the wrong information. They could also make misinformation more prominent in the search results. Google recently announced the death of the Google Bomb—a concerted effort to bump a particular page to the top search result—but bloggers and hackers have already discovered workarounds.

Defense: Search-engine optimization. Google is on the case. The search giant has partnered with the Pew Center on the States and the JEHT Foundation to create the Voting Information Project. The goal is to standardize polling and ballot information, make sure it’s accurate, and put it in places on the Internet where voters will find it. So when people search for “Virginia polling locations” on Election Day, they’ll be directed to their Secretary of State site. There, they can enter their address into an embedded search bar and see a Google Map providing directions to their official polling place. It’s a step up from current poll locators, says a Google spokeswoman, since it corrects for misspellings.

That’s not to say these Internet tricks will upset the election—or even dent it. There are plenty of bright mischief-makers out there, but how many of them want to screw up elections? (Elect John McCain for the lulz!) And it may turn out that traditional methods of voter manipulation—such as, say, paying busloads of homeless people to pass out inaccurate sample ballots—will prove more effective. Plus, one smear campaign probably equals a thousand polling-place misinformation campaigns.

Ultimately, the best thing campaigns can do is fight bad information with good. (I know, I know; it’s boring and often doesn’t work.) That means keeping the lines of communication open among election officials, campaigns, and Internet service providers in case something goes wrong. During the primaries, campaigns provided polling locators and organized phone banks to answer voter questions on Election Day. This time around, they’ll have dozens of voting rights groups backing them up on the local level. At the same time, the Obama campaign is recruiting an army of lawyers to supervise polling places and prevent discrimination. And, of course, to keep an eye out for suspicious mustaches.

Thanks to Lillie Coney of the Electronic Privacy Information Center, Thad Hall of University of Utah, Michele Jawando of People for the American Way, Jon Pincus, and Tova Wang of Common Cause.