Saying I-Voters is secure isn’t enough

Reprinted from the print edition of The Gazette 8/4/2019

I am writing in response to Iowa Secretary of State Paul Pate’s July 30 guest column ‘A model for election security.’ And my purpose is to explain I-Voters and why you should be concerned about it.

I-Voters is our statewide voter registration system. It is a computer system maintained and operated by the Secretary of State’s Office. Voter registration records for more than 2 million voters now are stored in I-Voters.

Every county is required to store its voter registration records on IVoters and every county is required to pay the secretary of state an annual fee to maintain I-Voters. Normally, when you pay someone a fee, you are entitled to know what you are getting in return. That is not the case with I-Voters.

I-Voters went into service in Iowa in 2006. Cybersecurity did not become a hot topic until 2016 – 10 years later. Although I-Voters is running on newer hardware than it did in 2006, that just means the old software, including its flaws, is running faster – not more securely. Let me explain one flaw, which others view as a feature.

Imagine you show up to vote on Election Day and your name is not on the election register. You swear you voted at your precinct in the last election. Heck, you swear you voted in this precinct for the past 30 years. Some of the precinct officials know you and cannot explain why you are not listed on the election register. Yes, you still can vote. Unfortunately, you have to go through the Election Day registration process to register before you can vote.

That takes time and requires proof of who you are and where you reside. What if you don’t have time? Or proof? Now multiply this scenario by ten thousand voters across the state.

How could your name disappear from the election register? One feature of I-Voters is that it allows an election employee – an I-Voters user – in one county to pull your voter registration record from the losing county to the gaining county; e.g., when you relocate from Cedar Rapids to Iowa City.

One flaw of I-Voters is that one employee – not two employees – can pull your voter registration record from Cedar Rapids to Iowa City; i.e., from Linn County to Johnson County. What used to be a ‘feature’ before the age of cyberwarfare now is a ‘flaw.’ I do not know how many other flaws I-Voters has, but that is the one that keeps me awake at night.

When you pay someone a fee, you are entitled to know what you are getting in return. Unfortunately, I do not know what Pate is doing with the millions of dollars he has received to upgrade I-Voters. I thought I-Voters would be upgraded before the 2020 presidential election. On July 19, the Associated Press reported it would not be upgraded until after 2020.

I-Voters is the Achilles’ heel of elections in Iowa. Maliciously remove or relocate a thousand voter registration records in the system just before Election Day, and chaos will ensue.

Time is of the essence, Mr. Secretary.

Telling Iowa’s voters, taxpayers, and county auditors that I-Voters is ‘secure’ is not enough. County auditors do not know what is going on with I-Voters, and they are entitled to know.

I request that you hire a third party, independent cybersecurity firm to assess I-Voters and determine if it is ready for the 2020 elections. In addition, let me and my fellow county auditors on your Auditors’ Advisory Panel observe the assessment, see the results, and monitor the fixes. Nothing is more important.

 Joel Miller is Linn County auditor.

One comment on “Saying I-Voters is secure isn’t enough

  1. […] appeal is still relevant. Our statewide voter registration system (IVoters) is now 17 years old and ...
%d bloggers like this: