Wisconsin MyVote Website Suit Puts Focus on Authentication Woes

Oct. 24, 2024, 8:40 AM UTC

A lawsuit accusing Wisconsin’s voter website of cybersecurity vulnerabilities put its finger on growing identification challenges for organizations across industries—but its timing two weeks before the presidential election realistically leaves little time for an overhaul.

On Oct. 21, an Oshkosh elections clerk and another state resident sued the Wisconsin Elections Commission over its MyVote portal, asking a judge to order the state to take down the online voter registration and absentee ballot site until it can be redesigned and tested because “inadequate security” exposed it to “unauthorized access, data breaches, and other cybersecurity threats.”

For instance, the complaint said, the portal doesn’t allow users to create accounts with usernames and passwords to protect against third parties requesting absentee ballots in their names. It cited the 2022 indictment of a person who had fraudulently requested absentee ballots for two other voters.

While the complaint’s authentication concerns resonated with cybersecurity professionals, several told Bloomberg Law its timing so close to Election Day left them puzzled. The requested audit alone could take months or even years before there’s a finished product, they said.

Nearly 100 lawsuits have been filed within the last few months across the country seeking to strengthen voter identification requirements or invalidate ballots that don’t meet them, NBC News reported.

“It’s generally strange to attempt to do some sort of legal intervention like this within 90 days before an election,” said Mike Specter, assistant professor at Georgia Tech who researches systems security and elections. He called the complaint’s timing “incredibly surprising.”

“Altering elections equipment and altering elections processes 90 days before an election is hard, it’s generally not considered a favorable thing,” Specter said.

The identity-verification issues the suit raises echo concerns the cybersecurity community has been focused on, industry professionals said. Organizations across all sectors are targeting authentication risks to shore up systems that identify users through biometric or multifactor means.

The world has been in “this weird global identity crisis,” said Jim Coyle, chief technology officer for the US public sector at Lookout, a cloud security company.

“We are really bad at understanding identity and protecting it, and what identity actually means as far as, ‘I am, who I say I am. Here’s my proof,’” he added.

‘Gross Negligence’

The complaint zeroed in on the site’s lack of identification protections, saying it allows users to request absentee ballots by giving only a voter’s name and a birth date.

Adding an extra layer of protection to ask voters to identify themselves should be “one of the very first things that you do,” Coyle said.

“The fact that somebody can go out and get absentee ballots in your name without you authorizing—without anybody logging in or doing anything like this—is gross negligence,” he said. “This is basic. And this does need to have a fix.”

Additional identification steps could include requiring users to provide a driver’s license number or another form of identification the state could match to its own records.

“Limit it to people who only already have an established record, and it could be anything from a driver’s license to perhaps a hunting license, anything like that, where you had to present evidence of who you are,” said Hans A. von Spakovsky, manager of the Election Law Reform Initiative at the Heritage Foundation, which promotes policies focused on preventing voter fraud.

The complaint asks the court to require the election commission to conduct a comprehensive security audit of the portal and voter registration system and implement all necessary security measures. In practice, that process could involve a number of time-consuming steps: red teaming, which looks for vulnerabilities; blue teaming, which focuses on defenders’ capabilities; and purple teaming, which combines both the red and blue teams’ functions.

After completing the risk audit, actually fixing the site could stretch the timeline even more.

“Depending on the amount of problems, fixing it—that can be a much longer process, especially if you’re going to be talking about resource constraints, people, time, money, right?” Coyle said. “That in itself, could take months to a year, maybe even more, depending on how bad it is.”

Election Countdown

The complaint based its concerns on the 2022 indictment of Harry Wait on charges that he improperly requested two elected officials’ voters’ absentee ballots through the state’s portal. Wait, who pleaded not guilty, said he was trying to expose the system’s flaws and was able to order absentee ballots online in other people’s names, “all without providing a photo I.D. or identifying myself,” according to the filing.

Patrickus Law Office SC, the law firm that filed the suit brought by Dawn McCole and Jeannette Merten, didn’t respond to multiple requests for comment about the timing of the complaint.

So far, “all signs are pointing” to this year’s elections to be “just as, if not more secure” than the 2020 elections “because of important improvements many states have made over the last four years,” Greta Bedekovics said in an email. She’s the associate director of democratic policy at the Center for American Progress, which opposes policies that make it more difficult to vote.

The Wisconsin Elections Commission made the same point when reached for comment on the complaint, pointing out that Wait was caught and charged, demonstrating that “the system works as intended.”

The suit’s security concerns, Coyle said, ultimately don’t threaten the overall voting process. Even in the event of duplicate registrations, most states’ counting and auditing systems are able to catch unintended uses of online voting portals like Wisconsin’s, he said.

“Yes, there’s a vulnerability. Yes, you can execute on that vulnerability. But does it make a difference? Not really,” he said. “Because the auditor is going to catch it, they’re going to get down to the bottom of it, and eventually they’re going to throw out the fraudulent vote.”

The case is McCole v. Wisconsin Elections Commission, E.D. Wis., No. 2:24-cv-01348.

To contact the reporter on this story: Cassandre Coyer in Washington at ccoyer@bloombergindustry.com

To contact the editors responsible for this story: Adam M. Taylor at ataylor@bloombergindustry.com; Tonia Moore at tmoore@bloombergindustry.com
