• Lax state rules provide cover for sponsors of attack ads

    By Alan Suderman
    The Center for Public Integrity

    While much criticism has been lobbed at the federal system for failing to adequately identify who is spending money to influence campaigns, 35 states have independent spending disclosure laws that are less stringent than federal election law.

    In fact, in 30 states it’s impossible to total how much money outside groups are spending on campaigns, information that is mostly available when it comes to federal contests.

    That’s according to a new 50-state analysis by the National Institute on Money in State Politics, which graded the states on disclosure requirements for super PACs, nonprofits and other outside spending groups.

    Fifteen states — Alaska, California, Colorado, Connecticut, Illinois, Maryland, Massachusetts, North Carolina, Ohio, Oklahoma, Oregon, Rhode Island, Texas, Washington and Wisconsin — received an “A” grade, meaning the states’ laws were at least as robust as federal independent spending requirements.


    New Jersey and Virginia, states where residents will be casting votes for governor and state legislature this year, were among 26 states that received a failing grade in the analysis  by the nonpartisan, nonprofit organization that focuses on the influence of campaign money on state-level elections and public policy in all 50 states.

    The others were Alabama, Arizona, Arkansas, Georgia, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New York, North Dakota, Pennsylvania, South Carolina, Tennessee and Wyoming.

    States were graded on a 100-point scale, based on how much information is provided to the public about non-candidate organizations that buy ads, often negative and misleading, just before an election. Six states — Alabama, Indiana, New Mexico, New York, North Dakota and South Carolina — didn’t garner a single point in the survey.

    Independent super PACs and nonprofits intent on influencing campaigns proliferated in the wake of the 2010 U.S. Supreme Court’s Citizens United v. Federal Election Commission ruling, adding about $1 billion in spending  in federal races in the 2012 election cycle.

    At the state level, lavish spending by outside groups often faces weaker disclosure rules than federal contests and receives far less media attention.

    The result is a mishmash of rules, with some states scrambling to pass legislation in the wake of the high court decision while others show little interest in enacting any changes.

    In South Carolina, for example, outside groups paid for ads attacking several state and local politicians in 2012 but were not required to report the spending.

    Two federal court decisions have left the state without “any rules” related to outside groups’ spending, according to Cathy L. Hazelwood, deputy director of the state Ethics Commission.

    State Sen. Wes Hayes, a Republican from Rock Hill, estimates that an anonymous group called Conservative GOP PAC, which despite its name has no apparent affiliation with the state’s Republican party, spent at least $100,000 on campaign fliers in an unsuccessful effort to unseat him.

    He concedes that’s just a guess.

    “I’ll never know the amount, just like I’ll never know who spent it,” Hayes says. Efforts to contact Conservative GOP PAC were unsuccessful, as the group has no office, no phone number, no website, did not file incorporation records with the state and no individuals have claimed membership in the organization.

    Non-candidate, independent spending on elections can be broken into two general categories: “independent expenditures” and “electioneering.” With independent expenditures, potential voters are asked to back or oppose a candidate. With electioneering, a candidate is named, but there’s no explicit request for support or opposition.

    In 25 of 50 states, electioneering advertisements are not required to be reported, according to the analysis by the National Institute.

    The term “electioneering communications” came to be with the passage of the Bipartisan Campaign Reform Act of 2002. The federal law requires such expenditures be reported, but it applies only to television and radio ads that air shortly before an election.

    In a few states, however, the definition of electioneering communications is broader than at the federal level, and may include non-broadcast expenditures like direct mail and print advertising. Independent expenditures refer to all expenditures used to support or oppose a candidate, including non-advertising costs like polling and yard signs.

    Points were withheld in the survey based on the level of disclosure and whether disclosure forms differentiate between independent spending and other types of campaign expenditures.

    While North Dakota scored a zero, the state passed legislation this year that will beef up disclosure requirements for outside groups once the law goes into effect Aug. 1.

    The National Institute’s rankings focus solely on spending and not on donors to the groups that are doing the spending. Increasingly, “social welfare” nonprofits — currently at the center of a scandal involving the IRS — and trade associations are being used to hide donors’ identities in both federal and state races.

    In New Mexico, outside political action groups spent heavily on races for the state Legislature, races that typically attract fewer than 20,000 voters. Once sleepy contests have become bruising battles fought through statewide television ads, said state Sen. Peter Wirth, a Democrat from Santa Fe.

    He’s pushed a bill requiring greater disclosure by outside groups through the Senate three times (twice with unanimous approval) only to see it die in the state House after frenetic lobbying by “very powerful special interests” from both parties, he says.

    “It’s bipartisan support in the open, and then behind the scenes it’s full-on bipartisan opposition,” Wirth says.

    But several states have enacted disclosure requirements that go beyond federal requirements.

    •In Maryland, corporations are required to alert shareholders about a company’s independent political spending;

    •A “stand by your ad” provision in a 2010 Massachusetts law requires that in corporate-funded ads, the CEO appear in the spot;

    •Alaska, California and North Carolina require independent expenditure groups to list their top donors in political ads.

    The National Institute’s rankings also factor whether states require independent spending groups to disclose which candidate they are targeting.

    Two states, Florida and Delaware, require that spending be made public but not the targets or the purpose of the spending. The result: It’s virtually impossible to track how much was spent by outside groups trying to hurt or help a particular candidate.

    Thirty-six states will elect governors in 2014. Edwin Bender, executive director of the National Institute on Money in State Politics, said he hopes states with poor grades will strengthen their reporting requirements.

    “The majority of states will elect their governors and other major statewide offices in 2014,” he said. “We think the public should know how much money is spent on these races, and by whom.” 

    John Dunbar contributed to this report.

    The Center for Public Integrity is a nonprofit, non-partisan investigative news organization in Washington, D.C. For more of its stories on this to go publicintegrity.org.

    For more information about money in state politics, visit www.followthemoney.org.

    More from Open Channel:

    Follow Open Channel from NBCNews.com on Twitter and Facebook 


  • Cyberattack on Florida election is first known case in US, experts say

    Internet security experts are keeping a close eye on a case in Miami that may be the first of its kind --an attempt to fraudulently obtain absentee election ballots online. Correspondent Mark Potter reports this is being seen as a wake up call to the risks involved in voting on line

    By Gil Aegerter
    Staff Writer, NBC News

    An attempt to illegally obtain absentee ballots in Florida last year is the first known case in the U.S. of a cyberattack against an online election system, according to computer scientists and lawyers working to safeguard voting security.

    The case involved more than 2,500 “phantom requests” for absentee ballots, apparently sent to the Miami-Dade County elections website using a computer program, according to a grand jury report on problems in the Aug. 14 primary election. It is not clear whether the bogus requests were an attempt to influence a specific race, test the system or simply interfere with the voting. Because of the enormous number of requests – and the fact that most were sent from a small number of computer IP addresses in Ireland, England, India and other overseas locations – software used by the county flagged them and elections workers rejected them.

    Computer experts say the case exposes the danger of putting states’ voting systems online – whether that’s allowing voters to register or actually vote.

    “It’s the first documented attack I know of on an online U.S. election-related system that’s not (involving) a mock election,” said David Jefferson, a computer scientist at Lawrence Livermore National Laboratory who is on the board of directors of the Verified Voting Foundation and the California Voter Foundation.

    Other experts contacted by NBC News agreed that the attempt to obtain the ballots is the first known case of a cyberattack on voting, though they noted that there are so many local elections systems in use that it's possible that a similar attempt has gone unnoticed.

    There have been allegations of election system hacking before in the U.S., but investigations of irregularities have found only software glitches, voting machine failures, voter error or inconclusive evidence. Where there has been evidence of a computer security breach -- such as a 2006 incident in Sarasota, Fla., in which  a computer worm that had been around for years raised havoc with the county elections voter database -- it was unclear whether the worm's appearance was timed to interfere with the election.

    In any case, experts say they’ve been warning about this sort of attack for years.

    Tim Chapman / Miami Herald

    About 2,000 rejected absentee ballots at Miami-Dade Elections Department, mostly for lack of signatures or review of signatures from the last election.

    “This has been in the cards, it’s been foreseeable,” said law Professor Candice Hoke, founding director of the Center for Election Integrity at Cleveland State University.

    The primary election in Miami-Dade County in August 2012 involved state and local races along with U.S. Senate and congressional contests (see a sample ballot here). The Miami Herald, which first reported the irregularities, said the fraudulent requests for ballots targeted Democratic voters in the 26th Congressional District and Republicans in Florida House districts 103 and 112. None of the races’ outcomes could have been altered by that number of phantom ballots, the Herald said.

    Overseas “anonymizers” -- proxy servers that make Internet activity untraceable -- kept the originating computers’ location secret and prevented law enforcement from figuring out who was responsible, according to the grand jury report, issued in December. The state attorney’s office closed the case in January without being able to identify a suspect.

    Read the Miami-Dade County grand jury report (PDF)

    Then came the Herald report, which said that three IP addresses in the United States had been identified among those sending the requests and that there had been a delay in getting that information to investigators, which a Miami-Dade elections official confirmed to NBC News. Terry Chavez, spokeswoman for the state attorney’s office for Miami-Dade County, also confirmed to NBC News that the investigation was reopened to look into those IP addresses. Chavez said she could release no details on the investigation.

    Rep. Joe Garcia won the Democratic primary in the 26th District and went on to win the general election. Jeff Garcia, his chief of staff and no relation, said last week that no state or federal investigators had contacted the congressman's office about the case.


    State Rep. Jose Javier Rodriguez, a Democrat who won the District 112 seat, said Thursday that his office had not heard from investigators about the case either. A message left at the legislative office of state Rep. Manny Diaz Jr., the Republican who won the primary and the general election in District 103, was not immediately returned.

    The Herald report said that as the requests began coming in, elections officials figured out that they were improper and started blocking the IP addresses. “I guess they finally gave up,” the newspaper quoted Bob Vinock, an assistant deputy elections supervisor for information systems, as saying. 

    People who study election security say the fact that this attempt did not succeed should be of little comfort to election officials. They warn that attempts to attack voting systems are likely to increase.

    “In this case the attack was not as sophisticated as it could have been, and it was easy for elections officials to spot and turn back,” said J. Alex Halderman, an assistant professor of computer science and engineering at the University of Michigan who studies the security of electronic voting. “An attack somewhat more sophisticated than the one in Florida, completely within the norm for computer fraud these days, would likely be able to circumvent the checks.”

    Fraudulently obtaining absentee ballots is just one way elections might be subverted by digital means, experts say. Among the other methods and attack points:

    •  Malware. Rogue software infects millions of home computers across the country. Jefferson said hackers could use malware to change votes or prevent them from being cast in an online election.
    • Denial of service attacks. Jefferson said that hackers could use botnets to prevent election-system servers from working for hours, or perhaps longer. In fact, during an election in June 2012, a DOS attack hit the San Diego County Registrar of Voters' website, preventing voters from tracking the results.
    • “Spoofing” of election websites. For example, Hoke said, legitimate requests for absentee ballots could be misdirected to another site. The data then could be misused, or the requests could hit a dead end, and voters would be left wondering where their ballots were.
    • Exploiting software flaws in digital voting machines, known as DREs. The flaws could allow insertion of viruses or alteration of programming code that would change votes or delete them. (Read one description of hacking a voting machine.)
    • Tampering with email return of marked ballots. Experts say email return is troublesome because of the multiple points for attack along the ballots’ electronic path. “The overwhelming consensus of the computer science community is don’t do it, it’s a bad idea,” said Jeremy Epstein, a senior computer scientist at SRI International. But in about half the states, email absentee ballot return is an option for members of the military and their families, along with some other U.S. citizens living overseas.
    • Wholesale hijacking of an online voting system. In 2010, the District of Columbia Board of Elections and Ethics tested an Internet-based voting system for a week, asking computer experts to probe it for flaws. It took only 48 hours for a team led by Halderman to break in and take control of the site – even altering it so that the University of Michigan fight song played after a vote was cast.

    Read the University of Michigan researchers’ report on the DC hack (PDF)

    In terms of illegally getting access to absentee ballots, Epstein said, the attacker or attackers who failed in Florida might have had an easier time with Washington state and Maryland.

    He said that last summer he demonstrated to the FBI a method of changing individual voters’ addresses and other information online in those two states by predicting their driver’s license numbers.

    J Pat Carter / AP file

    Absentee ballots for the general election marked for delivery to the U.S. Postal Service for mailing are seen at the Miami-Dade County election center in Doral, Fla., on Oct. 5.

    First he used publicly available information to gain a voter’s full name and address. Then, he predicted the individual’s driver’s license number – which is based on a combination of the person’s name and numbers and letters -- and used the information to access their voter registration online. From there, he said, he could have changed their addresses and had absentee ballots sent out.

    “Imagine if (attackers) changed the address for 2,500 votes. It could be completely automated, and they have the ballots sent to a post office box or whatever,” Epstein said. “Then the registered voters would have no idea until they tried to vote.”

    In October, Halderman and other researchers sent letters warning elections officials in both states of the danger of staking system security on driver’s license numbers.

    The letter to Washington officials (read it here in PDF) also said that other security features in the state’s MyVote system would be only a speed bump to a dedicated hacker.

    “Although the MyVote system uses a CAPTCHA, an image of distorted text intended to deter simple automated attacks, this provides only minimal defense,” the letter says. “Attackers can use commercial services to defeat the CAPTCHA at a cost of less than $0.001 per voter.”

    Shane Hamlin, assistant director of elections in the Washington Secretary of State's Office, told NBC News that state election officials have acted on the recommendations in the October letter and will require additional information to register to vote or change registration online.

    Maryland election officials did not immediately return a call from NBC News seeking comment, but the Washington Post reported last month that Ross K. Goldstein, deputy administrator of the Maryland State Board of Elections, acknowledged the security hole and said the online voter registration system was being updated to address the issue.

    “I believe technology can solve problems, and there are steps that we definitely can, and plan to, take to mitigate the risks,” the newspaper quoted him as saying.

    While elections officials are attracted to the savings that online voting and registration systems promise, the cost of guarding online registration and voting systems is large, Hoke said. And that might negate the financial advantage of online balloting touted by some elections officials and vendors who want to sell electronic voting products.

    “It’s cheap, if you don’t care whether elections are stolen,” she said.

    That possibility -- of an election being stolen through digital means -- haunts researchers. For Jefferson, it’s a matter of national security.

    “The legitimacy of government depends on it being impossible for single parties to change the results of elections,” he said.

    More from Open Channel:

    Follow Open Channel from NBCNews.com on Twitter and Facebook