The Conference Call

This wouldn’t have happened without me, but it also wouldn’t have happened if it was ONLY me.

No Lone Ranger

Peggy Lowe’s fun story about my self-appointed watchdog role investigating the Kansas-run Interstate Voter Registration Crosscheck (Crosscheck) program gives a great overview of the dogged pursuit of Crosscheck by citizen watchdogs resulting in its pause.

I love her story and am grateful for the publicity about Kansas Secretary of State and gubernatorial candidate Kobach’s terrible record and the risks Crosscheck poses for Kansas.

What her hometown hero story doesn’t capture is the teamwork that was involved, and the front-and-center critical work done by the amazing Indivisible Chicago team.

Getting to know one another

In late 2016 I was freaked out to learn that Kansas was paying for a free service for 25+ states. Working alone in Kansas, I started investigating. The first few months of my research revealed that voter suppression, while a concern, was only the third-worst thing about Crosscheck. (My ranking: data security/privacy/liability; misuse of the results to bolster a false narrative of widespread voter fraud; then suppression/purge risk). In July, after Kobach’s chairmanship of the Presidential Advisory Commission on Election Integrity Crosscheck state drew national attention, Indivisible Chicago started working on Crosscheck also. At first, neither of us knew of the parallel effort of the other. We eventually “met” on Twitter in late summer 2017.

And that’s when things really got good :) We decided to collaborate.

We agreed to have a conference call in early October to share information and discuss strategy.

The Timeline

A few weeks before the conference call, I’d finally received a response to an April Freedom of Information Act (FOIA) request to Florida. I’d asked for emails from Florida explaining why they’d withdrawn from Crosscheck, but what I got was…better.

On October 4th, during our conference call, I confided to my new team that I’d received some pretty jaw-dropping stuff proving Crosscheck’s lax data security in the Florida FOIA. Among other things, I’d received an email exchange between Kansas and Florida in which Kansas officials sent the encryption password to the Crosscheck results file - containing private data for millions of Americans - via plain text email. We all KNEW this was a big deal. (I remember a lot of laughing and excitement during this conference call. There was this gleeful sense that we were on to something big.)

The difference is that they knew what to do with it. I didn’t.

The day after the conference call, a member of their team fired off his own Freedom of Information Act requests. Soon, they had encryption passwords for many years of Crosscheck up through 2017 that had been sent through plain text email to 75+ people.

And they got more. A lot more. They contacted data security experts and journalists with what they’d found.

Less than three weeks later, the first article describing what they’d found and its significance was published by Jessica Huseman, followed a few weeks later by an even more detailed and damning article by Dell Cameron in November 2017.

By January 2018, there were hearings in Topeka on Crosscheck. To my knowledge, the Kansas legislature had never been briefed on Crosscheck before. Kobach vowed to redo the data security, but didn’t get it done. DHS visited. Crosscheck did not run in 2018 as a direct result of these revelations. And there are rumors that things almost got very ugly. (If you know anything about this, message me!)

So what DID I contribute?

I obtained the first concrete evidence of the incredibly lax data privacy and security procedures maintained by the Kansas and Arkansas officials running the Crosscheck program.

And I shifted the narrative around Crosscheck to data security and data privacy in a way that got attention from the people whose support we needed. Rather than approaching it from a partisan framework without supporting evidence, we had a concern that we could back up that resonated with nearly everyone. When I first spoke with one Kansas State Senator in spring 2017 about my concerns that Kansas would be on the hook for a catastrophic liability if Crosscheck were to be hacked, she said “I have never heard this angle before. This will open doors.”

The effect was similar in Springfield. One of the emails they obtained through FOIA even said something along these lines: “The voter suppression stuff we’ve heard before. But this data security stuff…WOW”

Early on in this process, we all seemed to realize that the strands of the rope we created were made up of individual contributions that were hard - and maybe counterproductive - to detangle. That said, I don’t want to get individual credit for the work they did, or, at most generous, we did together. Their graciousness and class are such that this is the message I got from up Chicago way in response to the KCUR piece:

No one over here is upset. On the contrary. We're happy. While credit for work is always nice, this is a major team effort and we all worked together. Nice job, and good on ya getting that interview.

I am proud to be a part of this success and thrilled to know these warriors of Indivisible Chicago. (Even though I STILL haven’t met any of them in person!)

There is an amazing story to be told about all that happened in Chicago in the days between October 5th and October 23rd, and all the way through the process of getting a bill through the legislature to remove Illinois from Crosscheck (only to have it vetoed by the governor).

They blew this whole data security thing out of the water.

Chicago journalists, get on this story!