

The Informed Voter’s Guide to Making Sure Your Vote Counts

Worried about voting? Here’s what to know before you go.

ProPublica’s Collaborative Data Journalism Guide

Learn tips and best practices on how to set up and run a collaborative reporting project.

Latest Stories

Law Enforcement Files Discredit Brian Kemp’s Accusation That Democrats Tried to Hack the Georgia Election

Volunteers and staff for Republican gubernatorial candidate Brian Kemp hold a phone banking event at his campaign office in Atlanta on Nov. 5, 2018. (Leah Millis/Reuters)

It was a stunning accusation: Two days before the 2018 election for Georgia governor, Republican Brian Kemp used his power as secretary of state to open an investigation into what he called a “failed hacking attempt” of voter registration systems involving the Democratic Party.

But newly released case files from the Georgia Bureau of Investigation reveal that there was no such hacking attempt.

The evidence from the closed investigation indicates that Kemp’s office mistook planned security tests and a warning about potential election security holes for malicious hacking.

Kemp then wrongly accused his political opponents just before Election Day — a high-profile salvo that drew national media attention in one of the most closely watched races of 2018.

“The investigation by the GBI revealed no evidence of damage to (the secretary of state’s office’s) network or computers, and no evidence of theft, damage, or loss of data,” according to a March 2 memo from a senior assistant attorney general recommending that the case be closed.

The internet activity that Kemp’s staff described as hacking attempts was actually scans by the U.S. Department of Homeland Security that the secretary of state’s office had agreed to, according to the GBI. Kemp’s chief information officer signed off on the DHS scans three months beforehand.

Although there was no malicious hack, the GBI files also report that the state’s website where voters can check their information did have a significant vulnerability — a flaw Kemp’s staff still won’t acknowledge a year and a half later.

Candice Broce, Kemp’s spokeswoman, continued to insist Friday that elections officials responded to a “failed cyber intrusion,” despite the GBI’s findings that scans came from DHS.

“The attorney general determined that the secretary of state’s office properly referred this matter to law enforcement for investigation,” Broce said. “The systems put in place by Brian Kemp as Georgia’s secretary of state kept voter data safe and secure.”

In 2018, while the secretary of state’s office rushed to fix the vulnerability before Election Day, Broce, who was also Kemp’s spokeswoman then, said the last-minute patches to the website were “standard practice.”

The attorney general’s office in March closed the investigation Kemp started, finding no evidence that would justify a prosecution.

After the investigation ended, The Atlanta Journal-Constitution used the Georgia Open Records Act to obtain 395 pages of GBI case files, including interview summaries, emails and election security reports.

“Accusing an opponent of criminal acts without basis in fact, and lying to the public to cover up their own ineptitude, was a breach of public trust,” Sara Tindall Ghazal, the Democratic Party of Georgia’s voter protection director at the time, said in an interview. Ghazal helped alert authorities to the election website vulnerabilities.

The GBI files don’t explain the basis for the decision by Kemp’s office to blame the Democratic Party or support his accusation. Kemp went on to narrowly defeat Democrat Stacey Abrams in the election for governor.

Raising the Alarm

Events unfolded quickly when Richard Wright, a Roswell voter, noticed vulnerabilities in the state’s election website shortly before voters went to the polls Nov. 6, 2018, according to the case files.

Wright, a Georgia Tech graduate and Democratic voter who works for a software company, had listened to a news report about a lawsuit over election security. He then checked his voter registration information and used his web browser’s built-in tools to analyze the state’s My Voter Page.

“When visiting the MVP site, I was curious if there were security issues given the recent news coverage I had heard,” Wright wrote in a response to questions from the attorney general’s office.

Wright found that he could look up other voters’ information by modifying the web address on the site, a flaw confirmed by ProPublica and Georgia Public Broadcasting before it was fixed.

He also made more disconcerting claims, that someone could “download any file on the system” as well as voters’ driver’s license numbers and partial Social Security numbers. Those allegations were not substantiated. Wright told investigators he didn’t attempt to look at any information on the website other than his own and his wife’s.

Kemp’s office disputes Wright’s allegations.

“Richard Wright’s allegations — sent through the Abrams campaign and funneled to the Democratic Party of Georgia — were false because you could not access confidential voter data,” Broce said.

After discovering the vulnerability, Wright contacted plaintiffs in the election security lawsuit and the Democratic Party of Georgia. They passed along his concerns, which soon reached the FBI, the National Security Agency, the GBI, the Abrams campaign, Georgia Tech professors and attorneys for the secretary of state’s office.

Kemp’s staff began looking into Wright’s claims. If true, they would be another blemish on Kemp’s election security record after his office had previously exposed voter data and wiped election servers soon after being sued. His staffers, however, suspected hacking.

“Our vendor’s research shows that the only way to accomplish this on the site is using tools designed to attack websites, which is what we fear is happening here,” Ryan Germany, Kemp’s general counsel, wrote in a Nov. 3 email. “Our vendor is making changes tonight to resolve the issue and is reviewing logs, but after our initial research it seems that we are dealing with an intentional attempt to hack a website.”

An election security vendor for the state, Fortalice Solutions, later concluded, however, that there was no evidence that voter information had been accessed, manipulated or changed by bad actors.

Fortalice also confirmed vulnerabilities that exposed files on the My Voter Page. DHS exploited those vulnerabilities when it was testing Georgia’s election system in October 2018, according to the GBI files. Details of Fortalice’s findings were redacted from those files. The company said the vulnerabilities did not reveal confidential voter information.

Nevertheless, “having an unpatched vulnerability like this is a really big problem,” said Richard DeMillo, a Georgia Tech cybersecurity professor contacted by the Democratic Party with Wright’s concerns. “Since we know that the Russians were probing voter registration sites, why would you assume this kind of vulnerability wasn’t something they could exploit?”

Hacking Fears

Wright’s email to the Democratic Party included an attached file that showed his web browser’s interactions with the My Voter Page. The way the website worked suggested to Wright that the system could be exploited.

When that email reached Kemp’s office, Broce told investigators she thought the attachment was a script that could be used for hacking.

That wasn’t true, according to a GBI digital forensic investigator. The file was “merely a roadmap” of the website’s behavior.

But someone else was probing Georgia’s election websites: the U.S. government. The federal Cybersecurity and Infrastructure Security Agency confirmed it was conducting cyberhygiene scanning to find vulnerabilities, tests that had been approved in advance by Kemp’s office.

Broce, who was both Kemp’s press secretary and a staff attorney, told investigators she was concerned that Wright had “spoofed” internet addresses to make it look like they were coming from DHS. Investigators later confirmed with Homeland Security officials and their network providers that they were the source of the scans.

It remains unclear how Kemp’s staff concluded that the Democratic Party was responsible for a hacking attempt. The party’s only role was that it had forwarded an email about vulnerabilities to two cybersecurity professors at Georgia Tech, including DeMillo, who then alerted authorities. The GBI did not interview Kemp about the case.

“Instead of immediately addressing the problem, it became political. It became an attack on the Democratic Party on the eve of the election,” said David Cross, an attorney for plaintiffs in the election security lawsuit against the state. “I don’t see any way anyone could have a genuine belief there was any hacking done at all, much less by the Democratic Party.”

While publicly denying Wright’s claims about vulnerabilities, behind the scenes, Kemp’s staff was working to correct them.

ProPublica and GPB reported on the day before the election that Kemp’s office was patching problems with the state’s election website, even as Kemp maintained the system was secure. The GBI files confirmed that the My Voter Page was modified to restrict access to vulnerable areas.

The secretary of state’s firewall hadn’t been set up to block access to the locations identified by Wright, according to a GBI agent’s report. Election officials then “set up safeguards to restrict access to the vulnerable areas” on the last two days before the 2018 general election.

ProPublica found at the time that the vulnerability gave access to some nonconfidential information on the My Voter Page, such as a voter’s absentee ballot status. Birthdates, Social Security numbers and driver’s license numbers weren’t available. It wasn’t clear what sensitive information, however, could have been inadvertently accessible before programming errors were fixed.

Even if the security vulnerabilities revealed public information, web pages would have been nonetheless visible to people who shouldn’t have been able to see them. The flaws also exposed details of the computer system that could have given hackers a road map to inflict greater damage.

Georgia election officials and their cybersecurity companies should have detected the problem before Wright brought it to their attention, said Frank Rietta, the CEO of, a web application security firm based in the Atlanta suburb of Alpharetta. Users of the My Voter Page were able to access voter registration information without first logging in.

This type of weakness, called broken access control, is one of the 10 most critical web application security risks, according to the Open Web Application Security Project, an organization that works to improve software security.

“The fact that there’s one vulnerability is an indication that there might have been other vulnerabilities,” Rietta said. “We should want to fix vulnerabilities, not pretend they’re not there until it is exploited by the bad guys.”

When Kemp’s office found out about the problem, Broce repeatedly dismissed it. While some of Wright’s concerns weren’t validated, the GBI files confirmed that anyone could alter web addresses to access other voters’ information on the My Voter Page.

Then Broce said changes to the website were routine, meant to accommodate high traffic prior to Election Day, when in fact election officials were fixing a vulnerability Wright had brought to their attention.

“We make changes to our website all the time,” Broce told ProPublica and GPB at the time. “We always move our My Voter Page to a static page before Election Day to manage volume and capacity. It is standard practice.”

Even after the GBI cleared Wright, Broce said the investigation was appropriate.

Wright declined to comment for this article, but he answered a list of questions for the attorney general’s office about his findings.

“I do not engage in ‘hacking’ activities. I reported the vulnerability that I discovered on the SOS My Voter Webpage because I was concerned that our elections process might not be secure,” Wright wrote.

Broce suspected a Democratic Party plot to undermine Kemp’s credibility, according to an interview with the GBI.

She was also facing questions about security weaknesses from reporters for the website WhoWhatWhy, who she speculated were working with the plaintiffs in the election security lawsuit.

Broce told investigators that cybersecurity companies had identified attempts to exploit voter registration websites, but they weren’t able to verify where the scans came from. Those companies later verified that they originated with Homeland Security.

Soon after WhoWhatWhy published its article alleging that a hacker could compromise Georgia’s election, Broce posted a press release on the secretary of state’s website saying that the office was opening an investigation of the Democratic Party, alleging a hacking attempt.

Ghazal, with the Democratic Party, said in an interview that the party reported the website vulnerabilities but made no effort to publicize them, contact news media or turn them into an attack.

Electionland 2020: Trump on Vote by Mail, Poll Worker PPE, Naturalizations and More

Trump’s Crusade Against Vote by Mail

In both his public appearances and on Twitter, President Donald Trump has continued to rail against mail voting, and has accused Democrats of trying to rig the election. This set off alarm bells among voting rights advocates and experts who believe the president is setting the stage to delegitimize the election if he loses. Then, this week, the president tweeted again about mail voting, and Twitter labeled his tweets with a message “Get the facts about mail-in ballots,” which linked to this fact-check page. After falsely accusing Twitter of interfering in the election and stifling free speech, Trump threatened “Big action to follow!” On Thursday, Trump signed an executive order that aims to limit the power of social media companies.

Ignoring Trump and Right-Wing Think Tanks, Red States Expand Vote by Mail

An Ohio voter drops her ballot into a box outside the Cuyahoga County Board of Elections on April 28 in Cleveland. (Tony Dejak/AP Photo)

On April 23, during the same week that Kentucky’s Republican secretary of state said he was contemplating a “significant expansion” of vote by mail, the Public Interest Legal Foundation emailed one of his employees under the subject line “28 MILLION ballots lost.”

“Putting the election in the hands of the United States Postal Service would be a catastrophe,” wrote J. Christian Adams, president of PILF, a conservative organization that has long complained about voter fraud. His missive contended, with scant evidence, that “twice as many” mailed ballots “disappeared” in the 2016 presidential election than made up the margin of votes between Hillary Clinton and Donald Trump.

The state worker forwarded the message to his supervisor, who ignored it, according to emails obtained through a public records request. Only days later, Kentucky finalized its plan for the biggest increase in vote by mail in the state’s history. Secretary of State Mike Adams (no relation to J. Christian) said he had little trouble persuading legislators to pass the measure. “I’ve been pleasantly surprised on social media and elsewhere,” he said. “Republicans and Democrats both have been supportive of what we did.”

A Conservative Legal Group Significantly Miscalculated Data in a Report on Mail-In Voting

Mail-in ballots being reviewed in Ohio last month. A study from a conservative legal group suggesting that voting by mail opened the door to widespread fraud appears to have been based on flawed data. (Matthew Hatcher/Getty Images)

In an April report that warns of the risks of fraud in mail-in voting, a conservative legal group significantly inflated a key statistic, a ProPublica analysis found. The Public Interest Legal Foundation reported that more than 1 million ballots sent out to voters in 2018 were returned as undeliverable. Taken at face value, that would represent a 91% increase over the number of undeliverable mail ballots in 2016, a sign that a vote-by-mail system would be a “catastrophe” for elections, the group argued.

However, after ProPublica provided evidence to PILF that it had in fact doubled the official government numbers, the organization corrected its figure. The number of undeliverable mail ballots dropped slightly from 2016 to 2018.

Whether the Ballot You Mail Is Counted May Depend on Where You Vote

A voter waits to drop off a ballot at the Board of Elections in Dayton on Tuesday after the Ohio primary shifted to an exclusively vote-by-mail system to reduce the coronavirus spread. (Megan Jelinger/AFP via Getty Images)

The April 6 guidance from the U.S. Supreme Court seemed final: Election officials in Wisconsin should only count absentee ballots postmarked on or before the next day’s voting. Then, in the days after the chaotic primary, thousands of ballots poured in with missing or illegible postmarks — an issue the court had not directly addressed. Throwing up its hands, the Wisconsin Elections Commission left it to local officials to decide if ballots had been mailed on time.

2020 Political Ad Collector

How Political Advertisers Target You on Facebook

Who Has Emergency Authority Over Elections? Nobody’s Quite Sure.

Primary day in Whitmore Lake, Michigan, on March 10. The COVID-19 pandemic has exposed severe limits on how election officials can respond to emergencies. (Erin Kirkland/Bloomberg via Getty Images)

The tug of war over whether and how to hold Tuesday’s Wisconsin primary exposes a national problem: State and local officials with the most experience running elections lack the power to revamp or postpone voting during a crisis.

Voting by Mail Would Reduce Coronavirus Transmission but It Has Other Risks

Election worker Ruth Ard opens vote-by-mail ballots for the presidential primary on March 10 in Renton, Washington. (Jason Redmond/AFP/Getty)

As COVID-19 spreads, many are proposing to hold the November election by mail. Without careful preparation, though, the transition could run into logistical problems and provide opportunities for voter fraud.

Elections May Have to Change During the Coronavirus Outbreak. Here’s How.

Empty voting stations at a Florida precinct during Tuesday’s primary. Polling volunteers say that in-person turnout is down at most locations due to fears of the COVID-19 virus. (Zack Wittman for the Washington Post)

As the novel coronavirus spreads through the U.S. during presidential primaries, election and government officials are scrambling to figure out how to allow voters to cast their ballots safely ― or postpone primaries altogether. Managing in-person voting during an unprecedented pandemic has forced authorities to overcome new virus-related hurdles: providing sufficient cleaning supplies to polling places, moving polling places out of nursing homes and ensuring there are enough poll workers.

There’s also a huge open question: If the virus continues to infect large numbers of people, how can the general election take place safely this fall?

We’ve Reported on Elections for Years. Here’s How Reporters Can Hold Officials Accountable.

Californians vote using new touch-screen machines on Super Tuesday, March 3, in Los Angeles. (Melina Mara/The Washington Post via Getty Images)

As part of our Electionland project, we work with journalists around the country to provide reporting resources about voting rights, election security and election-related misinformation. We’ve put together a series of tips and ideas about how local reporters can tackle election reporting well ahead of the general election.

Some Election-Related Websites Still Run on Vulnerable Software Older Than Many High Schoolers

Diego Patiño, special to ProPublica

The Richmond, Virginia, website that tells people where to vote and publishes election results runs on a 17-year-old operating system. Software used by election-related sites in Johnston County, North Carolina, and the town of Barnstable, Massachusetts, had reached its expiration date, making security updates no longer available.

Republican National Committee Obscured How Much It Pays Its Chief of Staff

President Donald Trump at the 2018 Republican National Committee winter meeting at the Trump International Hotel in Washington. The RNC has covered costs or made payments that are personally beneficial to the president. (Mandel Ngan/AFP via Getty Images)

Amid the record-breaking flows of cash, the RNC is giving lucrative consulting work to a select group of political operatives with Trump campaign ties.

The Iowa Caucuses App Had Another Problem: It Could Have Been Hacked

Precinct captain Carl Voss of Des Moines, Iowa, shows the IowaReporterApp on his phone. (Nati Harnik/AP)

A glitch in the smartphone app used to count and report votes from individual precincts continues to delay results from Monday’s Iowa caucuses. But a closer look shows that the app had a potentially graver problem that apparently did not come into play: its vulnerability to hacking.

Iowa’s Lesson: Political Parties Are Not as Good as Government Officials at Counting Votes

Mackenzie Mcilmail awaiting results of the Iowa caucuses at a Bernie Sanders campaign event Monday in Des Moines. (Salwan Georges/The Washington Post via Getty Images)

Here’s the takeaway from the Iowa fiasco: Beware of caucuses run by political parties. But don’t panic about the integrity of most primaries and the general election, which are run by state and county election administrators.

Help Us Cover the Election With Electionland 2020

Erin Lefevre for ProPublica

ProPublica is relaunching its collaborative project for a third time to cover voting during this crucial election year. We’re recruiting newsroom partners.

About Electionland

Electionland is a coalition of newsrooms around the country that are covering misinformation, cybersecurity, and problems that prevent eligible voters from casting their ballots during the 2020 elections.
