Weak protection and free access Following Russia’s constitutional plebiscite, online voters’ passport data has been left publicly accessible
During Russia’s recent nationwide plebiscite, more than a million residents of the Moscow and Nizhny Novgorod regions cast their ballots online. Now, Meduza has discovered that passport data belonging to these voters are very easy to obtain; basically, this information has been left publicly accessible. What’s more, it turns out that some online voters were registered in the system twice, while others were able to vote even though their passports are officially considered invalid.
This translation has been edited and abridged for length and clarity
Step 1: download the archive degvoter.zip
On June 30, a source sent Meduza a photo of the official instructions for verifying information on online voters’ participation in Russia’s nationwide plebiscite on constitutional amendments. The Moscow City Election Commission had sent these instructions to territorial election officials the night before. The document didn’t include any markers indicating its secrecy or confidentiality.
Following these instructions, election officials at local precincts could use a special program, a specifically worded SMS message, or phone a call center operator, to find out whether or not a particular citizen had registered as an online voter, and confirm whether or not that person had actually ended up voting remotely. Information on a particular voter could be verified using their passport number.
This verification was required to ensure that only those residents who had registered to vote online but hadn’t managed to cast their ballots during the online voting period (June 25 and June 30), would be able to cast paper ballots at their local polling stations on the final day of voting — July 1.
To access the program, the first thing you had to do was download it. The instructions included a link to an encrypted archive, degvoter.zip, along with a password. The archive was located on a government website. What’s more, it was freely accessible: on July 1 — between 9:00 a.m. and 12:00 p.m., Moscow time, at the very least — anyone who wanted to could download the archive.
The archive included passport information for all online voters
The program for online voter verification took the form of a small executable file called degvoter.exe. Once downloaded, it prompts you to enter the number and series of a Russian citizen’s passport, and then it tells you whether or not the person in possession of this passport was given “access to [their] ballot for remote electronic voting.” If you try entering a random passport number and series, it will most likely tell you that this passport can’t be found “on the list of remote voting participants.”
Online voters’ passport information — along with a marker indicating whether or not they voted — was located in a db.sqlite database, which wasn’t password protected. However, the passport numbers and series in the database weren’t in cleartext: they were encoded as alphanumeric sequences using a hash function. Taken together, it works like this: based on the passport data the user enters, the program degvoter.exe computes a hash code, and then searches the database for this hashcode and the corresponding voting marker.
That said, you can successfully access this information without the hash codes. Meduza discovered that deciphering online voters’ passport information turns out to be very simple.
Each of the hash codes recorded in the database contained 64 alphanumeric symbols. There are a number of different hash functions that can be used to generate these kinds of sequences. To find the right one, we used these functions to generate hash codes based on the passport data of several real online voters, and then compared them to the hash codes in the database.
As it turns out, all of the passport data was hashed using the cryptographic hash algorithm SHA-256. Once we knew that, we were able to use the password cracker John the Ripper to restore the passport data of online voters.
As a result, we gained access to 1,190,726 entries with passport data. According to official data, this is exactly the number of voters who registered for remote electronic voting. In other words, given the degvoter.zip archive’s weak protection and free access, the Russian authorities have essentially made the personal information of all online voters from the Moscow and Nizhny Novgorod regions publicly accessible.
Keep in mind that this isn’t the first time that Russia’s online voters have seen their personal information leaked. Immediately after the Moscow City Duma elections in the fall of 2019, Alexey Navalny’s Anti-Corruption Foundation (FBK) obtained a complete list of Moscow’s online voters. A Meduza investigation concluded that it was highly likely that the data was genuine.
We analyzed the data and it looks real
According to the Russian government’s decree number 828 (which dates back to 1997), the numbering on Russian passports must consist of three groups of digits: “the first two groups are made up of four digits, indicating the passport book’s series, while the third group is made up of six digits, indicating the passport book’s number.”
The first two digits in the series number are based on the region where the passport was issued: for example, passports issued in Moscow have a series number starting with “45.” The last two digits of the series number usually indicate the year the passport was issued.
All total, 921,176 of the passports had series numbers containing the issuing code for Moscow (45), while 135,723 had the code for the Nizhny Novgorod region (22). There were also 47,463 passports with the code or the Moscow Region (46). Each of Russia’s other regions had less than 3,000 passports with their corresponding issuing codes in the database.
These numbers correspond with the official data on the total number of people who signed up for online voting: 1,051,000 Muscovites registered to vote online, along with 139,726 voters from the Nizhny Novgorod region.
According to their series numbers, the majority of the passports in the database were issued between 1997 (the year the Russian Federation started issuing its first passports) and 2020. What’s more, the database only included 89 entries where the last digits of the passport’s series number didn’t correlate with the year it was issued.
Some voters were able to vote twice
Judging by the voting markers in the database, 1,107,594 electronic ballots were issued to online voters (clearly, some of the registered voters didn’t end up participating in the vote). This is slightly less than the official number of ballots issued: 1,107,648.
Meduza found 97 passports that had been recorded in the database twice. As such, it’s possible that the total number of real online voters (including those who cast electronic ballots and those who only registered to vote) could be less than the official number (by almost 100 people).
Six of the passports with two entries had a marker indicating that the voter didn’t take part in online voting. For the remaining 91 passports, one marker confirmed that the voter had already voted online, while the other indicated that they had yet to vote.
The program degvoter.exe — which election officials at local polling stations were able to use to verify if an individual had voted already — reacted differently to these double entries with and without voting markers (depending on which one was recorded first). In 25 of the 91 cases, the program claimed that the voter in question had yet to vote, even though the marker next to the passport’s second entry asserted the opposite. As such, theoretically, a voter in possession of one of these passports could have gone to their local polling station on July 1 and “proven” to local election officials that they had every right to receive a paper ballot.
Thousands of invalid passports
The website for the Russian Interior Ministry’s migration department offers a service that allows you to check if a Russian passport has been deemed invalid (such as passports that have been lost or stolen, or ones that have expired). In addition to searching for a specific passport, you can also download the entire database with the list of invalid passports, which is updated periodically.
Meduza obtained two copies of this list, downloading one version from the Interior Ministry website on May 22, 2020 and the other on July 3, 2020. In other words, we obtained one version from before the rescheduled date of the constitutional plebiscite was announced and one from the day that the votes were tallied.
We compared all of the online voters’ passport data against the information in each of these databases. In both cases, according to the information from the Interior Ministry, thousands of online voters’ passports were considered invalid: 2,347 of the entries came up in the May 22nd version, while the July 3rd version included 4,720 of them.
What’s more, 209 passports belonging to online voters were listed as invalid in the May 22nd version of the database, but were not included in the July 3rd list.
Meduza also checked the voting markers, and it turned out that that majority of the individuals in possession of these invalid passports participated in online voting. Of the 4,720 entries that came up in the July 3rd version of the database, 4,233 had cast their ballots online (according to the May 22nd version, it’s 2,060 out of 2,347).
Don’t believe us? See for yourself. The Russian version of this investigation includes a table with a list of data on the 4,720 invalid passport numbers that came up in the Interior Ministry’s database. You can pick a passport number and series, and go to their website to confirm that the passport is actually invalid. To verify that this passport was used to register for online voting, there’s a special service available on the website of Russia’s Central Election Commission.
Translation by Eilish Hart