Recommendations for Election Officials
State and local election officials are the most important actors in addressing the use of disinformation to suppress votes. They must establish themselves as trusted sources of accurate information for voters in their communities. The most urgent response to instances of disinformation to suppress voting is to disseminate correct information, which is discussed immediately below. But officials cannot wait for incidents to come along. This paper describes crucial preparations that should be made long in advance.
1. Develop plans and procedures to publicize corrective information
The most important way to respond to disinformation is to correct it with the truth without helping to spread the lie, a task that requires long-term planning and infrastructure building. It is too late to formulate a plan on Election Day, or even during early voting periods. Instead, agencies should formulate written procedures that cover what to do and who should do it when deceptive practices are discovered. Relevant staff members should receive checklists and training that includes simulated incidents or tabletop exercises.
The DHS Cybersecurity and Infrastructure Security Agency (CISA), offers standardized incident response plans, trainings, and simulated disinformation scenarios to assist state and local agencies. The Belfer Center for Science and International Affairs has outlined best practices for communicating with the public to counter false information.
Establish channels of communication with key actors
The goal of contingency plans is to prepare to most effectively correct false information with the truth without helping to spread lies. When officials find instances of disinformation about voting, they should proactively distribute accurate information to all the appropriate actors and channels, including:
- election officials’ websites, social media accounts, and other channels
- individuals staffing phone lines and reception areas at election offices
- information-sharing networks like the voter assistance coalition Election Protection
- media outlets that serve affected communities, including those in languages other than English
- community groups and faith leaders
- parties and candidates running in the relevant election
Officials should establish these channels of communication long before Election Day. Relationships must be built and maintained over time, not when an emergency is already underway. Establishing lines of communication early allows election officials to include points of contact in their plans. That way, when disinformation is detected, officials can simply go down the list of contacts and share corrections with the relevant individuals and groups. In addition, ongoing communication helps inform political actors of whom to contact to report incidents. Community groups, for example, may be the first to discover disinformation about voting, and information will be shared most efficiently if they know the right election official to report it to.
Election agencies should consider naming an individual official or a small team to lead information collection, which includes processing reports that are made to an official email address, phone number, or social media account. The same official or team should also monitor social media more broadly for false content or receive direct reports from staff or vendors who are monitoring digital content. And a single authority should be in charge of sharing information about incidents with appropriate networks and informing affected communities of the correct information. Without clear accountability, issues and incidents may fall through the cracks.
Do not repeat falsehoods
Messages from election officials correcting disinformation should not repeat falsehoods. Research shows that repeating falsehoods to debunk them can backfire and make people more likely to remember the false information. If officials consider it absolutely necessary to include the original disinformation, they should structure the messages to present accurate and easy-to-understand information first, warn that the disinformation is false before mentioning it, and repeat the facts. People are more likely to remember the first and last things they hear, as well as information that’s repeated.
As an example, during the Texas presidential primary on Super Tuesday, robocalls told voters to vote “tomorrow.” The official Twitter account of the Texas secretary of state alerted the public that false information was being circulated and provided correct information without repeating the falsehood.
2. Publicize official sources of accurate information to build public trust
Election officials must work to build resilience to disinformation long before Election Day. Accurate information from a trusted source provides the most effective shield against deceptive vote suppression. Accordingly, election agencies should build public trust in specific sources of information before disinformation attacks occur. They should proactively inform the public of key information like dates for voting and encourage voters to look up polling places and registration status well in advance.
State and local agencies should designate and publicize specific sources of information — at a minimum, a phone number and website — as authoritative. They should provide an official email address and maintain social media accounts on platforms popular in local communities. When using traditional forms of outreach like mailers and advertising, agencies should direct voters to official digital sources.
Wherever possible, election agencies and officials should ensure their social media accounts are designated as official by the associated platforms — for example, as a verified or “blue check” account on Twitter. The procedures and requirements for obtaining verified accounts vary depending on the platform. Some local election officials have had difficulty getting verified due to issues such as low follower counts. Social media companies ought to accommodate local governments, but if they do not, involvement by state officials could help. For example, Arizona Secretary of State Katie Hobbs has worked with social media companies to get county administrators’ accounts verified.
Election agencies and officials should not allow their social media accounts to lie dormant, but rather should work actively to gain followers, including journalists and community groups. They should maintain uniform icons, logos, and other branding across all media — including websites and social media accounts, which should link to each other.
The National Association of Secretaries of State (NASS) initiative #TrustedInfo2020 promotes election officials as reliable sources of voting information. Election officials should participate by using the hashtag to help direct audiences to their websites and social media accounts.
Officials should also find ways to distribute information to relevant audiences. In California, for example, officials collected millions of email addresses during the voter registration process, then sent an email to that list directing voters to the official state elections guide. Illinois officials bought YouTube ads pointing viewers to county election websites. Officials should make information accessible to members of the community who speak languages other than English and to people with disabilities. Finally, officials should frequently review and update digital materials to help ensure their accuracy.
3. Protect official sources from hacking and manipulation
The potential for bad actors to hijack official sources of election information — either through spoofing or hacking — represents perhaps the gravest threat to the ability of election officials to disseminate accurate information and maintain public trust. Accordingly, election agencies should invest in security measures to protect those information sources from hacking and manipulation.
Spoofing protections
“Spoofing” is what happens when bad actors set up look-alike websites with similar or disguised URLs to divert audiences from official sources. In 2019, a government imposter sent a phishing scam to thousands of email addresses, using the web domain “uspsdelivery-service.com” to mimic the U.S. Postal Service website. Officials should regularly check for attempts to mimic their websites and consider using services that offer custom monitoring.
Election agencies should use a .gov domain for their websites rather than other options such as .com, which are easier to spoof. A survey by computer security company McAfee found that fewer than 2 in 10 counties in anticipated 2020 battleground states are doing so. Using a .gov domain offers protections like two-step verification and monitoring from federal agencies like DHS, the General Services Administration, and the National Institute of Standards and Technology.
Additionally, agencies should encrypt their official websites with Secure Sockets Layer (SSL) technology, which is signaled to users with an “HTTPS” prefix in the URL and, in most browsers, a lock icon. They should use search engine optimization to improve their rankings in search engine results. Officials should regularly monitor for search engine manipulation by copycat websites and report spoofing attempts to the relevant search engine company.
Bad actors may set up fake social media accounts to masquerade as election officials. During the 2016 election cycle, for example, operatives of Russia fooled some Twitter users into thinking that their @TEN_GOP account was a mouthpiece of Tennessee Republicans. Officials should regularly monitor platforms for these copycat accounts and report them to the relevant social media companies.
Hacking protections
Bad actors can hack websites, email accounts, and social media accounts to take control of official channels. For example, in 2019, hackers took over Twitter CEO Jack Dorsey’s account and tweeted racist messages from his Twitter handle. Late in the day of a primary election in Knox County, Tennessee, hackers shut down the local election commission’s website for an hour, disrupting the publication of early results. And in a July 2020 scam, hackers took control of several prominent Twitter accounts, including those of politicians, and urged their followers to send them Bitcoin. Overall, the risk for cyberattacks — including ransomware attacks on election infrastructure — has increased in 2020 as Americans have shifted to working from home due to the Covid-19 pandemic.
Officials should implement cybersecurity best practices, such as the Brennan Center’s detailed recommendations for election infrastructure and staff training. Agencies should maintain tight controls on who has the ability to make changes to official websites. When employees leave, their credentials should be removed immediately. Log-in credentials for website edits should include strong passwords that are changed regularly and multifactor authentication, and automatic logout should occur after a period of inactivity. Agencies should install software updates immediately and consider the use of a web application firewall.
Election agencies should catalog social media accounts — including those that belong to the agency itself and those of individual officials — along with a list of individuals with log-in credentials for each account. Officials should protect their accounts with strong passwords and multifactor authentication, and they should change passwords regularly, especially as an election approches. Agencies should consider a comprehensive social media policy that directs staff to exercise caution when posting election information, even on personal accounts, to prevent them from sharing inaccurate information. Staff should receive regular training on how to avoid phishing scams. They should never use personal email accounts for official business.
Officials should monitor agency websites and social media accounts at least once a day for hacking and prepare to recover hacked sites and accounts. They should identify points of contact with social media companies for troubleshooting problems like losing control of an account. Some platforms offer enhanced protection for official accounts.
Election agencies should back up websites and other resources that will be needed by voters confused by disinformation, like polling place lookup tools and voter registration checks. They should have contingency plans for how they will keep voters informed if online tools are disabled. It is also useful to stress test web-based tools and databases ahead of time to learn how much traffic they can handle.
The Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), a nonprofit membership organization for election officials, offers guidance on how to secure websites against hacking, as well as a service that checks domains for outdated software. CISA offers cybersecurity assessments that can help secure official web portals and protect against phishing attacks that may endanger website credentials.
4. Monitor for disinformation
Officials must actively monitor for disinformation that could suppress votes in their jurisdiction. This requires dedicating staff time to searching for it and creating channels for others to report incidents. Officials should also work with social media companies, notifying them of activity that may violate their terms of use, and participate in broader information-sharing networks.
Set up an ongoing monitoring operation
Election officials in every state — ideally at both the state and local levels — should monitor social media for false information about how to vote. They should conduct monitoring efforts in consultation with legal counsel. Monitoring should focus on the relevant jurisdiction, of course, as well as communities typically targeted by vote suppression. Search terms should include concepts around voting logistics, including dates and locations for voting and details about voting by mail. Disinformation is also likely to mention candidates or parties standing in local elections.
There are services that can assist with monitoring efforts. The MITRE Corporation, for example, offers a tool designed to quickly analyze reports of disinformation and help election officials report incidents up their agency hierarchy. Commercial social media monitoring or “listening” services — some available for free — can track mentions of elections or voting procedures in a jurisdiction.
Set up channels for officials to receive reports of disinformation
Election officials should provide and publicize a clear line of communication for voters, journalists, internet companies, and officials in other jurisdictions to report deceptive practices. At a minimum, there should be an email address and phone number, but official social media accounts are also useful. For example, California’s secretary of state launched Vote Sure, an initiative to increase voter awareness of false and misleading information, and has directed the public to report disinformation to a dedicated email address.
Report content that violates platform policies and check for takedowns
Election officials should report instances of disinformation to the relevant internet company. While the platforms’ terms of use differ, most major social media companies have some form of prohibition against deception about voting. Election officials should establish contacts at key platforms in advance of the election. They should report disinformation to their specific point of contact — not through a “flagging” option, which is often an inadequate mechanism to address voter deception and leaves no way to monitor platform responses. On Facebook, for example, users can report content as “voter interference,” but that only triggers monitoring for trends in the aggregate; it does not lead to a manual review for takedowns. Officials should look online to check whether false posts, shares, or retweets have actually been removed, and if the disinformation is still live, they should follow up with their contacts.
Participate in information-sharing networks
Officials should participate in information-sharing networks with other election officials, federal government agencies, internet companies, and community groups. For example, the national nonpartisan coalition Election Protection, which operates the voter help line 1–866-OUR-VOTE, provides voter information and maintains contact with election officials across the country. Election Protection coalition members can alert affected communities of disinformation and push corrective information out to individuals.
Agencies participating in the EI-ISAC have access to a platform for sharing threat information in real-time. At DHS, CISA plans to operate a switchboard during the election that will transmit reports of disinformation from election officials to internet companies and law enforcement.
Where appropriate, election agencies should report incidents to federal and local law enforcement.
5. Build relationships with communities and media
Election officials should do extensive public outreach to build trust with all the communities they serve, and those efforts should incorporate all commonly spoken languages in those communities. Cultivating ongoing relationships with communities will make it easier to communicate during an emergency.
Election agencies should consider designating a spokesperson to provide accurate information on how to vote, to promote that information online and on social media, and to make local media appearances. This designated official should also build relationships with community groups.
Agencies can build public trust and familiarity by working to increase the number of followers on official social media accounts, a process that could include advertising and engaging in conversation with community leaders, journalists, and other relevant figures. They should also consider recruiting high-profile surrogates, such as influencers with significant followings on particular social media channels, to amplify accurate information.
Local and ethnic media that serve frequently targeted communities are key partners in disseminating correct information in response to deceptive practices. Officials should build relationships with outlets and reporters to help establish themselves as trusted sources. Media partners should receive instruction in advance on how to avoid repeating falsehoods when reporting incidents.