Only 1 in 4 Election Websites Uses the .gov Domain. That’s a Problem — and an Opportunity
This post is authored by William T. Adler and researchers James Doyle, Mac Milin Kiran, Meg Leta Jones, and Paul Ohm of Georgetown University’s Foo Law Lab. The authors thank CISA official Cameron Dixon for helpful guidance on this project.
Ahead of the U.S. midterms, election misinformation appears to be thriving online. As always, local election officials hold the front line as the frequent targets of that misinformation. CDT and the Center for Tech and Civic Life (CTCL) have pointed out, though, that election officials are in a strong position to debunk and respond to misinformation, by “flooding the zone” with trusted information about how elections really work. But they can only do this effectively if they have a trusted web presence, which involves getting verified accounts on Facebook and Twitter and making those accounts look official. It also involves having a website that users know to trust.
Election official websites serve many important functions. Voters can use them to register to vote or request an absentee ballot. Election officials can use them to educate voters on when, where, and how they can vote; to convey election results; and to debunk misinformation and myths about local elections. But how is a voter supposed to know that they can trust that the election website they are accessing is authentic?
One indicator of trustworthiness is whether an election website uses the .gov top-level domain (TLD). Unlike other TLDs that are available to any interested entity (e.g., .com, .net, .org, .us), .gov is only available to federal, state, and local government entities verified by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In other words, the .gov TLD functions like a blue checkmark on Twitter: an indicator that a government website is authentic.
.gov adoption has improved since 2020, but is still too low
We analyzed a dataset of election websites maintained by CTCL and found that, of the 7,010 websites that we included for analysis (see methods below), only 1,747 (25%) used .gov. This low adoption rate creates an opportunity for bad actors to create fake election websites and spread disinformation. As an example, the official election website in Harris County, TX (home to nearly 5 million residents), is harrisvotes.com. A bad actor could register, say, harriselections.com and use it to spread false information about voting options, to collect private voter information, or to publish false results. In 2020, Steve Grobman of McAfee showed how easy it would be to set up a fake election website like this.
And this isn’t theoretical — in 2020, the FBI identified dozens of fake election websites that may have been set up to mislead voters. In a Public Service Announcement released this month, the FBI and CISA warned the public that, because foreign actors may attempt to “manipulate information or spread disinformation in the lead up to and after the 2022 midterm elections,” voters should be wary of websites that solicit voting information but do not use .gov.
To address this problem, election websites — and all government websites — need to adopt .gov widely enough that voters know to look for it as an indicator of trustworthiness. There’s reason to believe this change would be helpful: In 2020, when Congress passed the DOTGOV Online Trust in Government Act of 2020, it found that “when online public services and official communications from any level and branch of government use the .gov internet domain, they are easily recognized as official and difficult to impersonate.” Obstacles to using .gov were recently lowered: in April 2021, CISA — which took over responsibility for administering the .gov program in March 2021 — announced that it was making .gov free for qualifying government entities, eliminating the old fee of $400 per year.
So, has .gov adoption for election websites increased since CISA took over .gov and made it free? In 2020, Grobman analyzed a dataset that, unlike our dataset, consisted of only one URL per county; he found that only 20% of these websites used .gov.
Because our research uses a different dataset, and because our primary analysis includes websites for both county- and municipality-level election officials, we cannot make an apples-to-apples comparison with Grobman’s results. But, after reducing our dataset — from 7,010 unique domains held by election officials responsible for election administration, to 3,021 unique domains held by county-level offices — we can offer a rough comparison. (This reduced set of domains is not necessarily the most accurate representation of election officials’ web presence, because it cuts out thousands of municipality-level officials who in many cases, particularly in the Northeast, are responsible for election administration.) After this reduction, we found that about 32% of county election websites used .gov, a marked improvement from the 20% found by Grobman in 2020, but still a long way to go.
One might expect the most populous counties in the U.S. to have higher levels of .gov adoption — after all, the counties should be better-resourced and more able to spend the time and resources necessary to switch to .gov. We looked at the top 20 most populous counties, analyzing their 19 unique websites (because Brooklyn, NY, and Queens, NY, are both represented by vote.nyc); of these websites, eight (42%) used .gov. The most populous counties indeed appear more likely to use .gov, but adoption is still less than half.
HTTPS adoption is fairly strong
Another key component of a trusted web presence for election officials is HTTPS. When a browser connects to a website that supports HTTPS, the information flowing between the browser and the web server is encrypted, which protects the integrity and confidentiality of the information. For voters using an election website, encryption helps ensure, for example, that they are able to privately submit sensitive voter registration information and be sure that the information about how to vote or about election results is genuine. When websites don’t use HTTPS, the information flow may be more easily intercepted, read, or altered by malicious actors. HTTPS also provides authentication, by giving the browser an assurance that the server it is communicating with is indeed the one it tried to contact. Websites that don’t connect via HTTPS will typically show an unlocked padlock in a browser, indicating to the user that the connection is not secure and not authenticated.
While security experts urge all websites to adopt HTTPS, there have been specific calls for government websites to do so. In 2015, the Obama Administration issued an order requiring all publicly accessible websites administered by the federal government to use HTTPS. The order explains that Federal websites that do not adopt HTTPS leave “Americans vulnerable to known threats, and may reduce their confidence in their government.” Although the order could not require HTTPS by county or municipality websites, the reasoning applies equally — or more so — for sensitive election-related websites.
Our analysis found that, of the 7,010 websites that we analyzed, 6,260 (89%) supported HTTPS. The rates are similar for county-level websites and the 20 most populous counties. This rate appears to be a dramatic improvement from the 55% found by Grobman in 2020 — though we again note that we are using different underlying methods and data.
The federal government has made admirable moves in recent years to secure online elections infrastructure against cyber attack. The passage of the DOTGOV Act, as well as CISA’s work to increase .gov and HTTPS adoption, has made it easier (and cheaper!) for state and local election websites to secure their websites. Indeed, there appears to have been a substantial increase in both .gov and HTTPS adoption among election websites. But the overall number of election websites that have moved to .gov still appears quite low.
Why do election officials overall seem hesitant to move their websites to .gov, despite the established importance of having a trusted online web presence? This question deserves further exploration. For now, we speculate that a number of factors are slowing the move to .gov. For one thing, many election officials may simply not be aware that .gov is available and free to them.
Additionally, election officials tend to be stretched thin. For years, Congress has failed to provide election officials with sufficient, predictable funding, often leaving election officials with limited budgets and staffing levels for securing elections. CISA has provided a great set of online resources to help officials who want to move to .gov — but many election offices may not have a full-time IT staffer and might therefore have to hire a contractor for the work.
And, as CISA notes, moving to .gov is “not solely a technical task.” Moving a long-established domain to .gov requires updating email addresses, business cards, and signage. The costs may seem too high to cash- and time-strapped officials, who are busy running elections and responding to other threats and harassment.
Once the midterms are in the rearview mirror, election officials will begin the hard work of preparing for the 2024 presidential election, which will no doubt present new challenges for security and for communication. If they haven’t already, election officials should then immediately get to work moving to .gov and HTTPS — key ingredients of a trusted web presence, which is essential for ensuring a trusted democracy.
The authors thank three programs at Georgetown for supporting this research: the Institute for Technology Law and Policy, Massive Data Institute, and Fritz Family Fellows program.
Methods
We conducted our analysis primarily using pandas, the Python-based data analysis package. We used a dataset of 8,941 election official URLs in the 50 states and D.C. that is maintained by and was obtained from the Center for Tech and Civic Life (CTCL). While that dataset underwent CTCL’s quality assurance process, details and URLs may change over time. We did not independently verify each entry in the dataset, and thus recognize the possibility of some variation in the data as a result of recent changes.
We used Python’s urllib.parse to trim websites down to their network location, or domain name (i.e., reducing a URL from something like https://www.lavote.net/home/voting-elections to www.lavote.net). We used pandas to drop duplicate domains, bringing us to a set of 7,316 domains. Of these domains, 7,010 are associated with “primary election officials,” i.e., election officials whom CTCL has determined are responsible for election administration, possibly including voter registration websites. This was the set of domains that we analyzed.
To analyze these domains, we ran CISA’s pshtt (pronounced “pushed”) software on each domain. (CISA uses this software to monitor HTTPS adoption across the federal government.) pshtt reported over 99% of domains as “Live.” pshtt scanned each of four endpoints (URLs beginning with http://, http://www, https://, https://www) and recorded whether the endpoints redirected to a different location. We counted a domain as “using .gov” if any of the four endpoints ultimately pointed to a URL with a .gov suffix. We used tldextract to extract the suffix from the URLs reported by pshtt.
pshtt also provided information about HTTPS support. Our analysis reports the percentage of domains that pshtt found to “support HTTPS,” which in all of our cases indicated that the domain had valid HTTPS and did not downgrade the connection from HTTPS to HTTP at any point.
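The domain reduction, .gov counting and HTTPS rules described in the three paragraphs above, as an added example that is not the authors' analysis code. It uses only the standard library, substitutes a last-label check for tldextract, and runs on constructed placeholder domains with hypothetical record fields rather than real pshtt output.

```python
from urllib.parse import urlsplit

def to_domain(url):
    """Reduce a URL to its network location (the de-duplication key)."""
    return urlsplit(url if "://" in url else "//" + url).netloc.lower()

def is_gov(url):
    """True only if the hostname's last label is 'gov'.
    Simplification: a label check stands in for tldextract's suffix lookup."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return "." in host and host.rsplit(".", 1)[1] == "gov"

def uses_gov(record):
    """.gov if any live endpoint ultimately lands on a .gov URL."""
    return any(is_gov(u) for u in record["final_urls"] if u)

def supports_https(record):
    """Valid HTTPS and no downgrade from HTTPS to HTTP."""
    return record["valid_https"] and not record["downgrades"]

def summarize(urls, scan):
    domains = sorted({to_domain(u) for u in urls})  # drop duplicate domains
    gov = [d for d in domains if uses_gov(scan[d])]
    https = [d for d in domains if supports_https(scan[d])]
    pct = lambda part: round(100 * len(part) / len(domains))
    return {"domains": domains, "gov": gov, "gov_pct": pct(gov),
            "https": https, "https_pct": pct(https)}

# Constructed sample input: placeholder domains and hypothetical record fields
# (not pshtt's real output columns). final_urls holds where the http://,
# http://www, https:// and https://www endpoints ended up; None = not live.
URLS = ["https://www.examplecounty.org/elections/register",
        "https://www.examplecounty.org/elections/results",  # duplicate domain
        "http://clerk.exampletown.us/voting",
        "https://elections.examplecity.gov/",
        "https://vote.gov.example.com/info"]  # 'gov' is a label, not the TLD
SCAN = {
    "www.examplecounty.org": {"final_urls": ["https://www.examplecounty.gov/elections"] * 4,
                              "valid_https": True, "downgrades": False},
    "clerk.exampletown.us": {"final_urls": ["http://clerk.exampletown.us/", None, None, None],
                             "valid_https": False, "downgrades": False},
    "elections.examplecity.gov": {"final_urls": ["http://elections.examplecity.gov/"] * 4,
                                  "valid_https": True, "downgrades": True},
    "vote.gov.example.com": {"final_urls": ["https://vote.gov.example.com/"] * 4,
                             "valid_https": True, "downgrades": False},
}

if __name__ == "__main__":
    print(summarize(URLS, SCAN))
```

The sample shows why the check is made on the final redirect target and on the hostname's last label: a non-.gov domain that redirects to .gov counts, while a hostname that merely contains a `gov` label does not.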
We replicated our findings by running pshtt on every website in the database a second time, from a different computer and network location, about a week after the first run. For all analyses presented here, differences in the number of websites that used .gov or HTTPS were very low — in the single digits. In all analyses, the rounded percentages remained identical.
To compare against the number of counties using .gov previously reported by McAfee, we trimmed the dataset to only those rows where “Office Name” included the word “County,” “Borough” (for Alaska websites), “Parish” (for Louisiana websites), or “DC,” to account for the names of county equivalents. This was a rough heuristic that brought the dataset down to 3,021 websites, roughly the same number as the 3,143 counties and county equivalents in the 50 states and D.C. and the 3,089 websites included in the McAfee study.