First and last names. Recent addresses and phone numbers. Party affiliation. Voting history and demographics.
A database of this information from 191 million voter records was posted online over the last week, the latest example of voter data becoming freely available, alarming privacy experts who say the information can be used for phishing attacks, identity theft and extortion. The information is no longer publicly accessible.
It is not known who built the database, where all the data came from, and whether its disclosure resulted from an inadvertent release or from hacks. The disclosure was discovered by an information technology specialist, Chris Vickery, and the findings were published on databreaches.net. The federal authorities were alerted to possible concerns about security and the legality of what was done.
NationBuilder, a nonpartisan political data firm, has said it may have been the source of some of the data, although the actual database that was released was not the company’s.
“The reality is there’s a tremendous amount of data that’s freely available,” said Craig Spiezle, the executive director of the Online Trust Alliance. “For candidates, it’s what doors to knock on. For cybercriminals, it’s identifying a higher network of targets.”
Indeed, nearly all of the data that was released was already publicly available. But having it compiled in one place makes it particularly valuable.
As a result of the Help America Vote Act of 2002, state governments are each required to maintain a single, “interactive computerized” voter registration list with “name and registration information.” It leaves what that “registration information” consists of to the discretion of the states. But as big data increasingly plays a large role in politics and business, the presence of the publicly available information raises questions of privacy and security. Some ask whether states have gone too far in making such data available.
Big data advocates argue that what is in most voter files is nothing more than the White Pages of a phone book augmented with party affiliation and voting history (not which candidate people voted for, but whether they voted). But for privacy experts, that alone, especially when compiled in one place, is cause for concern.
“Simply by digitizing the data, collecting it in one place, making it freely available in one place — it’s a Christmas gift for thieves,” said Neal O’Farrell, the executive director of the Identity Theft Council. “I interviewed an identity thief, and he said credit card numbers are for chumps. It’s much easier to get caught. The cybercriminals really want to know who you are. And voter information and any kind of information that fills in all the blanks makes it easier for phishing, for social engineering, and for extortion.”
Access to data is, of course, a necessity for modern campaigns. Voter databases vary from state to state — there is no federal agency overseeing voter data or registration — making it a messy field to navigate. It is this discombobulated system that makes companies like NationBuilder and NGP VAN, a software company that manages such data for Democrats, invaluable to campaigns.
“From our perspective, it is extremely important for campaigns to be able to know who can vote for them, and be able to do legitimate outreach and engagement,” said Jim Gilliam, the founder and chief executive of NationBuilder. “That’s the point of the democratic process: that you can talk to voters.”
But even without the streamlined databases of NationBuilder, such voter data is publicly available on a state-by-state basis.
For example, in Pennsylvania, it costs $20 to download the whole voter file — which includes names, addresses, birth dates, gender and party — in a spreadsheet format. North Carolina offers free access to an online database of voters. Wisconsin makes its voter file available online, with privacy restrictions that leave out such information as dates of birth and Social Security numbers, and it charges $25, and $5 per 1,000 voter records.
Each state also has a varying set of rules and verification requirements to try to ensure the data is used solely for a political purpose. Anyone can search North Carolina’s free online voter database, for example, but in New Hampshire, people have to verify they are with a political party or committee before purchasing the voter file from the secretary of state. Many states and jurisdictions, from Alaska to the District of Columbia to Florida, allow for “unrestricted” use of the data, according to a database kept by NationBuilder.
Such wide availability has many security experts concerned. “It’s not the individual pixels, but the mosaic,” Mr. Spiezle said.
The digitization of many of these voter files in recent years has opened the door for more data breaches. Just in the past year, there have been some major disclosures of information.
More than six million voters in Georgia had their voting information and Social Security numbers exposed in a breach back in October. And in Florida, personal voter information about an undisclosed number of “high-risk professionals” such as judges and law enforcement officials was mistakenly released in April.
Those disclosures were just the results of human error. But many campaigns, especially at the presidential level, have been the target of hacking attacks. In 2008, Barack Obama’s campaign and Senator John McCain’s campaign were reported to have been hacked by the Chinese government. In 2012, the Obama and Mitt Romney campaigns were subjected to repeated hacking attempts, sometimes as often as four to five times a week.
Because of this threat, some campaigns have been taking steps to make sure their data and infrastructure are secure. Hillary Clinton’s campaign has a team of engineers and others continually monitoring for potential attacks, and Gov. Scott Walker’s now-defunct campaign hired people to monitor and prevent threats.
Even with aggressive efforts to secure proprietary data, accidental breaches can happen, as evidenced by the recent flare-up after a member of the campaign of Senator Bernie Sanders viewed and saved information from the Clinton campaign’s confidential voter file that was held by the Democratic National Committee.
That data may have been of real use only to the Sanders campaign; had it fallen into the hands of a hacker or activist group, it would have essentially the same worth as the publicly available data. But many security experts cite it as yet another example, along with the publication of the 191 million voter records, that states are not taking the security of voter data seriously enough.
“No one wants to go through a phone book trying to build up profiles of individuals,” Mr. O’Farrell said. “These collections of massive amounts of user-specific and very personal data just make it easier. And the easier the crime, the more profitable it becomes.”