Are citizens compromising their privacy when registering to vote?
Connecting state and local government leaders
About 84 percent of registered voters were put at increased risk of having their personal data exposed in the run up to the midterm elections.
From both sides of the aisle, we’ve heard a consistent drumbeat about the importance of citizen participation in the midterm elections. Maximum voter participation is vital to our democracy, yet citizens may unwittingly be putting their own privacy at risk when they register to vote.
My company has been tracking the exfiltration of voter registration data that was presumably stolen or obtained under false pretenses from legitimate organizations authorized to handle the data, such as official election commissions and the offices of political parties. Not only is this data for sale in dark markets, it is openly and freely available to petty criminals via the deep web, specialized forums or on the surface web for anyone to access. These bad actors are using the personal identifiable information to initiate a variety of attacks. Their target may simply be e-commerce and bank accounts, or the criminals’ intentions could extend all the way to full identity theft.
Recently, I came across a story about an individual who had registered for an absentee mail-in ballot because he would be doing some last-minute traveling on Election Day. Within days of registering, well before his ballot arrived, he began receiving targeted campaign advertisements in the mail based on his vote-by-mail status.
Mail-in ballot requests in states like Florida are not public, but campaigns and political parties are allowed access to this information. Voter registration information, however, is public record and at minimum includes name, address and party affiliation. In some states, such as Florida and Texas, it even includes email address, date of birth and race. While it does not include who someone voted for, it does include the elections that person voted in.
The 2002 Help America Vote Act required all states to create centralized databases and make voter data available as part of the election process. Some states like Florida have no restrictions on how the data can be used, while other states like New York and California merely disallow the usage of data for commercial purposes. Campaigns, political parties and advertisers can combine this data with information about consumers' buying patterns and interests from data brokers to tailor messages and influence their vote.
The problem is that county registrars, individual campaigns and specialty vendors are not cybersecurity-savvy. Online data requests are often verified based on phone calls or emails that can be spoofed, and these small organizations are soft targets for even unsophisticated cybercriminals. Last year, we found over 61 million voter records that had been exfiltrated, and in 2018 more than 71 million additional such exfiltrations have already been uncovered. The records, circulating in the deep or even surface web, have accrued from over 20 states, most of them from political campaigns and marketing companies, for a total of 132 million currently breached voter records just after the midterm elections.
The issue is not uniform across the U.S. There are several states for which the numbers are particularly troublesome. The majority of states store voter records on a 1:1 ratio to the number of voters in the state. However, states like Florida, North Carolina and Washington keep much more data than that. For instance, in Florida, 18 million breached voters have had the following exposed: full name, address, date of birth, voter ID number, voter registration data, voter status, party affiliation, etc. This means that voters in Florida are at a six-fold greater risk.
Some notable state voter data circulating [2018] (raw data):
New York | 18.00M unique voters | 18.16M total records |
Florida | 14.00M unique voters | 85.14M total records |
Washington | 4.70M unique voters | 21.24M total records |
Pennsylvania | 8.50M unique voters | 8.55M total records |
North Carolina | 8.10M unique voters | 39.57M total records |
Individual states, election commissions or even certain political parties could face accusations of negligence around information security, which could lead to difficult-to-navigate discussions about accidental voter suppression -- and the degree to which it could have been prevented.
With 245 million Americans eligible to vote, and 157 million registered according to 2016 Census Bureau data, about 84 percent of registered voters were put at increased risk in the run up to the midterm elections. Every time voter data is exposed in the deep web, it can initiate a new wave of phishing, social engineering and identity theft attacks, which in just 2017 alone resulted in over $16 billion in losses, according to Javelin Strategy & Research. Data exposed in this election cycle could also be used to alter official voter registration databases and interfere with future elections.
Voter registration is vital to our democracy, and we need more, not fewer, citizens voting. But citizens, campaigns and counties are simply not able to protect themselves from indiscriminate, non-stop, organized attacks. It is high time we took a more holistic approach to protecting voting -- one of our most essential freedoms -- because this problem is destined to get worse before it gets better.