An unsecured database containing information on more than 190 million US voters has been floating around the internet, and nobody seems to know how it got there. That’s a troubling sign as political campaigns become increasingly dependent on collecting, analyzing, and utilizing personal voter information.
Internet researcher Chris Vickery found the database on Dec. 20; it has since been taken down. The database contained information that citizens provided to states when they registered to vote: names, addresses, phone numbers, and potentially demographic info and voting history.
The information would be time consuming to aggregate (it can be purchased from state governments) but it is only truly useful to campaigns when combined with other data sets obtained from media companies, pollsters, and direct voter contact.
Vickery, recognizing the voter file information that is used by campaigns to plot outreach and strategy, began contacting political data vendors to figure out where it came from, and found telltale data labels used by a company called Nation Builder.
“While the database is not ours, it is possible that some of the information it contains may have come from data we make available for free to campaigns,” Nation Builder CEO Jim Gilliam wrote on his company’s website. “From what we’ve seen, the voter information included is already publicly available from each state government so no new or private information was released in this database.”
According to campaign spending data, Nation Builder’s biggest clients in the current election cycle are the Massachusetts Republican Party, West Virginia Congressman David McKinley, and the Lyndon Larouche Political Action Committee—associated with the controversial conspiracy theorist and perennial presidential candidate.
There are a patchwork of state laws that limit using the data for commercial or non-political use, and the unsecured data is worrying to security professionals and privacy advocates. But it’s important to recognize that all of this information is available to the public. Ultimately this is appears to be a much less worrying incident than the data breaches that have plagued major retailers and the US government.
This is also not exactly the kind of data that got Senator Bernie Sander’s campaign in hot water a few weeks ago. While that involved a similar database of voter information, the real issue was the Sanders campaign’s ability to see proprietary information gathered by Hillary Clinton’s campaign about which voters support her and are likely to vote.
It’s not clear how recently the exposed database was updated; voter file information tends to quickly grow stale, as voters die, move, or change their political allegiances. The kind of registration data found in exposed database is typically only the a starting point for the comprehensive voter files maintained by the two major US parties and their vendors. The parties, in turn, rely on campaign canvassers to update the files.
But as the free-for-all search for personal information becomes ever more important to politicians—indeed, some campaign vendors brag that they are psychoanalyzing voters from afar—voters will be increasingly concerned about the security of their personal information.