Over the last three months, more than 100 million US voters have had their data exposed online. These data breaches weren’t caused by a sophisticated hack or malware. Instead, political campaigns' abysmal cybersecurity practices are to blame. Although modern campaigns constantly acquire and purchase massive amounts of data, they often neglect to fully beef up security surrounding it, effectively turning the campaigns into sitting ducks — huge operations with databases left open and vulnerable.
Most people understand that free online services monetize their business by collecting data. Users know the unspoken deal they’re agreeing to when they sign up for something. However, this isn’t the case when it comes to voter data. It’s typically a surprise to people — even those who work in the industry — how much data is collected on voters and how much of it is considered public. In addition to public data, campaigns purchase information from brokers, or companies that make their money selling information about people.
The end result is that campaigns know which Americans bought a gun in the last year, what stores they like, and most anything that can be tracked through online data. They know voters' Facebook friends and what magazines they read. They buy information about what programs voters watch on Netflix and information about their finances and health.
That might be unsettling, but perhaps more troubling is the fact that political campaigns are terrible at cybersecurity. Not only do the organizations have access to more information than ever before, they’re not able to keep it safe. The incentives to do so just don't exist, and that's why we're seeing so much compromised voter data.
In Iowa last month, the state's Republican party failed to adequately protect a database containing information on 2 million voters, making it readily available through just a basic scan of the website’s source code. In December, an independent security researcher uncovered a publicly available database of 191 million voter records. Included in that trove was each voter’s full name, home address, mailing address, unique voter ID, state voter ID, gender, date of birth, phone number, date of registration, political affiliation, and voter history since 2000.
The conditions of a campaign make cybersecurity a passing thought, if there's a thought at all. They're short-term endeavors that last the length of the election cycle, and once votes are tallied, all the amassed data becomes more or less unnecessary. Granted, politicians might want to return to it in the future, but for the most part, it’s left as a casualty of the campaign. The focus is on gathering data and building out a full-fledged effort, not building an entire security team.
"You aren’t going to win an election by having better security practices, so in all likelihood, you aren’t going to give it a lot of attention, unless there’s a breach," Ira Rubinstein, a research fellow at New York University School of Law, told The Verge.
Beyond time constraints, security decisions often come down to money. Cybersecurity isn’t a top priority for a tight-pocketed operation. If a campaign is trying to choose between hiring a security expert or sending mailers, the mailers win.
"The resources aren’t there to do the same security audits [like they do on the data brokerage firm] Experian national level," said Azarias Reda, founder at Republic Computer Science and former employee of the Republican National Committee. "National campaigns have a budget and awareness, but below that level it wouldn’t be fair to expect that [security]."
The Democratic National Committee and RNC own the largest voter databases, and arguably do a decent job keeping information secure. Reda said that during his time at the RNC, he saw the organization bring in penetration testers and use their findings to alter security. But still, risks exist. In December, presidential hopefuls Bernie Sanders and Hillary Clinton clashed over DNC data when a Sanders staffer accessed Clinton’s proprietary information. That incident was the direct result of a third-party software glitch, demonstrating that even well-protected databases can be accidentally exposed.
Some voter data has already surfaced on the dark web. Granted, campaigns, and therefore underground market troves, don’t have access to Social Security numbers, but nonetheless, exposed information could be used to carry out phishing attacks or to break into a voter’s online accounts by correctly answering password questions. In a worst-case scenario, every voter in the US could have data ranging from their shirt size to their hobbies to their annual income and voter history compromised. But even with that possibility looming in the background, it doesn't appear that candidates and their constituents are too worried about cybersecurity, and they likely won't be until there is a massive data fallout.
"These recent data breach incidents aren’t startling enough to create public outcry," Rubinstein said. "[But] if and when one of the very big data operations is hacked, and one that is comprehensive is stolen or taken by hackers, that might grab attention. People will see for the first time how extensive those files are, and you can imagine that’ll happen at some point."
An unfortunate reality is that until this hypothetical mega-breach thrusts all voter data onto the internet, it's unlikely anything will change. That is, unless voters politicize the issue, thereby forcing politicians to mandate more thorough security. Maybe only the possibility of doxxing the very people campaigns want to win over will bring about the cybersecurity changes voters deserve.