The aggregation of voter data – which includes partial social security numbers – is a privacy concern.
The full names, addresses, dates of birth, and political affiliation of 200 million Americans – sent over unencrypted email. That’s what Trump’s voting integrity commission has requested from all 50 U.S. State Secretaries.
Since the election, President Trump has repeatedly talked about voter fraud – falsely saying that millions of illegal votes had been cast.
The latest effort to deal with this “problem” is the Presidential Advisory Commission on Election Integrity which wants to collect full voter rolls from all 50 U.S. states in order to investigate voter fraud.
Here is the data the commission asked for on June 28th:
“The publicly-available voter roll data…. Including… the full first and last names of all registrants, middle names or initials if available, addresses, dates of birth, political party (if recorded in your state), last four digits of social security number if available, voter history (elections voted in) from 2006 onward, active/inactive status, cancelled status, information regarding any felony convictions, information regarding voter registration in another state, information regarding military status, and overseas citizen information…”
Note that, when available, the commission also wants the last four digits of voters’ social security numbers – which are often used as a security/identity verification measure by companies and services such as banks and ISPs. In fact, this broad request has been criticized by various state Governors and Secretaries of State, and may, in fact, be illegal. It is also asking for data to be sent via unsecure channels.
The requests ask that the data be sent to a federal email address – ElectionIntegrityStaff@ovp.eop.gov – which does not use TLS to protect emails sent to the server, leaving them completely in plain-text and easily recordable.
Too bad the commission is not as concerned with data integrity as it is about voter integrity.
Ironically, the commission’s request also asked how it can “support state and local election administrators with regard to information technology security and vulnerabilities.”
The commission does give an option to submit data through “SAFE” – an online file sharing platform operated by the U.S. Army. However, the Army, which is part of the Department of Defense, uses its own PKI, which is not widely trusted by consumer devices.
Department of Defense personnel use devices that have manually added trust for those roots. However, Secretaries of State, who are not part of the DoD, likely don’t trust those certificates and would have a broken HTTPS connection.
This request has drawn wide criticism from privacy and security experts who claim that the insecure collection and aggregation of such data is a threat to voters. But some also consider this overblown outrage since much of the countries’ voting data is already public.
However, while voter data for many states is already available, it’s not exactly easy to get, nor is it cheap. ElectProject.org says it would cost just over $125,000 in fees for a U.S. citizen to get voter data from every state they are legally able to, but that would still leave them a few states short. Only political committees, parties, and candidates registered in every state can get data for all 50 states.
Loyola University Law Professor Justin Levitt points out that handing the data over to this Commission will subject it to federal public records laws which will make it easier for the data to be exploited:
“Some states have restrictions on why you can access the voter file. For example, many states — like, for example, Texas — prohibit use of the voter file for commercial purposes. Again, no such limit in federal open records rules. Any state with a use restriction that sends information to the Kobach commission has just eviscerated their own law on that score too.”
So there are still some clear downsides here, even if much of this data is publicly available. It also highlights the fact that unencrypted communication and poor security practices are still common in the U.S. government – which is shocking given the recent history of politically-motivated security breaches.
The Electronic Privacy Information Center has urged states not to comply with the request, which has been co-signed by dozens of privacy organizations and experts, including the Center for Democracy & Technology, and Ron Rivest (the “R” in the RSA algorithm). The commission only gave states until July 14th to comply.