Sun Sentinel Palm Beach Edition
GOP data on voters exposed for anyone to see
Personal information on millions of Americans went unguarded on internet
WASHINGTON — To any nefarious hackers looking for data that could be used to sway elections or steal Americans’ identities, the file compiled by a GOP digital firm called Deep Root Analytics offered all manner of possibilities.
There in one place was detailed personal information about almost every voter in America. It was a collection of some 9.5 billion data points that helped the firm assess not only how those Americans would probably vote, but their projected political preferences. In some cases, the data collectors had scoured voters’ histories on Reddit, the social media platform, and well-informed predictions were made about where each voter would stand on issues as personal as abortion and stem cell research.
It’s the kind of sensitive information that, if a bank or a big-box retailer or almost any other corporation had failed to protect it, would have triggered major trouble with regulators. But there it sat on the internet, without so much as a password to guard it, for 12 days.
Luckily for the Republican Party and its contractor, a cybersecurity consultant with a firm in Mountain View, Calif., came across the treasure-trove of political data this month, not a foreign agent.
But the exposure of the data, which some are describing as the largest leak of voter information in history, is a jolting reminder of how deeply the political parties are probing into the lives of voters and how vulnerable the information they are compiling is to theft.
As cybersecurity experts sound an increasingly loud alarm about the potential consequences, the lapses keep happening — often with nobody held accountable for them.
“This is a catalog of human lives, with intrinsic details,” said Mike Baukes, CEO of UpGuard, the firm that came across the file during a routine scan of cloud systems.
“Every voter in America is potentially in there. The scale of it is just staggering, and the fact that it was left wide open is wholly irresponsible. … This is happening all the time. We are continually finding these things. It is just staggering.”
Privacy experts were skeptical that political operatives will change their ways following the latest incident.
“The state of security for massive data sets is so incredibly poor despite a daily drumbeat of data breached,” said Timothy Sparapani, a former director of public policy for Facebook who is now a data privacy consultant at the firm SPQR Strategies, based in Washington. “It is shocking. It is embarrassing. People ought to lose their jobs.”
Sparapani said if the culprit had been a private firm, it would be subjected to punitive actions by attorneys general, consumer lawsuits and big fines from regulators. But political operations face no such repercussions.
“As a voter, you are left with almost no recourse because our laws have not caught up to the massive computing power which is readily available to gather enormous data sets and make them searchable at the click of a button,” he said.
UpGuard was able to access the file merely by guessing a web address. It alerted Deep Root as well as federal authorities.
Deep Root apologized in a statement, but also suggested the incident had been overblown.
“This is data used for opinion manipulation,” said Marc Rotenberg, executive director of the nonprofit research group Electronic Privacy Information Center, based in Washington. “It needs to be regulated. And there needs to be consequence for breaches. We have a major problem in this country with data security, and it’s getting worse.” The foundation wants Congress to hold hearings on political data security.