Data exposure on 200 million voters highlights need to improve industry standards

Electoral politics has always been serious business, but it’s only in the last few election cycles that big data has played such a deciding role, with voters mobilized or paralyzed by carefully targeted advertisements and other marketing collateral narrowcast for maximum impact.

This nascent business of motivation and/or demotivation recently had a big reveal. Nearly 200 million registered voters were exposed in a publicly accessible database that included the kind of granular data that makes political campaigns hum—and identity thieves (as well as state-sponsored election meddlers) sing for joy.

The data was discovered by UpGuard’s cyber risk analyst Chris Vickery and reported on June 12. According to an excellent deep-dive report on Gizmodo, the database included “advanced sentiment analyses used by political groups to predict where individual voters fall on hot-button issues such as gun ownership, stem cell research, and the right to abortion, as well as suspected religious affiliation and ethnicity.”

Needless to say, there was a whole lot more on that unprotected Amazon cloud account than the kind of data that’s publicly available at this or that board of elections, which generally includes name, date of birth, address, etc.

So, all this data was just sitting there on an Amazon server. Forget encryption. There wasn’t even password protection. All you needed was the URL. The database was maintained by a conservative data marketing company that worked for the Republican National Committee during the last election.

The super detailed psychographics contained in those files came from a variety of sources, many of them funded by conservative PACs and kingmakers, and they were all pointed at the task of revealing the inner workings of the swayable voter. It was a rare look at the intricate data-driven campaign tactics that won Trump the presidential election.

There was Koch Brothers intel, and a slew of data points mined from a staggering number of Republican-leaning sources ranging from public records to more slippery grabs on social media and beyond. We’re talking about data mining operations that could very well—though it’s probably hyperbole—sift through landfills to figure out how this or that person might vote or what they might be tempted to purchase online.

It matters because organizations large and small keep getting data security wrong, and people keep getting hurt as a result. It matters because it is a betrayal of our right to expect our private information to remain private. It matters because we should really be getting tired of the Wild West approach to sensitive information being used however anyone wants.

The recent discovery of 200 million voters not being afforded the most basic cyber precautions revealed a serious lapse in common sense, and an even more dire shortfall in responsible data handling. It opened the door to all stripes of cyber malfeasance, the database being a literal El Dorado for criminals who use personal information to commit crimes.

Does the voter care about the environment more than making America great again? Is saving walleye habitats more important than building the Great Wall of Mexico? Immigration? Integration? Organic food? Frankenfood? Jesus? Buddha? G-D? Muhammed? It’s all in there. There were even inferences established regarding this or that unknown fact using data points that were known. 

For those who are unacquainted with the kinds of information that “big data” firms use, let’s just say… there’s a lot of “there” there. To those who are unfamiliar with the way identity thieves and other scam artists work: ditto.

“Deep Root Analytics maintains industry standard security protocols,” Deep Root founder Alex Lundry told Gizmodo. “We built our systems in keeping with these protocols and had last evaluated and updated our security settings on June 1, 2017.”

Not all industry standards are created equal. The worst in class are like potato chips: cheap and bad for you. It was “industry standard” cyber security that brought us some of the biggest hacks in the history of the cybercrime wave targeting consumers that began more than a decade ago. 

The problem here lies in the definition of industry standards. Regardless of how you approach that question, we need better ones right now.

Adam K. Levin is chairman and founder of CyberScout (formerly IDT911) and co-founder of Credit.com, and a former director of the New Jersey Division of Consumer Affairs. He is also the author of "Swiped," which debuted at #1 on the Amazon Bestsellers Hot New Releases List.


The views expressed by contributors are their own and are not the views of The Hill.