Posted on 12/28/2015 1:57:13 PM PST by LibWhacker
Massive database exposed to public, major political data managers deny ownership
A misconfigured database has led to the disclosure of 191 million voter records. The database, discovered by researcher Chris Vickery, doesn't seem to have an owner; it's just sitting in the public – waiting to be discovered by anyone who happens to be looking. What's in the database?
The database was discovered by researcher Chris Vickery, who shared his findings with Databreaches.net. The two attempted to locate the owner of the database based on the records it housed and other details. However, their attempts didn't pan out, so they came to Salted Hash for assistance.
Never one to shy away from a puzzle, I agreed to help. the best place to start looking was the database itself. That's when Vickery sent me my personal voter record from the database. It was current based on the elections listed. My personal information was accurate too. Vickery discovered his own record as well, so I asked him about his initial reaction. MORE ON CSO:Millions of records compromised in these data breaches
"My immediate reaction was disbelief," Vickery said.
"I needed to know if this was real, so I quickly located the Texas records and ran a search for my own name. I was outraged at the result. Sitting right in front of my eyes, in a strange, random database I had found on the Internet, were details that could lead anyone straight to me. How could someone with 191 million such records be so careless?"
The database contains a voter's full name (first, middle, last), their home address, mailing address, a unique voter ID, state voter ID, gender, date of birth, date of registration, phone number, a yes/no field for if the number is on the national do-not-call list, political affiliation, and a detailed voting history since 2000. In addition, the database contains fields for voter prediction scores.
All voter information, except for a few elements protected by law in some states, is public record. For example, in Ohio, voter records are posted online. Other states make obtaining voter records a bit more challenging or outright expensive, but they're still available. For the most part, voter data is restricted to non-commercial purposes.
However, each state has its own rules for such data.
Point in case, in Alaska, Arkansas, and Colorado, voter data has no restrictions placed on it. However, in California, voter data may only be used for political purposes and may not be made available to persons outside of the U.S. South Dakota has a law that is directly related to this article's focus:
"...the voter registration data obtained from the statewide voter registration database may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the internet."
The database discovered by Vickery doesn't contain Social Security Numbers or driver license numbers, but it's still a massive collection of data.
Again, most states or data brokers require that anyone obtaining voter data affirm that they're not going to use it for commercial gain and that they'll follow all related state laws.
Yet, because the information Vickery discovered is in a database available to anyone on the Internet who knows how to find it, it's essentially unrestricted data.
I shared my personal voting file with a few election sources and experts. One of them offered a simple explanation as to why it exists, and what a database such as this could be used for during an election season.
"This file has all the basic information that a voter file would have on you: your address, date of birth, every election you did or didn't vote in, and some basic demographic information. Campaigns use all of [this] information to target their messages more efficiently: to make sure they're targeting not just the right people, but people who will actually end up voting. Most of this data is public record, with the caveat that it can only be used for campaign purposes," explained Maclen Zilber, a Democratic political consultant with the firm Shallman Communications.
"Some major voting data companies will give each voter a rating of how likely they are to turn out and vote, how likely they are to support a given political party, and even more niche questions such as how likely they are to support a specific issue. The prediction score row suggests that this file is from a company selling voter data, not just a file from a government database." Who owns the database?
Salted Hash reached out to several political data firms in an effort to locate the owner of the exposed database. Dissent (admin of Databreaches.net) did the same thing. However, none of our efforts were successful.
The following firms were contacted by Salted Hash for this story: Catalist, Political Data, Aristotle, L2 Political, and NGP VAN. Databreaches.net reached out to Nation Builder. Speaking to Dissent, Nation Builder said that the IP address hosting the database wasn't one of theirs, and it wasn't an IP address for any of their hosted clients.
As for the firms contacted by Salted Hash, each of them denied that the database was theirs, and in the case of NGP VAN, the technical aspects of the infrastructure (Linux vs. Windows) ruled them out because they're a Windows shop and the data is housed as part of a Linux build.
A later attempt to contact i360, another political data firm, was unsuccessful. In addition, DSPolitical, TargetSmart, and Data Trust were also contacted about the database.
Conversations between TargetSmart and Salted Hash went as expected by this point; the database isn't theirs and they are not using that IP address. If DSPolitical and Data Trust respond to questions, this story will be updated.
Update: Data Trust has reached out with confirmation that the database isn't theirs. How was this database compiled?
For the last week, Salted Hash has attempted to discover not only who owns the database that's been exposed to the public, but also how it was compiled. The hope was that if the owner couldn't be determined, then knowing the source of the data could be useful, as the vendor might be able to contact a customer and alert them to the problem.
As it turns out, researching this story was a bit complicated because of the Sanders / Clinton / NGP VAN voter database incident. Many of those contacted by Salted Hash assumed the two stories were somehow connected.
To be perfectly clear, this story is not related to the Sanders / Clinton incident at all.
The NGP VAN incident involving the Sanders and Clinton campaigns centered on a software configuration error that resulted in the Sanders campaign seeing client scores from the Clinton camp. There were no voter records exposed, just client scores.
In fact, the Sanders and Clinton campaigns share the exact same DNC voter database. The information exposed was added by one campaign, and the glitch allowed the other campaign to see it.
What Vickery has discovered is worse, because the data he discovered isn't a client score – it's a complete voter record for 191 million registered voters. The problem is, no one seems to care that this database is out there and no one wants to claim ownership.
As it turns out, many state and county elections offices charge for access to voter data. Sometimes, voter data is free, but when there's a cost involved, the total paid can be extreme. For example, in 2012, the fee to obtain 3 million voter registration records in Alabama was just over $29,000. Such costs can really cut into the budget of a political campaign, so campaign managers will turn to various political data firms and purchase the information needed at a lower cost.
One of the places campaigns turn to is Nation Builder. When Vickery first discovered the voter database, he and Dissent identified Nation Builder as the possible source of the data. However, as mentioned, Nation Builder denied that the IP address was theirs. They also said the IP wasn't being used by any of their hosted clients. Digital maps and Big Data
But did the data in the exposed voter database come from Nation Builder? Based on the database schema and formatting, yes, it did. The personal voter file given to me by Vickery is clearly from a Nation Builder data set.
In the U.S., few vendors maintain a national voter file. For those vendors that do, each voter file has signature components that are unique to that particular vendor – similar to a digital fingerprint.
In order to distinguish one voter file source from another, one can compare the file structure - how the vendor chooses to name various fields as well as the order in which they appear on their file. Another clear distinguishing factor is the unique voter ID - the code that the vendor assigns to each voter in the country.
Each vendor that deals with national voter files has their own distinct approach to creating unique identifiers for voters.
In my voter record, the voter ID and the field names point directly to Nation Builder as the source of the data that's been exposed. When you compare my voter record to the file structure published by Nation Builder, there are clear similarities including the nbec_precinct_code.
This code is unique to Nation Builder. It's shorthand for Nation Builder Election Center Precinct Code. In my case, that code is: 18097-Marion-Center (Marion County, Center Township).
As for the voter ID, my voter record uses a voter ID code consisting of 32 letters and numbers separated by dashes: 058a902b-4e1d-4989-8fdb-4976f48fbfb6
Multiple firms questioned about the digital fingerprints in my voter record (UID / NBEC code) quickly concluded that Nation Builder was the source of the data, and one said that this would be clear to anyone who has ever viewed Nation Builder before. But is Nation Builder to blame? Not really...
So while Nation Builder denied any claim to the IP and the leaked database, it's entirely possible they might know who developed it – but that would require an extensive records check. This is because a developer or campaign wishing to access the Nation Builder Election Center would need to register their contact details, such as name and email address.
However, Nation Builder is under no obligation to identify customers, and once the data has been obtained, they cannot control what happens to it. In short, while they provided the data that's in my newly leaked voter record, they're not liable in any way for it being exposed.
And to be clear, I don't blame Nation Builder for my leaked record either, I blame the person(s) who developed the database and poorly configured its hosting. I'm just not sure who they are yet.
Either way, I'm just one individual. There are more than 191 million people with records in this database. So if you're a registered voter in the U.S., you should know your data has been exposed.
Moreover, there is no way to know for sure how long this database has existed online, and for some of you – that's a problem. Point in case, the law enforcement officer that spoke to Dissent about their leaked voter file.
Based on the voter count and some of the records, the database appears to be from Nation Builder's 2014 update from February or March, but unless the database owner is contacted and confirms, there's no way to prove that conclusion.
The concern is the potential for abuse. Stalking and the exposure of people who normally don't share their personal information is certainly an issue.
There are other long term issues too. The personal information in this database, including political affiliation, date of birth, could be used to construct a targeted Phishing campaign.
While most people are aware of financially-based Phishing attacks, or those focused on retail or shipping, a targeted list based on politics might have a higher level of success, especially this time of year heading into the 2016 election cycle.
Vickery and Dissent have reached out to federal law enforcement for assistance in locating the database's owner or removing it from public view. In addition, they've contacted the California Attorney General.
At the time this article was written and published, the database was still live.
Such records are exposed at various nodes around the Net and are already used by exclusionist political groups to harass voters.
Colorado registered voters as of 1 November 2015
http://coloradovoters.info/
Try searching your state voter ID number -— that should be specific enough to bring up something where that number exists.
Somebody with political skills should interrogate the database by address to find out how many hundreds of “voters” share the same, small, vacant lot as their “home address.”
With my voting record - FEMA camp here I come.
Seriously tho - you are correct. When I ran for office in California, I was PROVIDED a complete list of Registered Voters in the District, but I believe it is based on Party Affiliation. Only the list for those in one’s party IIRC.
Basically, ANYONE (either of the two uni-parties) can get the complete list easily. Just run nominal candidates in all districts across all parties, even if they are not serious candidates. You get: all the voter names, addresses, AGES (DOB), voter history, etc.
4L
Voters in my area received mail a few years ago showing that an anonymous political organization was aware of their voter information. In light of contemporary political speech, how long before one political group starts burning homes down and murdering its competition?
What is the database URL?
None of this particularly shocking, except that a lot of hard work goes into building a national database so why someone would give it away... almost sounds like an urban legend.
I made a FOIL request to my county board of elections and got a voter download for the town I just moved to. Using it to build a C#/SQL application to turn out the vote, and to help me meet hardcore Conservatives and Republicans in my new town.
All conservatives should be doing this.
Good idea, thanks. Not sure what mine is, but I should be able to find it somewhere around here.
Yep. I’m glad he was! I still don’t think it’d be that hard to find, but I am about to give up.
The most common example, perhaps, is Medicare and Social Security. Become a "beneficiary" and you'll be besieged by tons of unsolicited mail from just about every health care organization and HMO you can think of. And when you turn 50, the Social Security Administration will see to it that you get on the (left- leaning) AARP mailing list.
As government grows, more and more organizations have more and more access to citizens' private information, and the zone of personal privacy shrinks until it becomes non-existent.
What's scary now is the possible ramifications of the HIPPA's requirements for medical record electronic databases.
It's freely available in most states. Just Google "voter lookup" for your home county. The big deal being made is that this database aggregates all the local records into one. It's actually no big deal.
This.
The same people freaking out over this would freak out if they knew a local company used to deliver a big book to your doorstep with all of the city residents' names, telephone numbers, and home addresses.
Looks real similar to the data they are accumulating:
http://nationbuilder.com/people_api
And they offer:
Free access to the registered voters in your district
Get a CSV file of your district for free
http://nationbuilder.com/voter_file
Oh man....
They gotta find out where this came from...
191 million is pretty much all voting records I would guess.
I have a schematic of hippa privacy.
There is no privacy from the government under hippa
If you know how the voting records for each state are "coded" ... yes, you should be able to figure that out.
Back between 1993 and 1996 I did quite a bit of political consulting and had access to the voter lists here in Illinois. When I say "access" I mean I had the entire database of every voter in Illinois, along with their voting history.
I could look up anyone and see whether or not they voted in a particular race, and how they voted (which party, which candidates, etc..) because I also had the database mapping of what each column meant for each voter.
One of the things I did back then was to sort and print what are called "walking lists" which are used by campaign workers who go door to door around election time and ask you to vote for a specific candidate.
Every campaign worker for campaigns I consulted with would know who you were BY NAME, your political affiliation and whether or not / how you voted in the last x number of elections before they ever rang your doorbell.
Obviously, those voters with histories of voting straight party line every time AGAINST YOUR PARTY, smart campaigns/campaign workers would knowingly avoid so as not to get into a confrontation. Voters with a history of voting FOR your party/candidate they'd focus on reminding you to get out and vote, and thank you for voting. Those with mixed voting records would get the "would you consider voting for our candidate based on ......" approach.
So as long as you know what each column of information means for each voter, and that database identifies voters BY STATE, one could easily conceivably determine who's voted multiple times in an election --- assuming that information made it into the database in the first place. There are scenario's I can think of where multiple ballots would be counted for the same person, but that information not make it into a state database (seen that happen here in Illinois.)
Anyone find a link to the database mentioned in this article? I haven't finished reading it yet, and I'd sure like to get a copy for my own "testing" purposes....
Depends on how the data is stored & laid out. For all we know right now, that 191 million number is simply the number of voting records and not the number of people and their voting records.
Make sense?
bkmk
Been on it since I turned 50, 17 years. Despite the fact I fill their self paid envelopes up with Traitors, you ruined Medicare.
My husband’s late MIL and his late wife still receive them and they have been dead over a decade. They never purge their list.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.