The recent news that a conservative data analytics firm left 198 million voter records unsecured online for nearly two weeks should give every American pause, particularly at a time when intelligence officials say the Russian government actively seeks to undermine American elections.
This particular breach, discovered by researcher Chris Vickery, exposed 1.1 terabytes of personal information compiled by Deep Root Analytics, a company that analyzes not just basic data like names and addresses, but also scores how particular voters feel about a range of political issues, from gun control to offshoring in the auto industry. Vickery’s discovery illustrates how poorly organizations safeguard sensitive information. But it also shows just how much information those groups have access to–and raises serious questions about what a nefarious actor could do with it. Perhaps the scariest part though is how much of this information already exists in the public domain.
Since November, suspicion has mounted about whether the Trump campaign somehow colluded with Russian actors to influence American voters. More recently, members of the House and Senate have wondered aloud and in secret whether the Trump data operation, run by the firm Cambridge Analytica, somehow fed information on which voters were most persuadable to the Russians. CNN reported just last week, in fact, that the House’s Russia investigators want to call Trump’s former digital director Brad Parscale to testify. (Parscale told the Wall Street Journal he has received no such invitation).
These questions have not amounted to anything beyond speculation. And yet, Vickery’s discovery serves as a sober reminder that deeply personal information on the American electorate is already all too easy to find. In this particular case, Deep Root Analytics says a change in its security settings made the database publicly accessible for 12 days, beginning June 1.
It sounds scary, and it’s certainly not ideal. But surprisingly enough, much of that data already lives in the public domain, making it relatively simple for anyone with bad intentions to weaponize it, exposed database or not.
“For an outside actor, with a big list of names and addresses and political scores? You could act like a super PAC and target their voters with messaging and misinformation,” says Michael Slaby, former chief innovation officer for President Obama’s 2012 campaign. “But you could pretty much do that without all this.”
It’s true. In some states, like Ohio, you can, right at this very moment, download the names and addresses of every voter at the state, county, and congressional-district level. Social media platforms like Facebook and Twitter make it easy to target ads to people within that voter file, and to create audiences based on how Facebook understands their preferences.
Of course, advertising on Facebook creates the kind of paper trail that bad actors would probably like to avoid, which makes the likelihood of Russians buying targeted ads to spread misinformation on Facebook seem even less plausible. “Even if Russia had the data, I’ve never heard of a way where you can target voters without a paid political ad,” said one Republican digital strategist.
That’s not to say you shouldn’t find Deep Root’s breach deeply troubling. Several Republican data operatives who agreed to speak on the condition of anonymity described the breach as alternatively “baffling,” “bullshit,” and “everybody’s worst nightmare.” Yes, the treasure trove of information Vickery unearthed included the most basic details, compiled by the Republican vendor Data Trust. But it also revealed what data experts consider their special sauce: the scores they assign each voter based on that person’s feelings about a given political issue. In this case, those scores were generated by another vendor working with the Republican National Committee called TargetPoint.
Data companies base those scores on so-called “hard identifications,” political lingo for the information campaigns gleaned from door knocks, phone calls, surveys, and other voter contacts. That can include anything from emails to a person’s candidate preference to their thoughts on a battery of political issues. Data firms then take those tidy details and use them to build models that predict how similar voters might feel about a given candidate or issue. Though Vickery didn’t access the models themselves, he did find a mass of voter scores that were relatively easy to understand, and free for the taking.
“The purpose of modeling is to figure out who to talk to and what to say to them,” one Republican data operative said. “This kind of takes the work out of it.”
Given that Deep Root’s data only sat exposed after the election, and for a temporary period at that, it wouldn’t have been used to improperly impact the 2016 campaign. Still, it’s unclear who besides Vickery may have accessed the information for future use. In response to a question about whether Deep Root had enabled Amazon CloudTrail, which would have tracked any APIs that accessed the database during that period, a Deep Root spokesperson said the company had hired the cybersecurity firm Stroz Friedburg to investigate the breach.
For technologists who have worked in politics, this lapse on Deep Root’s part is troubling, but not altogether surprising, given the hasty nature of so many campaigns. “People come at it with a need for speed,” said one GOP operative. “In some cases, without having the background in security, they cut corners.”
That’s true for both Republicans and Democrats, who, of course, had their fair share of security nightmares to deal with over the last year. All of it amounts to a political system that needs to devote at least as much energy into securing its systems as it does into securing votes. At this point, there’s no saying they weren’t warned.