In June 2017, a spreadsheet containing personal information for more than 198 million U.S. voters was publicly accessible online for a 12-day period, effectively leaking private information to anyone who looked.
The data was compiled by Deep Root Analytics, one of three data collection companies hired by the Republican National Committee (although it was paid $983,000 through a subsidiary, Needle Drop). The RNC contracted with the company during the 2016 election season, and the leak was reportedly discovered by cyber security expert Chris Vickery. The files contained information on not only GOP voters but supporters of the Democratic Party and registered independents.
The company said in a statement that it did not believe that its servers had been hacked, but took “full responsibility” for the lapse in security:
Deep Root Analytics builds voter models to help enhance advertiser understanding of TV viewership. The data accessed was not built for or used by any specific client. It is our proprietary analysis to help inform local television ad buying.
The data that was accessed was, to the best of our knowledge proprietary information as well as voter data that is publicly available and readily provided by state government offices. Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access. We take full responsibility for this situation.
The information was apparently discovered on an Amazon-owned cloud server that did not require a password for access, meaning that anyone who knew the web address could read it. The data inside also reportedly contained information gathered by the political action groups Americans for Prosperity and The Data Trust, as well as another private company, The Kantar Group. The RNC paid The Data Trust $6.2 million in 2016, for what was described as an “exclusive list-sharing agreement.”
Kantar Media said in a statement:
Any Kantar Media data that may have been accessed from the files of Deep Root Analytics would have been information on political campaigns’ ad expenditures, ad occurrences and ad creatives. This is the same syndicated data we supply to many clients on both the media buyer and media seller sides, as well as to journalists. It does not include voter information.
Connor Quintin, a security researcher for the Electronic Frontier Foundation, says that it was fortunate for involved voters that Vickery — who works for the security firm UpGuard — came across the exposed data:
You hear about “Big Data” all the time. This is what “Big Data” means. Much of the time, it means personal data about a large number of people. If that data is in the wrong hands, it can be extremely bad. Whether or not this company is “the wrong hands,” that’s up to peoples’ personal judgement.
Quintin pointed out that voter rolls in many states are already public. But the incident, he says, shows how easy it is to lose control of data collections like the one Deep Root had amassed:
You don’t need to be hacked. You might just mess it up and accidentally make it publicly available.
Jeffrey Chester, executive director for the consumer protection group the Center for Digital Democracy, calls the exposure of the data “a cyber disaster waiting in the wings” because groups like Deep Root are “engorging” themselves on voters’ information:
This is just the tip of the iceberg. Our political information is available for sale by the data broker industry, used by Facebook and Comcast and the political parties. But now others have it as well.
Chester also says that the lapse in security illustrates the need for laws stopping the use of political information without written consent from the individual:
You need federal privacy legislation that slows down this cancer that we have unleashed where all of our lives are subjected to this intense, expansive surveillance of one’s environment. And we need special rules for how political parties and campaigns can use this data in the first place. This is not just about how you voted. this is really about who you are — what your concerns are, what your fears are, how much money you have, are you looking for a loan, are you in debt for a car, are you concerned about cancer. It’s highly personal information.
Attempts to reach the RNC, Americans for Prosperity, The Data Trust, and the Democratic National Committee for comment prior to publication were unsuccessful.
Added a statement from Kantar Media.