In this era of big data, you never know where your personal information is going to turn up next or who will find it and use it.
It was revealed this week that computer security investigator and “white hat” hacker, Chris Vickery, discovered a freely accessible online database that contains the personal information on people from 191 million U.S. voter records.
The database, which contains millions of voter records from all 50 states, requires no password to access and is openly available to anyone who knows about it.
Personal information that can be found in the database includes – full names, residential addresses, mailing addresses, voter IDs, date of birth, gender, race, age, phone numbers, political affiliation and specific voting history for every election since the year 2000.
The database contains over 17 million voter records in the state of California alone. California is one of the few states that puts strict limits on how voter records an be accessed and used. California’s e-crime division is currently investigating the issue.
It is still not clear who is responsible for the database; how long it has been available online; how much of the information has been accessed or how many people may have searched the records in it.
The open voter data is reportedly stored on a public server in a MongoDB database that was poorly configured and doesn’t require a password to access. It was likely set up by political pollsters, consultants or a campaign for their own use.
The information found in the database has led some to speculate that the data itself may have come from NationBuilder. NationBuilder is a company that collects personal information on people and then offers it to political campaigns, academia, nonprofit organizations and governments.
Some unique codes found on the renegade database are like the ones used in NationBuilder’s data set.
NationBuilder’s CEO, Jim Gilliam, stated that his company was not responsible for the database, but acknowledged that it was possible that some of the voter records and personal information found in the database came from his company.
Big data aggregators like NationBuilder buy personal information and public records like voter registrations from state and county governments and then resell it to their clients.
Personal data collectors like NationBuilder are not required to identify their customers and have no control over the data once it is bought by a client.
Unlike private sector businesses, there are no laws that regulate the use and protection of personal information by political campaigns. Political campaigns are mostly free from the data privacy and communication laws that regulate businesses.
So far, no organization has come forward to claim ownership of the IP address or voter database in question. What’s more, data security experts are not even sure which federal department or agency would have oversight and enforcement powers over a political campaign that mishandled voter information in this way.
The U.S. Federal Election Commission does not oversee the regulation and handling of voter information. Each state is responsible for regulating their own voter records and different states have different laws on how voter records can be accessed and used.
With a few exceptions, most states consider voter records to fall in the public record domain.
In states like Ohio, voter records are publicly available and searchable online. In Colorado, Alaska and Arkansas the use of voter information is largely unregulated. However, states like California are much more restrictive with the ways that voter information can be accessed and used.
One of the big concerns about this voter database is that the personal details it contains could be used by online scammers for a political phishing campaign to obtain money and financial information from people.