GOP Data Firm Left The Personal Data Of 198 Million American Voters On Openly-Accessible Amazon Server
from the whoops-a-daisy dept
A GOP data firm has accepted responsibility for leaving the personal data of 198 million Americans (aka: most of the country’s voting populace) openly accessible on an Amazon server in the biggest voter data leak in global history. Deep Root Analytics, the owner of the data, has long been contracted by the Republican National Committee to measure voter opinions on a wide variety of issues, from health care to gun control. As part of their contract with the RNC, the group pulls voter information from a wide variety of sources, ranging from Reddit to the Karl Rove super PAC American Crossroads.
This data, which includes religious affiliation and ethnicity, is then utilized to help craft PR efforts and other messaging, as well as to determine turnout and voter preferences. And, according to analysis of the data and previous profiles of the company like this one over at Ad Age, this firm was hugely influential in getting Donald Trump’s “populist” message out to voters during the last election cycle.
But last week, UpGuard cyber risk analyst Chris Vickery discovered that Deep Root had been storing a massive amount of this data on Amazon servers, publicly accessible via the internet, with absolutely no apparent security precautions whatsoever:
The data repository, an Amazon Web Services S3 bucket, lacked any protection against access. As such, anyone with an internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain: “dra-dw”.
Vickery frequently hunts for misconfigured data sources on behalf of UpGuard’s Cyber Risk Team, often finding everything from military engineering plans to lists of potential terrorists — simply sitting out in the open. Vickery had recently exposed a top defense contractor for doing something similar, albeit on a notably smaller scale. In this instance, the openly-accessible data included names, addresses, birthdates, phone numbers, and troves of stored online user posts, collected over the better part of the last decade:
“Within “data_trust” are two massive stores of personal information collectively representing up to 198 million potential voters. Consisting primarily of two file repositories, a 256 GB folder for the 2008 presidential election and a 233 GB folder for 2012, each containing fifty-one files – one for every state, as well as the District of Columbia. Each file, formatted as a comma separated value (.csv), lists an internal, 32-character alphanumeric “RNC ID” (such as, for example, 530C2598-6EF4-4A56-9A7X-2FCA466FX2E2) used to uniquely identify every potential voter in the database. These RNC IDs uniquely link disparate data sets together, combining dozens of sensitive and personally identifying data points, making it possible to piece together a striking amount of detail on individual Americans specified by name.”
One segment of the files contained modeled data about each individual voter’s likely positions on 46 different issues. Other portions of the data detail whether voters are registered, and whether they are currently on the federal “Do Not Call” list (you may recall that the RNC is currently supporting a proposal that would let them spam your voicemail inbox without your phone ringing). Collectively, this data was collected and used by a massive number of Republican outfits, including Americans for Prosperity, market research firm TargetPoint, Causeway Solutions, and more.
The security faux pas is considered one of the most monumental ever documented in any country. The 198 million American voters exposed by this screw-up dwarfs the previous biggest leak — a leak of the voting data of 93.4 million Mexican citizens — as well as the now-third biggest leak of this kind ever — the exposure of the data of 55 million voters in the Philippines. On the plus side, a statement being provided by Deep Root to the media takes ownership of the screw-up, without too much of the couching you often see after such breaches:
“We have engaged Stroz Friedberg to conduct a thorough review, and that process is underway. Based upon this review we have determined that the access that was made without our knowledge happened because of a change that was made in the files’ asset access protocols. We are in the process of determining how that change was made and take full responsibility for the change, but suffice to say we have updated the settings to prevent further access. We believe the change that was made happened post June 1 2017, which was when we last evaluated and updated our security settings. We do not believe that our systems have been hacked. To date, the only entity that we are aware of that had access to the data was Chris Vickery.”
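The exposure UpGuard describes above, and the “updated the settings” remedy in Deep Root’s statement, both come down to what a bucket’s access configuration actually permits. The following Python is an added example, not code from the article, UpGuard or Deep Root: it audits a bucket policy document for statements that grant anonymous read access and lists which of S3’s four Block Public Access settings are not enabled. The policy documents, bucket names and account ID are constructed for illustration; the policy grammar and the four setting names are AWS’s real ones, but the function names are this example’s own.

```python
"""Audit an S3 bucket policy document for anonymous read grants.

Added example: the policy documents below are constructed for illustration
and are not the configuration described in the article.
"""
import json

# Actions whose anonymous grant exposes object contents or bucket listings.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:GetObject*", "s3:*", "*")

# The four real S3 Block Public Access settings.
BLOCK_PUBLIC_ACCESS_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True if the Principal is the wildcard (anyone, unauthenticated included)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_read_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that let anyone read from the bucket.

    A statement counts when its Effect is Allow, its Principal is anonymous,
    it grants a read action, and no Condition narrows the grant."""
    policy = json.loads(policy_json)
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with Principal "*" are a hardening pattern
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not any(a in READ_ACTIONS for a in _as_list(stmt.get("Action", []))):
            continue
        if stmt.get("Condition"):
            continue  # e.g. limited to a VPC endpoint or source IP range
        found.append(stmt.get("Sid", "<no Sid>"))
    return found


def public_access_block_gaps(config: dict) -> list:
    """Return the Block Public Access settings that are missing or disabled."""
    return [k for k in BLOCK_PUBLIC_ACCESS_KEYS if not config.get(k, False)]


# Constructed "before": a world-readable bucket, the kind of exposure UpGuard found.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-voter-dw", "arn:aws:s3:::example-voter-dw/*"],
    }],
})

# Constructed "after": only a named role may read, and plaintext transport is refused.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AnalystRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/AnalystRole"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-voter-dw", "arn:aws:s3:::example-voter-dw/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-voter-dw", "arn:aws:s3:::example-voter-dw/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    print("weak policy, anonymous read:", public_read_statements(WEAK_POLICY))
    print("hardened policy, anonymous read:", public_read_statements(HARDENED_POLICY))
    print("block-public-access gaps:", public_access_block_gaps({"BlockPublicAcls": True}))
```

The policy check is deliberately conservative: a statement with a Condition is skipped rather than flagged, so a grant limited to a VPC endpoint does not raise a false alarm, while a Deny with Principal “*” (a common hardening statement) is never mistaken for an exposure. In practice the same two functions would be fed the output of the bucket’s policy and public-access-block lookups from the AWS API rather than the constructed documents here.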
Still, it’s not exactly a confidence builder to witness the largest leak of voter data in global history as we’re busy trying to ascertain just how secure our clearly dysfunctional voting systems are to malicious outside influence — and debating the slow-but-steady erosion of consumer privacy protections being spearheaded by the GOP.
Filed Under: chris vickery, gop, online security, privacy, rnc, security, voter data
Companies: deep root
Comments on “GOP Data Firm Left The Personal Data Of 198 Million American Voters On Openly-Accessible Amazon Server”
Remind me again what are the possible problems of amassing huge databases of personal data?
I’m looking at you Googles and Facebooks of the world. Do we really need to collect and store so much data?
Of course they probably have more than cardboard security to offer but it’s still problematic.
Re: Re:
How dare you question their right to profit. How dare you, sir.
Re: Re: Re:
total non sequitur guys…
that data is largely given to them for free by the people that gave it to them.
Re: Re: Re: Re:
which they turn around and sell, thus profit – no?
Re: Re: Re:2 Re:
well of course, but that is not the point here.
Re: Re: Re:3 Re:
really? Do tell…
Re: Re: Re:4 Re:
Another poster just below this one has already done a great job of it.
You are welcome.
Next time, try to figure these things out for yourself, instead of or at least before voting in the next election.
Re: Re: Re: free 'government' data
By name voter registration & political donations records are mandated and made public by the GOVERNMENT.
Government makes it easy for political parties & interest groups to find out who is voting and what their political affiliations are. Mandatory Census data also provides detailed demographic data down to the street/block level. Public government real estate records mandate exact name and address of home owners.
GOP & Democrat Party want to know details of who is in the electorate.
It’s not just a GOP thing (and of course Democrat Party would NEVER let its private computer records be compromised)
Re: Re:
But it’s ok when big corporations do it!
It’s just not ok when the government does it!
Because you know, it’s always a big bad evil government who’s the villain in dys-utopian futures!
Re: Re: Re:
I doubt anyone is saying it is ok at any time or place.
You think the GOP is ‘the government”?
Re: Re: Re:
“Because you know, it’s always a big bad evil government who’s the villain in dys-utopian futures!”
That’s usually because the corporations have co-opted the governments in dystopian futures
Re: Re: Re: Re:
Shadowrunning much?
Let’s just call this “meta-data”. Then it’s ok, right?
Databases like this allow propaganda targeted on the individual level. But since it’s Americans meddling in American elections this is acceptable.
Re: Re:
It also allows you to do things like flood the public comment boxes of the FCC with millions of comments using the names of millions of real people.
Re: Re: Re:
That did not necessarily need unauthorized access to the database.
Re: Re: Re: Re:
It didn’t, but this breach sure would make it easy for anyone to do the same.
Re: Re: Re:2 Re:
breach?
Someone leaving information laying around is not a breach. Unless you are talking about a breach of trust, but if anyone thinks they can trust these guys then perhaps…
Re: Re:
Of course.
“No title of nobility shall be granted by the United States: and no person holding any office of profit or trust under them, shall, without the consent of the Congress, accept of any present, emolument, office, or title, of any kind whatever, from any king, prince, or foreign state.”
https://en.wikipedia.org/wiki/Title_of_Nobility_Clause
Is it really a leak if it’s made of public information? Sure there’s some sweat of the brow to put it all together but it can’t have any legal protection since it’s comprised of facts.
Re: Re:
Just because something is a fact, does not make it public information.
Re: Re: Re:
“Just because something is a fact, does not make it public information.”
It makes it free from copyright. All of the information in this database was from publicly accessible sources so the argument is irrelevant anyway.
Re: Re: Re: Re:
This has nothing to do with copyright…
Re: Re: Re:
No, but the fact that all this information was gathered from other public databases makes a pretty strong argument for this being essentially public data.
Embarrassing, sure. Stupid, absolutely. But there will be a number of people and news outlets calling for legal or financial penalties (including lawsuits, probably) that just aren’t appropriate.
this is just politicians proving that encryption is bad!
Protected Personal Information
Check out what the Code of Federal Regulations at:
https://www.law.cornell.edu/cfr/text/32/701.115
Has to say about a person’s date of birth, home address, home telephone number, etc.
Take note of item e
Re: Protected Personal Information
GOP is not a federal agency.
Typo: “this screw up dwarves the previous biggest leak” should be “dwarfs”.
Putin did it!
How long before Clapper and his ilk declare Putin did this to steal voter records? 5…4…3…2…
There is as yet ZERO evidence establishing that the Russian government has done ANYTHING with regard to the US election.
The ONLY “evidence” of ANY kind was that provided by CrowdStrike re the DNC leaks – and that was utter crap, thoroughly debunked as proving nothing by a company whose head is an Atlantic Council member with close ties to Ukraine.
Re: Putin did it!
Whoh whoh whoh. You are days late for Russian Troll Day. Sorry Comrade.
This is an exposure of (1) public information on voter rolls and (2) privately compiled information about voter opinions that was willingly provided. No credit cards, SSNs, etc. So it was stupid but not illegal.
Is there anything you can’t get from Amazon?
I have no major problem with businesses trying to get revenue through ads. I do object to personal data being collected, sold on and combined with other datasets.
People don’t understand how powerful large personal datasets are.
It may start as lists of music you listened to, tv shows you watched, stuff you bought, sites you visited and contact lists, but you can infer all sorts of other things from it, including health, relationship status, religion, voting intentions, sexual orientation etc. Data you can openly buy is enough to build targeted political propaganda bots and worse.
Governments can then combine all of this with everything government bureaucracies collect, from institutions like schools, courts, prisons, hospitals, tax agencies, police etc.
American surveillance capitalism, and the dirty politics associated with it, is unsustainable and toxic. Europe is leading the way here.