GOP Data Firm Left The Personal Data Of 198 Million American Voters On Openly-Accessible Amazon Server

from the whoops-a-daisy dept

A GOP data firm has accepted responsibility for leaving the personal data of 198 million Americans (aka: most of the country's voting populace) openly accessible on an Amazon server in the biggest voter data leak in global history. Deep Root Analytics, the owner of the data, has long been contracted by the Republican National Committee to measure voter opinions on a wide variety of issues, from health care to gun control. As part of their contract with the RNC, the group pulls voter information from a wide variety of sources, ranging from Reddit to the Karl Rove super PAC American Crossroads.

This data, which includes religious affiliation and ethnicity, is then utilized to help craft PR efforts and other messaging, as well as to determine turnout and voter preferences. And, according to analysis of the data and previous profiles of the company like this one over at Ad Age, this firm was hugely influential in getting Donald Trump's "populist" message out to voters during the last election cycle.

But last week, UpGuard cyber risk analyst Chris Vickery discovered that Deep Root had been storing a massive amount of this data on Amazon servers, publicly accessible via the internet, with absolutely no apparent security precautions whatsoever:

The data repository, an Amazon Web Services S3 bucket, lacked any protection against access. As such, anyone with an internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain: “dra-dw”.
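The check a bucket owner would run to catch the kind of exposure UpGuard describes, added here as an example rather than code from the article, UpGuard or Deep Root: it reads the ACL and bucket-policy documents in the shape boto3's get_bucket_acl() and get_bucket_policy() return (an assumption; the inputs below are constructed and no AWS call is made) and reports every grant that reaches everyone on the internet or any AWS account holder.

```python
import json

# ACL grantee URIs that make a grant readable by anyone on the internet or by
# any AWS account holder; either one is "public" for a store of voter records.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (grantee URI, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings

def _is_wildcard_principal(principal):
    # The short form "*" and {"AWS": "*"} (or a list containing "*") both mean anonymous.
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def public_policy_statements(policy):
    """Return (Sid, 'public' | 'conditional') for each Allow statement whose
    Principal is a wildcard. A Condition block may still restrict such a statement
    (e.g. to one VPC endpoint), so those are flagged for review rather than skipped."""
    if isinstance(policy, str):  # get_bucket_policy() hands back the document as a string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement need not be wrapped in a list
        statements = [statements]
    return [(s.get("Sid", "<no Sid>"), "conditional" if s.get("Condition") else "public")
            for s in statements
            if s.get("Effect") == "Allow" and _is_wildcard_principal(s.get("Principal"))]

# Constructed sample inputs (not Deep Root's real configuration): an ACL carrying a
# world-READ grant, and a policy that lets anyone call GetObject on every key.
SAMPLE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnonRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/team"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Run against the two samples it reports the AllUsers READ grant and the AnonRead statement; accounts today should additionally enable S3 Block Public Access, which overrides grants like these no matter what the ACL or policy says.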

Vickery frequently hunts for misconfigured data sources on behalf of UpGuard's Cyber Risk Team, often finding everything from military engineering plans to lists of potential terrorists -- simply sitting out in the open. Vickery had recently exposed a top defense contractor for doing something similar, albeit on a notably smaller scale. In this instance, the openly-accessible data included names, addresses, birthdates, phone numbers and troves of stored online user posts, all collected over the better part of the last decade:

"Within “data_trust” are two massive stores of personal information collectively representing up to 198 million potential voters. Consisting primarily of two file repositories, a 256 GB folder for the 2008 presidential election and a 233 GB folder for 2012, each containing fifty-one files - one for every state, as well as the District of Columbia. Each file, formatted as a comma separated value (.csv), lists an internal, 32-character alphanumeric “RNC ID”—such as, for example, 530C2598-6EF4-4A56-9A7X-2FCA466FX2E2—used to uniquely identify every potential voter in the database. These RNC IDS uniquely link disparate data sets together, combining dozens of sensitive and personally identifying data points, making it possible to piece together a striking amount of detail on individual Americans specified by name."

One segment of the files contained modeled data about each individual voter's likely positions on 46 different issues. Other portions of the data detail whether voters are registered, and whether they are currently on the federal "Do Not Call" list (you may recall that the RNC is currently supporting a proposal that would let them spam your voicemail inbox without your phone ringing). Collectively, this data was collected and used by a massive number of Republican outfits, including Americans for Prosperity, market research firm TargetPoint, Causeway Solutions, and more.

The security faux pas is considered one of the most monumental ever documented in any country. The exposure of 198 million American voters by this screw-up dwarfs the previous biggest leak -- the voting data of 93.4 million Mexican citizens -- as well as the now-third-biggest leak of this kind ever -- the exposure of the data of 55 million voters in the Philippines. On the plus side, the statement Deep Root provided to the media takes ownership of the screw-up, without too much of the couching you often see after such breaches:

"We have engaged Stroz Friedberg to conduct a thorough review, and that process is underway. Based upon this review we have determined that the access that was made without our knowledge happened because of a change that was made in the files’ asset access protocols. We are in the process of determining how that change was made and take full responsibility for the change, but suffice to say we have updated the settings to prevent further access. We believe the change that was made happened post June 1 2017, which was when we last evaluated and updated our security settings. We do not believe that our systems have been hacked. To date, the only entity that we are aware of that had access to the data was Chris Vickery."

Still, it's not exactly a confidence builder to witness the largest leak of voter data in global history as we're busy trying to ascertain just how secure our clearly dysfunctional voting systems are to malicious outside influence -- and debating the slow-but-steady erosion of consumer privacy protections being spearheaded by the GOP.


Reader Comments


  • Ninja (profile), 19 Jun 2017 @ 10:55am

    Remind me again what are the possible problems of amassing huge databases of personal data?

    I'm looking at you, Googles and Facebooks of the world. Do we really need to collect and store so much data?

    Of course they probably have more than cardboard security to offer, but it's still problematic.

    • Anonymous Coward, 19 Jun 2017 @ 11:04am

      Re:

      How dare you question their right to profit. How dare you, sir.

      • Anonymous Coward, 19 Jun 2017 @ 11:47am

        Re: Re:

        total non sequitur guys...

        that data is largely given to them for free by the people that gave it to them.

        • Anonymous Coward, 19 Jun 2017 @ 12:30pm

          Re: Re: Re:

          which they turn around and sell, thus profit - no?

        • Anonymous Coward, 19 Jun 2017 @ 12:54pm

          Re: free 'government' data

          By-name voter registration & political donation records are mandated and made public by the GOVERNMENT.

          Government makes it easy for political parties & interest groups to find out who is voting and what their political affiliations are. Mandatory Census data also provides detailed demographic data down to the street/block level. Public government real estate records mandate the exact name and address of home owners.

          GOP & Democrat Party want to know details of who is in the electorate.
          It's not just a GOP thing (and of course the Democrat Party would NEVER let its private computer records be compromised).

    • ShadowNinja (profile), 19 Jun 2017 @ 11:52am

      Re:

      But it's ok when big corporations do it!

      It's just not ok when the government does it!

      Because you know, it's always a big bad evil government who's the villain in dystopian futures!

  • Michael, 19 Jun 2017 @ 10:57am

    Let's just call this "meta-data". Then it's ok, right?

  • Anonymous Coward, 19 Jun 2017 @ 11:21am

    Databases like this allow propaganda targeted on the individual level. But since it's Americans meddling in American elections this is acceptable.

    • Anonymous Coward, 19 Jun 2017 @ 11:23am

      Re:

      It also allows you to do things like flood the public comment boxes of the FCC with millions of comments using the names of millions of real people.

      • Anonymous Coward, 19 Jun 2017 @ 11:32am

        Re: Re:

        That did not necessarily need unauthorized access to the database.

        • Anonymous Coward, 19 Jun 2017 @ 11:37am

          Re: Re: Re:

          It didn't, but this breach sure would make it easy for anyone to do the same.

          • Anonymous Coward, 19 Jun 2017 @ 11:50am

            Re: Re: Re: Re:

            breach?

            Someone leaving information lying around is not a breach. Unless you are talking about a breach of trust, but if anyone thinks they can trust these guys then perhaps...

    • Baron von Robber, 19 Jun 2017 @ 11:25am

      Re:

      Of course.

      "No title of nobility shall be granted by the United States: and no person holding any office of profit or trust under them, shall, without the consent of the Congress, accept of any present, emolument, office, or title, of any kind whatever, from any king, prince, or foreign state."
      https://en.wikipedia.org/wiki/Title_of_Nobility_Clause

  • Anonymous Coward, 19 Jun 2017 @ 11:30am

    Is it really a leak if it's made of public information? Sure, there's some sweat of the brow to put it all together, but it can't have any legal protection since it's comprised of facts.

    • Michael, 19 Jun 2017 @ 11:36am

      Re:

      Just because something is a fact, does not make it public information.

      • Anonymous Coward, 19 Jun 2017 @ 11:40am

        Re: Re:

        "Just because something is a fact, does not make it public information."

        It makes it free from copyright. All of the information in this database was from publicly accessible sources so the argument is irrelevant anyway.

      • AC (profile), 19 Jun 2017 @ 2:34pm

        Re: Re:

        No, but the fact that all this information was gathered from other public databases makes a pretty strong argument for this being essentially public data.

        Embarrassing, sure. Stupid, absolutely. But there will be a number of people and news outlets calling for legal or financial penalties (including lawsuits, probably) that just aren't appropriate.

  • Ryunosuke (profile), 19 Jun 2017 @ 11:30am

    this is just politicians proving that encryption is bad!

  • Anonymous Coward, 19 Jun 2017 @ 12:00pm

    Protected Personal Information

    Check out what the Code of Federal Regulations at:
    https://www.law.cornell.edu/cfr/text/32/701.115

    has to say about a person's date of birth, home address, home telephone number, etc.

    Take note of item e

  • Anonymous Coward, 19 Jun 2017 @ 12:44pm

    Typo: "this screw up dwarves the previous biggest leak" should be "dwarfs".

  • Richard Hack (profile), 19 Jun 2017 @ 2:38pm

    Putin did it!

    How long before Clapper and his ilk declare Putin did this to steal voter records? 5...4...3...2...

    There is as yet ZERO evidence establishing that the Russian government has done ANYTHING with regard to the US election.

    The ONLY "evidence" of ANY kind was that provided by CrowdStrike re the DNC leaks - and that was utter crap, thoroughly debunked as proving nothing by a company whose head is an Atlantic Council member with close ties to Ukraine.

  • Anonymous Coward, 19 Jun 2017 @ 2:40pm

    This is an exposure of (1) public information on voter rolls and (2) privately compiled information about voter opinions that was willingly provided. No credit cards, SSNs, etc. So it was stupid but not illegal.

  • Anonymous Coward, 19 Jun 2017 @ 5:18pm

    Is there anything you can't get from Amazon?

  • Anonymous Coward, 30 Oct 2017 @ 1:24pm

    I have no major problem with businesses trying to get revenue through ads. I do object to personal data being collected, sold on and combined with other datasets.

    People don't understand how powerful large personal datasets are.

    It may start as a list of music you listened to, TV shows you watched, stuff you bought, sites you visited and contact lists, but you can infer all sorts of other things from it, including health, relationship status, religion, voting intentions, sexual orientation etc. Data you can openly buy is enough to build targeted political propaganda bots and worse.

    https://www.techdirt.com/articles/20170619/07021037612/gop-data-firm-left-personal-data-198-million-american-voters-openly-accessible-amazon-server.shtml

    Governments can then combine all of this with everything government bureaucracies collect, from institutions like schools, courts, prisons, hospitals, tax agencies, police etc.

    American surveillance capitalism, and the dirty politics associated with it, is unsustainable and toxic. Europe is leading the way here.

