GOP Data Firm Left The Personal Data Of 198 Million American Voters On Openly-Accessible Amazon Server
from the whoops-a-daisy dept
A GOP data firm has accepted responsibility for leaving the personal data of 198 million Americans (aka: most of the country's voting populace) openly accessible on an Amazon server in the biggest voter data leak in global history. Deep Root Analytics, the owner of the data, has long been contracted by the Republican National Committee to measure voter opinions on a wide variety of issues, from health care to gun control. As part of their contract with the RNC, the group pulls voter information from a wide variety of sources, ranging from Reddit to the Karl Rove super PAC American Crossroads.
This data, which includes religious affiliation and ethnicity, is then utilized to help craft PR efforts and other messaging, as well as to determine turnout and voter preferences. And, according to analysis of the data and previous profiles of the company like this one over at Ad Age, this firm was hugely influential in getting Donald Trump's "populist" message out to voters during the last election cycle.
But last week, UpGuard cyber risk analyst Chris Vickery discovered that Deep Root had been storing a massive amount of this data on Amazon servers, publicly accessible via the internet, with absolutely no apparent security precautions whatsoever:
The data repository, an Amazon Web Services S3 bucket, lacked any protection against access. As such, anyone with an internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain: “dra-dw”.
Vickery frequently hunts for misconfigured data sources on behalf of UpGuard's Cyber Risk Team, often finding everything from military engineering plans to lists of potential terrorists -- simply sitting out in the open. Vickery had recently exposed a top defense contractor for doing something similar, albeit on a notably smaller scale. In this instance, the openly-accessible data included names, addresses, birthdates, phone numbers, troves of stored online user posts, collected over the better part of the last decade:
"Within “data_trust” are two massive stores of personal information collectively representing up to 198 million potential voters. Consisting primarily of two file repositories, a 256 GB folder for the 2008 presidential election and a 233 GB folder for 2012, each containing fifty-one files - one for every state, as well as the District of Columbia. Each file, formatted as a comma separated value (.csv), lists an internal, 32-character alphanumeric “RNC ID”—such as, for example, 530C2598-6EF4-4A56-9A7X-2FCA466FX2E2—used to uniquely identify every potential voter in the database. These RNC IDS uniquely link disparate data sets together, combining dozens of sensitive and personally identifying data points, making it possible to piece together a striking amount of detail on individual Americans specified by name."
One segment of the files contained modeled data about each individual voter's likely positions on 46 different issues. Other portions of the data detail whether voters are registered, and whether they are currently on the federal "Do Not Call" list (you may recall that the RNC is currently supporting a proposal that would let them spam your voicemail inbox without your phone ringing). Collectively, this data was collected and used by a massive number of Republican outfits, including Americans for Prosperity, market research firm TargetPoint, Causeway Solutions, and more.
The security faux pas is considered one of the most monumental ever documented in any country. The 198 million American voters exposed by this screw up dwarves the previous biggest leak -- a leak of the voting data of 93.4 million Mexican citizens -- as well as the now-third biggest leak of this kind ever -- the exposure of the data of 55 million voters in the Philippines. On the plus side, a statement being provided by Deep Root to the media takes ownership of the screw up, without too much of the couching you often see after such breaches:
"We have engaged Stroz Freidberg to conduct a thorough review, and that process is underway. Based upon this review we have determined that the access that was made without our knowledge happened because of a change that was made in the files’ asset access protocols. We are in the process of determining how that change was made and take full responsibility for the change, but suffice to say we have updated the settings to prevent further access. We believe the change that was made happened post June 1 2017, which was when we last evaluated and updated our security settings. We do not believe that our systems have been hacked. To date, the only entity that we are aware of that had access to the data was Chris Vickery."
Still, it's not exactly a confidence builder to witness the largest leak of voter data in global history as we're busy trying to ascertain just how secure our clearly dysfunctional voting systems are to malicious outside influence -- and debating the slow-but-steady erosion of consumer privacy protections being spearheaded by the GOP.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: chris vickery, gop, online security, privacy, rnc, security, voter data
Companies: deep root
Reader Comments
Subscribe: RSS
View by: Time | Thread
I'm looking at you Googles and Facebooks of the world. Do we really need to collect and store so much data?
Of course they probably have more than cardboard security to offer but it's still problematic.
[ link to this | view in chronology ]
Re:
How dare you question their right to profit. How dare you, sir.
[ link to this | view in chronology ]
Re: Re:
that data is largely given to them for free by the people that gave it to them.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
You are welcome.
Next time, try to figure these things out for yourself, instead of or at least before voting in the next election.
[ link to this | view in chronology ]
Re: free 'government' data
Government makes it easy for political parties & interest groups to find out who is voting and what their political affiliations are. Mandatory Census data also provides detailed demographic data down to the street/block level. Public government real estate records mandate exact name and address of home owners.
GOP & Democrat Party want to know details of who is in the electorate.
It's not just a GOP thing (and of course Democrat Party would NEVER let its private computer records be compromised)
[ link to this | view in chronology ]
Re:
It's just not ok when the government does it!
Because you know, it's always a big bad evil government who's the villain in dys-utopian futures!
[ link to this | view in chronology ]
Re: Re:
You think the GOP is 'the government"?
[ link to this | view in chronology ]
Re: Re:
That's usually because the corporations have co-opted the governments in dystopian futures
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
Someone leaving information laying around is not a breach. Unless you are talking about a breach of trust, but if anyone thinks they can trust these guys then perhaps...
[ link to this | view in chronology ]
Re:
"No title of nobility shall be granted by the United States: and no person holding any office of profit or trust under them, shall, without the consent of the Congress, accept of any present, emolument, office, or title, of any kind whatever, from any king, prince, or foreign state."
https://en.wikipedia.org/wiki/Title_of_Nobility_Clause
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
It makes it free from copyright. All of the information in this database was from publicly accessible sources so the argument is irrelevant anyway.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
Embarrassing, sure. Stupid, absolutely. But there will be a number of people and news outlets calling for legal or financial penalties (including lawsuits, probably) that just aren't appropriate.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Protected Personal Information
https://www.law.cornell.edu/cfr/text/32/701.115
Has to say about a persons date of birth, home address, home telephone number, etc.
Take note of item e
[ link to this | view in chronology ]
Re: Protected Personal Information
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Putin did it!
There is as yet ZERO evidence establishing that the Russian government has done ANYTHING with regard to the US election.
The ONLY "evidence" of ANY kind was that provided by CrowdStrike re the DNC leaks - and that was utter crap, thoroughly debunked as proving nothing by a company whose head is an Atlantic Council member with close ties to Ukraine.
[ link to this | view in chronology ]
Re: Putin did it!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
People don't understand how powerful large personal datasets are.
It may start as a lists of music you listened to, tv shows you watched, stuff you bought, sites you visited and contact lists, but you can infer all sorts of other things from it, including health, relationship status, religion, voting intentions, sexual orientation etc. Data you can openly buy is enough to build targeted political propaganda bots and worse.
https://www.techdirt.com/articles/20170619/07021037612/gop-data-firm-left-personal-data-198-mi llion-american-voters-openly-accessible-amazon-server.shtml
Governments can then combine all of this with everything government bureaucracies collect, from institutions like schools, courts, prisons, hospitals, tax agencies, police etc.
American surveillance capitalism, and the dirty politics associated with it, is unsustainable and toxic. Europe is leading the way here.
[ link to this | view in chronology ]