GOP Data Firm Left The Personal Data Of 198 Million American Voters On Openly-Accessible Amazon Server

from the whoops-a-daisy dept

A GOP data firm has accepted responsibility for leaving the personal data of 198 million Americans (aka: most of the country's voting populace) openly accessible on an Amazon server in the biggest voter data leak in global history. Deep Root Analytics, the owner of the data, has long been contracted by the Republican National Committee to measure voter opinions on a wide variety of issues, from health care to gun control. As part of their contract with the RNC, the group pulls voter information from a wide variety of sources, ranging from Reddit to the Karl Rove super PAC American Crossroads.

This data, which includes religious affiliation and ethnicity, is then utilized to help craft PR efforts and other messaging, as well as to determine turnout and voter preferences. And, according to analysis of the data and previous profiles of the company like this one over at Ad Age, this firm was hugely influential in getting Donald Trump's "populist" message out to voters during the last election cycle.

But last week, UpGuard cyber risk analyst Chris Vickery discovered that Deep Root had been storing a massive amount of this data on Amazon servers, publicly accessible via the internet, with absolutely no apparent security precautions whatsoever:

The data repository, an Amazon Web Services S3 bucket, lacked any protection against access. As such, anyone with an internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain: “dra-dw”.

Vickery frequently hunts for misconfigured data sources on behalf of UpGuard's Cyber Risk Team, often finding everything from military engineering plans to lists of potential terrorists -- simply sitting out in the open. Vickery had recently exposed a top defense contractor for doing something similar, albeit on a notably smaller scale. In this instance, the openly-accessible data included names, addresses, birthdates, phone numbers, troves of stored online user posts, collected over the better part of the last decade:

"Within “data_trust” are two massive stores of personal information collectively representing up to 198 million potential voters. Consisting primarily of two file repositories, a 256 GB folder for the 2008 presidential election and a 233 GB folder for 2012, each containing fifty-one files - one for every state, as well as the District of Columbia. Each file, formatted as a comma separated value (.csv), lists an internal, 32-character alphanumeric “RNC ID”—such as, for example, 530C2598-6EF4-4A56-9A7X-2FCA466FX2E2—used to uniquely identify every potential voter in the database. These RNC IDS uniquely link disparate data sets together, combining dozens of sensitive and personally identifying data points, making it possible to piece together a striking amount of detail on individual Americans specified by name."

One segment of the files contained modeled data about each individual voter's likely positions on 46 different issues. Other portions of the data detail whether voters are registered, and whether they are currently on the federal "Do Not Call" list (you may recall that the RNC is currently supporting a proposal that would let them spam your voicemail inbox without your phone ringing). Collectively, this data was collected and used by a massive number of Republican outfits, including Americans for Prosperity, market research firm TargetPoint, Causeway Solutions, and more.

The security faux pas is considered one of the most monumental ever documented in any country. The 198 million American voters exposed by this screw up dwarves the previous biggest leak -- a leak of the voting data of 93.4 million Mexican citizens -- as well as the now-third biggest leak of this kind ever -- the exposure of the data of 55 million voters in the Philippines. On the plus side, a statement being provided by Deep Root to the media takes ownership of the screw up, without too much of the couching you often see after such breaches:

"We have engaged Stroz Freidberg to conduct a thorough review, and that process is underway. Based upon this review we have determined that the access that was made without our knowledge happened because of a change that was made in the files’ asset access protocols. We are in the process of determining how that change was made and take full responsibility for the change, but suffice to say we have updated the settings to prevent further access. We believe the change that was made happened post June 1 2017, which was when we last evaluated and updated our security settings. We do not believe that our systems have been hacked. To date, the only entity that we are aware of that had access to the data was Chris Vickery."

Still, it's not exactly a confidence builder to witness the largest leak of voter data in global history as we're busy trying to ascertain just how secure our clearly dysfunctional voting systems are to malicious outside influence -- and debating the slow-but-steady erosion of consumer privacy protections being spearheaded by the GOP.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: chris vickery, gop, online security, privacy, rnc, security, voter data
Companies: deep root


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Ninja (profile), 19 Jun 2017 @ 10:55am

    Remind me again what are the possible problems of amassing huge databases of personal data?

    I'm looking at you Googles and Facebooks of the world. Do we really need to collect and store so much data?

    Of course they probably have more than cardboard security to offer but it's still problematic.

    link to this | view in thread ]

  2. identicon
    Michael, 19 Jun 2017 @ 10:57am

    Let's just call this "meta-data". Then it's ok, right?

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 19 Jun 2017 @ 11:04am

    Re:

    How dare you question their right to profit. How dare you, sir.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 19 Jun 2017 @ 11:21am

    Databases like this allow propaganda targeted on the individual level. But since it's Americans meddling in American elections this is acceptable.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 19 Jun 2017 @ 11:23am

    Re:

    It also allows you to do things like flood the public comment boxes of the FCC with millions of comments using the names of millions of real people.

    link to this | view in thread ]

  6. identicon
    Baron von Robber, 19 Jun 2017 @ 11:25am

    Re:

    Of course.

    "No title of nobility shall be granted by the United States: and no person holding any office of profit or trust under them, shall, without the consent of the Congress, accept of any present, emolument, office, or title, of any kind whatever, from any king, prince, or foreign state."
    https://en.wikipedia.org/wiki/Title_of_Nobility_Clause

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 19 Jun 2017 @ 11:30am

    Is it really a leak if it's made of public information? Sure there's some sweat of the brow to put it all together but it can't have any legal protection since it's comprised of facts.

    link to this | view in thread ]

  8. icon
    Ryunosuke (profile), 19 Jun 2017 @ 11:30am

    this is just politicians proving that encryption is bad!

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 19 Jun 2017 @ 11:32am

    Re: Re:

    That did not necessarily need unauthorized access to the database.

    link to this | view in thread ]

  10. identicon
    Michael, 19 Jun 2017 @ 11:36am

    Re:

    Just because something is a fact, does not make it public information.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 19 Jun 2017 @ 11:37am

    Re: Re: Re:

    It didn't, but this breach sure would make it easy for anyone to do the same.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 19 Jun 2017 @ 11:40am

    Re: Re:

    "Just because something is a fact, does not make it public information."

    It makes it free from copyright. All of the information in this database was from publicly accessible sources so the argument is irrelevant anyway.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 19 Jun 2017 @ 11:47am

    Re: Re: Re:

    This has nothing to do with copyright...

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 19 Jun 2017 @ 11:47am

    Re: Re:

    total nonsequitor guys...

    that data is largely given to them for free by the people that gave it to them.

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 19 Jun 2017 @ 11:50am

    Re: Re: Re: Re:

    breach?

    Someone leaving information laying around is not a breach. Unless you are talking about a breach of trust, but if anyone thinks they can trust these guys then perhaps...

    link to this | view in thread ]

  16. icon
    ShadowNinja (profile), 19 Jun 2017 @ 11:52am

    Re:

    But it's ok when big corporations do it!

    It's just not ok when the government does it!

    Because you know, it's always a big bad evil government who's the villain in dys-utopian futures!

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 19 Jun 2017 @ 12:00pm

    Protected Personal Information

    Check out what the the Code of Federal Regulations at:
    https://www.law.cornell.edu/cfr/text/32/701.115

    Has to say about a persons date of birth, home address, home telephone number, etc.

    Take note of item e

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 19 Jun 2017 @ 12:30pm

    Re: Re: Re:

    which they turn around and sell, thus profit - no?

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 19 Jun 2017 @ 12:33pm

    Re: Re:

    I doubt anyone is saying it is ok at any time or place.

    You think the GOP is 'the government"?

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 19 Jun 2017 @ 12:44pm

    Typo: "this screw up dwarves the previous biggest leak" should be "dwarfs".

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 19 Jun 2017 @ 12:49pm

    Re: Protected Personal Information

    GOP is not a federal agency.

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 19 Jun 2017 @ 12:54pm

    Re: Re: Re: Re:

    well of course, but that is not the point here.

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 19 Jun 2017 @ 12:54pm

    Re: free 'government' data

    By name voter registration & political donations records are mandated and made public by the GOVERNMENT.

    Government makes it easy for political parties & interest groups to find out who is voting and what their political affiliations are. Mandatory Census data also provides detailed demographic data down to the street/block level. Public government real estate records mandate exact name and address of home owners.

    GOP & Democrat Party want to know details of who is in the electorate.
    It's not just a GOP thing (and of course Democrat Party would NEVER let its private computer records be compromised)

    link to this | view in thread ]

  24. identicon
    Anonymous Coward, 19 Jun 2017 @ 12:58pm

    Re: Re: Re: Re: Re:

    really? Do tell...

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 19 Jun 2017 @ 1:00pm

    Re: Re:

    "Because you know, it's always a big bad evil government who's the villain in dys-utopian futures!"

    That's usually because the corporations have co-opted the governments in dystopian futures

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 19 Jun 2017 @ 1:10pm

    Re: Re: Re: Re: Re: Re:

    Another poster just below this one has already done a great job of it.

    You are welcome.

    Next time, try to figure these things out for yourself, instead of or at least before voting in the next election.

    link to this | view in thread ]

  27. icon
    AC (profile), 19 Jun 2017 @ 2:34pm

    Re: Re:

    No, but the fact that all this information was gathered from other public databases makes a pretty strong argument for this being essentially public data.

    Embarrassing, sure. Stupid, absolutely. But there will be a number of people and news outlets calling for legal or financial penalties (including lawsuits, probably) that just aren't appropriate.

    link to this | view in thread ]

  28. icon
    Richard Hack (profile), 19 Jun 2017 @ 2:38pm

    Putin did it!

    How long before Clapper and his ilk declare Putin did this to steal voter records? 5...4...3...2...

    There is as yet ZERO evidence establishing that the Russian government has done ANYTHING with regard to the US election.

    The ONLY "evidence" of ANY kind was that provided by CrowdStrike re the DNC leaks - and that was utter crap, thoroughly debunked as proving nothing by a company whose head is an Atlantic Council member with close ties to Ukraine.

    link to this | view in thread ]

  29. identicon
    Anonymous Coward, 19 Jun 2017 @ 2:40pm

    This is an exposure of (1) public information on voter rolls and (2) privately compiled information about voter opinions that was willingly provided. No credit cards, SSNs, etc. So it was stupid but not illegal.

    link to this | view in thread ]

  30. identicon
    Anonymous Coward, 19 Jun 2017 @ 3:46pm

    Re: Re: Re:

    Shadowrunning much?

    link to this | view in thread ]

  31. identicon
    Anonymous Coward, 19 Jun 2017 @ 5:18pm

    Is there anything you can't get from Amazon?

    link to this | view in thread ]

  32. identicon
    Anonymous Coward, 19 Jun 2017 @ 6:19pm

    Re: Putin did it!

    Whoh whoh whoh. You are days late for Russian Troll Day. Sorry Comrade.

    link to this | view in thread ]

  33. identicon
    Anonymous Coward, 30 Oct 2017 @ 1:24pm

    I have no major problem with businesses trying to get revenue through ads. I do object to personal data being collected, sold on and combined with other datasets.

    People don't understand how powerful large personal datasets are.

    It may start as a lists of music you listened to, tv shows you watched, stuff you bought, sites you visited and contact lists, but you can infer all sorts of other things from it, including health, relationship status, religion, voting intentions, sexual orientation etc. Data you can openly buy is enough to build targeted political propaganda bots and worse.

    https://www.techdirt.com/articles/20170619/07021037612/gop-data-firm-left-personal-data-198-mi llion-american-voters-openly-accessible-amazon-server.shtml

    Governments can then combine all of this with everything government bureaucracies collect, from institutions like schools, courts, prisons, hospitals, tax agencies, police etc.

    American surveillance capitalism, and the dirty politics associated with it, is unsustainable and toxic. Europe is leading the way here.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.