Data Democracy: Is Your Voter Registration Data Safe?

During the peak of primary election season, most active voters are more concerned with the candidates and their stances on key divisive issues. When it comes to election safety, most people gravitate towards thinking about the integrity of the electoral process and the security of the devices involved. In this blog post, I draw your attention slightly to the side of these issues as ask you: what do you know about your voter registration data and its accessibility? Let's dive in.

Voter Registration: Convenience versus Privacy

How often do you need to access your voter registration data? For most, it could be argued that this information is only referenced around key election dates, to check whether or not the registration is still active or to find the assigned voting location for the district that registration is tied to.

I first stumbled upon the accessibility of voter registration data and its variability from state to state when referencing my own records over time. Different local and state governments have different hurdles in place as gatekeepers to the information. The dilemma here is: are those hurdles high enough to protect our data but low enough to still allow us access in a relatively convenient manner?

Example 1: North Carolina

For example, my own voter registration record in the state of North Carolina. The criteria in place to pull a record is arguably not even a gatekeeper but rather almost a search function:

Search results already provide some contextualizing information, such as the county the voter is registered in as well as the city, state, and ZIP code associated with that registration.

Clicking on the record discloses the voter's registered address along with other information highlighted in the image below.

Positives:

• Convenience

Negatives:

• Low threshold for successful searches (only requires first and last name)

• Volunteers a plethora of information that can be used as pivots in building a profile of the person in question

Example 2: Solano County, California

Some voter databases make it slightly more difficult to access the information and are more restrictive with the data they return. In the case of Solano County, California, the person querying needs to provide the street number associated with the registered address, the zip code, and the person's date of birth. Let's say you have the first two, but don't have the last, like in the picture below:

There are no rate-limiting or brute-forcing mitigations on the site, so technically one could cycle through birth dates as many times as necessary to find the voter entry. In this case scenario, I've searched someone I know lives in the county. I have their address and I know they were born in January and what year, but I don't know the date. I cycle through dates in January until I not only deduce their date of birth through brute forcing, but also get their party affiliation:

Positives:

• Convenient to access own information

• Mild gatekeeping; requires research if you're not the voter

• Returns limited information on the voter

Negatives:

• Data required is searchable or brute-forceable

• Rate-limiting not implemented

Example 3: California

We dove into Solano County, but what about the state of California? Here, the bar is a bit higher:

In order to find an exact match in the database, the person querying needs to provide at least a driver's license/ID number or the last four of the person's social security number. Although these fields are not asterisked, attempts to proceed without entering data in at least one of them results in no progress in the search:

Also, checking the boxes below each of the fields does not permit bypass.

Positives:

• Data required to fulfill search is not easily accessible through open-source searches

• Site encourages best practices when performing benign searches (e.g. "Close your browser...)

Negatives:

• Mild inconvenience, may require you to grab your wallet to fulfill the search for yourself

Example 4: Alabama and Arkansas

If you look at the entries in the National Conference of State Legislatures, it seems like some states really set the bar high when it comes to accessing voter data. Take a look in the cases of Alabama and Arkansas:

Based on the "Who Can Request the Voter File" column, one would presume that the voter data is a bit harder to access. This is unfortunately misleading, as can be seen in the case of both states below:

As you can see, there are no paywalls or higher hurdles in place as it is made to seem according to the entries in the NCSL. Those entries could very well refer to pre-compiled lists of voters; although tedious, anybody could assemble their own list with a bit of research. It took me roughly 10 minutes to find a random entry in the Alabama voter registration database, and all it took was a Google search:

Alright, fine, my data's out there: who cares?

Not everyone experiences privacy paranoia: some folks just accept the status quo and figure their information is already blasted everywhere so why bother fighting this? The thing about voter registration data, like I alluded to earlier in the post, is that if it doesn't offer a social engineer some juicy data right off the bat, it offers a pivot for that person to work off of to gain access to more sensitive data. The information deduced from performing searches for voter registration information can, for example, provide the answers to security questions in place at workplaces, credit card providers, medical providers, among other entities. A date of birth and a county of residence can provide a starting point for collecting information that can snowball into a well-built dossier for a person to leverage in a social engineering campaign.

For reference, state-sponsored campaigns have already been conducted using this public information; Russia and Iran have leveraged the accessibility of voter registrations to perform disinformation campaigns during election season in the United States.

What can I do about this?

The accessibility of voter registration data, as you could probably deduce from the examples provided above, are determined by state legislation. If this is an issue that makes you uncomfortable or you feel warrants change in the state you live in, reach out to the lawmakers in your state. You can find your state representative using the search function at the US House of Representatives site here.

As not only a mindful citizen but a red teamer that regularly conducts social engineering engagements to assess the security posture of organizations, I encourage you to reflect on the price of convenience when it comes to data privacy. As exemplified in some of the examples provided, the cost of entry does not need to be set impossibly high to add safeguards to your personal information. Data brokerage and the information age has made it painfully simple to build out profiles on vulnerable targets, but any mitigation or checks we can add to getting access to that information chips away at the motivation and maneuverability of a threat actor. Any limitation or even discouragement that can be implemented is an improvement in data privacy and safety.