Some of the Information May Have Never Been Previously Released Publicly Exposed: Vote probabilities modeled for 198 million U.S. voters. (Source: UpGuard)
A data analytics company firm aligned with the Republican Party says it accepts “full responsibility” after it exposed online a list that includes virtually all U.S. voter registration records along with extensive research that attempts to guess how people feel about certain key issues.
The data came from Deep Root Analytics, which describes itself as a predictive media analytics company. Exposed were 198 million voter registration records, which included names, dates of birth, home addresses, phone numbers and registration details.
In a statement, Deep Root Analytics says the data was exposed after access settings were changed on June 1. The data was secured two weeks later.
“We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked,” the company says.
Chris Vickery, a cyber risk analyst with cybersecurity startup UpGuard who has uncovered several major data breaches by scanning the internet, discovered the data, according to an UpGuard blog post. The discovery followed Vickery in December 2015 finding a mysterious database containing 191 million U.S. voter registration records (see 191 Million U.S. Voter Registration Records Exposed?).
The Deep Root Analytics data recently discovered by Vickery was contained in an unsecured Amazon Web Services S3 “bucket,” which is the term for a storage instance on the popular cloud hosting service.
Anyone could have accessed the Amazon bucket by navigating to a subdomain with the letters “dra-dw,” an abbreviation for the Deep Root Analytics Data Warehouse, UpGuard writes. The publicly exposed data amounted to 1.1 terabytes.
Security researchers have warned that configuration and other mistakes by developers could result in sensitive information being exposed online. Using the Shodan search engine, which queries internet-connected devices, it is often possible to figure out if, for example, a database has been left online that doesn’t require a username and password.
“The fact that these confidential files were left on a publicly accessible server should not be a surprise,” says Mike Shultz, CEO of Cybernance, a risk management security firm. “An organization’s greatest threat is usually not an outside attacker, it’s the people inside the organization and their mistakes that are the most frequent offenders.”
What’s the Risk?
Vickery’s findings received substantial media attention on Monday. But whether the leak poses risks from a personal data perspective depends in part on the state where a registered voter lives.
Laws across the 50 U.S. states vary in relation to access and use of voter registration data. All but 11 states allow some public access to electoral roles. All states do, however, allow political parties and candidates to have access to voter registration records.
Wider public access varies. For the states with the fewest restrictions, it’s easy to find current voter registration records online. For example, the site VoterRecords.com claims to hold 50 million registration records from Alaska, Arkansas, Colorado, Connecticut, Delaware, Florida, Michigan, Nevada, North Carolina, Ohio, Oklahoma, Rhode Island, Utah and Washington.
According to that site’s FAQ, its data has been amassed from public sources. The data includes party affiliation, residential and mailing addresses as well as race-related information if a voter has chosen to share that during registration. The Deep Root Analytics’ cache has some of that data as well, UpGuard writes.
Reading Voters’ Minds
What’s perhaps more concerning about Deep Root Analytics’ cache is that the leaked data shows efforts to predict how voters feel about certain issues, as well as guess people’s race and religion.
But this shouldn’t come as a surprise. President Donald Trump’s campaign is believed to have worked with firms that specialize in very detailed profiling of voters. By using publicly available data, the profiles can be used to craft carefully tailored online advertisements that may be more likely to drive voters to back a certain candidate.
The data compiled by Deep Root Analytics also appeared to draw on two other companies that work for Republican interests: TargetPoint Consulting, a digital market and political research consultancy, and The Data Trust, a Washington, D.C., group that collects voter files.
UpGuard says it appears Deep Root Analytics has compiled 9.5 billion data points on 198 million U.S. voters with the aim to guess “their likely political preferences using advanced algorithmic modeling across 48 different categories.
“The result is a database of grand scope and scale, collecting the modeled personal and political preferences of most of the country – adding up to an unsecured political treasure trove of data which was free to download online,” UpGuard contends.
UpGuard also found data fields that read “modeled ethnicity” and “modeled religion,” suggesting that the companies took a stab at guessing those characteristics.
Scale of Zero to One
But are the predictions accurate? The author of UpGuard’s blog post, Dan O’Sullivan, writes that he located his information after finding his “RNC ID,” which is a 32-character alphanumeric number assigned to voters.
Vickery and O’Sullivan found that they could link other analyses in the leaked data sets to real people using the RNC ID. That would allow someone who had the data to tie the algorithmic predictions to real names.
“This reporter was able, after determining his RNC ID, to view his modeled policy preferences and political actions as calculated by TargetPoint,” O’Sullivan writes. “It is a testament both to their talents, and to the real danger of this exposure, that the results were astoundingly accurate.”
One 50 GB file gives an insight into the analysis, UpGuard writes. It contains a list of voters – listed by RNC ID number – and then columns that indicate what trait is trying to be predicted, such as whether a person agrees or disagrees with U.S. foreign policy.
What’s recorded is a decimal fraction. The closer the number is to zero, the less likely the voter is to support a particular policy, while a decimal fraction closer to one indicates that support is “very likely,” UpGuard writes.
It’s unclear what other sources the data analytics companies inputted into their algorithms in order to generate those scores. But UpGuard did find what it described as a large cache of posts from Reddit, the news aggregation and comments board. That suggests that other public data sources, such as social media postings, may have been scraped.
RNC Pauses Work With Deep Root
In its statement, Deep Root Analytics says the data found by UpGuard “was not built for or used by any specific client,” and claimed that it was instead “our proprietary analysis to help inform local television ad buying.”
The company added: “Deep Root Analytics builds voter models to help enhance advertiser understanding of TV viewership.”
But a statement supplied to the Washington Post by the Republican National Committee suggests that the data may indeed have been intended for use by a client. The RNC, notably, says it has “halted any further work with the company pending the conclusion of their investigation into security procedures.”
The organization adds: “While Deep Root has confirmed the information accessed did not contain any proprietary RNC information, the RNC takes the security of voter information very seriously, and we require vendors to do the same.”