Americans routinely hemorrhage personally identifiable information (PII) across social media and other websites. On almost a weekly basis, PII bleeds out in dramatic breaches like the recent one at Toyota that exposed 3.1 million customers or another at Georgia Tech in which an “unknown outside entity” illegally accessed data for more than 1 million students, faculty members and alumni.
Some 26 million Americans were victims of identity theft in 2016, according to the Bureau of Justice Statistics. One way thieves, scammers and psychopaths perform reconnaissance on their victims is to find them via Google or social media. A fair start — but information on the Internet is often inaccurate. If I were a malicious actor looking for a victim’s PII, I’d begin where the data is government-certified.
Tax records and housing data are PII treasure troves but not all records are digitized. Political contributions can be valuable — if a person gave money to a candidate over a certain amount. Yet, an exposed area still exists. States hold important personal records of American voters through their secretary of state (SOS) websites. In most states, some or all of this information is accessible to anyone with an Internet connection.
I have an Internet connection. And until recently, I ran the open source intelligence division at a cybersecurity firm.
So, I tried to access all 50 states’ (and the District’s) online voter registration systems. In the process, I was able to obtain personal information about the citizens of 40 different states, from Alaska to Arkansas, West Virginia to Wisconsin, New Mexico to North Carolina. In some states, that PII included personal addresses, historic voter data and race.
To show how sweeping these vulnerabilities are, I picked a specific person in each state: its governor. They often inhabit a taxpayer-funded mansion for their term in office but usually also maintain a private residence. These individuals are public figures who are, in theory, able to influence the laws and regulations that determine who can access this data in the first place. They are also people who should be concerned about protecting their own PII, whether for their own bodily safety or to protect themselves against people looking to manipulate them.
Some are wealthy — West Virginia Gov. Jim Justice (R) and Illinois Gov. J.B. Pritzker (D) are billionaires; Colorado Gov. Jared Polis (D) is a multimillionaire. Others seek higher office: Washington Gov. Jay Inslee (D) is running for president in 2020, and Montana Gov. Steve Bullock (D) is thinking about running. One could surmise they would all want to shield their PII from the outside world. But as of today, in many states, it is possible to obtain, or at least confirm, some of their private information — and if one is willing to dig further, that of their families.
Given its recent election irregularities, it is striking that North Carolina provides the most PII about its 6.57 million registered voters of any state in the nation. Enter a voter’s first and last name, and the North Carolina State Board of Elections and Ethics Enforcement provides a home address, voting status, voter registration number, party, race, ethnicity, registration date, polling place and a complete voting record. In the case of Gov. Roy Cooper (D), this record extends to 2002, noting when Cooper voted in person (eight times), voted early (19 times) or absentee (five times). Cooper’s chief political adversary, the state Senate’s president pro tempore, Philip E. Berger (R), is most nationally notable for drafting a voter ID law that a federal appeals court eventually struck down for targeting “African Americans with almost surgical precision.” His personal information is also open to anyone as well (he mostly voted in person on each Election Days since 1992).
It’s difficult for North Carolina voters to remove themselves from this database. State law indicates a voter needs to first obtain a protective order that indicates their physical safety would be jeopardized if a personal address was publicly available, and then submit it to the local county board of elections. Even with a protective order, that voter’s name, precinct and other data remains in the public record, even if it’s no longer as easily accessible. That voter could then be theoretically targeted on Election Day — because a malicious person will know where and when that person is likely to show up.
The Tar Heel State is not the only state that provides a great deal of PII on its voter database. For example, when I prompted Kansas’s SOS site with some basic details I’d pulled up on Wikipedia, it provided the personal address of the governor, Laura Kelly (D). The man she defeated in 2018, Kris Kobach (R) — a former Kansas secretary of state who tried to enact some of the nation’s most stringent voter ID laws — has his PII plainly available, as well, including his personal address and voter information dating to 1996.
Equipped with anyone’s full name and birth date, you can use many of these databases to determine the home addresses of the governors from Montana, Oregon, South Dakota, Washington state and Wisconsin. Augmented with data provided by a popular people search engine like Whitepages Premium, one can easily obtain this information — information that’s often better verified than elsewhere on the Internet — when the SOS websites request Zip codes or county. For example, South Carolina demands that visitors to the site identify a voter’s county before providing access to the database, which isn’t much of a barrier: South Carolina Gov. Henry McMaster (R) lives in Richland County, the county that encompasses the state’s capital. Armed with this information, you can view his personal address along with his race and other data.
I’ve also discovered at least one nationally known politician (I’m declining to provide his name, for privacy reasons) who has meticulously scrubbed his family’s home address from some of the larger data aggregators. He is, however, from a state with a public-facing voter database that provides his home address if you know his full name and birth date.
There is certainly a transparency-in-government argument to be made in making this data available to the public. Maybe having this information in the wild, for anyone to view, doesn’t seem worrisome; after all, some addresses and phone numbers are still in the phone book, assuming you can find one. It’s nonetheless troubling because an individual can opt out of the telephone directory, but one can’t opt out of being in the official voter database, unless a voter deliberately chooses not to ever vote again. Millions of American voters shouldn’t have to disenfranchise themselves to protect their privacy.
But there are already models to keep bad actors out. Several states make it difficult or cumbersome to obtain voter information. For example, California requires a first name, last name, date of birth, Social Security number and a state driver’s license or ID of the person you’re looking into before it will let you access data about them. Hawaii imposes similar requirements, as does Nevada. Wyoming’s secretary of state’s website doesn’t even have a digital capability to look up specific material. These simple steps made it impossible to get into the system without significant, granular information.
The Internet is full of scammers, thieves, Nosy Parkers and troublemakers. States shouldn’t give them a leg up on their reconnaissance of large swaths of the American electorate.