face palm
It's shit like this that will contribute to the crashing and burning of western civilization. And I suspect it will only get worse, due to the conversion to all digital voting equipment.
A database with personal information on 191,337,174 US voters has apparently been found unprotected online by a security researcher in Texas. Austin-based Chris Vickery – who earlier this month found records on 3.3 million Hello Kitty users splashed online – says the wide-open system contains the full names, dates of birth, …
People's home addresses aren't exactly secrets - until landlines went out of fashion most people had theirs available in the phone book. Sure, it is a concern for those like battered women who have reason to keep their address less easily accessible, but there are so many data breaches every year that anyone who aggregated that info would already have everything contained in this database. And there's no doubt there are people who have aggregated that data - including operators of web sites that promise to give you information such as address, phone number and more on anyone in the US. For a fee, of course.
For our non-US readers, this database won't contain anyone's voting record. That information is not stored on anyone, since ballots are secret. The party affiliation field in there would be populated with what party you registered under. You aren't required to register with a particular party (you can choose 'independent') and you don't have to vote your registered party, with the exception of some states where you can only participate in a particular party's primary/caucus if you are registered with that party.
For my part I chose a party I'm registered under because I found when you register independent BOTH parties call you up and try to get you to vote (and they treat registering under a third party as independent) So it is better to choose one just to cut by half the number of annoying calls you may receive during election season.
I can understand why some people view it as a relatively low-level issue so far as privacy is concerned but I can't see why people aren't annoyed because it's the principle - this is data about people that has been collected and it should be secured as a matter of course.
I think it is down to the ability to be able to Push a Button and you have all this information at your fingertips. It's like the Direct Mail companies who can sell a targeted list to umpteen companies. People prefer to know that their details are not so easily accessible to the companies that buy these lists. In this case it looks like there is no need for a marketeer to even buy the list - no "honeytrap" worries here of using a list beyond the rental period, it's effectively "public domain".
I presume the concern is that the voters did not necessarily give permission for this information to be given to anyone, without restriction -- or audit.
Privacy is not one dimensional: I really don't mind the UK secret services knowing what I use my VPN for, but it doesn't mean I want the council's parking control officer to know; I don't mind the latter knowing my address, but I don't want him to know my date of birth; etc.
There is also the issue of aggregation. Sometimes secrets that aren't even in the data can be given away by the data (e.g. a geographic clustering of security cleared people in a rural town). Databases which contain gender and D.o.B. information can be used to identify the locations of thousands of young women, for instance.
However, the key flaw in your argument is to assume that everyone else should be comfortable with your own personal privacy levels. I post here using my full name, but I don't expect everyone else to, and I'd be highly unimpressed with someone "outing" a fellow commentard who had used a handle or posted AC.
@King Jack
"In this day of equality, men are entitled to just as much privacy as anyone. The days of women getting special treatment are over."
I would hope that the days of anyone that is more likely to suffer at the hands of the vindictive/cruel being thought of as needing help are not over at all.
But maybe you are right...
"Privacy is not one dimensional: I really don't mind the UK secret services knowing what I use my VPN for, but it doesn't mean I want the council's parking control officer to know; I don't mind the latter knowing my address, but I don't want him to know my date of birth; etc."
That only works as long as your views are aligned with theirs (or at least you think they are). In your case you believe that your views on parking differ from the councils, but that UK Secret Sevice views are aligned with yours.
But that requires uniformity of opinion, that would prevent dissent and free political discourse.
Why should the spooks check and vet what I say in private? Who put them in charge of the thought police?
I ... don't mind the UK secret services knowing what I use my VPN for, but it doesn't mean I want the council's parking control officer to know
I think you'll find the secret services value their privacy more than they value yours - hence the secret trials, not being told the evidence against you, nameless witnesses, etc. Personally, I'd rather trust the council's parking officer.
And there's no doubt there are people who have aggregated that data - including operators of web sites that promise to give you information such as address, phone number and more on anyone in the US. For a fee, of course.
And no one seems to be upset that these companies also aggregate police records, credit records, just about anything they can on everyone. Once upon a time, if you wanted a lot of info on someone, you really had to dig for it. Today, you just figuratively swipe a credit card and the info is there. I find that is intrusive as hell.
Having said that, I do wonder if this "researcher" merely accessed one or more of these companies' database.
OK, suppose my details have been protected by a court order but somehow got mixed up in this mess? As you hint at, domestic abuse and organised crime affiliations could be compromised and next thing there's innocent families caught up in this mess all because one sloppy person doesn't bother to buy a "Databases for Dummies" book and find out the bare minimum about how security should work on a database.
It is not entirely clear why these records should be thought private; they are, after all, records collected for a public purpose by a government agency, and are records that are important to the conduct of the very important election process. The example given shows, for the data items I recognized, what is available in many or most states to political parties able and willing to pony up the cash to buy a copy.
While the location information included might increase the risk to some people who require protection, the probability of that is low because either their location already is known to those who threaten them, or they have moved to a place of hiding and had the presence of mind to omit notifying the voting officials.
"For our non-US readers, this database won't contain anyone's voting record. That information is not stored on anyone, since ballots are secret. The party affiliation field in there would be populated with what party you registered under. You aren't required to register with a particular party (you can choose 'independent') and you don't have to vote your registered party, with the exception of some states where you can only participate in a particular party's primary/caucus if you are registered with that party."
"For my part I chose a party I'm registered under because I found when you register independent BOTH parties call you up and try to get you to vote (and they treat registering under a third party as independent) So it is better to choose one just to cut by half the number of annoying calls you may receive during election season."
That nuance might be obvious to many, but it may not be so to a crazed dictator. Misinterpretation of the purpose of a table field is one of the scourges of database design.
Of all the arguments for "nothing to see here, please disperse"...
- Just because information is available in one database means it's okay for it to be available in another bigger database, just because.
... and...
- Just because it's available in another bigger database, access restrictions don't matter, just because.
... are particularly weak.
... it will only get worse, due to the conversion to all digital voting equipment.
Actually, it's necessary to convert all polling places in the US to digital voting equipment. Otherwise, election rigging will remain cumbersome and slow with timeouts for 'hanging chad' conferences. Much more convenient without those pesky paper backups.
Voter database? Surely ... all your data are belong to us!
There are those who say that the west coast voters generally don't care to go to polls once a "winner" has been declared. I tend to agree as why bother then except for the local and state elections. However, the state I'm in, we can vote by mail so our votes get counted and sometimes are figured into the predictions.
Well, in the case of Washington State, anyone who was going to vote would've already done so in advance as the state has gotten rid of all polling stations and switched to purely mail-in ballots. Of course that doesn't rally matter all that much in national elections anyway with the electoral college system where the race ends up getting called well before votes are even counted (Since there aren't enough electoral college votes to matter despite there being more than enough voters)
So far I've heard a lot of noise coming from this guy but nothing substantial, other than "he said so", to back up his words. I'm reaching a point where I don't trust it anymore.
Thing is: have you, as an individual, ever tried to take down a confiscated server? When it's located in China or other "vague areas" then good luck to you because you won't succeed. Even if you try to contact the data center directly and provide them with all the proof they need then more than often the server will remain as-is. Heck; this also often applies to US and EU located servers.
Yet here is this guy who finds huge privacy sensitive databases, no one other than him seems to have had access to it, and when he's done the information is also gone. My other point: if the people behind it would want to spread this info then they'd have utilized torrent and other means which make it pretty much impossible to take it down. If they didn't want it to be found... Well, any idiot can set up a firewall these days.
My last point: with the recent "high end" hacks, I'm talking about the Sony PSN breach for example, anyone who dug a little deeper could find traces themselves. But the stuff this guy manages to dig up... Nothing. And what a coincidence that his own personal info was in this last find as well.
Yes, I am a little cynical, I know. But I've seen too many fake companies, and individuals, trying to make a name for themselves by simply fabricating stories. I've also seen television shows do this to demonstrate just how easy it is to become a "reliable source" of information (referring, for example, to "Neveneffecten", a Belgian TV show).
Note: I'm not claiming that none of it is true. But I do have some serious doubts here.
I assume he's shown his own details because showing someone else's would be rather impolite, it's an SQL server instead of a web frontend which means it's a little more difficult to find, and he's not handing out the server address to all and sundry because 5 seconds later some clown would upload a copy to The Pirate Bay.
I'm the blogger/admin at DataBreaches.net. I verified Vickery's claims before starting to investigate the leak, i.e., I saw the dbase on the IP he gave me, the port was open, and I could access the database.
Vickery has been giving me tips on leaks since September. I've investigated at least 6 by now - but I'm losing count as there have been a lot. All of his claimed leaks were verified and accurate.
We've also verified that this database contained accurate records for six out of six probes we ran. A number of reporters also verified that data on them was accurate.
The MPAA can keep some first grader's cat video off the Internet, but we've got no mechanism for blocking access to something like this.
Or how about a mandatory civil fine of $50,000 for publishing it without any restrictions?
Yeah, real smart.
This is all the fault of the greedy bastards in Congress who don't give a shit about the average citizen.
It's the aggregation of the data combined with information that is normally not that easy to find out. For example, my comments indicate certain political leanings and I might on occasion explicitly state them. But should my leanings or party affiliation along with other juicy demographic details be accessible to anyone with an Internet connection? My take with many others is no as matter of course, ethics, and policy.
As a_yank_lurker has stated, it's the info aggregation that's the real issue.
No, there's nothing illegal with people knowing my name and address, I give that out to all and sundry, be my guest. However the problem starts when that's not enough, when they add sexual orientation, political affiliation, previous crime involvements, social security IDs, financial history, current financial status, previous relationships and let's not forget about the UK Gov's need to add previous years internet site visits, mobile phone calls and text messages.
In 10 years time I won't need to spend a week or two assembling a database of identities to rip off, I can simply login into My-DBA-Is-A-Fecking-Moron.net and snag myself a million 100% complete identities and make a bit of cash in a few minutes. Heck if that's too much work, I can just see how many of those I can blackmail and watch the cash roll in!
It wasn't that long ago that coloured citizens were blocked from registering to vote by law in some states.
Getting on the electoral role over there is a PITA compared to here in blighty. It is apparently controlled by the main parties. If that is not a chance for corruption then I don't know what it.
Then there is the 'Hanging Chads'
Democracy? The count is still in progress on that one.
"It wasn't that long ago that coloured citizens were blocked from registering to vote by law in some states."
You might mention non-property owning people in N. Ireland (mainly catholics) who couldn't vote up until the late 1960's, and the landlords there who had multiple votes because of this.
Only in the presidential election. Everything else is popular vote per state (or smaller unit depending on election). Example: US Senators are elected state wide, but US Representatives are elected by district within the state. Then you have individual state offices, county, municipal, etc.
"It wasn't that long ago that coloured citizens were blocked from registering to vote by law in some states"
The laws are more selective these days. They don't block on basis of colour but can have the effect of blocking coloured citizens disproportionately.
eg "Felony disenfranchisement" affecting the higher proportion of citizens being jailed in the US. The UK has been criticized for not letting people in prison vote, but in the US it can be difficult to vote AFTER your sentence has been served through requiring a petition to be made. (eg to "Application for Restoration of Civil Rights" to the governor of Kentucky)
Re: AC "Getting on the electoral role over there is a PITA compared to here in blighty. It is apparently controlled by the main parties. If that is not a chance for corruption then I don't know what it."
Voter ID laws have been struck down in many states. Here people are allowed to register to vote the day of election with nothing more than an electric bill. No state issued id needed, no photo id, just something purportedly proving -residency-. There is an important distinction between residency and citizenship. If that isn't proof of corruption of the voting process I don't know what is. Every time we try to enact stricter registration laws the ACLU and the like get involved. I'm not condoning actual poll taxes or overt hurdles to minority classes, but I don't think that having to have a free state issued photo id to register and then vote is an unnecessary burden, and having to register at some point before the election isn't either.
If it is even easier to register and vote in the UK (or whatever division of it you are inhabiting) you have a problem.
It has been half a century since a law prevented African-American citizens from either registering to vote or voting. As always, the Civil Rights Act of 1964 and the Voting Rights Act of 1965 were not always followed, complaints made under the laws were not always prosecuted with vigor, and prosecution did not always result in conviction and punishment. Nonetheless, it has not been legal in any state to deny voter registration or voting based on race since 1965.
Getting registered in the US requires an affirmative act, most often, I think, checking a box on a driving license application or, for those who do not have or seek driving licenses, completion of a form to be filed with a local or state voting registrar. Twenty-three states also provide online registration applications and forty-seven accept the printable mail-in form available from www.usa.gov. In general, procedures here are not materially more difficult or greatly different from those in the UK.
Registration is nowhere controlled by major political parties as a matter of law and cases in which the major parties control it in practice are at most local and extremely rare.
Aside from the fact that "hanging chads" on punch card ballots has nothing at all to do with voter registration, it is a problem logically equivalent to mismarked paper ballots: almost entirely a matter of voter error and rarely a result of poor ballot quality or punch pin wear. It is possible, but extremely unlikely, for the punch used to be pushed completely through the card and leave the chad attached to the ballot. Most of the hanging chads would be dislodged before or during machine counting.
No polling company records an individuals likely voting for hundreds of millions of people!
Remember Choicepoint? Remember Florida? Remember Database Technologies?
These databases are used to rig elections. They are used to draw up boundaries for Jerry Mandering. They are used to scrub people off electoral rolls. They've been used to generate challenge lists.
In Florida they were used to assign counting machines for punch, count voting. Where miscalibrated machines were allocated to Democrat wards so votes would be counted as null.
There's a $2 billion election coming up, with 1%ers spending big money to win an election. They don't spend it on polling!
"These databases are also widely used for legitimate purposes, such as get-out-the-vote efforts targeted at people who you think will be inclined to vote for your preferred candidate."
Inclinded? And what is the excuse for having the private details of DISinclined voters?
After the "Citizens United" decision, it's not uncommon to have employees subjected to political propaganda during work hours, now their employer can vet them for hiring and promotion purposes based on their political views.
We keep voting secret for a very very good reason, yet this database is from someone trying to unmask that data.
As an earlier poster noted, there is no requirement to indicate a party affiliation or anything that suggests political preference as part of voter registration. The example in the article shows this clearly. At most, indicating a political party preference establishes entitlement to participate in selecting the election candidates of that party.
Propagandizing during working hours has nothing to do with the Citizens United decision. Most private sector employers of any size will not allow it, and it is illegal in federal and most, if not all, state and local government offices.
The list, which I suspect may be a list created by a state government consortium to identify potentially fraudulent registration and possible voting in several states, shows nothing at all about actual voting behavior, which is secret. Nothing in the data described can be used to reveal any voter's ballot choices.
And yet governments worldwide are all pushing for more access to personal data, despite repeatedly proving that they are just they are just not competent to handle it.
That brings the US's score to a third of the fucking population; with extra focus on and details for civil servants because OPM.
Not sure how the UK is doing but I wouldn't bet my own money on anyone on the NHS or census or ID card databases not having their info collected by somebody. And remember we only hear about it when the good guys find it.
Lie glibly on forms is my advice.
AC wrote: "aside from actual interactions with the NHS, no one collects the NHS/CHI/whatever number"
But the whole idea of the continuing care.data fiasco is so that Timothy Kelsey (who has now fled to Australia until the flak dies down a bit) could sell detailed and itemised information about your health and mine. Once that has been "acquired" by insurance companies (who are ostensibly banned at present from having it, but when was that a barrier?) then watch out for forms asking for information that could identify your NHS number.
This post has been deleted by its author
The short answer is that voting is still secret. The database does NOT contain a record of who someone actually voted for.
However, registering to vote in the US involves claiming membership in a political party (or none, if you choose to be "Independent"). This party affiliation is a matter of public record and accessible to aggregation in databases such as the one described in this article. It determines which party's primary election you are allowed to vote in, and it also impacts which candidates will hound you for campaign fund donations.
The real issue, I think, is that aggregation of personal information is lawful (and extremely profitable - see Google, Facebook, mailing list vendors, etc.).
"Wouldn't it be much simpler to follow one from station to home after work?"
That would give you 1 address and would involve both more time and more risk. It's the same with a sexual predator following a young woman home, or an investment scammer following an older person home to see if they are likely to be asset-rich and income-poor (and a good target for an equity release scam). You'd still have more work to get a name and phone number (handy for "household surveys" where you can usually find out if someone lives alone --- especially if you have a handy conversation starter like registered political affiliation) but it's not going to be impossible.
What IS going to be impossible, though, is finding thousands of targets this way. Finding a wallet with someone's name, address and phone number is completely different to finding a DB with millions of addresses and phone numbers. Sometimes the scale of a quantitative difference is so large it is more effectively interpreted as a qualitative difference: my engineering inclinations would ordinarily, depending on the context, put that "switch" between about 3 and 6 orders of magnitude.
I was talking to a guy who buys junk cars and he has to be able to verify titles and the sellers. There is a database called PublicData where you can do pretty much the same thing. There are a host of others as well, some free, some with fees.
Name, SS, address, cars owned, license tags, driver's license number, the works.
We are ALL, already bagged and tagged. It is already far worse than you think.
Hope the Church of Later Day Saints, aka (the Mormons) gets a full download of the information to baptize the American Voters. Saves waiting for 2010 census reports. The "church" (which is the largest landowners in the US) holds the best genealogical data in 'Merica. It may be redundant since FBI and CIA are packed with my people, though this gives a good cover story.
This post has been deleted by its author
If you forget your password/PIN, most financial/telecommunications/utility institutions are happy to provide information or connection/disconnection/transfer/PIN change/password change services over the phone once the caller identifies themselves by providing information that is known only to the customer, name, Date of Birth, Address and telephone number. All nicely parceled up for 191million Americans....