The Privacy of Your Voting Data . . . or Not

Last week, the New York Times had an article, "Millions of Voter Records Posted, and Some Fear Hacker Field Day," highlighting the theft and publishing of 191,000,000 (that's "million") individual voter records from across the country.  The article highlights some of the same concerns expressed by Restonians reflected in the RA Board's vote to prevent the release of recent voter data to a Reston requester.  

Here's what it says about the theft and publication: 

 First and last names. Recent addresses and phone numbers. Party affiliation. Voting history and demographics.

A database of this information from 191 million voter records was posted online over the last week, the latest example of voter data becoming freely available, alarming privacy experts who say the information can be used for phishing attacks, identity theft and extortion. The information is no longer publicly accessible.

It is not known who built the database, where all the data came from, and whether its disclosure resulted from an inadvertent release or from hacks. The disclosure was discovered by an information technology specialist, Chris Vickery, and the findings were published on databreaches.net. . . .

The article goes on to highlight that almost all the data is freely available under law: 

Indeed, nearly all of the data that was released was already publicly available. But having it compiled in one place makes it particularly valuable.

As a result of the Help America Vote Act of 2002, state governments are each required to maintain a single, “interactive computerized” voter registration list with “name and registration information.” It leaves what that “registration information” consists of to the discretion of the states. But as big data increasingly plays a large role in politics and business, the presence of the publicly available information raises questions of privacy and security. . . .

So the intent of the law is to make it easier to encourage people to vote in national elections, an intent that could be abused by misuse of the available data based on some further analysis that voters (or voters of a particular stripe) are more or less inclined to buy something.  Whether it is particularly useful for cyber-criminal activities is actually less evident.

The article also highlights how important the availability of this data is to campaigns. 

Access to data is, of course, a necessity for modern campaigns. Voter databases vary from state to state — there is no federal agency overseeing voter data or registration — making it a messy field to navigate. It is this discombobulated system that makes companies like NationBuilder and NGP VAN, a software company that manages such data for Democrats, invaluable to campaigns.

"From our perspective, it is extremely important for campaigns to be able to know who can vote for them, and be able to do legitimate outreach and engagement,” said Jim Gilliam, the founder and chief executive of NationBuilder. “That’s the point of the democratic process: that you can talk to voters.”

But even without the streamlined databases of NationBuilder, such voter data is publicly available on a state-by-state basis.

So every state, even Virginia, makes this information available to the public and some states have a few protections to prevent its misuse.  As the article highlights: 

For example, in Pennsylvania, it costs $20 to download the whole voter file — which includes names, addresses, birth dates, gender and party — in a spreadsheet format. North Carolina offers free access to an online database of voters. Wisconsin makes its voter file available online, with privacy restrictions that leave out such information as dates of birth and Social Security numbers, and it charges $25, and $5 per 1,000 voter records.

Each state also has a varying set of rules and verification requirements to try to ensure the data is used solely for a political purpose. Anyone can search North Carolina’s free online voter database, for example, but in New Hampshire, people have to verify they are with a political party or committee before purchasing the voter file from the secretary of state. Many states and jurisdictions, from Alaska to the District of Columbia to Florida, allow for “unrestricted” use of the data, according to a database kept by NationBuilder.

In Virginia, in particular, the Fairfax County Office of Elections reports that the following information may be made available upon request “at a reasonable cost.”   Among the categories of people who may obtain this information are “Members of the public seeking to promote voter participation and registration by means of a communication or mailing without intimidation or pressure exerted on the recipient.”  This is very much what Mr. Flashman has said he is trying to accomplish in his request to RA.   
 

In contrast, a qualified person asking for official county, state, or federal election information could ask for and receive the following under Virginia law, among other categories of information:

• “List of Those Who Voted (LTWV) – a list of those persons who voted in a primary, special or general election in a specified jurisdiction, legislative, election district or statewide.”  

• “Vote History List (VHL) – a list of those persons who voted in a primary, special or general election in a specified jurisdiction, legislative, election district or statewide over a four year time period.” 

In both cases, the requester would receive, “(the) full name, residence address, mailing address, gender, date of birth, registration date, date last registration form received, registration status, locality, precinct, voting districts, voter identification number, election date, election type, and whether the voter voted in-person or absentee.”  In response to the vote history list, the requester’s response would additionally be organized chronologically by election.

Mr. Flashman’s request for the addresses of RA members who voted in the Tetra referendum seeks much less information by far than the state allows for similar voting record requests as this table shows:

Data type                                    Virginia                              Reston Assn.

 Name                                               Yes                                        No

 Residential Address                        Yes                                      Yes

 Mailing Address                               Yes                                         No

Gender                                              Yes                                         No

Date of Birth                                      Yes                                         No

Registration Date                              Yes                                         No

Date Registration Received              Yes                                         No

Registration Status                           Yes                                         No

Locality                                              Yes                                         No

Precinct                                             Yes                                         No

Voting District                                    Yes                                         No

Voter Identification No.                      Yes                                         No

Election Date                                     Yes                                     Known

Election Type                                     Yes                                     Known

In-person/Absentee Vote                    Yes                                         No

This brief comparison suggests that Mr. Flashman's request is exceptionally modest in terms of gaining access to the addresses of those who voted in the Tetra referendum.  There is no apparent reason why it should be denied unless that data is expressly deniable by the Virginia POAA.  To the contrary, it appears that the Virginia POAA requires that it be released as RA determined a year ago.   Indeed, Mr. Flashman has appealed to the Virginia state ombudsman for a legal determination of his right to access the data he has requested from RA. 

If the RA denial stands, Mr. Flashman could easily turn to county officials and request the much more complete voter data compiled by the County on all voters in Reston--most likely by its ZIP codes—under Virginia state law.  Moreover, it would result in acquiring data on at least hundreds of people who did not vote in the RA referendum and a number of people who aren't even members of RA (such as those in Town Center).  

It seems clear to us that RA should--on both legal and ethical grounds--provide Mr. Flashman the data he requested.  Not to provide this limited information undercuts the very goal RA tries to encourage:  That all dues paying RA members should vote in RA Board and other elections and referenda.  If the candidates or groups that wish to participate in such elections don't have that data, they will almost certainly be less able to effectively present their positions and priorities to likely Reston voters.  In turn and as a result of their limited access to candidates or issues, likely RA voters may be less inclined to participate in an RA election or referendum.