Key with text Vote on laptop keyboard showing danger of data breach of electoral voter data

Electoral Register Data Is Power, So Why Do Breaches Keep Happening?

A Maltese case study

Following the Cambridge Analytica scandals that showed the power of microtargeting during the 2016 US Presidential Election and the UK’s Brexit referendum, one might think that more care would be taken with voter data – in particular electoral registers.

One would be wrong.

In March this year it emerged that a massive (in terms of percentage of population) political data leak had taken place in Malta. While it is far from the first such case, it gives an interesting insight into how these occurrences can sometimes take place.

There are a couple of typical scenarios: user error (aka stupidity) or a malicious hack. For example, In 2016, the data of around 70 million registered voters in the Philippines was stolen after the website of the Philippine Commission on Elections the data was subjected to a sustained cyberattack. Anonymous Philippines and LulzSec Philippines claimed responsibility.

In Hong Kong in 2017, two laptops belonging to the Registration and Electoral Office, containing information about Hong Kong’s 3.78 million registered voters, were stolen at AsiaWorld Expo. Suspicions remain that it may have been an inside job.

But more commonly, such data breaches are down to simple human error. In April 2018, the Lebanese embassy in the UAE sent an email to an individual with an attached spreadsheet containing the personal details of more than 5,000 registered Lebanese voters. While in the US, cybersecurity researchers at UpGuard uncovered a misconfigured database on an Amazon server exposing the personal details of 198 million US voters in 2017.

The US case is somewhat similar to the Maltese breach, in that information was left exposed on a database that was freely accessible online. How that data ended up on such a list is a little more convoluted as we will see.

Alarmingly, the voter’s list showed not only the names, addresses, phones and dates of birth of 337,384 Maltese voters – that’s 75% of the entire population – but also their polling booth, polling box numbers and voting preferences. It is not hard to see how such information could be maliciously used to target voters.

According to TacticalTech compromised voter data generally comprises data from two possible sources: Official voter registers, administered by official state, regional or governmental bodies; or voter files compiled in-house by political parties or by political data consultants for campaigning purposes. TacticalTech points out that these voter files are “typically sourced from public or governmental records,” but are “enhanced by third-party datasets.”

In the Maltese case, it seems it was the latter type of database that was exposed.

The Maltese Electoral Commission, which organises local, national and European Parliament elections, and maintains the official register, gives updated information to the political parties to maintain “transparent” electoral processes.

A copy of this highly sensitive personal information “somehow” made its way onto a wide open directory indexed by Google held by C-Planet IT Solutions, a private Maltese IT company owned by Philip Farrugia … who just happens to be brother-in-law of the Labour Party’s Parliamentary Secretary for European Funds, Stefan Zrinzo Azzopardi.

The Labour Party, one of Malta’s only two main political parties – and currently in government – maintains that the IT system in question is not the same one used by the party.

Farrugia’s C-Planet maintains that the data is “old.” But that’s not much consolation to those who have had their data leaked.

In Turkey in 2016, a hacker posted the personal data of around 50 million citizens. Although the data appeared to be from 2008, Turkish privacy activist, Isik Mater, told Wired: “I searched my name on the list and reached all my family data. It doesn’t matter if the data is from 2008, because I still have the same name, same home address and obviously the same national ID number!”

The Information and Data Protection Commissioner’s office said it had been made aware of the breach through media reporting, but that an investigation would be launched.

In parallel, European privacy rights NGO, noyb.eu, the Daphne Foundation and Repubblika have teamed up and organised a platform that allows citizens affected by this data breach to sue C-Planet in a collective action.

“In a democracy, we cannot accept the processing of political data spiraling out of control. Political parties in particular should not be using voters’ information for purposes other than what the law permits them to do. Could you imagine your political preferences being used to deny you access to a public service or an employment opportunity?” said Romain Robert, data protection lawyer at noyb.

#Databreach of Maltese #voterdata including polling booth, polling box numbers and voting preferences may facilitate malicious microtargeting of voters. #privacy #respectdata Click to Tweet

The types of services offered by the likes of Cambridge Analytica are not going to go away. CA and their ilk claim to scrape social media for information, but if electoral committees are not willing or capable of keeping precious voter registration data safe, they are playing into the hands of those who would manipulate voters in unethical ways.

 

EU Policy Correspondent at CPO Magazine