The voter registration data of tens of millions of Americans has been bought and sold in a lesser-known region of the Internet known as the dark Web, raising concerns among security experts about identity theft and election security.
As of December 2019 — less than a year before voters will elect a president — dozens of anonymous users have purchased access to the file, which included voter registration data from 27 states including Connecticut and Rhode Island, according to a Massachusetts-based security firm.
In all, the data included the personal information of more than 81 million voters. And although some states make voter registration data available to authorized individuals or the public at large, this multi-state offering is not officially sold by any state.
Dark Web marketplaces where the voter data is for sale are frequented by users who wish to conceal evidence of their transactions from authorities. The sites are not indexed, which means they cannot be accessed using common search engines like Google or Yahoo. On sites like Apollon Market and Dream Alt Market, where the voter data was for sale, users can overtly buy and sell drugs, malware, and other private information.
The right to vote is fundamental to American democracy, and some officials and advocates say making voter registration data public provides a critical layer of governmental transparency. But the risks of having large quantities of personally identifiable voter registration information for sale on the dark Web are both personal and political, said Tom Kellermann, lead cybersecurity strategist at Waltham-based VMware Carbon Black, the company that discovered the data last year.
The data could be used to help steal the identities of tens of millions of people, Kellermann said — but that pales compared to the worst-case scenario: National or foreign entities hacking state voter registration databases to manipulate the information inside.
Since “the majority of elections systems are inadequately protected” and plagued by “tremendous weaknesses in their security” due to outdated software, Kellermann said, the people who compiled this data set could be talented enough to find a back door into the networks where voter data is stored in each state. He believes the listings on the dark Web could serve as a sort of advertisement for that more nefarious service.
If the vendors managed to enter the voter rolls, “they could change my street address by changing a road to a lane, and then change the actual numerical association of my house. Thus when I show up to present identification to be allowed to vote, I’m disallowed,” Kellermann explained.
That kind of threat has drawn the attention of federal law enforcement. Last October, FBI Director Christopher Wray told Congress that FBI field offices were already investigating foreign election influence plots. He specifically said that the operations may include “criminal efforts to suppress voting” and “cyber attacks against voting infrastructure.”
Other work on election security is a higher priority than investigating voter data for sale, according to Matt Masterson, a senior cybersecurity advisor to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security.
“We have literally hundreds of people on any given day working on elections,” Masterson said. Some of those agents work with the major presidential campaigns and political parties, who store voter registration data for their own use, to help them secure the information.
But in general, “we see states taking very seriously the security of the database itself,” Masterson said.
In Massachusetts, only certain government officials can obtain the voter registration files of everyone in the state, and parties must sign a licensing agreement confirming they will never share or sell the information before they receive it, said Debra O’Malley, a spokeswoman for Massachusetts Secretary of State William Galvin. No voter registration data from Massachusetts was listed in the data set sold dozens of times on the dark Web.
But in Rhode Island, a database of limited voter data is publicly available to anyone for a $25 fee, and that information has been bought and sold online dozens of times as part of the larger data set sold on the dark Web.
Rhode Island redacts certain information before making the information available to the public, said Secretary of State Nellie Gorbea, including the driver’s license numbers, Social Security numbers, and full dates of birth of the approximately 760,000 people registered to vote in the state.
Gorbea defended the state’s practice of making the information easily accessible to the public. Names, addresses, and political party affiliations are visible, Gorbea said, because, among other reasons, access to the information allows voters to hold officials accountable if they turn registered voters away at the polls.
“I think we can have laws that make it a crime to use data wrongly,” Gorbea said. “But we lose transparency to government if we don't provide some basic information about the voter file.”
Meanwhile, Rhode Island has been investing in the security of other aspects of its election technology. Last December, Gorbea’s office updated Rhode Island’s aging voter registration software. In 2016, Gorbea replaced voting machine hardware that had been in use since the 1990s.
But democratic institutions at large may not be the only ones in harm’s way. For some victims and survivors of domestic abuse, public voter registration data is a concern, said Karen Jarmoc, the president of the Connecticut Coalition Against Domestic Violence.
In Connecticut, a state program called Safe at Home allows those who are or have been victims of domestic abuse to register to vote without having their street and house number saved to the state database. Jarmoc said the address confidentiality program has worked well for years, and the relationship that the coalition has with the secretary of state in Connecticut is strong. People already participating in the program would not have been among the 2.3 million Connecticut voters whose addresses were listed for purchase on the dark Web. A similar address confidentiality program exists in Rhode Island.
But Jarmoc said there are probably many individuals who have been victims or survivors who aren’t aware of the programs. Those people may still feel like they have to make a difficult choice between voting in the upcoming presidential election and potentially exposing their address to someone who might harm them, or not voting at all.
“Domestic violence abusers can be very resourceful and crafty around how they go about trying to locate their former partner,” she said. “We don’t want to have survivors who should have such a strong voice at the voting booth to be kept from voting for fear that they might be located.”