National (Record) Security

You may have heard that a guy from Texas stumbled across the voter registration information of something like over 100,000,000 Americans. That’s an incredible number, and it’s hard to imagine how it wasn’t protected at all. That’s right, no login required; it was 100% public.

Reading about it, I learned that each state decides for themselves how much of their voter registration info is public, what it can be used for, etc. Indiana’s only caveat, according to this site, is that it can’t be commercially used. So, naturally, as a non-commercial entity, I wanted to find out more and possibly pour over the database.

To make a moderate story short, it isn’t that easy. The whole database is encoded in a way I’m not familiar with, using GUIDs or UUIDs for everything down to which county a voter has registered in. Some of it looks like Base64, but it doesn’t translate back into anything English (or any other language as far as I can tell). Disclaimer: this info was found just from looking at the page source for the ‘Public Voter Registration Search’ page, found here. 

At that point, I just wanted to learn how the information is stored and what rights I have to it as a citizen. So, like any normal person would do at 7:45am while at work, I started reading the actual laws surrounding the ‘computerized registration list’. Indiana’s aren’t anything special, mostly they just refer back to 42 U.S.C. 15483. So, I decided to look at that as well.

There’s a subsection, (a)(3), titled “Technological security of computerized list”, and it is one sentence long. I’ll write it out here, since it clearly doesn’t take up much space. “The appropriate State or local official shall provide adequate technological security measures to prevent the unauthorized access to the computerized list established under this section.”

That’s the whole thing. That’s as secure as the federal government feels this information should be. One sentence. Indiana code goes a bit deeper into what info they’ll give you if you request it, and more importantly, what they withhold. But their security requirements aren’t any more robust or protective. “Security of list, Sec. 15. As required under 42 U.S.C. 15483, the election division
and each county voter registration office shall provide adequate
technologicalsecuritymeasures to prevent unauthorized accessto the
computerized list.”

I think this attitude is a huge problem in our culture and government. If there are laws to protect our information from foreign and domestic threats, shouldn’t it be a bit more specific about how it’s being protected? Maybe there’s somewhere in federal code about securing federal buildings holding records. Would it just say ‘doors must have appropriate locks, and other security measures are okay as well’? I don’t know for certain, but I don’t think so (and I’m not about to Google ‘how are federal buildings secured?’ — I’m already on enough lists, I’m sure). Why anyone thinks that technological security is any less important than physical security, I will never know.

This is the issue with privatization of government responsibilities, as I see it. The records found by the Texan were likely held by a private firm, contracted to manage that information, store it, or who knows what else? Maybe I’m too trusting, maybe I’m naive, but I believe that the vast majority of people who work for governments do it out of a feeling of civic duty. That’s why I want to work for the federales. I feel like it’s my responsibility to use what abilities I have to help my fellow man, even though the pay can’t compete with the private sector.

If all of these records had been maintained by someone who actually cared about the people inside, rather than only landing the contract to store it, I think it would have been better protected. I will gladly take less pay to work in the public sector, because I genuinely care about doing what’s right. Having said that, we clearly need to address the security of this kind of information being stored. We need more clarity in the laws about what has to be done.

Leave a Reply