Voter privacy and election security are broad terms we hear frequently as the Nov. 3 election approaches. Voter privacy, for example, might refer to protecting personal information collected during the voter registration process or ensuring the confidentiality of ballots cast by people who vote using accessible systems at the polls. Election security may encompass anything from detecting disinformation campaigns on social media platforms to cybersecurity training for election officials and poll workers. Privacy and security are crucial to the election process, especially as voter information continues to be collected and disclosed or sold to third parties.
Data collection from voters
Voter registration
One of the many factors that complicate U.S. voter privacy is that states administer elections differently and collect different types of information from voters during registration. The Help America Vote Act, passed shortly after the 2000 election, sought to standardize some of the election processes. HAVA required each state to keep a centralized and electronic database of registered voters. The National Conference of State Legislatures prepared a chart that illustrates the types of information each state maintains as part of its voter registration list and what information may be disclosed to third parties. While some states might include only your name, address and party affiliation on the registration list, other states might include your Social Security number, email, occupation, voting history and mother’s maiden name. The transition to the digitized registry list required under HAVA came with the recognition that this voter information should be kept secure.
Campaigns
Campaigns have collected public and private data for years to create profiles of nearly all U.S. voters. Data from social media profiles played a large role in 2016 campaigning, but MIT Technology Review reported that, in 2020, both candidates are collecting massive amounts of data through their campaign applications.
The value of voter data
Voter profiles created from this massive data collection are extremely valuable and can be used for a variety of targeted purposes, including predicting, encouraging or discouraging voter turnout. When the Hillary for America campaign donated its email list to the Democratic National Committee, it was Cambridge Analytica scandal revealed, companies have the ability to purchase voter registration data commercially and combine it with other information, like data from social media profiles, to build a comprehensive database that might be used for targeted political advertising. Companies and campaigns gather a lot of this initial voter information from state registry lists.
Accessing voter data
It varies from state to state if voter registration information is publicly accessible. In many states, personal information that is not already part of the public record can be purchased for a relatively low price. Connecticut provides instructions on how to purchase the entire Connecticut voter registry file for $300. As noted on that same website, someone who purchases the Connecticut registry file will gain access to who participated in past elections, how they voted, and other information provided at registration, aside from Social Security numbers. In Michigan, any person can purchase the registry list but the information provided will be limited to names, addresses and year of birth and cannot include, for example, a voter’s phone number, month and day of birth, or whether a person declined to register.
Other states have implemented laws to protect voter information. Massachusetts, one of the more restrictive states, maintains a “central registry of voters,” which includes names, addresses and registration dates. However, under Massachusetts law, names and addresses are kept off the public record and access to the list requires a designation by the state secretary. Some states only allow access to the registry list for campaign or political purposes. For example, Virginia only allows access by members of the public or nonprofits that are seeking to promote voter participation or registration. Virginia also restricts accessible information, making a voter’s birth month and day, Social Security number, and residence address (if they have listed a P.O. box instead) confidential. Nebraska’s voter registration file can only be accessed for non-commercial purposes, but it contains the name, address, party affiliation, voter identification, voter history, registration status, date of birth, phone number, etcetera.
Public access to names and addresses can be especially worrisome for survivors of domestic abuse or sexual assault and may even deter registration altogether. Recognizing this concern, several states have implemented address confidentiality programs to protect survivors.
Protecting US elections and voter data
In February 2020, a Gallup study found more than half of Americans report a lack of confidence in the honesty of U.S. elections. Federal Bureau of Investigation Director Christopher Wray voiced concern about that lack of confidence in September. We know election security is an important and pressing issue. The question is what is being done to address this concern?
Since the early 2000s, the U.S. government has provided several different resources to improve the administration and security of federal elections. In addition to the centralized registry requirement, HAVA also provided funding to the states and created the Election Assistance Commission, which accredits voting equipment and provides guidance on managing and administering federal elections. The act also appointed the National Institute of Standards and Technology to provide technical guidance on a variety of election-related matters, including the prevention of voter fraud, protection of voter privacy, and security of computers, networks and equipment.
The EAC provides a checklist that election officials can use to secure voter registration data and refers to NIST’s Cybersecurity Framework for more technical guidance. Some of the security protocols listed on the EAC’s checklist include the use of intrusion detection systems, data backups, encryption and data suppression. In 2018, President Donald Trump created the Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security as the “nation’s risk advisor.” Since its creation, CISA has published a "Guide to Vulnerability Reporting for America’s Elections Administrators" and more recently, an "Election Disinformation Toolkit." The toolkit reminds voters to think twice before sharing content, rely on trusted sources, and to be wary of posting personal information online.
In 2019, the EAC reported that since 2003, states have spent more than 3.6 billion dollars in federal funding on improving the election process, more than 50% of which was allocated for cybersecurity. If you are curious how much your state has spent on improving elections and how the federal funding was allocated, you can view the EAC’s 2019 "Annual Grant Expenditure Report." As part of the 2020 Coronavirus Aid, Relief, and Economic Security Act, $400 million in emergency HAVA funds were offered to the states to protect the elections from the effects of COVID-19.
Despite these efforts, some cybersecurity experts warn we haven’t done enough to protect our elections, and many call for more federal funding and extensive training for election officials and poll workers. Election officials and election-related staff may want to consider completing the free Cybersecurity Training provided by the EAC and Center for Tech and Civic Life.
Public awareness and hope for the future
Since 2016, we have seen campaigns and companies face public scrutiny over voter privacy. President Trump’s campaign manager tweeted about the “biggest data haul” of all time in reference to the 800,000 tickets issued ahead of the Tulsa, Oklahoma, rally. The IAPP wrote about a reported on security concerns, voiced by several privacy and civil rights organizations, about Amazon’s election services that include the storage of voter data. On their website, Amazon notes there are more than 6,500 government agencies that use Amazon Web Services, noting their services can be used for election cybersecurity, election administration and voter engagement. This increased sense of accountability sets a precedent for future election cycles.
The 2020 election will help determine whether the U.S. has implemented adequate protections for our election systems and voter data. As Americans become more attune to privacy issues given the advent of state comprehensive privacy laws, like the California Consumer Privacy Act, perhaps that pressure will influence how the U.S. allocates resources for election security in the future. Perhaps we will even see a federal comprehensive privacy law, discussed in a