TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Trump's voter data request tests state public data rules Related reading: On big data, fake news and voter manipulation

rss_feed
iapp-privacycore
S18_Web_300x250-COPY
GDPR-Ready_300x250-Ad

On May 11, 2017, U.S. President Donald Trump established the Presidential Advisory Commission on Election Integrity through an executive order, with a stated mission to “study the registration and voting processes used in Federal elections.” The PACEI is chaired by Vice President Mike Pence, who selected Kansas Secretary of State Kris Kobach as a vice chair. There are currently eight other members, and the PACEI has scheduled its first meeting July 19, 2017.

In his role as vice chair of the PACEI, Secretary Kobach sent a letter June 28 to election officials in most states (some states claim they have yet to receive a letter) soliciting their “views and recommendations” to help identify factors that “enhance or undermine the American people’s confidence in the integrity of federal elections processes.” As part of the letter, the PACEI requested “publicly available voter roll data” for each state to be provided within two weeks, including, “if publicly available under the laws of your state,” the following data:

  • the full first and last names of all registrants, middle names or initials if available,
  • addresses,
  • dates of birth,
  • political party (if recorded in your state),
  • last four digits of Social Security number if available,
  • voter history (elections voted in) from 2006 onward,
  • active/inactive status, canceled status,
  • information regarding any felony convictions,
  • information regarding voter registration in another state,
  • information regarding military status, and
  • overseas citizen information.

In a sworn declaration, Kobach states that assembling the voter roll data will “enable the Commission to fully analyze vulnerabilities and issues related to voter registration and voting.”

Yet the request has raised questions about compliance with privacy laws at both the federal and state level. Our deep dive on these issues starts with state law, exploring what data is at stake if states were to comply with the information-sharing request. We then turn to federal issues, including an analysis of whether the PACEI may have failed to comply with requirements under the Privacy Act and E-Government Act.

Publicly available data varies by state

Given the widespread media coverage of the “avalanche of opposition” generated by the PACEI’s “sweeping request” for voter roll data, it is important to note that the request is explicitly limited to “publicly available” records. Public data can mean vastly different things in different contexts — leading some scholars to argue that there is no such thing — but in the context of a request for state voter registration data, the meaning is apparent. The PACEI has requested a copy of mostly the same data on registered voters that states routinely provide to political parties, elected officials, the press or individual citizens, often for a fee.

In the U.S., states independently manage their election laws and processes, leading to widely varying rules on voter registration and election procedures. Every U.S. state runs a single centralized electronic voter roll of that state’s registered voters, as required under the Help America Vote Act of 2002. Before this federal rule, some states managed voter registration at the local level rather than in a centralized state database.

SSNs will not be included in shared data, but dates of birth may be

The uproar over the PACEI request shows that consumers may be unaware of the public nature of their voter registration data. Almost every state allows some level of access to its voter registration records. Rules vary between states based on: 

  • Type of data collected and stored. Most state voter rolls include data about voters that roughly matches the data fields requested by the PACEI. This uniformity is at least in part due to the similar uses to which the data is put: ensuring accurate and up-to-date voter rolls for fair elections. But federal rules also play a role. For example, HAVA includes a requirement to collect from registered voters either a state driver’s license number or the last four digits of an SSN. Another federal law, the National Voter Registration Act of 1993, requires that states accept a standardized federal voter registration form developed by the Federal Elections Commission. In addition to standard name and address fields, that form includes blanks for a voter’s full date of birth, ID number and signature. 
  • Data collected but explicitly prohibited from public release. Because the PACEI did not request information beyond what is already publicly available, it is not accurate to characterize states as “refusing” the PACEI request when they vow not to share sensitive nonpublic information. This is particularly true of the last four digits of SSNs, which no state shares as part of its public voter registration data, even though states are required to collect this information from voters who do not have a state ID number. It is not surprising that no state has agreed to share SSNs or state ID numbers (the latter of which the PACEI did not request) since many state laws explicitly prohibit election officials from including this data in public records requests. However, many states do include full date of birth information in their public voting records, including Alabama, Arkansas, Connecticut, Florida, Missouri, Nevada, Ohio, Oklahoma, Pennsylvania, Rhode Island, Texas, Vermont and Washington. Other states consider date of birth information to be sensitive personal information, either removing it from public records entirely or removing the month and day.
  • Right to public access of voter rolls. Not all states allow for public disclosure of voter data. For example, Massachusetts law states that the names and addresses in its central voter registry “are not a matter of public record.” Public access under other state rules varies from transparency-based requirements that any person may request a copy for a small fee to limited allowances for specified types of entities to request a copy for noncommercial purposes at fees that can reach five digits.
  • Entities that may request voter registration data. Some states only allow political entities or government officials to request access to the voter rolls. Massachusetts, one of the most restrictive states, allows only “state party committees” and similar entities to access its voter rolls.
  • Purposes for which data may be used. Many states prohibit commercial uses of voter data or restrict access for strictly political purposes. A few states explicitly prohibit the posting of records online. Due to a lack of use limitations in some states, private entities have purchased the records and posted them online.

The Westin Research Center has created a spreadsheet of state voter registry laws, types of data shared in public access requests, and election official responses to the PACEI request. It is a work in progress but may be accessed here. We welcome comments, corrections and feedback.

A wide range of state responses (and 14 refusals, by our count)

Responses of state election officials to the PACEI request have ranged widely. Irrespective of political ideology, many state governors and secretaries of state seem to resent a perceived implication that their states require federal assistance to ensure election integrity. Alternatively, they see the outcome of the PACEI investigation as predetermined. As New York Governor Andrew Cuomo tweeted, "NY refuses to perpetuate the myth voter fraud played a role in our election." 

More than party politics, the strength of the responses by governors and secretaries of state line up with the amount of flexibility their state laws provide to grant or refuse data access requests. In states where record requests must be granted, no matter how vociferously the election official voices disagreement with the goals of the PACEI and vows to protect the privacy of their citizens, they still conclude that they will share data. For example, Rhode Island Secretary of State Nellie Gorbea promises in her press release to “safeguard the privacy of Rhode Island voters” and says that it is “deeply troubling” that Secretary Kobach has been made the vice chair of the Advisory Commission but nevertheless concludes that she will “respond only with data that is already publicly available.” Some media reports have counted such statements as refusals.

In fact, state responses have fallen into one of four categories:

  • Outright refusal to comply with the request (Arizona, California, Delaware, D.C., Kentucky, Louisiana, Maryland, Massachusetts, Minnesota, Mississippi, New York, Tennessee, Virginia, Wyoming).
  • Refusal to comply unless the PACEI can provide assurances its use of data will meet the purpose and use limitations, or security requirements (Alabama, Iowa, Maine, New Mexico, Vermont).
  • Strongly worded statements of disagreement that nonetheless conclude data will be shared (Indiana, Rhode Island, Connecticut, Michigan, Montana, North Carolina), often under the condition that the PACEI pay the standard public records fee or go through the standard process for requesting voter data (Oregon, Pennsylvania, South Dakota, Utah, Wisconsin, Washington).
  • Expressing a willingness to share public data with no mention of fees or conditions as required by state law (Alaska, Arkansas, Colorado, Georgia, Idaho, Kansas, Missouri, Nevada, New Hampshire, North Dakota, Ohio, Oklahoma, South Carolina, Texas). An article in Vice, citing an official statement, says that Arkansas has already transferred its public data to the PACEI.

Public data, aggregated and matched

The fact that the requested data is already “public” does not change the extraordinary nature of the request by a White House committee to collect voter data from across the country. After an interview with Kobach, the Washington Times reported that PACEI would match voter data against the federal government’s list of non-citizens, in addition to checking for duplicates between states. As privacy professionals recognize, there are significant distinctions between data that is available for purchase from 50 different sources and data that is brought together in a single repository. Aggregated data provides both more utility and higher privacy risks than the same information in distributed form.

Accordingly, dozens of advocacy groups and privacy experts signed a letter to the National Association of State Secretaries urging them not to comply with the request. They write the PACEI has requested “sensitive, personal information that individuals are often required to provide to be eligible to vote” but has given “no indication how the information will be used, who will have access to it, or what safeguards will be established.” Likewise, the ACLU of New Hampshire has filed suit to block that state from sharing voter data with the PACEI.

Do federal privacy laws apply to the PACEI?

As EPIC outlined in its motion for a temporary restraining order against the PACEI, there is currently no evidence to show that the commission completed a privacy impact assessment, which is required under the E-Government Act before a federal agency initiates “a new collection of information” that “includes any information in an identifiable form permitting the physical or online contacting of a specific individual.” The DOJ responded to EPIC’s motion July 5, defending the lack of a PIA by claiming that the PACEI does not qualify as a federal agency for purposes of the E-Government Act. It pointed to a line of previous cases that have established a test for whether an entity within the Executive Office of the President counts as an agency for FOIA purposes: “The closer an entity is to the President, the more it is like the White House staff, which solely advises and assists the President, and the less it is like an agency to which substantial independent authority has been delegated.” 

This is complicated by the fact that different federal privacy statutes use different definitions for “agencies” subject to their requirements. Ironically, if the DOJ’s argument is sound, the PACEI’s formal “solely advisory” role may provide an exemption from complying with privacy rules for a data request that, as EPIC claims, appears to go beyond the PACEI’s advisory mandate to “study election integrity.”

 Is "public" data fair game for any purpose?

In its response memo, the DOJ writes, “In any event, EPIC’s members could not possibly be injured by the transfer of public information from one sovereign to another.” If it turns out that data’s “public” status is the test for whether a federal executive advisory committee can obtain bulk data on U.S. citizens, it will be important to engage in a serious inquiry into where this line is drawn. “Public” would certainly include states that have allowed private citizens to post voter rolls online, such as Arkansas, Colorado, Connecticut, Delaware, Florida, Michigan, Ohio, Oklahoma, Rhode Island and Utah. And it would exclude states such as Massachusetts, which shares data only with limited entities. But whether broad limitations on use or recipient are enough to remove data from the “public” sphere remains an open question.

A developing story

Before the court gets to the heart of the dispute, EPIC will need to survive the DOJ’s challenges to its standing and other initial legal hurdles. In a hearing scheduled for July 7, the district court will address questions about the PACEI’s ownership and control of the computer systems that will be used for “collection, storage, and transfer of data,” the PACEI’s authority to “systematically collect voter information,” the harm EPIC or its members will suffer if “only publicly available data” is collected, and the harm the PACEI would suffer if it conducted a PIA, among other issues. 

EPIC also submitted an emergency FOIA request to the PACEI asking for all information relating to its request for voter data, including information on its “failure to post a Privacy Impact Assessment” under the E-Government Act and Federal Advisory Committee Act and “failure to undertake a Systems of Records Notice” under the Privacy Act of 1974. 

Other reports have raised the question of whether the PACEI violated the Paperwork Reduction Act by failing to submit its request to states through the Office of Management and Budget’s Office of Information and Regulatory Affairs.

Though this remains a developing story fraught with partisan politics, the PACEI's request for voter data is testing the contours of public data and its proper use, the implications of which may have far-reaching consequences beyond state and federal government policy.

photo credit: USEmbassyPhnomPenh Preparing for Election Watch Party via photopin (license)

4 Comments

If you want to comment on this post, you need to login.

  • comment Mohd Qaiyum Bin Md Saleh • Jul 7, 2017
    terima kasih..banyak ilmu yang dapat dipelajari
  • comment John Berard • Jul 7, 2017
    The most important question in the post -- "Is 'public' data fair game for any purpose?" -- gets too little attention. A centralized database by definition presents a higher-value target for mischief, but its secondary use (like health data influencing employment decisions) raises a red flag big enough to see from wherever you are sitting.
  • comment Tom Alciere • Jul 9, 2017
    Utah no longer includes the date of birth on the public record. They did until Gov. Herbert signed SB 36 fifth substitute effective 13 May 2014. This after I built a website displaying all this information, which BTW is still downloadable from the Wayback machine and from Indymedia UK in a search for "Utah U.S.A. voter list"
  • comment Cobun Keegan • Jul 13, 2017
    Thanks for your comments!
    
    John, I agree, the question of whether "public" data is fair game for any use is very important... and I think the answer has to be "no." Have you seen Helen Nissenbaum's forthcoming paper on the public/private distinction? https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2875720
    
    Tom, thanks for that catch. And thank you for your websites, they were immensely helpful to me in creating the table attached to this piece. My table already reflects the fact that Utah's DOB data is no longer included publicly (though it is available to a restricted set of people). I'll remove it from the list in the article (though, of course, historical data is still available on your archived site and other public sites).