Every month, usually the second week of the month, I receive a CD-ROM from the Georgia Secretary of State Election Office. About two years ago, I requested a copy of the Georgia voter file to perform some analysis of Georgia voters. As a press outlet (yes, we really are), I continue to receive this disk every month, delivered like clockwork to my home address. It’s useful on occasion when preparing investigative pieces, or for background for voter trends in Georgia.
I tend to save the data every few months to have a ‘fresh’ version, but don’t keep every copy. There are plenty of political parties and for-profit entities that track this data, and can provide much more meaningful analysis than I can.
Yesterday, Erick forwarded an email he had received via both the Redstate and WSB contact forms from an investigator with the GASOS office. The investigator was looking for me, and didn’t have anything but my name and address. This, despite the fact that the SOS form that I filled out requesting the Voter File contained my mobile number and contact information. The investigator sent the requests to Erick at 3:20PM, he forwarded them to me at 4PM, and I called at 4:10PM. The investigator asked if I still lived at the “Newcastle Drive” address, and if I was at home. I was not, I told him, but I could take a look for the disk later in the evening. “OK, then”, he said, “I’ll turn around”.
Somebody wanted that disk back pretty badly.
Until yesterday evening, I had no idea that the very database I was receiving also, in it’s complete form, contains the full Social Security number, date of birth, and driver’s license number for every individual. And, apparently, I had been in possession of this information. For. Every. Single. Voter.
I returned home and found the November disk, which I originally thought I had thrown away. I reviewed the data, and found no difference from previous versions – there didn’t appear to be anything different. The investigator then confirmed that it was the October disk they were looking for, but he would take possession of November just in case it had the same problem. Clearly, there was a lack of information to be had, and priority number one was getting their hands on the disks.
After talking with the investigator, we agreed to meet this morning (November 18th) at one of the government remote offices (Chick-Fil-A North Point Mall). I checked his credentials, handed over the disk, and also a quickly typed signed statement that I had already disposed of the October disk.
Sadly, I’m sure that the SOS Elections Office thinks that getting the physical disks back amounts to some sort of meaningful control of the data. Unfortunately, just like the poor teenage girl who is convinced by her admirer to send indiscreet photos of herself, they will learn otherwise. Data has a life of it’s own, and the automated replication of data is unavoidable. Once it exists, it exists – forever.
Case in point – apparently, I had taken the (now infamous) October disk and made a copy of it to my computer. I don’t remember doing that – maybe I was on a conference call and multitasking or hadn’t yet had my coffee for the day. I only discovered this after meeting the investigator today and doing a more thorough search. (Note: I’ve now completely erased the October data using the DOD 5220-22-M standard for data erasure on magnetic drives.)
The point is that even the best intentioned folks can’t completely control data. It’s the biggest problem we have in the digital world we live in, and it’s only getting worse.
Stefan has already pointed out the various entities that receive this data. No doubt those folks are using Amazon, Google, Microsoft to spread the data around and this happens at the speed of light. The data I receive each month has never been encrypted, and comes in the form of a .zip and .txt file that anyone can open and view. Shown here is my own record in the ‘normal’ voter file, exactly as it’s supplied to me:
And here is my record from the November file, with the three additional fields obscured. They are SSN, DOB, and DL:
I’m not concerned about putting that information there, because it’s trivial to find out these bits on your own. It is truly scary what criminals are able to know about you. And in the dark web, the criminals have a very modern IT infrastructure that makes obtaining, buying, and selling personal and financial information quite easy. A would-be purchaser of your data and credit card numbers needs to have no more capability than shopping at Amazon, trust me.
There will be major ramifications to this data breach. Georgia law quite clearly defines the responsibilities of the parties, whether governmental or contractor.
They will offer you credit monitoring. Don’t rely on credit monitoring. Get a credit freeze today – it’s (nearly) free and very effective.