Skip to Content

Cybersecurity & Standards

Campaign Data Breaches: Political Toxic Waste

Calling last week’s news that security researchers found an abandoned political campaign database on the internet with detailed information on over 200 million voters from 2008, 2012, and 2016 troubling is a massive understatement akin to calling the Titanic a boating accident. It’s closer to a catastrophe. Moreover, it may represent only the tip of the iceberg; Gizmodo points out that, “Five voter-file leaks over the past 18 months exposed between 350,000 and 191 million files.” As data collection and usage play an ever-growing role in political campaigns, the iceberg below is starting to look ominous.

Data that political campaigns use to hone messaging and for get-out-the-vote efforts can be very sensitive. It typically consists of a variety of accumulated data elements about American voters of all political persuasions, including: voter file data (name, physical address, birth date, registered political party, phone numbers, and in some states emails and ethnicity), donation survey response data (“Thanks for donating, we’d like to get to better know you! Do you own a firearm?”), and marketing data purchased from data brokers (
which can be very detailed). This information can be used for nefarious purposes, such as those that we see happen in industries with frequent data breaches, including identity theft and reidentification of de-identified health data. And it can be used for worse; assuming the data is accurate, it can pinpoint residential addresses that contain firearms, which are expensive, attractive to thieves, and deadly.

The harms of collecting and storing, then losing, this data are akin to the long-term costs on the public and the planet from the industrial production of toxic waste and environmental pollution.

This is a difficult place to make effective policy that might reduce the risk or prevalence of political data breaches. While many states have data breach notification laws (the Federal Trade Commission regulates data security and stewardship in many sectors), these policy mechanisms often don’t apply to political campaigns or nonprofit organizations (many of the entities involved in political campaigns are nonprofits). Further, much like the issue of political gerrymandering where politicians are loath to make decisions that might reduce their power, politicians would be quick to exempt political campaign activity from even the most reasonable regulations that might make it more difficult to microtarget voters (as we’ve seen before with exemptions to the Do Not Call list). Candidates of all shapes and sizes have begun to microtarget voters, beyond those running for President, Vice-President, or Congressional seats. As more would-be politicians look to data as a path to victory, we are likely to see more campaign data breaches in the future.

The harms of collecting and storing, then losing, this data are akin to the long-term costs on the public and the planet from the industrial production of toxic waste and environmental pollution. The environmental movement in the 1960s, a collection of advocates, policymakers, and companies, recognized the potential catastrophic impact on humankind and acted to cure potential harms. Today, it’s up to us to recognize and deal with the societal costs of mass data collection, storage, and loss.

Leaks of this magnitude and level of sensitivity aren’t inevitable. CDT believes that a key component of preventing breaches includes adapting digital security training and hygiene efforts – well known to dissidents, journalists, and digital activists – to the specific activities and rhythms of political campaign operations. To this end, we believe it is time for a new project to ensure that campaigns are responsible stewards of our data. In partnership with political campaigns, Political Action Committees, consulting firms, and other NGOs that work in and around elections, CDT will lead efforts to draft a “campaign data stewardship pledge,” including templates for privacy policies, data security playbooks, and other materials that will move the principles reflected in a stewardship pledge into action.

Please reach out to us if you have ideas or are a part of campaign activity that would like to better protect the core assets you use to do your work.