Slashdot Mirror


2.4 Million Ontario Voters' Private Info Compromised

An anonymous reader writes "Elections Ontario, an agency tasked with the organization and conduct of general elections and by-elections in Canada's Ontario region, is warning voters about the loss and potential theft of two USB sticks containing private information of 2.4 million voters from approximately 20–25 electoral districts. The information at issue is limited to full name, gender, birth date, address, whether or not an elector voted in the last provincial election and any other personal information updates provided by voters to Elections Ontario during that time, as well as administrative codes used solely for election purposes. The information does not include how an individual voted."

15 of 81 comments

  1. Private? by Lev13than · · Score: 4, Interesting

    Sounds like the same "private" information that every candidate and party has access to during the election campaign and on election day. Not sure about the birth date, but everything else is definitely on the voter registration and tracking printouts used by poll clerks and by party scrutineers during the election.

    --
    When you have nothing left to burn you must set yourself on fire
  2. In Other News, Phone books missing by retroworks · · Score: 5, Funny

    I'm almost as alarmed by the sense of alarm. This sounds like harmless information. A ten year old hard drive is not the same as losing your current laptop, and being tagged in a Facebook photo is not as dangerous as having your social security information compromised. Maybe we should distribute useless USB sticks filled with past telephone book listings just to keep identity thieves busy..

    --
    Gently reply
  3. What is this info doing on USB-sticks? by santax · · Score: 4, Insightful

    What would be a valid reason to put that much info on 2 USB sticks besides wanting to sell it or altogether being too darn lazy to even think about security and consequences? Anyone?

    1. Re:What is this info doing on USB-sticks? by Sir_Sri · · Score: 2, Insightful

      Moving data between computers. Not everyone knows how to do network sharing. They may also physically mail the encrypted USB sticks to people (or pass them around) for whatever reason. Ontario is a big place, and we've got about 13 million people over a large area, so there might be a lot of data moved around snail mail style by people who for whatever reason aren't linked up to the central physical database.

      They may also have data for static analysis. The 'real' data might be updated constantly as people change addresses and so on, which is fine, but if you want to analyze voting patterns, say related to an investigation of robocalling (http://en.wikipedia.org/wiki/Robocall_scandal), you need the data preserved as it applied to a particular point in time.

  4. at least they made a public statement... by acidfast7 · · Score: 2

    ...versus most corps who do not unless forced to.

  5. Re:Private information? by Cabriel · · Score: 2

    To ensure the person is of voting age?

  6. Ontario region? by Chonnawonga · · Score: 3, Informative

    FYI, Ontario is a province. net-security.org should appreciate the value of precision, and /. editors need to edit.

    Sincerely, an Ontarian. (Yes, that's a word.)

  7. Re:So what? by Anonymous Coward · · Score: 4, Informative

    If you've ever seen the way Canadian elections are handled, you'd know just how difficult that is to do. The steps involve a non-neutral representative from each party watching the ballot box, along with multiple neutral Elections Canada employees watching it. All these people must be present whenever a vote is cast into the box, or if the box is moved (in my case, I had to walk to the hallway as a disabled person wished to vote and there were stairs leading to the voting area). All votes themselves are done completely secretly.

    The box is opened with all these people watching and every single vote is counted aloud and all representatives may complain if they see a vote they aren't happy with (not marked properly, forged, stuffed box, etc). We all get to watch each voter enter and get crossed off the list as they vote. The number of votes must match what we all saw. Once the votes are tallied (or someone complains from the group about a vote) a special cellphone only to be used for the election is used on speakerphone to call in the results in front of all of us.

    The box is then taped up with special security tape and driven directly to a secure storage location.

    The only way to have any tampering would be for all involved parties to be corrupt. That would be odd co-operation since all involved parties (other than Elections Canada) don't like each other.

  8. Seriously? by Zamphatta · · Score: 2

    On USB sticks???? What are they doing on USB sticks?!?!? Whoever put that on there, should be fired immediately, no questions asked.

  9. Encryption by subreality · · Score: 3, Insightful

    People think I'm paranoid because I encrypt all my drives... but when I lose a disk I never have to wonder if it potentially ended up in the wrong hands. Too bad it's only done by us loonies and not as standard practice everywhere.

  10. Well, I'm Probably On The List by TheSpoom · · Score: 3, Insightful

    So congratulations to the thief (or finder) for now knowing my birthday and former address.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  11. can only be accessed and read by... by game+kid · · Score: 3, Insightful

    The information contained on the two sticks wasn't encrypted and the sticks themselves weren't password-protected - as they should have. Still, it can only be accessed and read by using internal Elections Ontario proprietary software or specialized commercial software applications.

    ...and the thieves, once they (quickly) figure out how the fields are arranged and stored.

    --
    You can hold down the "B" button for continuous firing.
  12. Re:So what? by Mashiki · · Score: 2

    In Canada we pretty much do everything by pencil and paper. What this is though is the register of voters of who's eligible to vote by district. There are places where you can vote by electronic machine, but most people don't use them, they don't like them. It's pretty simple and straightforward.

    How it works is like this:
    In Canada when you file your taxes, you get the option of allowing Revenue Canada to send your personal information (DOB, name and address) to Elections Canada and in the regional office for Elections Canada for the voting registry. This is then used to compile the voter registration database. You can refuse, there's no problem with that. You just show up on election day and they update the register then. You'll have to show government-issued photo ID, and two bills within the last 30 days that have your name and address on it. Then you can vote. Also, if you vote, you must show photo ID. This photo ID is matched with the register book.

    If you move, your name appears on the original register still. But you can vote in your new district. The new district will often call your old district to have your name removed before allowing you to vote at your new one. Honestly, and to the point, I can't figure out what the big hoopla in the US is about over voter ID anyway. But maybe that's beside the point.

    --
    Om, nomnomnom...
  13. Re:"How an individual voted"??? by Pope · · Score: 2

    Really, it's like a lot of information that's technically "publicly" available, but scattered among multiple incomplete sources. This leak compiles a lot of that public info into one easy to digest package.

    It's like how a lot of property ownership information was "publicly" available, but required getting off your ass, down to City Hall, and filing the proper information requests. Once it hits the 'net, the effort needed to access that information en masse drops drastically. Then you can do nefarious things with it.

    --
    It doesn't mean much now, it's built for the future.
  14. Re:Yes, but you have to *pay* for those by Em+Adespoton · · Score: 2

    So, your issue is not that private or personal information was leaked, but that the Canadian government was not adequately reimbursed for the leaked data?

    I'm not really understanding your position on this matter. Are you for or against the release of this information?

    If you are for its availability, why do you feel that a fee associated with public information is appropriate?

    If you are opposed to the release of this information, why would you be amenable to its release simply because a fee was paid?

    I think he's meaning to point out that as you can purchase this information relatively cheaply, it doesn't really matter whether or not it was leaked.

    Of course, Canada still isn't the US, and the data was encrypted, so nobody likely got their hands on the sensitive data.