US Voter Records From 19 States Is Being Sold on a Hacking Forum, Threat Intelligence Firms Say (zdnet.com)

← Back to Stories (view on slashdot.org)

US Voter Records From 19 States Is Being Sold on a Hacking Forum, Threat Intelligence Firms Say (zdnet.com)

Posted by msmash on Monday October 15, 2018 @08:00AM from the privacy-woes dept.

Catalin Cimpanu, reporting for ZDNet: The voter information for approximately 35 million US citizens is being peddled on a popular hacking forum, two threat intelligence firms have discovered. "To our knowledge this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data," said researchers from Anomali Labs and Intel471, the two companies who spotted the forum ad.

The two companies said they've reviewed a sample of the database records and determined the data to be valid with a "high degree of confidence." Researchers say the data contains details such as full name, phone numbers, physical addresses, voting history, and other voting-related information. It is worth noting that some states consider this data public and offer it for download for free, but not all states have this policy.

50 of 102 comments (clear)

Min score:

Reason:

Sort:

Duh by Tulsa_Time · 2018-10-15 07:33 · Score: 4, Insightful

It is worth noting that some states consider this data public and offer it for download for free
So why not make it clear in your headline what % of the data is not public before getting all excited...

--
5 out of 6 people enjoy Russian Roulette & 6 out of 7 Dwarfs are not Happy
1. Re:Duh by Anonymous Coward · 2018-10-15 08:14 · Score: 5, Funny
  
  If you're not going to over react, please don't post.
2. Re:Duh by bobbied · 2018-10-15 08:21 · Score: 1
  
  AC, I so wish I had mod points today...genius!
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
3. Re:Duh by WindBourne · 2018-10-15 08:36 · Score: 1
  
  Colorado offers SOME of the data for free. I do not see it on there.
  The voting data is the interesting part. It tells you how active somebody is (not who they voted for).
  
  --
  I prefer the "u" in honour as it seems to be missing these days.
4. Re: Duh by Anonymous Coward · 2018-10-15 08:45 · Score: 1
  
  How the fuck is this public info? Anyone can view your voting history? Is the USA a banana republic?
5. Re: Duh by EvilSS · 2018-10-15 08:52 · Score: 4, Informative
  
  How the fuck is this public info? Anyone can view your voting history? Is the USA a banana republic?
  Voter rolls (name and contact info) are public in most states. Additional data available is usually what elections you voted in, and in some states what primary ballot you pulled. These are usually restricted to campaign and other political uses by state law (marketers, not working on political issues, are usually barred from using it, for example).
  
  Note that how you voted (i.e. who you voted for) is not recorded and not part of any record.
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
6. Re: Duh by NicBenjamin · 2018-10-15 08:59 · Score: 1
  
  In some states it's public info for free. Others charge. This is partly so political parties know who votes, and partly because it's much easier for third parties to confirm there's no banana republic stuff with the voter rolls.
  My current state makes it public record. Here's a link to my city's entire electoral role, including who voted when.
7. Re: Duh by Tulsa_Time · 2018-10-15 09:01 · Score: 1
  
  I recently ran for office...
  My state election board offers a spreadsheet of all registered voters and the last 5 dates they voted.
  Names, addresses, party, living at each address.
  Not who they voted for... just that they voted.
  Candidates can use this to target the voters that are most likely to vote in an upcoming primary for example...
  There are apps that provide canvasing lists of high value voters.
  The R and D parties also have their own lists, likely partly derived from this data.
  
  --
  5 out of 6 people enjoy Russian Roulette & 6 out of 7 Dwarfs are not Happy
8. Re:Duh by NicBenjamin · 2018-10-15 09:01 · Score: 1
  
  "Voting history" does not mean who you voted for, it means which elections you voted in. It is public in every state, altho they generally charge for the records. That's how school board candidates know whether to bother you or not.
  Wh you voted for is not retained in any electoral file anywhere.
9. Re: Duh by Stormy+Dragon · 2018-10-15 09:26 · Score: 2, Interesting
  
  The last few election cycles, the Pennsylvania GOP has been targeting democrats and non-voters in Republican heavy areas by sending out threatening letters containing a list of your neighbors, who they registered for, and if they voted, and threatening to send the neighbors similar letters after the election if you don't switch parties and vote.
10. Re: Duh by youngone · 2018-10-15 09:35 · Score: 3, Insightful
  
  Please note A/C that in many US states voters also have to register their party preference.
  It is one of the many, many little ways the Republicans and Democrats keep their cosy little duopoly going and prevent the people of the US from having any real choice about who rules them.
11. Re: Duh by EvilSS · 2018-10-15 09:46 · Score: 1
  
  Link?
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
12. Re: Duh by filesiteguy · 2018-10-15 10:53 · Score: 1
  
  In most places it is public information, which through FIOA requests have been made available. My county, for example, sells it for $146. That's 4,000,000 records on the county voters.
  
  You can also go to the HAVA site to get information from any state or the 3,000 or so counties: http://voterlist.electproject.org/
  
  I would like to make my information private so I stop getting robocalls and massive amounts of flyers for various elections, but the only way to do that is not vote.
  
  --
  The Kai's Semi-Updated Website Thingy
13. Re: Duh by rtb61 · 2018-10-15 12:11 · Score: 1
  
  This smells of secret lists and entirely fake voters. Better it remain public, you sneaky fuckers.
  
  --
  Chaos - everything, everywhere, everywhen
14. Re: Duh by Ocker3 · 2018-10-15 13:05 · Score: 1
  
  Dodgy as all hell!
15. Re: Duh by astrofurter · 2018-10-15 17:21 · Score: 1
  
  Shouldn't that be dnc.cn?
They is? by Type44Q · 2018-10-15 07:36 · Score: 2, Insightful

Records is getting sold, is they?
1. Re:They is? by fleabay · 2018-10-15 14:18 · Score: 1
  
  Yes they be.
  
  --
  PlanetVulkan.com
"history" may be misleading by xaosflux · 2018-10-15 07:42 · Score: 4, Interesting

Keep in mind, that the "voting history" in the summary is easy to sensationalize. In most cases it only means you were issued a ballot, and possibly for mail-in ballots that you returned it. No state has a history of what actual voting selections were made.
1. Re:"history" may be misleading by bobstreo · 2018-10-15 07:45 · Score: 1, Insightful
  
  Keep in mind, that the "voting history" in the summary is easy to sensationalize. In most cases it only means you were issued a ballot, and possibly for mail-in ballots that you returned it. No state has a history of what actual voting selections were made.
  You hope.
2. Re:"history" may be misleading by bobbied · 2018-10-15 08:27 · Score: 2
  
  Keep in mind, that the "voting history" in the summary is easy to sensationalize. In most cases it only means you were issued a ballot, and possibly for mail-in ballots that you returned it. No state has a history of what actual voting selections were made.
  You hope.
  I know.... Seriously. The "Secret ballot" will remain so and unless you can somehow infer from the precinct results and list of who voted a specific ballot that was cast (Say for instance, EVERY vote cast was the same in a precinct, and YOU voted, so I can determine how you voted). But those situations are extremely rare. If you vote in a precinct where the votes cast isn't unanimous, you are safe from exposure of your unique vote.
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
3. Re: "history" may be misleading by davide+marney · 2018-10-15 08:29 · Score: 3, Informative
  
  I know. I am an election official in Virginia. We're not idiots. Of course your vote is private.
  
  --
  "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
4. Re:"history" may be misleading by EvilSS · 2018-10-15 08:55 · Score: 2
  
  It's pretty much impossible to collect that data. Your identifying data isn't anywhere on the ballot or machine.
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
5. Re:"history" may be misleading by Obfuscant · 2018-10-15 09:11 · Score: 2
  
  Your identifying data isn't anywhere on the ballot or machine.
  In a vote-by-mail state, your identifying data is on the envelope that contains your ballot. You TRUST that the election officials do not enter this data when they scan your ballot --- it is in a machine readable format so could be OCRd easily.
  This is the system that Wyden wants implemented for the entire country.
  When I voted in a "show up and vote on a paper ballot" system, there was a strip of paper on each ballot that contained the ballot number, which was recorded in the electoral rolls when it was given to you. You could see the election official remove that strip (after verifying the number against the number recorded next to your name) before your ballot joined the others in the box.
6. Re:"history" may be misleading by EvilSS · 2018-10-15 09:34 · Score: 2
  
  In my state the ballot is sealed in an envelope inside the one you mail in, which by law cannot have your identity on it. It gets thrown out if it does, which is why it has got big, bold letters telling you to not write anything on it. The mail in envelopes are opened under supervision of election judges from both parties, and the ballot envelopes are deposited into containers, taken to a different room, opened, and counted (again under supervision of election judges), so it would take a pretty solid conspiracy by the county clerk and both political parties to break that privacy. Even if they did, where would they record it? Everything is official, public record. They aren't going to keep some secret database of mail in voters. That would, inevitably, get discovered.
  
  As for the ballot ID, as you said, it was removed from the ballot before being counted.
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
7. Re:"history" may be misleading by Obfuscant · 2018-10-15 09:49 · Score: 1
  
  The mail in envelopes are opened under supervision of election judges from both parties,
  
  Which is why I said that you have to trust that they don't record the information. All of the description you provided is how they operate so that they create this trust.
  
  As for the ballot ID, as you said, it was removed from the ballot before being counted.
  No, it was removed from the ballot before it was mixed into the box with the other ballots, and I saw it happen with my own eyes. Counting took place after the polls closed. If they had waited until "before counting" then I would have to trust that it was being done.
  Do you not understand the difference between "know" and "trust"?
8. Re:"history" may be misleading by EvilSS · 2018-10-15 10:20 · Score: 1
  
  The mail in envelopes are opened under supervision of election judges from both parties,
  Which is why I said that you have to trust that they don't record the information. All of the description you provided is how they operate so that they create this trust.
  
  As for the ballot ID, as you said, it was removed from the ballot before being counted.
  No, it was removed from the ballot before it was mixed into the box with the other ballots, and I saw it happen with my own eyes. Counting took place after the polls closed. If they had waited until "before counting" then I would have to trust that it was being done.
  So they counted them before they mixed them? Otherwise, pretty sure I'm still correct. Also do you not trust yourself? You witnessed it.
  
  Do you not understand the difference between "know" and "trust"?
  Just like you have to trust the local coffee shop not to serve everyone cyanide, or your mailman to not plant bombs in your mailbox. The odds of recording your vote info from either of the scenarios you mention is astronomically small. It's because we don't trust them that checks are put in place. If you can't trust anyone, well, you're screwed anyway. It would require vast conspiracies, involving tens of thousands of people, from polling places to county offices, to state office, and across the federal government, spanning across decades of time to keep it secret. So, I stand by my original statement: "It's pretty much impossible". Prove me wrong.
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
9. Re:"history" may be misleading by Obfuscant · 2018-10-15 10:30 · Score: 1
  
  There is no realistic way for anyone to connect someone to a particular ballot much less create a database of how everyone voted.
  It is easy to do that. You take the incoming envelope and scan it on one system to bring up the stored signature on the display to validate it. You press OK. You remove the ballot from the "secrecy envelope" and scan it on another system. Oops, the systems are interconnected behind the scenes so a data collector can collect your ID from the first system and then how you voted from the second.
  I am NOT saying that this happens. I'm only pointing out that it is quite possible to do this.
  
  Vote by mail is far more secure than polling place balloting.
  
  Bullshit. First, you spread valid ballots out to the four winds and hope that only valid voters get their hands on one. With a polling place you validate the voter before you hand them a ballot. Second, once the ballot gets to someone, they can mark it as they please, or they can order someone else to mark theirs the way they want it marked in a way that they can verify that the order was complied with. With a polling place, you go into a booth away from everyone else and cast your vote, so even if someone tries to coerce you into voting their way they cannot verify that you have, or have not, done so. (Note that the verified coercion issue is a problem that every "verification of electronic vote" system has to deal with. If it is important for those systems, it cannot be irrelevant to by-mail voting.)
  You hand-wave away this issue by claiming nobody has ever done it. Well, if someone else has sufficient power over you to coerce you vote on election day, they will still have that power the day after, and the day after that, and you will still suffer the consequences if you turn them in. And there have been people here who have reported personal knowledge of employers coercing their employees, so yes, it has been reported.
  Third, when someone returns their "by mail" ballot the free way (which by law must exist, otherwise you'd have a poll tax) it can sit unwatched in a box in a location open to the public. For a polling place, there are people who watch the boxes until they are locked away out of public access.
  Fourth, the only validation of any ballot by mail is the signature, which can change over time or due to transient circumstances. (I broke my right wrist a few years ago -- why should that prohibit me from voting?) At a polling place you see a physical person who can present ID to prove who they are if there is any question.
  Vote by mail is a godsend to anyone who doesn't care about vote fraud at all. It is not more secure than in-person voting in any number of ways.
10. Re:"history" may be misleading by Obfuscant · 2018-10-15 10:46 · Score: 1
  
  No, it was removed from the ballot before it was mixed into the box with the other ballots, and I saw it happen with my own eyes. Counting took place after the polls closed. If they had waited until "before counting" then I would have to trust that it was being done.
  So they counted them before they mixed them? Otherwise, pretty sure I'm still correct. Also do you not trust yourself? You witnessed it.
  I said they count them AFTER THE POLLS CLOSE, which is long after the ballots are put into the box. How you get "before they mixed them" from "after the polls close" I do not know, but it has to be either a complete lack of reading comprehension or a deliberate attempt at misinterpreting what I actually said.
  Yes, pedantically, the strip is removed "before being counted", but that's only because the strip is removed before the ballot goes into the box. Just "before being counted" implies that it is removed after the ballots come back out of the box. Otherwise, you'd say it was removed before it went into the box -- which is what I said happens. So, if you wait to remove the strip until they are being counted, then NO, I do NOT see the strip removed with my own eyes. I have to TRUST that it was removed.
  
  Just like you have to trust the local coffee shop not to serve everyone cyanide,
  If the person in front of me doesn't fall over dead when he takes a drink from his coffee, I can be very certain they are not serving everyone cyanide. Further, there is no financial or political motive for them to do that. They gain nothing and have everything to lose. It is also something that anyone who buys coffee there, or interacts with someone who has bought coffee there, can easily detect. That means it is not "just like", there is a different level of trust needed. Don't be stupid by trying to equate outright murder of thousands of people with recording vote data.
  
  The odds of recording your vote info from either of the scenarios you mention is astronomically small.
  It is not astronomically small, and it not impossible as you claimed.
  
  It would require vast conspiracies, involving tens of thousands of people,
  
  There are not tens of thousands of people packed into every election office during the counting of by-mail ballots. At most ten for many offices. You vastly over-estimate the number of people involved, which makes your argument disingenuous at best. Bye.
  
  Prove me wrong.
  Already done. I've already given one easy method of doing it that could be missed by even a dozen observers.
11. Re:"history" may be misleading by l0n3s0m3phr34k · 2018-10-15 13:32 · Score: 1
  
  "I know.... Seriously." So, you have paid $42,000 and actually went over this information coming from these hackers? Unless you personally have looked at THESE FILES that TFA is talking about, you do NOT know.
12. Re:"history" may be misleading by EvilSS · 2018-10-15 14:43 · Score: 1
  
  Oh I see: you are mental. Ok bye.
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
13. Re:"history" may be misleading by bobbied · 2018-10-16 00:02 · Score: 1
  
  Yes, I'm pretty sure about this, no I don't have the data.
  IF you want to prove this assertion wrong, go GET the data and do it. However, the law of this country is pretty clear on this so if you find information on actual votes cast by an individual, any individual, a crime has been committed that needs to be investigated and somebody needs to be charged and convicted for it.
  Now I've not seen anybody charged for this kind of thing and you know it would be HUGE news if it happened, so I'm about as sure of my claim as I am that the sun will rise in the east this morning. (Even though I may not see it because its raining cats and dogs here.)
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Everything is a "hack" now. by geekmux · 2018-10-15 07:45 · Score: 4, Interesting

"US Voter Records From 19 States Is Being Sold on a Hacking Forum...It is worth noting that some states consider this data public and offer it for download for free, but not all states have this policy."
Why am I willing to bet that 19 states do have this policy, turning this "hacking" story into nothing more than clickbait?
We used to get pissed when "hacking" was mislabeled or misunderstood. Now we're just pissed that no one has a fucking clue what a hack is anymore because everyone is labeling every stupid little thing as hacking. Found a shortcut to work? You "hacked" your commute. Used a microwave instead of the stove? You "hacked" your dinner prep. Downloaded free public information? You "hacked" the voting public.
Enough of the "hacking" shit already.
1. Re:Everything is a "hack" now. by 110010001000 · 2018-10-15 07:51 · Score: 1
  
  Well everything is "AI" now, so this fits in. I am developing a "hacking AI". It scans networks looking for vulnerabilities. Totally innovative. I call it nmap.
2. Re:Everything is a "hack" now. by Nidi62 · 2018-10-15 07:54 · Score: 2
  
  Well everything is "AI" now, so this fits in. I am developing a "hacking AI". It scans networks looking for vulnerabilities. Totally innovative. I call it nmap.
  I'm developing a hacking tool that trains AI with machine learning to break blockchains. And it has a VR/AR UI.
  
  --
  The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
3. Re:Everything is a "hack" now. by 110010001000 · 2018-10-15 07:57 · Score: 1
  
  I'm opening my checkbook now. Just tell me the number to write.
4. Re:Everything is a "hack" now. by bjwest · 2018-10-15 08:06 · Score: 2
  
  Well everything is "AI" now, so this fits in. I am developing a "hacking AI". It scans networks looking for vulnerabilities. Totally innovative. I call it nmap.
  I'm developing a hacking tool that trains AI with machine learning to break blockchains. And it has a VR/AR UI.
  Phtttt. Unless you're creating a gooey interface in Visual Basic, you ain't hacking shit.
  
  --
  
  --- Keep the choice with the user..
5. Re:Everything is a "hack" now. by WillAffleckUW · 2018-10-15 08:14 · Score: 1
  
  I think you mean you used R with the AI packages.
  
  --
  -- Tigger warning: This post may contain tiggers! --
6. Re:Everything is a "hack" now. by CanHasDIY · 2018-10-15 08:23 · Score: 1
  
  ...AI ...machine learning ...blockchains. ...VR/AR UI.
  SHUT UP AND TAKE MY MONEY
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
7. Re:Everything is a "hack" now. by the_skywise · 2018-10-15 08:23 · Score: 1
  
  But are you sending that AI to college?
No need to worry by Blinkin1200 · 2018-10-15 07:52 · Score: 2

No need to worry. I have marked them all deceased and returned them to their source.
Re:Duh - FYI by Anonymous Coward · 2018-10-15 08:01 · Score: 1

All run by the same individual, and s/he has a system in place with which someone can get their name(s) removed from the lists.
also offers the raw data files so individuals can build their own systems.
https://arkvoters.com/
https://coloradovoters.info/
https://connvoters.com/
https://delawarevoters.info/
https://flvoters.com/
https://michiganvoters.info/
https://ohiovoters.info/
https://oklavoters.com/
https://rivoters.com/
heavy red states by WindBourne · 2018-10-15 08:33 · Score: 1

Amazing how nearly all are red states.
I wonder why that is?
In addition, the DBs are from this year due to updating. That means they have plenty of backdoors in the systems.

I hope that you red states can afford to have your ID and credit stolen.
Perhaps, you will finally back E-verify for real on all businesses.

--
I prefer the "u" in honour as it seems to be missing these days.
1. Re:heavy red states by EvilSS · 2018-10-15 08:59 · Score: 1
  
  That means they have plenty of backdoors in the systems. .
  Backdoors? You can just go download it from many states. It's not considered private info. When I was involved with local politics I used to download the county records several times a year, straight from the county clerk's website. No login or anything. Just a pinky-swear and threat of prosecution if you used it for unauthorized purposes (like non-political marketing).
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
Re:BS by jellomizer · 2018-10-15 08:34 · Score: 1

These are voter records, not voting history.
This is often your name and your address, which polling place you are registered at. Perhaps additional info, such as your age, and perhaps your signature, or picture.
However with this info + with general election results from a polling station. You can probably get a good picture on who to target and with what.
If you live in an area that voted 90% republican in your polling location, and it knows that you voted at that location. Then chances are you had voted republican, and are more acceptable to republican propaganda, vs democrat propaganda. So you will be targeted with words such as patriotism, and freedom. vs targeted words such as responsibility and liberty. They may be pushing the same agenda but will word it in ways that will make you feel more comfortable about it, vs hearing the other way which fills your heart with dread.

--
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Re:Rigging by politicians - Brian Kemp; child abus by bobbied · 2018-10-15 08:36 · Score: 1

Oh boy, really?
Where I have no idea what the facts actually are here, I'm going to make two guesses (let me know if I'm wrong.)
1. Brian Kemp is ahead in the race.
2. There is a legal reason each these registrations have been held up/rejected which is clearly defined in the laws of Georgia.
As to the allegations of being a child abuser, these need to be investigated by the police. If there is sufficient evidence to charge he needs to be charged, otherwise, this is nothing more than political mud slinging by the opposition who is likely behind and has no choice but to go low..
Now, I've made my predictions based on years of observing political campaigns. Am I right or not?

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Re:BS by NicBenjamin · 2018-10-15 09:05 · Score: 1

In states with party registration your registration is also in the public voter file. If they've got voter history they also generally get which years you voted in the primaries, which will give anyone who knows the state's politics a very good way to figure out which way you lean.
diagram the headline sentence by swschrad · 2018-10-15 09:26 · Score: 1

records are. record is.

--
if this is supposed to be a new economy, how come they still want my old fashioned money?
Re:Rigging by politicians - Brian Kemp; child abus by RubberDogBone · 2018-10-15 14:34 · Score: 1

Kemp is not especially ahead in the race. Both candidates are around 46 percent in the latest polls.
The bit about holding a gun on a kid is a claim related to a TV ad Kemp himself aired. He had a shotgun on his lap and a kid, apparently the boyfriend of one of Kemp's daughters, in an adjacent chair. All of this was in Kemp's own ad and isn't disputable.
The claim is that he pointed the gun at this boy and that equals child abuse. He did not point the gun AT the boy in the ad that aired. It was pointed past the boy, not AT him. Not really even close. Thus the whole claim of child abuse is easy to disprove. However, as a gun safety nut, it irks me to see Kemp treating his gun as a joke, and he almost certainly DID aim it at people on the film crew in the process of making the ad. I find that offensive, stupid and a demonstration of awful behavior and poor judgement. But it wasn't child abuse.
All of that said, there are plenty of other things about Kemp that deserve to be investigated. He's running another ad where he claims to have pulled strings or something similar to get an organ transplant for a sick child. He's right there admitting he played favorites and pressured insurance companies to do what he wanted. It's right there IN his ad. He brags about it. This should be a scandal. Nobody cares.

--
Sig for hire.
Re:Rigging by politicians - Brian Kemp; child abus by bobbied · 2018-10-15 23:54 · Score: 1

So I went and looked.. RCP has this race at about 3% edge for Kemp, so I was right on #1. You don't address #2 and you totally missed my point about the child abuse claim. In the child abuse thing, I'm saying INVESTIGATE and charge him if necessary, but until that's done, shut up about it because it really smacks of political mud slinging which isn't very effective in the long term and turns off about as many voters on both sides at best and carries huge risks for the mud thrower should the claims look petty (and in this case, they do). My prediction is Kemp wins with somewhere north of 5% margin maybe as high as 10%, so get used to it.

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101