On Monday afternoon, Washington, D.C.-based security researcher Collin Anderson set off a flurry of alarm with a tweet about the D.C. government publishing a full voter list online, including voters' addresses and political affiliations.
Anderson linked to the list, a PDF file, in his tweet; it's dated May 30 and lives on the website for the D.C. Board of Elections (click at your own risk, it's a large file). It's a complete list of registered voters in Washington, D.C. including each voter's date of registration, party affiliation, precinct, ward, home address, and whether or not they voted in elections dating back to 2012.
This may seem shocking but voting records, including where you live and whether you voted but not who you voted for, are actually public information. This is how campaigns get your address and send you all those mailings before poll time. Still, it seems to surprise people every election season, especially when it's used to shame people into voting.
Usually these public records sit in an elections office, available to people who stop by or request them by mail. What's different about the D.C. situation is that the records were put online and so became widely accessible.
The information security community was not impressed. Here's a small sampling of the reaction on Twitter:
Whoa. This is not smart: a textbook case of open data evangelism creating more risk for people. https://t.co/KbyVaj5ama
— Kate Crawford (@katecrawford) June 13, 2016
— Bec (@beccanalia) June 13, 2016
The D.C. Board of Elections wasn't silent on the matter. The agency responded to privacy researcher Jake Laperruque arguing that not only was the move legal, but that it's required by law to allow for challenges to individuals' eligibility to vote.
In its Twitter exchange with Laperruque, the BOE cited a section of the D.C. Code that, in the latest publicly available version, orders that the Board make an alphabetical list of voters that "shall be placed in the main public library."
The rejoinder to this is (duh) that the internet is not a public library, but the general counsel for D.C. bureau of elections, Kenneth J. McGhie, told FUSION that there's a misconception at play because the version of the D.C. Code online isn't up to date.
"The DC Board of Elections (DCBOE) has not interpreted ‘public library’ to mean the DCBOE website," McGhie said via email. "[W]e posted the listing on our website pursuant to D.C. Official Code §1-1001.07(h)(2A), which provides that '[t]he Board shall publish and display on its website for a period of not less than 14 days preceding each election held under this subchapter a searchable copy of the list of qualified electors registered to vote as of the date the voter registry closed.'"
McGhie says that the adjustment to the code went into effect on May 2, 2015, as part of the "Primary Date Alteration Act."
That act is available online. It doesn't stipulate what information the list has to contain, but McGhie writes that D.C. voter addresses are public and could be turned up by a FOIA request.
"All of the information contained in this listing is public information. Indeed, we indicate on our voter registration form that 'voter registration information is public, with the exception of full/partial social security number, date of birth, email, and phone number.'"
In the past, states have released that sensitive data by mistake, as when Georgia accidentally mailed out voter information on CD-roms that contained voters' social security numbers.
There's some recourse for D.C. voters who don't want their name and address out on the clear web. They can request that it be removed, but that requires an application and approval.
At the risk of moralizing (just kidding I love to moralize) there's a lesson to be learned here about open data. Open data in government is great, it's important, and lots of other nice adjectives. It also needs to be informed by privacy and security issues. An address is enough to get someone SWATTED.
The Board of Elections is following the law on this, but in this case the law doesn't account for the realities of online harassment, which can easily stretch into the physical world: a 2014 Pew study said 8% of those surveyed had been stalked online. An address makes such targets easier to find.
Ethan Chiel is a reporter for Fusion, writing mostly about the internet and technology. You can (and should) email him at email@example.com