
191M US Voters’ Personal Info Exposed by Misconfigured Database - rmxt
http://www.databreaches.net/191-million-voters-personal-info-exposed-by-misconfigured-database/
======
eli
This is _public_ voter data that anyone can get from their county office or
secretary of state's office. It's not being "exposed" because voter files and
party registrations were never secret.

~~~
btilly
The data is not a well-kept secret, but there are restrictions on its use, and
for some locations criminal laws about misuse. See
[http://nationbuilder.com/voterdata](http://nationbuilder.com/voterdata) for
state by state rules.

Note in particular, "Placing on the internet so anyone can find out where
anyone else lives" is not exactly an approved use in locations like California
and Hawaii. Which is why there are going to be consequences once the database
owner is tracked down.

~~~
specialist
Further, some records may never be public, depending on local rules. Witness
protection, victims of domestic violence, judges, etc.

------
cjoh
While it's poor form to have a leaky database, this information is largely
public and dirt cheap. You can buy a whole state's worth of data for a couple
hundred bucks or a few cents a name. That includes whether or not you're
registered to vote in any specific primary.

Doesn't look like who you voted for is disclosed -- I'm not sure that this
data even exists. I suspect in most states, you go in to vote, your name is
crossed off a list, you're assigned a hash, and that hash votes, and there's
no database of "John Smith voted for Jane Doe."

~~~
pavel_lishin
> _You can buy a whole state's worth of data for a couple hundred bucks or a
> few cents a name._

Where is this data sold?

~~~
mikestew
Secretary of State's office for a particular state. WA charges some trivial
amount for the trouble.

There are companies that add a bit of value by collecting the data and
spiffing up the formatting a bit, then burning it to a CD/DVD for you. When I
ran for city council of Redmond, WA, I went 15 minutes down the road to a
place in Bellevue and just picked up the CD. It gives name, address, and
whether or not one voted in each of the last X elections. SELECT * FROM voters
WHERE "voter voted in 50% of elections" to get bang for the walking-door-to-
door buck, throw that into MapPoint (tells you how long ago it was), and print
out the walking sheets.

------
cbsmith
"Could it be one of their non-hosted clients leaking the database? Maybe.
Could it be that someone hacked one of their clients and stored a copy of the
database at this IP address? Maybe. Could it be that an employee of a client
decided to make themselves a copy for their own purposes? Maybe. The
possibilities are numerous. We really don’t know and DataBreaches.net declines
to speculate."

Umm... you just speculated.

~~~
NittLion78
They refuse to speculate if one of the speculations is superior to other
speculations. Thus, if all speculations are still on the board to be further
speculated upon, one cannot speculate further.

My head hurts.

~~~
cbsmith
You win the rationalization of the day award: two aspirins. ;-)

------
AlexCoventry
So where is the database?

If there's any legal or ethical problem with doing this using the Ohio Voter
Registration files, I would like to know. I recently made an interface to
it[1] to use when gathering ballot access petition signatures for Bernie
Sanders in Ohio[2]. It's freely downloadable data, though[3], and the Board of
Elections officials I shared it with weren't aghast at the idea.

[1] [http://gobernie.net/](http://gobernie.net/) Source code:
[https://github.com/coventry/voter_lookup](https://github.com/coventry/voter_lookup)

[2]
[https://www.facebook.com/groups/929112173802716/](https://www.facebook.com/groups/929112173802716/)

[3]
[http://www2.sos.state.oh.us/pls/voter/f?p=111:1:0::NO:RP:P1_...](http://www2.sos.state.oh.us/pls/voter/f?p=111:1:0::NO:RP:P1_TYPE:STATE)

~~~
occsceo
My team has these same questions; we are working on a unified voter db. Care
to collab on thoughts? Looks like thehill just picked up on this. My username
at gmail.

~~~
wwweMergescom
Be pleased to look for the source with you: emerges.com@gmail.com

------
jwcrux
Seeing the "_id" : ObjectId() fields indicates to me that this is likely a
mongodb instance that was available to everyone.

There's been so much talk about these recently[1] that I'm surprised this
didn't come up sooner.

[1] [https://blog.shodan.io/its-still-the-data-stupid/](https://blog.shodan.io/its-still-the-data-stupid/)
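As an added example, not from the thread or from NationBuilder: the mongod.conf shape that leaves a MongoDB server answering every client without credentials, followed (after the `---` YAML document separator) by the hardened form. The layout is the standard YAML config format of MongoDB 2.6 and later; the single-host assumption, user name and password are placeholders.

```yaml
# Added example, not code from the thread: two mongod.conf documents
# (YAML config format, MongoDB 2.6+) showing the exposed and hardened shape.
# Assumption: the application runs on the same host as mongod.

# Exposed form: the shape behind an instance that is "available to everyone"
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface, public ones included
# No "security" section: authorization defaults to disabled, so any client
# that can reach port 27017 can list and read every database with no login.

---
# Hardened form
net:
  port: 27017
  bindIp: 127.0.0.1      # answer only clients on this host; if the app
                         # server is remote, list its private address here
                         # and firewall 27017 from the internet either way
security:
  authorization: enabled # every client must authenticate and hold a role
# With authorization enabled and no users yet, the localhost exception lets a
# local mongo shell create the first admin (password is a placeholder):
#   use admin
#   db.createUser({user: "admin", pwd: "<strong-password>", roles: ["root"]})
```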

~~~
xPaw
Yeah, the screenshot is using MongoVUE.

------
r0m4n0
I own a few services that rely on voterfile data we acquire from many sources
and I am aware of quite a few others (so I feel like I need to chime in here
haha). I suppose sources aren't going to disclose the actual resource or IP
address until law enforcement tracks them down? I haven't been able to find
any reports of anything specific.

It may not be Nation Builder per se but it could be one of their many
integration points maintained by third parties:

[http://nationbuilder.com/apps](http://nationbuilder.com/apps)

~~~
kazazes
A well crafted shodan.io search given the already public information
(approximate size, in the US, no password, etc.) should give you a good start.
It's already been found once.

~~~
exhilaration
So here's a starting point:
[https://www.shodan.io/search?query=port%3A27017+country%3AUS...](https://www.shodan.io/search?query=port%3A27017+country%3AUS+os%3Alinux)

I'm not sure how to search by database size though. But I'd estimate that 190
million voter records, at 1 kb each, would be a little under 2 GB if my math
is right.

~~~
cynwoody
Here is a MongoDB named voters† that claims to be 472166432768 bytes long (a
little short of 2500 bytes per voter, if there are 191e6 voters).

I'm not familiar with MongoDB and don't have the time to learn right now. But
do check it out!

†[https://www.shodan.io/host/52.0.220.221](https://www.shodan.io/host/52.0.220.221)

~~~
exhilaration
Yup, you found it.

Confirmed: db.blackhole_nj.find({$and:[{"fname": "Christopher"},{"mname": "J"},{"lname": "Christie"}]})

The governor's DOB in the results matches what's in Wikipedia.

~~~
josscar
How did you run that?

~~~
exhilaration
Any MongoDB client, I used Robomongo at the time. But when I tried again the
next day I could no longer connect.

------
dvcc
Using census info for age distributions, this most likely amounts to every
registered voter.

The site also seems to be having a rough time with the traffic. Here is the
cached page:
[http://webcache.googleusercontent.com/search?q=cache:BXSmNL6...](http://webcache.googleusercontent.com/search?q=cache:BXSmNL6bUa4J:www.databreaches.net/191-million-voters-personal-info-exposed-by-misconfigured-database/+&cd=1&hl=en&ct=clnk&gl=us)

------
jstalin
Earlier this year I spent $25 for a FOIA request for my state's entire voter
database. This isn't exactly private information.

~~~
whoopdedo
What benefit does revealing registrations provide? How would the public
interest be harmed by shielding names, addresses, and phone numbers from
disclosure?

A lot of comments here saying "so what it's public record." But not a lot of
asking if it should be. Something being the status quo doesn't make it right.

------
kristofferR
It seems like this is a MongoDB database.

Scanning the US IP ranges for Linux hosts (as mentioned in the article) with
port 27017 open with ZMap and then running a script that connects to the open
database and saves the size of the database in a file would be a good place to
start for those who want to find it.

~~~
hendzen
Also a good way to go to jail. Please think long and hard before accessing
random computers on the internet. The fact that they are unprotected is
unfortunate but irrelevant.

~~~
netcraft
I'm interested in the legality argument against this. If it is illegal, how do
sites like this operate?

[https://www.shodan.io/search?query=port%3A27017+country%3AUS...](https://www.shodan.io/search?query=port%3A27017+country%3AUS+os%3Alinux&language=en#)

or even [https://scans.io/](https://scans.io/) which uses something like
[https://zmap.io/](https://zmap.io/)

Not saying you're wrong, wondering where the line is if there is one.

~~~
hendzen
Port scans (what Shodan does) are in a grey area. Actually using the port scan
data to connect to a networked service and exfiltrate data is definitely
illegal.

------
wwweMergescom
Look at our more detailed compilation of statutes at
[http://www.emerges.com/assets/images/docs/Restricted-State-V...](http://www.emerges.com/assets/images/docs/Restricted-State-Voter-Use-Affidavits.pdf).
Note NationBuilder is wrong about permissible MS data usage.

More critically, NationBuilder may erroneously be denying accountability.

“Nation Builder is under no obligation to identify customers, and once the
data has been obtained, they cannot control what happens to it,”

Specifically look at the statutes for MA and CA. Clearly and in writing, voter
list purchasers are required to get written pre-approval from the two
respective states PRIOR to releasing the data. But what if NationBuilder did
not sign the affidavit with the state, i.e. what if NationBuilder got the data
from someone in the Democratic or Republican national or state parties?

If either of the two major parties released the data without getting written
pre-approval from the state, then they may all be in breach of contract and
liable, NationBuilder included.

------
ryanlol
Not sure what LE is doing here unless this is operated by an org in one of the
states where it's illegal to publish this data.

e.g. a Florida company publishing California voter records in Florida can't
possibly be committing a crime.

I don't see why FBI would get involved either, since there doesn't seem to be
any federal crimes happening here.

------
a2tech
What's amazing is that there seems to be no way to contact anyone to take down
this database; it's just sitting there happily serving up data to anyone that
asks. No contact info, no way to track down the owners.

Almost makes you think knocking it offline would be worthwhile just so someone
will take a look at it.

------
dyoon
1) This information is mostly public information; it contains information
about party affiliations and participation in elections but doesn't contain
details about votes.

2) It looks like the data came from nationbuilder, which spent around 2-3
years building/compiling a voter registration database that's more accessible
to the public than other proprietary solutions.

~~~
dyoon
[http://nationbuilder.com/voter_file](http://nationbuilder.com/voter_file)

------
DrSayre
Kentucky has it where you can find your party by using your name and birthday.
It also shows your home address. If you're wondering, John Calipari is an
Independent while Rick Pitino is a Democrat. What's interesting is that it
shows Cal's address but Pitino only shows U of L.
[https://vrsws.sos.ky.gov/VIC/](https://vrsws.sos.ky.gov/VIC/)

------
balgan
We actually found a ton of this stuff a couple of months ago:
[http://blog.binaryedge.io/2015/08/10/data-technologies-and-s...](http://blog.binaryedge.io/2015/08/10/data-technologies-and-security-part-1/)

------
d43594
Would be interesting to validate the voting record in elections according to
the DB against the outcome.

------
Afforess
As far as I can tell, the only "breach" here is revealing what candidates or
parties voters chose. The voter registries are public in nearly all states.
I've used public voter registries to look up addresses, even when I only had a
name. Information such as a personal address, phone number, etc. has always
been trivial to look up.

~~~
krisdol
I don't disagree with the general notion of your comment, but in

> As far as I can tell, the only "breach" here is revealing what candidates or
> parties voters chose

Why put "breach" in double-quotes? That's a very serious privacy concern if
voters did not want this information to be public.

~~~
JadeNB
> Why put "breach" in double-quotes? That's a very serious privacy concern if
> voters did not want this information to be public.

I think that this is a very important point. It doesn't matter how important
it is to _you_ that _my_ information is public; the seriousness of its
exposure depends on how important it is to _me_. (I am using 'you' and 'me'
here not to argue with you specifically—in fact I agree with you!—but rather
as generic pronouns.)

~~~
eli
It's not a breach because nothing was exposed that wasn't already public.
Public voter rolls are one way we prevent fraud.

~~~
krisdol
I don't expect who I voted for to be public record. I'm not a lawyer, but I
don't believe this information is intended to be public record. There are
risks of not only employers, but government workers and officials
discriminating against someone based on their vote. The ballot should be as
secret as possible.

edit: I pieced together information from other comments and noticed that who
one voted for is not available, even through this breach. That's great. My
comment here was addressing the breach as it was presented in this comment
thread.

~~~
oxguy3
Who you voted for isn't public, but if you voted in a primary, it is often
public which party's primary you voted in. Voting in a particular party's
primary doesn't necessarily mean you're an actual supporter of that party
though. I've heard of plenty of cases where members of one party voted in the
other party's primary because they wanted the less-electable candidate to be
that party's nominee.

