Chris Vickery could hardly believe what he was looking at: millions upon millions of bits of personal information belonging to registered voters in the United States, ranging from their cellphone numbers to whether they own a gun. If he could see it online, he knew anyone else could, too.
These days, it’s easier for malicious hackers to use personal information to steal identities for financial and other gain, and security experts say anyone compiling large amounts of personal information has an obligation to secure it online.
As best Vickery could tell, the data stemmed from evangelical Christian activists who had compiled it for political outreach. But who had leaked it or hacked it – and why? Even today, Vickery does not know. If regulators and law enforcers were inclined to do anything about it, where would they even begin?
Vickery told his story recently from a barstool at Sherlock’s Baker St. Pub in Austin, Texas, where he lives.
“It’s a lot more fun to hunt than it is to do the actual breach disclosure and try to get ahold of somebody who can take care of it,” said Vickery, a self-taught computer security expert who works in the technology department of an Austin law firm.
Vickery’s discovery of two breaches during the holiday season occurred just as presidential candidates such as Republican Texas Sen. Ted Cruz were beginning to make their own heavy investments in massive voter databases and doubling down like never before on microtargeting to gain an edge.
The initial breach exposed 191 million registered voters across the country and included whether individuals had voted in past elections, their names, party affiliations, dates of birth and home addresses.
Vickery also quickly uncovered a second, potentially more sinister online breach affecting about 18 million people. That data included dozens of additional details, from hunting interests and religious views to income levels and even whether the person is a fan of NASCAR.
Other categories included cellphone numbers, occupations and religious identities, as well as notations for whether individuals made campaign contributions, gave to religious organizations, had a “Bible lifestyle” or owned a gun.
Vickery spends his free time searching for weakly secured big data housed in corners of the Internet not generally accessible by Google. It’s his hobby. Discovering such a massive trove of personal information in one place, he worried, made it an alluring target for criminals.
At the time, the voter data was available on the search engine Shodan to anyone online who wanted it – no illegal hacking required. Whoever compiled the data had failed to secure it properly. The data since has been removed.
Vickery’s Internet sleuthing instincts were piqued. He looked further and turned up repeated references to the URL pioneersolutionsinc.com. A clue.
“If you go to pioneersolutionsinc.com and try to sign up for an account, you’ll get an email from United in Purpose,” Vickery said. “United in Purpose and Pioneer Solutions are run by the same guy.”
The CEO of United in Purpose, an evangelical Christian named Bill Dallas, told NPR in 2012 that the nonprofit’s mission is to use data mining to identify Americans with Christian values to help turn out the vote. Dallas – who says he found God while serving time in prison for embezzlement – learned that millions of Christians in the U.S. were not registered to vote or were not participating in elections. He wanted to change that.
So United in Purpose, according to NPR, “persuaded wealthy Silicon Valley conservatives to help fund the creation of a database of as many adults in the U.S. as they can find. So far, UIP has added 180 million. The company buys lists to build a profile of each citizen, and then assigns points for certain characteristics. You get points if you’re on an anti-abortion list or a traditional marriage list. You get a point if you regularly attend church or home-school your kids. You get points if you like NASCAR or fishing.”
Among other things, the data is made available to church pastors who want to know what percentage of their congregations is registered to vote. Pastors can even search for individual members of their congregations. Conservative activists also use the data to identify who in their communities is Christian but isn’t registered to vote. With the help of the data, campaign foot soldiers arrive at the doors of such Americans, or call or email them, to urge them to register and show up at the polls.
Internet domain and tax-exempt registration records show that United in Purpose is a 501(c)(4) nonprofit organization permitted to engage in political advocacy and led by Dallas. It lists an address near Pioneer Solutions Inc., which describes itself online as a “leading provider of membership information for membership organizations.”
According to United in Purpose’s 990 tax forms, the organization paid about $272,000 for “Pioneer data” in 2013 and nearly $997,000 for “Pioneer data” the year before that. The United in Purpose site states that Dallas also is the CEO of Pioneer Solutions Consulting. The organization’s 990 tax forms state that United in Purpose has an internal policy on potential conflicts of interest, but how it might affect these transactions is unclear.
United in Purpose and the Pioneer businesses have other links. The Web domain registrant for unitedinpurpose.org, Johanna Cabrera, also is a team member for pioneersolutionsconsulting.com. And the domain registrant for pioneersolutionsinc.com, Jay Bartels, also is a team member of Pioneer Solutions Consulting.
That’s where the trail goes cold. Reveal could find no business registration records for Pioneer Solutions Consulting, Pioneer Solutions Inc. or Global Alliance Solutions & Strategies – another name that appears on these websites. There’s no easy way to tell whether United in Purpose was directly responsible for the breach or whether it was the fault of a partnering organization or someone else altogether.
Emails sent to United in Purpose, Pioneer Solutions Inc. and Pioneer Solutions Consulting were not returned. A phone number listed at pioneersolutionsinc.com led to an unrelated company.
No response came from one of its states initiatives, called Champion the Vote, either. That group’s website says that it uses “industry standard data collection methodologies to securely collect and transmit your sensitive information.”
If such a breach had involved a major retailer like Target or The Home Depot or a hospital chain or a school district, Vickery believes the reaction would have been swift and involved federal regulators. But few in government seemed to be paying attention.
The Federal Election Commission said it had no jurisdiction over the data Vickery found. The U.S. Election Assistance Commission, another federal agency, said voter registration lists are maintained by the states, and it’s up to them to decide how the data must be handled. The FBI won’t say if it is investigating the breaches at all. A spokeswoman for the IRS said the agency could not comment on specific taxpayers or even hypothetical situations.
A political science professor at the University of Victoria in Canada, Colin Bennett, concluded in a paper last year that voter surveillance is increasingly popular among U.S. political campaigns as a method for targeting “narrower slices of the electorate in key electoral districts.”
“Sensitive data about political affiliations can be put in the hands of multiple volunteers and campaign workers, who may have no privacy or security training,” Bennett wrote. “In a world where data breaches are commonplace and daily occurrences, the decentralization of voter intelligence data could be a disaster waiting to happen.”
Much of the information that appears on a voter information card is publicly available to anyone. Political campaigns and activist groups often compile such data to more tightly target their outreach efforts. They’ve been doing so since as far back as the 1800s.
By 1897, politician William Jennings Bryan had compiled index cards on hundreds of thousands of his supporters. Barack Obama’s success as a presidential candidate is attributed in part to how successfully his campaigns used big data to get out the vote. Ted Cruz’s campaign launched a Cruz Crew mobile app that gobbles up detailed data on users who download it, including location information and contact lists, either through a Facebook login, email address or phone number.
Breaches are not the only threat posed by the big data revolution.
“Micro-targeting divides us into niche markets and avoids the hard work of building consensus and national visions,” Bennett wrote in his paper. “It arguably creates parties and candidates that do not convey a general ideological framework for governance, but a series of carefully chosen, focus-group analyzed, messages to key segments of the electorate in key marginal districts.”