Opinion: Iowa voter privacy breach demands action by attorney general, legislators

Douglas W. Jones and Aleksey Gurtovoy
·6 min read
2

If you are registered to vote, you probably remember that doing so involved giving the state of Iowa a substantial amount of personally identifiable information, or PII, about yourself, including your full legal name, full address, and date of birth. A reasonable assumption that most of us make when filling out a voter registration form is that the state has taken measures to restrict who can access that information, and that when it is being accessed, it's being accessed for a legitimate political purpose.

What might never have occurred to you is that the personal data you provided to the state could end up being indiscriminately disseminated on the internet. And yet this is exactly what has happened to over 2 million Iowa voter registration records earlier this year.

On Feb. 1, 2022, an organization called Voter Reference Foundation LLC, VRF for short, using a third-party collector of public records called Local Labs, obtained all of Iowa's voter registration records from the Iowa secretary of state and put them online in a searchable format on the VoteRef.com website. The 2.2 million unredacted Iowa voter records — readily available for any use to anyone with an internet connection — disclose an alarming amount of personally identifiable information in a single place, making it a perfect gift to identity thieves, disgruntled individuals, shady data mining companies, and other malicious actors. Compounding the individual privacy breach is the fact that each voter's family members' information is also just a click away.

Revealing the date of birth — officially categorized by the U.S. Department of Commerce as sensitive PII — is particularly problematic. In too many contexts, online and offline, including medical care, people are asked to provide their birthdays as the only required proof that they are who they claim to be. If you were born after 1988, your birthdate, together with a place of birth, can be used to guess your Social Security number. And zero-cost access to the date of birth, full legal name, and full address from a single, reliable source can incentivize identity thieves to invest resources into harvesting the remaining pieces of personal data to execute theft.

According to the Iowa Code, any person may request voter registration records from the state (Section 48A.38), but they can be used only “to request the registrant’s vote at an election, or for another genuine political purpose, or for a bona fide official purpose by an elected official, or for bona fide political research.” (Section 48A.39).

First-time visitors to VoteRef.com are presented with a consent dialog, asking for acceptance of the site’s Terms of Service that prohibit the use of information on the site “for any purpose unrelated to elections,” and the Voter Reference Foundation's stated goal is “to provide public access to official government data pertaining to elections, including voter registration rolls, with a goal of encouraging greater voter participation in all fifty states.” Nevertheless, we believe that in redistributing Iowa voter registration records on the internet, VRF is violating both the spirit and the letter of Iowa law.

Iowa Code Section 48A.38(3) explicitly codifies a record-keeping protocol for every person who receives a voter registration list, requiring the registrar to "maintain a log of the name, address, and telephone number of every person who receives a list under this section, and of every person who reviews registration records in the office of the registrar." In doing so, the law unambiguously establishes the registrar and by extension the state as the custodian of the voter records, and prohibits bulk redistribution of non-aggregated records by the recipient since, by definition, such bulk redistribution renders the mandated log keeping meaningless.

We also believe that bulk redistribution of voter records with a vague goal of “encouraging greater voter participation” does not constitute a “genuine political purpose” under Section 48A.39. The voter registration lists are public records, already available to members of the public who are interested in examining them. Republishing these records in bulk online might be well-intentioned, but it lacks a specific political use beyond those already enabled by the fact that these records are public, and the claim of “encouraging greater voter participation” is at best suspect. If anything, knowing that registering to vote in Iowa will lead to the exposure of a large amount of personal information, including sensitive PII, to the world at large is likely to suppress voter participation.

It is worth noting that the release of PII by VoteRef.com varies considerably by state. For example, Michigan lists only the birth year, while Ohio lists only the birth year and month. Lawsuits in several states have led to restrictions on the release of PII, specifically limits on the release of birthdates.

(The Voter Reference Foundation told the Register that its lawyers reviewed Iowa law before the records were published, and again at the Register's request, and concluded that VRF's use of the records is legal. "We are trying to provide transparency to our opaque voting systems, which many million Americans distrust. We all pay for these records and we ought to be able to see them.")

While blowing the whistle on this Iowa voter privacy breach, we would like to make it clear that we wholeheartedly support public access to Iowa voter registration data. An election in which the identity of the electors is not public knowledge is not a free and fair election. The Guidelines for Reviewing the Legal Framework of Elections, representing the joint opinion of the nations that signed the Helsinki Accords, states that “transparency requires that voter registers be public documents readily available for inspection.” It goes on, however, to say that “the legal framework should clearly state the permitted uses of information obtained from ... the voter registers … as well as establishing sanctions for the misuse of information obtained from voter registers.”

The Iowa Code provides such a framework, and the Voter Reference Foundation is violating it.

In the Nov. 7, 2022, announcement of a multistate settlement over Experian and T-Mobile data breaches that compromised personal information of more than 25,000 Iowans, Iowa Attorney General Tom Miller said that “protecting consumers’ personal information should be a top priority, not only for credit reporting agencies, but all businesses.” We can't agree more, and we contend that the state of Iowa should hold itself to the same standard.

We urge the Iowa attorney general to take swift action to remove Iowa voter records from the internet, and the Iowa Legislature to amend Iowa Code Section 48A.38(1.f) to mandate the replacement of a voter’s full date of birth with birth year only when preparing a voter registration list pursuant to that section.

You can send your thoughts on this issue to the attorney general at webteam@ag.iowa.gov.

Aleksey Gurtovoy
Aleksey Gurtovoy
Douglas W Jones
Douglas W Jones

Douglas W. Jones is an associate professor emeritus at the University of Iowa, with research primarily focused on computer security and electronic voting, and co-author of the book "Broken Ballots: Will Your Vote Count?" He is a former member of Iowa's Board of Examiners for Voting Machines and Electronic Voting Systems, and has testified before the United States Civil Rights Commission, the House Science Committee and the Federal Election Commission on voting technology issues. Aleksey Gurtovoy is a veteran software engineer and a longtime civil liberties advocate, with a particular interest in First and Fourth Amendment issues. They write on behalf of the Iowa Civil Liberties Council.

This article originally appeared on Des Moines Register: Opinion: Iowa voter privacy breach demands swift action