In the United States, each state government holds records on its voters. The type of information that’s deemed “non-confidential” and who has access to this data differs by state. Some only distribute names and addresses to political parties on a strict non-commercial basis. Others publish voter lists online so anyone (even those outside the US) can access the data.
Yet, when “hackers” get their hands on this data, there’s uproar. Recent examples include Michigan voter information being for sale on the Dark Web (authorities insisted this data wasn’t hacked, though, as the data is freely available to anyone through a Freedom of Information request), and the infamous Russian hack on election databases in 2016.
Should we be looking closer at the states that aren’t doing enough to protect the privacy of their voters’ personal data, rather than the hackers who are accessing what’s mostly available already?
Our team of researchers has been through each state’s voter registration legislation, voter list request processes, and cybersecurity standards to find out which states have the best privacy protections for their voters.
- 31 states grant the general public access to voter data with many others allowing access under supervision (i.e. at local elections offices)
- 11 states don’t specify how voter registration lists should be used (i.e. for non-commercial purposes) in their Elections Code and don’t have penalties in place for those using the lists for solicitation purposes
- No states provide in-depth third-party data warnings to voters when they register to vote. But some do offer privacy notices about the data that is made public upon registering
- Most states offer some added confidentiality agreements for certain groups, i.e. Address Confidentiality Program (ACP) participants
- Every state that allows voters to register online has an HTTPS-secured website. Less than half of these have the added security measure of CAPTCHA boxes
- Most states have strong cybersecurity measures in place but a handful are lacking in certain areas, i.e. no official cybersecurity training for election officials
- The cost to purchase statewide voter files varies widely. Some states offer them for free and others charge fees of over $30,000
- 22 states either don’t require any information before accessing the voter list, don’t give options to select smaller lists (i.e. by district), or don’t have declarations regarding what the list can/can’t be used for
- 21 states have (or are about to have) automatic voter registration
Please note: we have scored states from a privacy protection standpoint only. For example, while high fees to access voter records may be deemed to obstruct transparency, from a privacy standpoint, such fees reduce widespread access to the data. Likewise, automatic voter registration improves voter participation, but could negatively impact voters’ privacy.
What information is typically included in a voter file?
The majority of voter files available to the public or specific groups will include the name and address of the voter (unless they have additional privacy protections, in which case, their address may be withheld). Other information includes:
- Date of birth (often just the year)
- Phone number
- Email address
- Signature (often just to view, not copy)
- Voter ID
- Voting location
- Date of voting registration
- Date of last vote
- Voting status
- Party/affiliation preference
- Vote history
- Race and gender
Some states will keep parts of the aforementioned data confidential, as well as:
- Social security numbers
- Driver’s license numbers
- Month and day of birth
- Identity of voter registration agency/location of registration
A handful of states specify that a person’s declination to vote, felony convictions, last jury date, military ID, Indian Census (Tribal ID number), father’s name, or mother’s maiden name must remain confidential.
Some states fail to specify any requirements as to what information should remain confidential. As mentioned, a large number also have no specific rules around what the data can be used for. Others limit data use to political/election purposes only, while a number of others state non-commercial use.
Who has access to the data and to what level also varies by state. A large number allow anyone access (you may need to reside in the state you’re requesting data on, though), some restrict public access by only allowing an inspection of the list at local elections offices, and some will only share the information with political parties/persons. The latter has access to almost every state list.
To find out which states best protect the privacy of their voters, we scored each state on:
- Who has access to the lists (0 to 5 points)
- How much information is kept confidential (0 to 3 points)
- What the file can be used for (0 to 2 points)
- Whether voters are notified that their data will be made public (0 to 3 points)
- Penalties enforced for unlawful use of voter data (0 to 5 points)
- Who can request that their data be kept confidential (0 to 5 points)
- Security of the states’ online voter registration systems (0 to 2 points)
- Voter database cybersecurity standards (0 to 6 points)
- Record costs for statewide voter lists (0 to 5 points)
- What information requestors of voter lists have to give, how specific they can be about their request (i.e. by district/county), and whether they have to sign to declare that the data will only be used for X purposes (0 to 5 points)
- Whether the voter list is published online (0 to 3 points)
- Whether automatic voter registration takes place in the state (0 to 3 points)
Low scores indicate a lack of data privacy protections, while high scores indicate best practices.
The 5 states where voter data privacy is lacking
According to our data, the five states that lack data privacy protection for voter data are:
- North Carolina (12.5 out of 47): North Carolina receives the lowest score due to anyone being able to access the voter database online without any authentication. This gives anyone on the internet access to voter details such as name, address, age (year of birth), race, gender, party affiliation, and voter history. It does, however, score points for keeping certain information confidential by law (including SSNs and email addresses), providing ACP participants with added protection, having HTTPS on its voter registration website, and not having automatic voter registration. It also scores well for cybersecurity, only losing half a point for its voter registration system having not been replaced in the last 10 years (but it is maintained and updated regularly).
- Ohio (15.5 out of 47): Similar to North Carolina, Ohio’s poor score comes from the fact its voter list is published online without authentication required to access it. That being said, Ohio does stipulate that voter records may only be used for non-commercial purposes and imposes general sanctions on those disobeying the Election Code (up to 180 days imprisonment and/or a fine of up to $1,000). Ohio has also budgeted to replace its voter registration system, offers all of the other cybersecurity measures we analyzed, and has CAPTCHA codes on its voter registration site.
- Arkansas, Massachusetts, Oklahoma (17 out of 47): Arkansas and Oklahoma allow public access to voter registration lists but Massachusetts restricts its list to political committees/candidates/parties. None of these states have legal restrictions or penalties for the use of voter files and none require anything beyond basic details when requesting the file – only Arkansas has a fee ($50 for an electronic list). Arkansas also has all of the cybersecurity measures in place but Massachusetts and Oklahoma lack help from the DHS or National Guard and adequate training for election officials (MA has budgeted for the training, though) and both are in the process of updating their voter registration systems.
- Connecticut (17.5 out of 47): Similar to the above states, Connecticut offers public access to the voter list, has no restrictions or penalties on its use, and only requires a written request for access to the data. The cost of acquiring the data is $300. All of the cybersecurity measures are in place aside from an updated voter registration system (but this is planned for 2022) and its registration website has both HTTPS and CAPTCHA.
- Michigan (18 out of 47): Michigan allows full access to the voter database, has no specifications on what the file can be used for (and thus, no penalties), and provides no added protection for certain groups’ voter data. However, it has all of the cybersecurity measures in place, does have some cost (approx. $50) for accessing the list, and requires some information from requestors (they can also specify the precinct/district they require).
Voter Data Privacy - All States and Scores
|State||Score||Access to Voter Registration List||Information Kept Confidential||File Use||Public Data Warning||Penalties for Unlawful Use of Voter Data||Requests for Information to Be Kept Confidential||Online System||Voter Registration Cybersecurity Standards||Record Cost for Full Statewide List (Not Including Additional Charges for Paper Data)||Information Required to Access Data||Voter List Published Online||Automatic Voter Registration|
|District of Columbia||19.5||0||3||0||0||0||2||2||5.5||1||1||3||2|
The 5 states where voter data privacy is better protected
While no state scores full marks, five states did stand out for their privacy protections:
- Virginia (37.5 out of 47): Virginia comes out on top due to its all-around protections. Access to the list is limited to political parties, committees, and candidates and researchers, but others (i.e. the public) can gain access if they can prove it is to promote voter registration and participation. Anyone getting the list has to pay around $5,500 for it, provide full details, and declare that they won’t use it for unlawful purposes. Virginia restricts the use of the list to political activities only and those using the list for any other purpose can face prison sentences and/or fines of up to $2,500. All of the cybersecurity standards are implemented and automatic voter registration is in place.
- Indiana, California, Utah (34.5 out of 47): Despite the public having access to the database in Utah, there are severe sanctions for those who use the list unlawfully (criminal fines of up to $2,500 and civil fines that can exceed $48,000). Those requesting access to the file have to provide their information, can specify what type of list they’d like (i.e. by district), and have to declare that they know what the file can be used for. In California and Indiana, both states restrict access to political parties, researchers, and/or journalists and restrict file use to non-commercial or political purposes only. Those requesting the list in California must specify their full details, provide identification, and pay over $10,000 for access, and anyone misusing the list faces a fine of $0.50 per name that’s unlawfully used. Requests in Indiana are similar. The cost to access the data is $5,000 and those unlawfully using the data face fines of up to $1,000. On a cybersecurity level, California has all of the standards in place but Indiana’s voter registration system is over 10 years old and Utah is still in the process of upgrading its voter registration database system.
- Minnesota (33.5 out of 47): Only registered voters have access to the voter database in Minnesota (the public can view under inspection in local election offices) and the list can only be used for political/election purposes. Those who breach the code face being found guilty of a felony, resulting in over a year in prison and fines that can exceed $10,000. The cost of acquiring the list is low ($46) but requests have to be detailed and a declaration on the legal data use has to be signed. Minnesota also has all of the cybersecurity measures in place bar a new voter registration system (but a budget has been proposed).
- South Dakota (32 out of 47): Access to voter lists is limited to political entities/candidates, while the public can inspect at local elections offices. The cost of an electronic list is $2,500. It can only be used for political purposes and those using it unlawfully can face fines of up to $2,000 and/or a year’s imprisonment. Civil penalties of up to $2,000 may also be added. South Dakota doesn’t offer additional protection to vulnerable groups.
- North Dakota, New Hampshire, Louisiana (31 out of 47): All three states reduce access to the voter list – North Dakota and New Hampshire limit to political groups/persons while Louisiana only allows access under supervision at local elections offices (the public can also view at local elections offices in NH). All of the states impose fines for improper use and have large costs for accessing the lists. None have automatic voter registration.
- Access to Voter Registration List: States scored out of 3 based on how many people/organizations can gain access to voter registrations lists – as governed by state law. “Public” access may be limited to residents within the state.
- Information Kept Confidential: States scored out of 3 based on how much data is deemed “confidential” – as governed by state law. Scored based on any access to personal data – i.e. if a political party has access to some data but the general public don’t, the state is only scored on the information that is kept confidential from everyone.
- Use of Registration File – States scored out of 3 based on how the voter registration lists can be used (i.e. for political/election purposes only) – as governed by state law.
- Public Data Warning – States given a score of 3 if a privacy notice is provided on the online and/or mail-in form. A 0 if nothing is mentioned.
- Penalties for Unlawful Use of Data – States given a score out of 5 based on how severe the penalties are for using voter data unlawfully. The state must have a specific penalty listed in its Elections Code to be scored here or a general penalty that applies to clear rules within the code that haven’t got a specific penalty.
- Further Confidentiality Requests – States scored based on the # of groups that can obtain further confidentiality from public records – as governed by state law. I.e., those under the Address Confidentiality Program (ACP).
- Online System – States scored based on whether their online registration sites are HTTPS-protected (1 point) and include Captcha protection in the initial stages of registration (1 point).
- Voter Registration Cybersecurity Standards – States scored across six categories with one point for each or half a point for plans/updates that are budgeted for:
- Access control so only authorized personnel can access the voter database
- An intrusion detection system which monitors the network for any irregularities
- Regular vulnerability analyses on the voter registration system
- State enlisted the DHS or National Guard to identify and assess any potential threats to the database/system
- Election officials are given cybersecurity training
- State voter registration system updated within the last 10 years
- Cost for All Records ($) – States scored out of five based on how expensive it is to obtain a full statewide voter registration list. Smaller lists aren’t included and nor are printed costs (only electronic costs included).
- Type of Voter Information Request Form – States scored out of five based on how easy it is to gain access to statewide voter information and how specific one can be about the request (being required to specify a certain county rather than just being given access to the statewide list is better from a privacy perspective).
- Voter List Published Online – If a full list of voters is published online for any amount of time (legally), a state scores zero. Whereas, those who don’t have a legal obligation to publish data score a three.
- Automatic Voter Registration – States scored out of three based on whether they have automatic voter registraton
Massachusetts: We have contacted the elections department regarding the form political parties, etc. need to fill in to acquire the list. Due to no response the state has been scored based on the fact political parties only can access (so will need to provide details) and that there are no specific laws surrounding use.
New Hampshire: We have contacted the elections department regarding the form political parties, etc. need to fill in to acquire the list and the cost of getting this. Due to no response the state has been scored based on a recent quote to one political party – $8327 – and the fact political parties only can access (so will need to provide details) and that there are no specific laws surrounding use.
District of Columbia: Even though the election calendar states that the voter list will be published online 14 days before the General Election in November 2020, the section of law governing this (D.C. Official Code § 1-1001.07(h)(2A)) has been repealed. Therefore, DC has been scored as though the voter list isn’t published online.
For a full list of sources and all of the information on each category, see here: https://docs.google.com/spreadsheets/d/1QFidvrRNy3o3jOwLGxFtEyQBkF8PPslUClf0L6Om8xo/edit?usp=sharing