I Have Your PII


I have all of your PII (Personally Identifiable Information) from your voter registration. One caveat: I only did so for one of the US Congressional Districts in Texas, but I could have just as easily obtained all voter records. This article is about what it took to obtain the records and the implications.

Background

Recently, I had a need to acquire a list of all registered voters in a particular US congressional district in Texas. I had never considered (1) how easy it would be to collect “all” records and (2) what information it would include. The results scared me a bit, so I wanted to share.

Details

We’re all aware of the aggregators of publicly available PII: spokeo.com, publicemailrecords.com, publicdata.com, etc. Although you can sometimes get much of a person’s information online through free and paid services, I have not come across a free (or modestly priced) service that would allow you to download ALL records.

Additionally, I always assumed things like one's full DoB (Date of Birth) were somewhat protected. To my surprise, it's as easy as filling out and submitting a public information request to the state of interest (e.g., Texas: https://www.sos.state.tx.us/elections/forms/pi.pdf). As you see, even full DoB is considered public information. The 500,000 records did come with a small administrative fee of $0.00070228 per record.

Implications

Think of the number of online services that use DoB for verification if you forget your username or password. And, unless something has changed, most identity experts say that DoB is one of the most critical pieces of information fraudsters need to obtain (in most cases) to commit fraud. As Brian Krebs has reported, an SSN can potentially be guessed if the DoB and birth city are known.

I have to look no further than my father-in-law's death to see an example of this in my own family's life. As part of his obituary, the family included his date and location of birth. In less than 3 weeks, a fraudster had opened a fake account at a large bank using his DoB as the "key" piece of information.

UPDATE, 01 FEB 2018: Another implication is physical address. There are those who use mailbox providers (US Post Office, UPS store, Mail Box Store, etc.) to receive their mail. One reason, among many, is to keep their physical home address unpublished, as a matter of privacy. In some rare cases, they may do this for safety reasons. With a voter data request, I now have both the mailing and physical address of everyone registered as a voter.

Time for a Change?

  • Is it necessary for one's DoB to be public knowledge?
  • Could the state store the full DoB (for eligibility purposes), but maybe only allow age to be publicly releasable?
  • Are registered voters able to opt-out of allowing this to be made public?

Reply from my local election office

I sent the following email to my local election office:

I had a few questions about this: https://www.sos.state.tx.us/elections/forms/pi.pdf

Why is one's DoB publicly available to anyone who requests a copy of voter records via the Secretary of State, Texas? Most identity experts say that DoB is one of the most critical pieces of information fraudsters need to obtain (in most cases) to commit fraud.

Is it necessary for one's DoB to be public knowledge?

Could the state store the full DoB (for eligibility purposes), but maybe only allow age to be publicly releasable?

Are registered voters able to opt-out of allowing this to be made public?

Thanks for your time.
Robert

They responded quickly to confirm that DoB was NOT protected information when someone files an open records request. Additionally, they stated that current law makes no allowance to "opt out" of this. If someone submits an open records request, the state must provide the information.



© PEN Consultants, LLC 2013 -