Data convenience isn’t a crime, but treating it as one should be

It’s self-defeating to try to protect data by treating it all as if it’s equally sensitive

When a database of some 191 million voter records leaked just before New Year’s, the Internet freaked out over another massive data breach. Lost in the screaming was the fact that all of those millions of data points were already public information. The value to cyberthieves was solely a matter of convenience — a tidy pile of data all in one place. 

People, this is a problem. Speaking as someone who cares intensely about both data security and privacy, our tendency to react in the same way to anything remotely resembling a data breach serves little useful purpose. But it does undermine serious security and privacy efforts in many ways. 

As I’ve noted before, the more frequently the IT community overreacts to non-events in security and privacy, the weaker the protections we can give to significant security/privacy problems. 

Let’s first delve into this 191 million-record incident, as it’s a bit complicated. This started with information published by, which is a wonderful resource for compilations of all kinds of data collections that have been exposed. It noted that the entries “may contain your first and last name, your home and mailing addresses, your date of birth, gender, and ethnicity, the date you registered to vote, your telephone number, your party affiliation, your e-mail address if you provided one when you registered, your state voter ID, whether you’re a permanent absentee voter, and whether or not you’re on the Do Not Call list.” 

This brings us to the key question: “Isn’t all of that public data anyway?” The short answer is yes, but it’s not quite that simple. Actually, it is that simple, but given that many government workers — especially those within municipal and state governments — don’t understand how the Internet works, they craft rules that make no sense. Such is life. 

A statement issued by one company that said that it might somehow be kind of involved in the breach sheds a little light, albeit in an impressively squirrely way. Nation Builder issued a statement that said, “While the database is not ours, it is possible that some of the information it contains may have come from data we make available for free to campaigns. From what we’ve seen, the voter information included is already publicly available from each state government so no new or private information was released in this database.” 

That statement got into the “public or not” debate with this comment: “Each state has different restrictions and we make sure that each campaign understands those restrictions before providing them with any data.” 

Therein lies the problem. Once the data is released and is being shared, it’s out. The Internet doesn’t respect national boundaries — if an Italian company doesn’t want to sell to someone in Albania, the onus is on that company to block such interactions — so it certainly won’t respect state rules. Also, the people being given this data, as opposed to, say, law enforcement employees or lawyers, are not licensed or managed in any kind of uniform way. 

These rules are based on earlier rules, which long predate the Internet and, for that matter, phones with RAM and disk space that rival that era’s mainframes. 

The idea is that the data is only supposed to be used for political purposes. But anyone can file to run as an independent candidate. Yes, they need to collect x number of verified signatures to get on the ballot, but no state rules say anything about being on the ballot. 

The New York Times noted that the voter databases for North Carolina, Alaska, Florida and Washington, D.C., are free for all. 

As an industry, we have to differentiate between restricted data — think payment card numbers, health records, bank account specifics — and unrestricted data. There can honestly not be much in between. If data is unrestricted anywhere, it’s unrealistic to consider it protected somewhere else. 

In this situation, are we to believe that the voting details of a North Carolina voter are less sensitive than those from a California voter? And how much faith do we realistically have that a political operative working in Iowa isn’t going to combine those records with those from Florida? And when data is combined, that it’s somehow going to be later segregated so that those files will comply with varying state ordinances? Really? 

By the way, an example of restricted data that I chose to not cite is from religious leaders. How long will it be before Catholic priests, for example, will save confession details in a desktop database — or, better yet, a mobile app (SaveASin?) — for easier reference? As a parishioner leaves one congregation, the original priest could email that person’s confession files to the new priest. 

The point is that we can’t get all worked up about the disclosure of data that was pretty much already widely disclosed. Technically, we clearly can get so worked up, but not if we want to be able to triage resources to safeguard truly sensitive data.

Join the CSO newsletter!

Error: Please check your email address.

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Evan Schuman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts