File this in the "seemed like a good idea at the time" drawer. The Help America Vote Act (HAVA) was passed in 2002, partially in response to the controversy surrounding the 2000 presidential election. Among the act’s provisions is a requirement that states create and maintain central databases of voter lists—a function which was traditionally handled at the county level. While a central database can certainly help reduce certain types of vote fraud and perhaps protect against some of the confusion that reigned in 2000 when numerous voters were wrongly listed as ineligible, it also puts all of the voter’s eggs in one very tempting basket for identity thieves. That alone would make the voter database little different from any other large collection of personal information, if it weren’t for the fact that concerns have arisen that many states are not taking proper measures to protect that data from intrusion.
One of the criticisms leveled at HAVA is that it does nothing to mandate any level of protection for the voter data. At the time, lawmakers probably felt that data security was such an obvious aspect of any large database, that requiring a certain level of it was nothing more than extraneous verbiage. They were right. In the ever-changing arms race of computer security, it would be almost impossible to write a law describing what type of protection is needed without having that requirement become outdated very quickly. Mandating a certain level of protection would almost certainly lead to some states settling only for the lowest level required, and that’s a recipe for disaster. Logically, it would be much better for the experts to respond to shifting threats accordingly.
Yet the government hasn’t really demonstrated that it knows how to properly secure its databases. While it would be misleading to imply that all or even most government databases are open books, recent data exposed by the Department of Veterans Affairs, the US Navy, and the Department of Justice lead some to believe that this information isn’t necessarily being secured by the best and the brightest. With no less than 50 centralized voter lists created and maintained by separate IT departments, some experts believe it won’t be long before cracks are exploited.
A recent audit of security procedures surrounding Florida’s voter database found some troubling gaps, including at least one employee who was incorrectly granted access, and a contract worker who was allowed to retain access after completion of the contract. Although no data has yet been found to have been compromised, the audit reveals what Leon County Elections Supervisor Ion Sancho calls "serious problems."
Additionally, a county worker in California has voiced consternation about collecting local voter data, then handing it over to a state-level department and trusting that it will be properly secured.
"The data I have collected and feel some responsibility for is now out of my hands," [Yolo County clerk recorder Freddie Oakley] said. "I have zero control over what happens once it’s in the custody of the secretary of state. We do know that nobody is excellent at managing databases with respect to privacy."
For their part, a representative from the California Secretary of State assures everyone that the voter data is properly protected on a dedicated network which is regularly analyzed. That certainly sounds good, but experience has shown that there is no easy route to data security.
Moving the information to centralized databases is a two-edged sword. While 50 or 100 county-level databases in each state certainly provide more opportunities for the data to be mishandled, a state-wide database makes a more tempting target for identity thieves. In the end, the goal of preventing disenfranchisement of voters is a good one, yet individual states must be encouraged to take proper care of the information with which they have been entrusted.