PRO BONO UPDATE: Let’s Talk About Voting, Personal Identifiable Information (PII) and Privacy Rights

November 10, 2017

What is the Interstate Crosscheck program? What does it have to do with voting and Personal Identifiable Information (PII)? Is your PII vulnerable to hackers because your state participates in crosscheck? 

Interstate Crosscheck is the Kansas Secretary of State Kris Kobach-backed program intent on uncovering voter fraud believed by the GOP to be rampant throughout our voter system.

Our firm has been doing its due diligence on this program – and its method of handling PII – through open records requests for the benefit of John Q. Public.

For most people – and especially for Millennials, who have grown up with the internet – the idea of privacy rights is becoming more of an idea and less of a reality in a cyber-world. However, the recent Equifax data breach and other cyber-security breaches during the past few years have proven the online world has become the current battleground over privacy rights and identity fraud, and if an entity is collecting, holding or transferring any type of PII (defined as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information linked to a specific individual”[1]), that entity must meet a minimum threshold with regard to privacy rights when handling PII. That standard is set out in The Privacy Act of 1974, 5 U.S.C. § 552a. As we are learning with the Equifax breach and as we have learned in other past data breach debacles, if we don’t start caring about our privacy now, these breaches will become the norm, with all of the pressure on the individual to correct the errors and attempt to maintain his or her identity in a world of cyber-criminals.

Enter Crosscheck, with its voter database that is collected, maintained and overseen by the Kansas Secretary of State office. This program involves sharing PII with member states and the transfer of electronic records for purposes of comparing voter records to purge “duplicate records.”

What We Know:  Putting Crosscheck to the test, an Illinois group, through an open records request, obtained current Crosscheck encryption passwords sent over plain text email, in addition to confirmation that the server hosted in Arkansas is not as secure as it should be to protect 100 million voters’ data. As the State of Kansas has not responded to our open records requests, we do not know at publication time whether or not the state carries liability insurance for any potential misuse of data or data breaches of voter information (which includes addresses, social security numbers, birth dates).[2]

What You Can Do:  Visit www.leavecrosscheck.com to find out more about the program and what you can do to safeguard your privacy rights. A list of states who are participating in the program can be found online. From there, if your state is participating in the program, you can write to your local representative or senator to express your concerns.

Notably, of the 35 Crosscheck member/former-member states that were contacted by our firm through an open records request, Kansas was one of only 10 states who did not respond to our request for records pertaining to the Crosscheck program.

[1] https://www.gsa.gov/reference/gsa-privacy-program/rules-and-policies-protecting-pii-privacy-act

[2] https://www.leavecrosscheck.com/