A third set of privacy issues arises from insider access to the VRD. Insiders such as election officials could be expected to have access to the full set of information associated with any individual record, and possibly to some of the information in matched records existing in other databases. Although most election officials are trustworthy in this regard, a few might seek to use this access—improperly—for personal benefit or gain, and measures (such as immutable audit logs) are needed to deter and/or investigate such inappropriate insider access.
A fourth set of issues arises in the context of transferring a VRD to another party en masse. Such a bulk transfer may occur, for example, when two VRDs must be compared to each other (e.g., for the purpose of identifying duplicate registrations between them), or when a VRD is provided to judicial authorities for jury selection, to political parties, or to any other party in accordance with applicable law. Because bulk transfers, by definition, involve personal information on a very large scale, potential threats to privacy are magnified in such circumstances.
For example, voters may well provide personal information for voter registration without knowing that such information may be used for other purposes. Even if such uses are entirely legal, it is still desirable to protect voter privacy to the maximum extent consistent with law. Thus, voter registration records transferred for comparing VRDs should only include the records that need to be used or matched, i.e., active records, and the fields contained on each record should be limited to the fields necessary to perform matching (such as name and date of birth but not party affiliation) and the voter’s state-assigned voter ID. (The latter is necessary because without such a pointer, a record cannot be recalled or updated and reconciliation audits become problematic.)
Bulk transfers of data are also likely to persist in the absence of specific actions taken to decommission (remove from service) the data involved. Persistence after the data have served the original purpose of the transfer increases the likelihood of unintended disclosure and/or repurposing inconsistent with the original reasons for bulk transfer.
Lastly, bulk transfers of data, by definition, involve large quantities of data. Without specific knowledge of precisely what data have been transferred (i.e., a complete copy of what was transferred), it can be very difficult to determine who needs to be notified in the event that a problem arises (e.g., a data compromise). All too often, the only information kept regarding the bulk transfer is the selection criteria used to generate the data to be transferred and the number of records sent. Given changes to the database in the intervening period, this information is almost certainly insufficient to reproduce the transferred dataset.
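The two recommendations above (limiting a comparison transfer to active records and matching fields, and keeping a precise record of what was sent) can be sketched as follows. This is an added example, not part of the original report; the field names, the `status` values, the sample records and the manifest layout are assumptions.

```python
import hashlib
import json

# Assumed field names; the text names only name, date of birth and the voter ID.
MATCH_FIELDS = ("voter_id", "name", "date_of_birth")

# Constructed sample records, not real voter data.
SAMPLE_VRD = [
    {"voter_id": "ST-0001", "name": "Ana Ruiz", "date_of_birth": "1980-02-14",
     "party": "A", "status": "active"},
    {"voter_id": "ST-0002", "name": "Ben Cole", "date_of_birth": "1975-09-30",
     "party": "B", "status": "inactive"},
    {"voter_id": "ST-0003", "name": "Chi Tran", "date_of_birth": "1992-06-01",
     "party": "A", "status": "active"},
]

def build_transfer(records, recipient, purpose):
    """Return (payload, manifest): active records only, matching fields only."""
    rows = sorted(
        ({f: r[f] for f in MATCH_FIELDS} for r in records if r["status"] == "active"),
        key=lambda row: row["voter_id"],
    )
    payload = json.dumps(rows, sort_keys=True).encode("utf-8")
    manifest = {
        "recipient": recipient,
        "purpose": purpose,
        "fields": list(MATCH_FIELDS),
        "record_count": len(rows),
        "voter_ids": [row["voter_id"] for row in rows],  # who was actually sent
        "sha256": hashlib.sha256(payload).hexdigest(),   # binds manifest to payload
    }
    return payload, manifest

def verify_archived_copy(payload, manifest):
    """True if the archived payload is byte-for-byte what the manifest describes."""
    return hashlib.sha256(payload).hexdigest() == manifest["sha256"]

def voters_to_notify(manifests, recipient):
    """Voter IDs sent to `recipient` across all logged transfers."""
    ids = set()
    for m in manifests:
        if m["recipient"] == recipient:
            ids.update(m["voter_ids"])
    return sorted(ids)

if __name__ == "__main__":
    payload, manifest = build_transfer(SAMPLE_VRD, "State B VRD", "duplicate matching")
    print(json.dumps(manifest, indent=2))
    print(voters_to_notify([manifest], "State B VRD"))
```

Archiving the payload next to its manifest gives the complete copy the text calls for; re-running the same selection after the database has changed yields a different hash, which is why selection criteria and a record count alone are not enough.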