When John Ratcliffe, the top U.S. intelligence official, said at a news conference last week that Iran and Russia had obtained American voter registration information, he left out an important point: American voters' data is already public and widely available.
"We have confirmed some voter registration information has been obtained by Iran and separately by Russia," Ratcliffe said last Wednesday. "This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion."
Iran had already weaponized some of that information in the form of threatening emails sent to some Democrats in Florida. The email campaign showed no signs of any successful effort to target Florida's election infrastructure.
But the campaign offered a stark reminder that voting in the U.S. comes with a strong chance that your personal information is shared online. While states' readiness to share the information may not be common knowledge, it has been the reality for more than a century, said Eitan Hersh, a politics professor at Tufts University and author of a history of how political campaigns target voters.
"I think there's a pretty widespread view across the political spectrum that if you want to participate in the political process, having a public record about it is part of what that means," he said. "It's amazingly hard to not have your name, address and birthday in the public record."
State legislators periodically introduce bills to change state laws about sharing the information, but "the mainstream of both parties are committed to the idea that parties should be able to contact you, so these bills are squashed," Hersh said.
Ratcliffe's message was largely centered on attributing an election interference campaign to Iran in which someone claiming to be part of the Proud Boys, a far-right extremist group that supports President Donald Trump, sent harassing emails to Democrats in Florida. The real culprit was Iran, Ratcliffe said.
It isn't settled how Iran got those Floridians' information. It was already easily accessible: Florida law sets regularly occurring dates on which it will send an updated file for every registered voter in the state to anyone who emails and asks. Plenty of fields are public by definition, like name, address, gender and race; some are ones that voters can opt out of making public, like their birthdays or email addresses.
State laws vary. Some make the list available to anyone who requests and some just to political parties; some require requesters to be researchers or to work in politics; some charge a fee. A handful are simply available to download from a state website at any time. But all 50 states and Washington, D.C., have at least some way to make access easy for requesters, according to a state-by-state tally by the National Conference of State Legislatures.
The ease of acquiring the data means that it's widely shared and repackaged not just by large data brokers around the world, but also by hackers trading people's personal information on the so-called dark web.
That doesn't mean everyone knows the voter information is public or is comfortable with who can access it, however. In September, GQ writer Julia Ioffe posted a since-deleted tweet warning that a Russian newspaper had found information from American voters in several swing states posted on Russian hacking sites — something cybersecurity researchers had known for years.
The tweet went so viral that the FBI and the U.S. Cybersecurity and Infrastructure Security Agency issued a public service announcement about it.
"While cyber actors have in recent years obtained voter registration information, much U.S. voter information can be purchased or acquired through publicly available sources," the agencies said.
Doug Jones, a computer scientist at the University of Iowa and author of a history of election technology, said that while making a vote registry public has long been considered a necessary step to transparently show that voters are being registered fairly and legally, there's less consensus about how to do it while not effectively offering up reams of data about voters.
"The need for a transparent voter registration process where everyone is able to check the voter register has only recently, with the advent of the Internet age, come into conflict with personal privacy problems," Jones said in an email. "We have yet to figure out how to reconcile an open system of voter registration, essential for democracy, with the need to protect voters from the abuse of that data."