On 27 December 2021, the Prime Minister of Barbados Mia Amor Mottley scheduled a snap election for 19 January 2022.
On 29 December 2021, a full data dump of all eligible voters in the country was published by the Government of Barbados on the open Internet. This occurred largely because the Representation of the People Act 13(1) states “The [Electoral] Commission shall cause to be prepared and shall publish not later than the 31st day of January in every year a register of electors for each constituency and a register of foreign service electors entitled to vote at any election.”
In the past, this list was made available in somewhat controlled environments to be queried by election officials, candidates, voters, etc. to ensure that elections accurately reflected the will of the people (in most all cases it was usually printed and held at libraries, constituency offices, polling stations, etc. to be reviewed by interested parties). To limit congregation of individuals in the previously mentioned locations during COVID-19 times, it was decided to publish the full voters list on the Internet to ensure access for all.
The 5250-page list contains approximately 250,000 individual records with the below personally identifiable information (PII). *
- Last Name
- First Name
- National Registration Number (similar to a Social Security Number in the United States)
- Date of Birth
- Residential Status
- Constituency (Voting District)
- Home Address
* The total population of Barbados currently hovers around 290,000 persons.
Instead of this data being restricted to a few thousand persons in Barbados, it was now accessible by all 4.6 billion Internet users, exposing 250,000 Barbadians to increased risks of data misuse and abuse, fraud, identity theft, and other financial and reputation risks. The information was quickly downloaded and posted on Reddit and a number of hacker/fraudster sites on the Dark Web, making it perpetually available to malicious actors. There is also a high physical risk to individuals with regards to stalking, home invasions, robberies, rape, etc.
PII, also referred to as personal data, covers a wide variety of information that can identify a living individual. If a piece of information is unique to that person, it can lead back to them in several ways, and it is private and needs to be protected with the greatest care.
Why Does Personal Data Need to be Kept Safe?
The reason this type of information requires protection is that it can be used to commit fraud or to steal an individual’s identity.
Depending on what a thief is trying to accomplish, he will need different types of information. To open specific accounts all that is needed is an email address, while in other cases an individual’s name, address, date of birth, a national registration number, and other information may be required.
It’s also critical to note that accounts of all types can be opened over the phone or via the internet without having to physically visit a location for your identity to be verified. This provides opportunities for criminals with appropriate stolen information to open bank accounts, enter into contractual agreements, or make claims using someone else’s information or identity.
If a criminal is fraudulently using your information, you might not even know it. They may not use the credit card you already own to make purchases (in which case you might catch them by looking at your purchase history). Most often, criminals open up new, separate accounts using the victim’s information, leaving the victim unaware of the damage that is being done until years after the fact. In that time criminals can rack up a lot of debt using your identity.
How Can Identity Thieves Use Your Personal Data?
There are several ways which identity thieves can use your personal data, including but not limited to the following:
- Open a new credit card account.
- Create fake social media accounts with your identity (e.g., Facebook, Twitter, Instagram, etc.).
- Take out a commercial bank loan.
- Obtain and use your debit card to withdraw funds.
- Change your billing address so your bills will no longer be delivered.
- Obtain expensive medical care or procedures.
- Open new utilities accounts in your name (e.g. electricity, water, natural gas, etc.).
- Obtain a mobile phone service.
- Open a bank account, obtain a cheque book, and write bad checks.
- Obtain a new driver’s license or national ID.
- Use your information when arrested or in a court action.
- Engage in bullying, stalking, harassment or otherwise cause fear.
- Inflict severe reputation damage.
- Combine it with additional data gathered from the Internet (e.g., Google search, Facebook, Instagram, LinkedIn, etc.) to create even more detailed profiles of individuals.
How Long Does It Take Fraudsters to Use Stolen Personal Data?
In 2017, the Federal Trade Commission (FTC) in the United States demonstrated how criminals can use your personal information within minutes. The FTC developed fake personal data and posted it on a website that hackers use to make stolen information available. It took a mere nine (9) minutes for the fraudsters to access the information, and over 1,200 attempts were made to access email, credit card and payment accounts. The research confirms how valuable personal information is to identity thieves, and if they can gain access to it, they will most definitely use it.
What Should the Government Have Done Instead?
While it’s not an exhaustive list, below are some of the key steps the government should have taken.
From a technology perspective, a searchable database should have been published on the Government Information Service (GIS) portal, where individuals could use personal data which they already knew to confirm that they were on the voters list. The full database could have been provided to election officials and campaign managers using a digital rights management (DRM) solution to control access and distribution of the document.
The Data Protection Act was approved by Parliament in July 2019 and came into force in March 2021. This statute introduces a strong privacy and data protection regime in Barbados, and its wide-reaching impact on overall data governance across sectors and industries should have triggered key updates to existing legislation, processes and operational guidelines (including the Representation of the People Act and any other legislation involving personal data processing). And this doesn’t even address the urgent need for broader legislative reforms in the country. There are way too many outdated pieces of legislation which are incompatible with progressive changes in technology, changing community awareness, changing community values, and changing expectations of the legal system.
Appropriate funding should be allocated to the Office of the Data Protection Commissioner to better equip them in investigating and monitoring data breaches and providing other types of regulation involving the public sector. Additionally, these financial resources can be used to deliver privacy awareness training to educate government personnel on how to protect individual privacy in their daily work. Simultaneously, a public campaign should be started to achieve broad public awareness on all issues related to the Data Protection Act and the new legal framework created. The Office of the Data Protection Commission is severely under-resourced at present, making it virtually impossible to implement and enforce the Data Protection Act, which focuses largely on preventing exactly these types of data leakages. For example, adhering to the principle of data minimisation would have significantly reduced the risk and impact of publishing the entire voters list. By this I mean the narrowing of data collection and processing to strictly what is needed – In this case, there is absolutely no reason to publicly release the National Registration Number (NRN) and Date of Birth of all eligible voters.
Why the Electoral and Boundaries Commission (EBC) is Dead Wrong
The Electoral and Boundaries Commission (EBC) has strongly (and wrongly might I add) defended its decision to publish the voters list online. Their position is that “We are obligated to publish the list now electronically so that more people can have access to it.” Chairman of the EBC Queen’s Counsel Leslie Haynes also maintains that “ID numbers are not private” and made reference to them “being published before the introduction of the digital age in public libraries, rum shops, the electoral office and other spaces.” Because a law states that you must publish information electronically doesn’t mean you should make it accessible to 4.6 billion Internet users (including hackers, fraudsters and other cyber criminals). There are numerous laws in Barbados that are outdated, poorly drafted, contradictory to other laws, and incompatible with existing technology – Should we follow them all to the letter or do we comprehensively update them to be more fit for purpose? Moreover, there are numerous technology solutions available for publishing said data online in a controlled manner to reduce the overall risk and exposure. And if they are not at fault, why did government officials remove the voters list from the public websites?
Finally, national registration number (NRN), date of birth (DOB) and home address are all private information, and there are established technical standards, privacy principles, and national laws or treaties around the globe that assert as much. From a data minimisation perspective, the requirements of the law could have been satisfied without including NRN and DOB.
Where online can you find the social security numbers (SSNs) for all eligible voting Americans? What about the passport numbers or driver’s license numbers for all voting Canadians? What about the national ID numbers for all voters in France, Denmark, Switzerland, Germany, etc.? The answer is NOWHERE!
[UPDATE] Sunday, 2 January 2022 – I have amended the original blog post in response to the EBC’s staunch defence of their decision to publish the voters list on the open Internet.