For weeks, Kansas officials have been insisting that Crosscheck, an interstate program run by the state of Kansas and intended to detect illegal double voting, has never suffered a data breach—despite the fact that its voter files and the passwords to decrypt them have been repeatedly exposed.
“We have never had any security breach—ever—since the crosscheck program has existed,” Kansas Secretary of State Kris Kobach told the Kansas House Election Committee earlier this month. And that’s true, provided you’re willing to disregard or radically alter the commonly understood and officially prescribed definition of the term “data breach.”
Last week, it was reported that the personal information of 945 Kansans had been exposed—including names, dates of birth, and partial Social Security numbers. The information, contained in a spreadsheet, was emailed by the Kansas Secretary of State’s office to its counterpart in Florida, which later released it inadvertently in response to an open records request.
Three years’ worth of Crosscheck data was similarly compromised last fall, including the passwords that would have enabled anyone to access it. Gizmodo has collected half a dozen passwords that were used to decrypt Crosscheck data, all of which fell into the hands of the progressive Illinois activist group Indivisible Chicago. And last fall, Idaho officials mistakenly disclosed credentials that would have granted virtually anyone access to Crosscheck’s FTP server, although the voter data had reportedly been deleted from it by then.
Each of these incidents constitutes a “data breach” as the term is widely recognized, both under federal law and by security experts at large. There is no dispute: a data breach is the unauthorized disclosure of information that compromises the confidentiality of personally identifiable information, regardless of whether an attacker broke into a system to obtain it. The state of Kansas itself, in fact, defines “security breach” as the “unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality or integrity of personal information…” Encrypted files that are exposed together with the passwords that decrypt them are, for practical purposes, unencrypted, so that qualifier offers no cover here. The federal Health Insurance Portability and Accountability Act (HIPAA) likewise defines a breach as the “unauthorized acquisition, access, use or disclosure” of protected health information, not merely the compromise of that information by hackers.
In other words, mishandling or mismanaging private data in ways that betray someone’s security or privacy is a data breach, no matter how you slice it.
Yet, while being questioned about these incidents by members of the Kansas legislature this month, Kansas state officials, including Secretary Kobach himself, have repeatedly denied that any such security breaches have occurred.
Bryan Caskey, the state’s elections director, defended those remarks in a conversation by phone with Gizmodo on Monday. Here’s the relevant portion of the interview, which was edited for clarity:
Gizmodo: I’m curious, in light of the recent incident in Florida, if your office is still standing by the statement that there’s ‘never been a security breach ever since the Crosscheck program has existed.’ And I’m asking that largely because the definition of a ‘security breach,’ even by the US government’s own standards, is ‘unauthorized disclosure or mismanagement of information that compromises the security of personally identifiable information.’
Kansas Director of Elections Bryan Caskey: Unequivocally, yes, I am standing by that statement. In fact, I said it again this morning in testimony before a committee—before the Kansas legislature. What Florida did—there was a communication between Kansas and Florida concerning a list of potential double voters. So Kansas was sending Florida a list of double voters for additional research. Kansas did not send Florida a database or anything other than our own research on a list of potential double voters from Kansas and Florida. Kansas sent that to Florida and Florida provided that information, unredacted, to a third party.
That to me does not meet any definition of the word ‘breach.’ No systems were accessed. Florida provided the information that it should not have provided to a third party.
Gizmodo: Right. I guess the reason I’m having trouble wrapping my head around that not being a data breach is that the widely understood definition isn’t just ‘a cyberattack occurred,’ but that there was unauthorized disclosure...
Caskey: But when you write the word ‘breach’ in your article, what you’re saying—people will read that and automatically assume that the system was breached, which is unequivocally not true. I get what you’re saying, but the standard definition of the word breach is, like, something with access that’s unauthorized. Like, ‘Hey, you breached the wall, you breached our system...’ The word ‘breached’ means something. And it doesn’t mean what you’re saying it means in this connotation. The information was willingly handed over by Florida. They should not have done that, but how is that a breach? Like, Florida, they didn’t give anyone unauthorized access. They willingly handed it over. That should not have happened and they’ve acknowledged that.
Gizmodo: Right. Well, that falls under ‘mismanagement.’ I understand what you’re saying, the perception of the word, to the public in general, is maybe different than what the official definition of ‘data breach’ is, but if you go to any US government website and find a definition of ‘data breach,’ it includes ‘mismanagement of information.’
Caskey: I understand what point you’re trying to make, but... I mean, I don’t know how to say this any more clearly. Florida should not have released that information, and that information, it was Kansas information that we shared with Florida.
Gizmodo: Yeah.
Caskey: It wasn’t like we sent the results files from Crosscheck to Florida.
Gizmodo: Right.
Caskey: So from my perspective this is all getting mushed together and people are coming to conclusions that I think are not true.
Gizmodo: Okay.
Caskey: I don’t want to minimize this at all because it is serious. This should never have happened. But to me, you have to concentrate on what did happen versus kind of, mixing it all up with the Crosscheck because... in my opinion this had nothing to do with Crosscheck.
“Whatever you want to call it, nearly 1,000 Kansans’ personal information was given away,” said Kansas Rep. Brett Parker, who had pressed Kobach earlier this month during testimony about Crosscheck’s security issues. “It was enough of a problem that Florida is paying for LifeLock subscriptions for those 945 voters.”
Added Parker: “As a non-security person, but as a Kansan, I don’t care what you label it. Nearly a thousand records were released. Whether it’s incompetence, oversight, carelessness, or cyberwarfare, the end result to those 900-plus people is the same: Their personal data is out there, and it would not be if they had not come up as false positives on this Crosscheck program.”
Although Crosscheck’s track record on data security is rife with compromise and exposure (and recently prompted the State of Illinois to postpone its participation in the program), Caskey assured Gizmodo that none of the same systems used last year will be used again when Kansas begins, once again this February, amassing millions of voter records from across the United States.
“Basically, everything that’s in the public domain that we did before, we’re not using moving forward, period,” Caskey said. “When it comes to the transmission of data, from states to us, and from results files from us back to the states, that entire process, we’re starting from scratch.”
“What we did before, we’re not doing again,” he said.