Wednesday, March 01, 2006

republican spyware

courtesy atrios, who linked to thinkprogress, who linked to minnesota public radio (MPR), who broke the story.

the minnesota republican party sent out a fancy cd-rom to at least 25,000 voters. the cd-rom features video of MN republican officials speaking about same-sex marriage and a poll to guage the opinions of MN voters on various hot-button (wedge) issues.

MPR reporter bob collins got his hands on a copy of the disc and noticed something suspicious:

But here's the thing. The CD -- at least mine -- comes with an access code. And during the presentation, you're asked to "vote" on a couple of issues, including the 2nd Amendment.

OK, this is where I get suspicious. WHY is there a code. And where is that "vote" going? Is every voter being identified with a special code and therefore is input entered by the user during a presentation being sent back to the Republican Party of Minnesota?

I checked the "terms of use" and I could find nothing that gave me any indication. Nor is there a privacy statement anywhere that I could find.

bob got in touch with the spokesman for the MNGOP, who confirmed that the cd does gather information, which it reports back to the GOP. since there's no privacy policy on the cd, this arguably makes the cd illegal spyware.

ignoring the question of illegality, it makes sense that the GOP would want this info. this info gives them the political equivalent of a marketing profile and allows them to tailor their messaging to just those voters who are sympathetic to GOP politics. and conversely, it probably helps the GOP craft its message so that the wording etc appeals to the greatest possible number of voters. this is SOP and is not in itself illegal, though there are rules dictating how the data should be collected, disclosed, secured, and so on.

but bob collins kept digging, and discovered that the information collected from the cds was not secure:

people way smarter than me were able to figure out the destination for the data being accumulated, and then poked around and found the site. And the data was not secured at the site.

We could -- if we were malicious (and we're not ) -- change the questions that are "on the CD" because they're really not on the CD. The program connects to a database and provides the questions.

Imagine if thousands of CDs arrived in homes with the question "do you like Siegried and Roy?"

We could steal the data. In fact, the mailing list of more than 25,000 names is also on the site, and is easily downloaded into a spreadsheet. Cool. Twenty-five-thousand names and addresses. Free.

yes, the cd illegally collects user information without the knowledge or consent of the user, and the data was sent unencrypted over the net to an unsecure site, where knowledgable hackers could have stolen or changed the data. not bright at all.

bob pointed out this morning that "significant changes" have been made to the website in question—no doubt a consequence of bob's reporting the story in the first place. i would say the MNGOP is lucky that "the wrong people" didn't discover the vulnerability, but how do we know they didn't? any number of hackers could have stolen all that user data, and we'd never know.

1 comment:

Steph said...

True, but it would be Republicans who were victims of the scammers, which would be like a bit of Karma coming back on them.