Former Vice President Joe Biden’s presidential campaign inadvertently allowed access to millions of Americans’ private information, including their home addresses, dates of birth and gender, according to a security researcher.
A Biden campaign app, Vote Joe, allows people to upload their phone contact lists and see if friends and family are registered to vote ahead of the November election, TechCrunch reported Monday, citing research from mobile expert App Analyst. The app uploads and matches user contacts with voter data through a firm called TargetSmart.
The app displays a voter’s name, age and birthday, and which recent election they voted in when a match is discovered through TargetSmart, TechCrunch noted. The technique helps users “find people you know and encourage them to get involved,” according to the app. TargetSmart claims to have access to files on more than 191 million Americans, the report noted.
App Analyst discovered that users could create fake phone contacts with random names and access any corresponding information.
The app collects much more data than is publicly shown, App Analyst told TechCrunch. Users can see home address, date of birth, gender, ethnicity and party affiliation, the report noted.
Biden’s campaign fixed the bug, according to Matt Hill, a spokesman for the former vice president.
“We were made aware about how our third-party app developer was providing additional fields of information from commercially available data that was not needed,” Hill told TechCrunch. “We worked with our vendor quickly to fix the issue and remove the information.”
He added, “We are committed to protecting the privacy of our staff, volunteers and supporters and will always work with our vendors to do so.”
Hill disputed App Analyst’s contention that addresses and other private data could be collected, and a representative for TargetSmart told TechCrunch that a “limited amount of publicly or commercially available data” was made accessible to other people.
Much of this information is publicly available, though firms provide additional information through other sources to enrich data for campaigns. TargetSmart compiled voter data in 2017 on close to 600,000 voters in Alaska that was left on an exposed server without a password, ZDNet reported that year.
President Donald Trump’s 2016 campaign hired former voter research firm Cambridge Analytica, which gained access to data on 50 million American voters through Facebook. Analytica’s sister company, Global Science Research (GSR), developed a quiz app through which Facebook users could consent to allow access to their data.
The TechCrunch report comes after Microsoft reported on Sept. 11 that hackers from China and Russia tried to break into U.S. political campaigns, including the Biden and Trump campaigns.
Chinese hackers targeted Biden’s presidential campaign through email accounts belonging to people associated with the campaign, Microsoft’s report states, adding that the attempts were unsuccessful. Hackers from China also sought to compromise at least one person formerly associated with Trump’s reelection campaign, the report said.