The government has more of our data than ever but isn’t doing enough to keep it safe, argues Simon Bain, CEO and founder at OmniIndex.
Last year’s local elections in May were the first to require voters to show a form of identification before being issued with a ballot paper. The introduction of photo ID will require additional funding rumoured to total almost £40 million each decade and was justified as a means to tackle electoral fraud and protect our democracy despite little evidence to suggest that voter impersonation has had a significant impact on previous elections.
As this year’s general election quickly approaches, many voters across the UK will, for the first time, be required to hand over a form of ID to vote for their preferred member of parliament. Registrations for the electoral roll increase in the run-up to elections as members of the public opt to vote for the first time, meaning the government holds more of our data than ever before.
Those without an existing ID can apply for a free ‘voter authority certificate,’ which requires them to hand over a recent digital photo of themselves along with their national insurance number.
While much has been said of the legislation’s impact on the public’s ability to exercise its democratic right, there are larger issues at play concerning the protection of what is highly sensitive and private data. The government holds an immense volume of data on the general public, and frankly, it is doing very little to protect it from being stolen.
This leaves the public with a difficult choice: to maintain their privacy or sacrifice it in exchange for their vote.
Attack on the Electoral Commission
The government does not have a great track record when it comes to protecting our data.
In August 2023, the electoral commission posted an update to its website informing the public that it had suffered a data breach. Despite the date it was posted, the update details that attacks first accessed the systems in August 2021, meaning two years had passed between the data breach and the commission’s decision to inform the public.
Even worse, the commission didn’t identify the attack itself until October 2022, 14 months after attackers first gained access to the data. During this time, the public’s data could have been stolen, shared, used, and discarded, all without the government even knowing it had lost it—let alone the public.
Specifically, attackers had access to the commission’s servers that held copies of the electoral registers and its own email and control systems. On those registers were the names and addresses of anyone in Great Britain registered to vote between 2014 and 2022, those registered as overseas voters during the same period, and the names and addresses of anyone registered in Northern Ireland in 2018.
The update states that the attack’s impact on individuals is low, but it admits that names and addresses were accessed, which could be combined with other data in the public domain to infer patterns of behaviour or to identify and profile individuals, all without anyone knowing.
Lastly, it urges those in Great Britain on the electoral roll between 2014 and 2022, roughly 46 million people, to remain vigilant for unauthorised use or release of their personal data. Remaining vigilant only goes so far, though, as once data falls into the wrong hands, it can be used to destroy lives and cause untold amounts of stress on the public, all because it wasn’t protected properly in the first place.
Clearly, despite the legal requirement to hand over our data in exchange for the ability to exercise our democratic right, the government cannot guarantee the safety of it.
Lose data. Mitigate. Repeat.
Detailing its response to the incident, the commission stated that it had strengthened its network login requirements, improved the monitoring and alert system for active threats, and reviewed and updated its firewall policies. Given the nature of the data at risk, these are all standard improvements that could have been implemented prior to the breach and should have already been in place.
The government also continues to place its faith in outdated and inefficient technologies that hold little hope of keeping us safe. Given the length of time it took to identify the breach in the first place, trusting the government to protect your data seems, at best, unwise and, at worst, totally irresponsible.
Instead, any modern country’s government should openly embrace the latest technological advancements to ensure that data is protected adequately. The latest advancements in encryption, AI and web3 storage technologies mean that data can be stored in an encrypted state at all times so that criminals can’t access or steal it. Homomorphic encryption can allow the necessary parties to perform analytics on data sets and access the necessary insights while ensuring that it isn’t at risk of theft.
Stay vigilant, the government has your data
Frankly, the government ought to stop worrying about how it can address a problem that doesn’t exist and consider whether it can actually protect the volume of sensitive data that it demands from the public.
For the extortionate sum of money it is spending on implementing voter ID checks and provisions, the government could instead channel funds and time into adequate protections. Instead, we are left between a rock and a hard place, facing a decision over whether to protect our data from theft by keeping it private or exercising our right to vote.
