Wednesday, March 1

The Minnesota Republican Party's spyware CD

From Digg.com...
This week the Minnesota Republican Party is distributing a new CD about a proposed state marriage amendment. The problem: the CD sends your answers back to headquarters, filed by name, address, and political views. No mention of that in the terms of use. No privacy policy at all.
I found this really stunning, but the most recent blog posts by senior editor Bob Collins of Minnesota Public Radio (1, 2, 3, and 4) reveal that the extent of the issue is actually much worse.

In addition to the offenses mentioned on Digg.com, the collected data is being posted to an insecure and publicly accessible web server, including a spreadsheet with all 25,000 names and addresses on the mailing list. All of it is publicly accessible by someone with the right technical know-how.


From MPR: Polinaut: The GOP CD
I played around with it some more to try to figure what information is being gathered. The first clue the GOP was tracking was the fact when it starts it says something like "Welcome, John Smith." And if you're not John Smith, you can "apply" for an activation code (see photo). The data you have to submit is: Name, spouse's name, district, address, e-mail and phone. Only name, address, and phone are required.

I filled out this information using Tim Pawlenty's address and it gave me a code to allow me to continue further.

The first section "our culture" features a presentation with Mary Kiffmeyer, and then asks "which of the following BEST describes your position on abortion." The answers are "all abortions should be legal, abortions should be legal but only in the first 3 months, abortions should be illegal except in the case of rape, incest, or the life of the mother is threatened; and abortions should be illegal."

It then gives you another blurb of Kiffmeyer and then asks if you support the amendment on marriage. And then asks if you believe in the 2nd amendment. It does not say you can just hit SUBMIT and skip the answer. And it doesn't say the results are being transmitted.

And from the latest post as of this writing, "GOP CD accumulates data, but data is not secured":
... Now that's pretty basic stuff: what your IP is, what your CPU is, what your operating system is. But is it possible for me to find out how you vote in elections? What your position on abortion is? Or even how long it takes you to answer those questions? Can I get your private phone number, your address, your name, your spouse's name, your IP?

Yes. Someone did.



Using the stream indicated above, people way smarter than me were able to figure out the destination for the data being accumulated, and then poked around and found the site. And the data was not secured at the site.

I checked to see if two entries I made via the CD -- one for Tim Pawlenty and one for Joe Blow -- showed up in the database. Yep. This must be the place.

In typical "blog storm" fashion, all this information has turned up following an original feature story yesterday (Feb. 27th), entitled "GOP steps up efforts for constitutional amendment on marriage", on Minnesota Public Radio, which mentioned the interactive CD. Interestingly, the focus of the amendment would be to abridge the definition of marriage to being a "union between one man and one woman". This and many other questions regarding political viewpoints, from abortion to gun control to voting preferences, were all contained in the interactive questionnaire. All of this data, compiled with name and address, was then uploaded to a 3rd-party web server which is insecure and therefore publicly accessible.

Anyway, it would appear the GOP has done their constituents a HUGE disservice. Shall we recap the offenses?
  1. There is no disclosure the information is being collected.
  2. There is no disclosure of what's being done with the information, in other words no privacy policy.
  3. The collected data, including a vast amount of personal and political information, can be publicly accessed from an insecure web server by any individual with a bit of technical know-how.
  4. INCLUDING the entire original mailing list of more than 25,000 names and addresses.
There's no denying that this goes beyond foolish, to the point of being malicious. This isn't just some crackerjack programmer slapping together some code. It is, according to the original editor Bob Collins, a very professional package, and therefore I assume a very deliberately put-together package, which is completely out of protocol with normal polling practices.

Even if there is a printed cover letter or some packaging that was overlooked that discloses the collection of information and its intended use, this is still one hell of a misguided attempt by the GOP to poll their constituents. I'm more than a little amazed and curious as to how this will play out.

Speaking of which, the story is continuing to unfold on Bob Collins's blog on Minnesota Public Radio's website.
