UPDATED 5/11/2018 9:06AM: Iron County Clerk Jon Whittaker replied with the following:
“Contrary to the title of the article, Iron County cares deeply about the security of personal information, as well as election security. I agree with Mr. Harris that this is a problem, and I appreciate his bringing it to light. I am the Iron County Clerk, and have been in contact with our IT Director regarding a more secure method of digital delivery. In the meantime, please do not send your affiliation requests via email for the reasons Mr. Harris noted. Instead mail it, or deliver it in person. Thanks. Iron County Clerk (435) 477-8340 My email: firstname.lastname@example.org”
Original article is below.
We’re all smart enough to know that some information doesn’t get sent via email. Your Social Security Number? Definitely not. Credit card numbers? No way. We’re trained to know that email is not a secure way to send sensitive information. But apparently, Iron County didn’t get that memo.
The form above was sent to my wife, a registered independent. County clerks in other counties have sent similar forms to people who might otherwise not be eligible to vote in a primary election or to clarify if they want to receive a Democratic Party primary election ballot (theirs are open) or stay non-partisan. The form itself is not a problem. But look at the way to return that form.
Yes, someone responsible for elections thought it a good idea to direct people to send a form with their signature via email (and to an individual’s mailbox no less). This is absolutely classified as sensitive personally identifying information (PII) by essentially every single security standard and organization in existence. When I contacted this email address to voice concerns that this was a major security risk and poor handling of PII, I was dismissed with a terse reply of “it can be turned in via postal mail or in person at our office”. There was zero concern expressed that this was being done incorrectly.
While I’m glad to see governments looking at ways to deliver digital services, it’s critical that it be done correctly, especially given the security threat landscape that currently exists. I hope that someone in IT services will address this quickly to defuse what presents a great risk to the personal information of voters in Iron County.