Responsible disclosure:

  • September 7th 2020: Vote Joe team is made aware of potential privacy issues.

  • September 11th 2020: Developers have addressed issues and iOS version appears fixed.
Disclaimer: The App Analyst is not an American website or associated with any political party. This is one of two election campaign apps analysed.

App Analysis: Vote Joe

The Vote Joe App is the official application of the Joe Biden campaign. It's been designed as an organization tool to help engage with voters. Signing up involves registering with an email (without verification) and an address; the bar to entry doesn't significantly prevent non-Americans access. Once a user is signed up they can begin using the application's features such as sending canned Joe Biden support texts, and more importantly reporting information about your contacts in a practice called "relational organizing".

As defined here, relational organizing is "when volunteers leverage their existing networks and relationships in support of our candidate, Joe Biden.". The way this is done in the app is by either syncing your phone's contacts, or by finding a voter in the Vote Joe App voter database, and reporting specific information about that contact/voter. This information includes things like which issues matter to them or whether they're a veteran, teacher, or student.

Relational Organizing: Finding Voters

The Vote Joe App allows any user who signs up with an unverified email access to the voter database compiled by Target Smart, a service who claims to have more than 191 million voter records. The Vote Joe App requires its users query the voter database using a first and last name, and state (age is required but it can be set as "All").

The returned information will list which elections the voter has participated in with either a check-mark to signify their participation or an X otherwise. While this is already interesting information about a voter, the JSON object returned from the server contains much more voter data.

Querying the voter data the JSON object returned says this voter has potentially voted both for Democrats and Republican candidates.

The returned object appears to contain "Y" to signify "Yes they voted", but there are other values such as "B" and "R". Theses values all correspond to showing the user voted, these may represent how Target Smart suspects the user voted. Using an "R" value to potentially represent "Red" or "Republican" and the "B" value to represent "Blue" or "Democrat". While the Vote Joe App claims they cannot know exactly who a user voted for as that's a secret, they did not clarify what these values represented, leaving the possibility the values could represent who they suspect the user voted for.

There is additional hidden information about the voter such as their specific date of birth, "voterbase_id" (a value unique to Target Smart and not an official voter id), and some Target Smart fields (prefixed with "tsmart") corresponding to the voters senate, congressional, and house districts (more "tsmart" fields found here.

Contact Syncing: Fake Contacts, Real Voters

When a user syncs their contacts with the Vote Joe App they will be presented with a corresponding voter entry from the Biden campaigns voter database. The contact data then enriches the database entry and is stored to help solicit their vote in the future.

An issue occurs when the contact in the phone does not correspond with the voter but the data continue to enrich the voter database entry. By adding fake contacts to the device a user is able to sync these with real voters. While the response from the "get_voter" server endpoint is minimized, after the data from the contact enriches the voter entry through the "set_voter" endpoint the non-redacted voter database entry is returned.

Querying the voter data the JSON object returned says this voter has potentially voted both for Democrats and Republican candidates.

This JSON object response contains information like the voter's home address and other sensitive information. It should be noted that this voter's information may never have been inputed by themselves; it is very likely this data is collected via another user syncing their contacts or a third party data feed.

All voting record data, user contact data, and survey data is then provided via the Vote Joe App to Target Smart. Target Smart in return provides the Vote Joe App with dashboards which illustrate trends within the data (see list below).

  • TS Scores: Religion
  • TS Scores: Moral Pillars
  • TS Scores: Issues
  • TS Scores: Action
  • TS Scores: Democratic Support
  • TS Scores: Demographics
  • TS Scores: Hunt & Fish
  • Intellibase: Business
  • Intellibase: Education, Occupation
  • Intellibase: Family
  • Intellibase: Finance
  • Intellibase: Property
  • Intellibase: Social Networking
  • Predictwise: Issue Clusters
  • Predictwise: Psychometric Variables
  • Vote History: Election Rollups
  • Vote History: General Elections
  • Vote History: Municipal Elections
  • Vote History: Primary Elections
  • Vote History: Presidential Primary Elections
  • Universe Top Lines
  • Universe Pollster Counts
  • Person Demographics
  • Phones, Cells, Emails
  • Voter Registration
  • TargetSmart Current Addresses & Districts
  • Voter Registration Addresses & Districts
  • TS Synthetics: Urbanicty & Census

It's not certain whether Target Smart is able to sell the data uploaded through the Vote Joe App to other third-parties, however they make no secret that their data on voters is being sold. In order to opt-out of having your data sold you can follow the "opt-out" instructions found in their privacy policy here.

Personal Information Sales Opt-Out and Opt-In Rights from the Target Smart privacy policy.

Conclusions

Relational organizing is a powerful tool at the disposal of the Biden campaign, however this begs the question whether it should be made available to anyone with a fake email. While this likely violates their Terms of Service that does nothing to stop a bad actor. The Vote Joe App allows for users to query the Target Smart voter database and retrieve potentially sensitive voting records and addresses on unknowing American citizens.

The Vote Joe App developers were alerted to this potential data leak and have addressed the issues. The response to these issues are apparent through the undefined and invalid date errors now seen in the App.

Errors occurring in App due to developer remedies.

What do you think? Tweet @theappanalyst1 with your thoughts. Thanks for reading!