In the age of COVID-19, technology has become increasingly important for human connection and communication. With November’s election rapidly approaching, online campaigning, political activism, and getting out the vote initiatives are no different. However, with an increased reliance on technology also comes an increased responsibility in regards to data privacy and data security.
Voting safely will be more important than ever during this pandemic, but we also need to make sure the way we use technology is equally safe. With the upcoming presidential election, Outvote may once again face media scrutiny for what some consider a controversial practice of making publicly available voter data more easily accessible, specifically in order to help people register their friends and get them to vote.
At Outvote, we take privacy and security very seriously and strive to be transparent with our approach on how we handle them. We’re sharing some of the ways we proactively protect the personal identity and information of our users:
Data Privacy
If you’re not familiar with the Outvote app, here’s an overview. With your permission, the app uses the names in your phone’s contacts to try to find your friends’ voter registration data, so that you can see things like who might still need to register, who lives in a battleground state, or who missed the last midterm (hint: that includes about 60% of us). In order to protect personally identifiable data when looking up your contacts, the app uses an age range instead of date of birth to search the voter file. It also uses city and state instead of showing a registered address. You can read more about how we use data for social good here.
Your Data is Yours
On the Outvote app, your contacts remain your data. We ask for permission to sync your contacts so that we can show you their voting history and district, and make it easy for you to send reminders. We never send messages on your behalf without asking you first. We do not sell your data. And you can delete your contacts at any time from the settings page and Outvote will delete them entirely from our servers.
Security Audits
Every year, Outvote hires a security firm to review the state of information and data security practices at our company. These firms will run penetration tests against all of our internal systems in addition to looking through Outvote code and running a series of automated hack attempts on the platform. This is an industry best practice and generally results in additional security updates to ensure we do our best to keep your data safe.
Employee Security Training
All Outvote employees are required to read Outvote’s information security practices documentation and undergo security training during the employee onboarding and compliance process. Outvote’s security standards follow the OWASP Security Knowledge Framework.
Data Encryption
All sensitive customer data is encrypted, including any authentication and authorization details, and any data transmitted is sent using securely encrypted protocols. You can read more about our information security practices here.
Internet and Cloud Security
Outvote uses Cloudflare to automatically detect and block all non-United States traffic within the app. Programs like Cloudflare are configured to protect electoral organizing efforts, monitor and automatically detect intrusion attempts or suspicious behavior, and immediately ban those users from our system. Cloudflare also works to protect users from cyber attacks, denial of service attacks, and malicious bots.
Bug Bounty Program
Finally, Outvote works with an outside firm to conduct a bug bounty program, in which professional cybersecurity researchers and white-hat hackers attempt to find cybersecurity holes and malfunctions in Outvote’s system for monetary reward so that the Outvote team is able to patch them internally.
We also realize there are many technologists who are interested in helping us protect elections and advocacy work that might not be part of our official program. If you are aware of any potential vulnerabilities on the Outvote platform, we encourage you to share those findings with us via our security page; you will be immediately eligible for a monetary reward based on the severity and scope of the finding.
Unfortunately, we are aware of bad actors and we routinely see them attempt to compromise our system. These bad actors are executing disinformation campaigns to influence election outcomes and exploiting social media channels for social engineering attacks. One of the most effective ways to hold bad actors accountable is to organize, and level the playing field — tools like Outvote help do that.
As CEO, my personal commitment to Outvote’s protection of data security and personal ownership of contacts in relational organizing is a top priority every single day.
— Naseem Makiya, Founder & CEO of Outvote