Election workers handling ballots
Gina Ferazzi/Getty
Analysis

The Justice Department’s Security Measures for Collecting Voter Rolls Are Inadequate

Federal and state law requires that sensitive voter registration information be kept secure.

February 25, 2026

Since spring of 2025, the Department of Justice has been attempting to sweep up voter rolls across the nation. That fight has extended to the courts, where the DOJ has filed lawsuits against 24 states since September. Notably, most of those states have already provided publicly available voter registration information, but the DOJ has demanded full, unredacted rolls, which include sensitive, personally identifiable information like driver’s licenses and Social Security numbers.

Much of the discussion of this issue has focused on various legal arguments — including the basis and purpose requirement under the Civil Rights Act, the Privacy Act, and violations of state law — for why the DOJ is not entitled to such information. There is another, lesser-known reason: The DOJ has provided no detailed assurances about how it will protect U.S. citizens’ sensitive private information and seems to be ignoring federal law that requires it to do so.

Under federal law and many state laws, state officials must protect the security of their citizens’ voter registration information. At the federal level, the Help America Vote Act (HAVA) requires state and local election officials to ensure “adequate technological security measures” to protect statewide voter registration databases. States determine how to do so and can also require stricter protection than that specified by HAVA’s minimum standards.

Federal law also requires the federal government to take certain steps to secure any sensitive information it collects and holds. The Federal Information Security Modernization Act (FISMA) stipulates that U.S. government agencies and their contractors develop and implement information security programs to protect their computer systems and the information stored in them. The level of protection the law requires varies based on the level of risk posed by the information at issue and must be based on mandatory federal standards. FISMA also requires that federal agencies regularly monitor their and their contractors’ information security programs.

In theory, HAVA, FISMA, and state law should make sure any sensitive voter registration information remains secure. Unfortunately, the reality appears different. The DOJ’s proposed agreement governing the transfer of voter registration data with sensitive information from the states is simultaneously vague as to its security plans and, to the extent it lists them, woefully deficient. A recent analysis details the information-security shortcomings. The lack of protection is scary.

The security shortfalls include the following:

  • Data encryption, the conversion of voter registration information into unreadable code, is inadequate. Inadequate encryption means hackers can easily access voters’ personal data.
  • There are insufficient access and data minimization controls. The agreement permits password-only access to the data, rather than requiring multifactor authentication. It also fails to limit any sharing of the data beyond the stated purpose of the collection.
  • The DOJ has not explained how it will ensure that contractors, with whom it explicitly plans to share the data, are vetted and that they safeguard voters’ private information, as required by federal law.
  • There is no audit log analysis or defined reporting process. No one will review or analyze who accesses the data, so no one will detect any problems that occur. In the event the DOJ does detect any problems, such as unauthorized access to information or other data breaches, there is no required timeframe to report problems back to the states.
  • The DOJ plans to “archive” and store data after its analysis rather than destroy it. Archiving data will create a permanent federal registry of voters’ sensitive information that will always be available.

These cybersecurity failures exacerbate what is known as the mosaic effect. Voter registration lists include significant amounts of information about each voter — some combination of name, residential address, date of birth, driver’s license number, full or partial Social Security number, email address, telephone number, registration date, registration status, voting history, and political party. Aggregation of so much voter registration data, combined with other available information from commercial data brokers, financial leaks, and federal databases, offers an easy centralized target for bad actors.

Potential breaches of this data raise at least three concerns. First, the mosaic effect would allow a bad actor to use a voter’s information for identity theft. Second, by leaking information about a successful security breach, an adverse nation state could exploit the accumulated data to create fear, assert power, and undermine confidence in our government. Third, a bad actor could use this information to remove targeted names from voter registration lists without quick or easy detection.

Given recent examples of poor information security and data handling by federal agencies, it is not safe to blindly trust the DOJ’s processes. In 2025, federal employees inappropriately uploaded confidential Social Security Administration data to an unapproved private server and entered into a “voter data agreement” to transfer that information to a political advocacy group aimed at finding evidence of alleged voter fraud and overturning election results. The interim director of the Cybersecurity and Infrastructure Security Agency, an agency created to “defend and secure cyberspace,” uploaded sensitive agency files into the public version of ChatGPT, thereby allowing OpenAI to use that information to answer questions from any of more than 700 million active users. And the head of the DOJ’s own Weaponization Working Group, established under the current attorney general to review the activities of people who previously investigated or prosecuted the president and his businesses, leaked grand jury materials.

Protecting citizens should be the hallmark of any government. Given state officials’ obligation to protect their voters’ sensitive information, the DOJ’s apparent lack of adequate security measures under federal law is yet one more reason for states to resist the attempt to amass nationwide voter registration data.