A CAQ site made data available from thousands of voters Quebec 2022 elections

After Radio-Canada contacted the CAQ to ask questions about it last Friday, the Planifievotrevote.org site was updated and the error corrected. CAQ claims that a malicious person has access to this data.

It’s a situation that worries a cyber security expert to whom we told the existence of this flaw. Since this is election-related information, knowing that foreign interference targeting voters is a serious and growing phenomenon makes the case more sensitive.As Alexis Dorais-Zonkas, cybersecurity expert at Proofpoint points out.

The expert also noted that Act 25, which deals with the protection of private data, came into effect in Quebec last week.

One of the important features of Bill 25 is that it protects information that can identify the person concerned not only directly but also indirectly. In this case, we reserve the right to ask whether the combination of surname, first name and postal code can be cross-checked with other sources of information in order to obtain an accurate identification of the relevant persons.Mr. Dorais-Joncas said.

We would like to assure people who have completed this form that we have taken all necessary steps so that the situation is rectified as soon as it is brought to our attention. We are sorry for this [situation]Claude Potvin, CAQ’s director of communications, responded.

CAQ takes a specialized firm to design the site Full responsibility About this error, the party communications director said.

Personal data can be easily accessed

According to analysis tool DomainTools, the Planifievotrevote.org site is hosted on the same IP address as the official CAQ sites. The Internet user is invited to enter his name and postal code. The site verifies that the information is valid, and then indicates the places where the user is eligible to vote.

We propose the dates on which it is possible along with the expected crowding at the polling stations. Users can enter their phone number or email address to receive a reminder to vote. He may also ask for transportation assistance to the polling station.

A cybersecurity expert, who did not want to be named, reported the site’s flaw to Radio-Canada last week. As of Friday afternoon, it was possible to contact the name and postal code of all people registered with Scheduleyourvote .org using some basic manipulations that any Internet user can perform without special tools.

According to our findings, there are about 20,000 files available on this website, but CAQ claims that only 2,800 people have registered.

Radio-Canada does not disclose the method used to protect data subjects. However, we were able to independently verify the existence of this flaw and the ease of access to users’ personal data before the site was updated.

Alexis Dorais-Zonkas points out that it is a A very common type of error.

All things considered, this is still less serious than many other leaks, but it remains a very popular type of error for which there are methods and best practices to prevent it from being introduced into a new system.He is a judge.

A site aimed primarily at CAQ supporters

CAQ Communications Director assured us that planifievotrevote.org is a platform. To all Quebec voters.

However, according to analytics tool CrowdTangle, the only accounts promoted on social media are those of candidates or party organizers. In addition, the site bears the CAQ logo and a statement that it is an authorized agent of the CAQ.

Although users can enter their email address and phone number, there is currently no indication that this data will be available to the general public. Can only contact name and postal code.

We have no reason to believe anyone else at this stage [que le journaliste de Radio-Canada] had access to this informationSupports CAQ’s Director of Communications.

However, this data could have been misused by a malicious person, points out Alexis Dorais-Zonkas. In addition, names and postal codes potentially increase the risk of being associated with voting intent, he said.

Everything must be done to protect voter information and make it more difficult for those who try to interfere with democratic processes.Mr. Dorais-Joncas opined.