When the Republican Party clinched close gubernatorial races in Mississippi and Kentucky in 2003, it relied heavily on its Voter Vault database to get people to the voting booths. Though party officials are tight-lipped about what's inside the Vault, they've acknowledged it contains records on an estimated 168 million voters.

PC World has recently learned that the major development work on the Voter Vault was done in India. Though the RNC began work on a national database of voters in the mid-1990s, the Voter Vault wasn't ready to be put into the field until the 2002 elections. Two years prior to the 2002 elections, the RNC hired Advanced Custom Software (ACS) of Seattle to build a Web-based database to help campaign workers target likely Republican voters. According to information posted on Elance.com, an online directory of outsourcing firms, ACS subcontracted development of the database to Compulink Systems of Maharashtra, India.

It's not necessarily risky to ship your data overseas, but Compulink Systems did suffer a security incident in May 2001. During the period when Compulink was working on the Voter Vault project, its Web site was compromised. On May 10, 2001, a Russian hacker using the handle RyDen defaced the Compulink site, as shown on a page maintained by Attrition.org.

A GOP spokeswoman says that all work done on Voter Vault since 2002 has occurred in the U.S., but would not comment on work done prior to that time.

Safe in Transit?

On the Elance site, Compulink had described the Voter Vault as "a warehouse of Voter Data, preferences, affiliations and a lot of demographic data that the Republican Party uses for its analyses before planning election campaign strategy." That page has since been removed but a cached copy from Google still shows the language.

Besides the political hot button of using offshore developers in the middle of a recession, some experts question the security of shipping possibly sensitive data around.

"Shipping data anywhere is risky," says Richard Purcell, CEO of Corporate Privacy Group in Seattle and former chief privacy officer for Microsoft. "But it may be just as risky to ship the data to Illinois or New Mexico as it is to India or Pakistan. There are no more legal protections in the US than there are in India. Outsourcing data is like outsourcing parenting, which we call 'babysitting.' Think about the care you exercise in selecting a babysitter. The question is whether companies exercise the same care and diligence when [choosing a company to handle] customer information."

A representative from Compulink directed requests for comment to ACS. ACS did not respond to repeated requests for comment. PC World could not independently determine whether Compulink was working on the Voter Vault at this time, nor whether Compulink had access to live voter data at any time during the project.

The hacker who defaced Compulink's site posted text claiming no data files were accessed, but claimed to have "cleaned" the log files. Hackers use messages like this to point out the damage that they could have done to a Web site, but don't actually do, in order to highlight security flaws. The same hacker compromised the Web site of the Taliban three times in 2001 and 2002. There is no evidence that the hacker who compromised Compulink's Web site accessed any of the RNC data the company was housing.

Hacking a Web site is typically an easier task than breaking into a corporate database, but any time a site is compromised it calls the company's security practices into question, says Lauren Weinstein, longtime security guru and cofounder of People for Internet Responsibility.

"By default, if your Web site is hacked, your security is screwed up," says Weinstein. "Most flaws that lead to defacements are just dumb configuration errors."

RNC spokesperson Christine Iverson declined to comment on any security issues surrounding the Voter Vault, but says that all work done on Voter Vault since 2002 has occurred in the U.S. She declined to answer questions about work occurring prior to 2002.

"All the vendors hired by the RNC for voter vault are American companies located in [the] United States," Iverson wrote in an e-mail message. "We are distrurbed [sic] by continued Democrat efforts to accuse the RNC of outsourcing using obscure Indian publications and vauge [sic] Internet sources."

Iverson says the RNC hired a different Seattle company, Advanced Data Center Systems, to perform work on its Voter Vault.

Washington State corporate records indicate that ADCS and ACS share the same address and were registered by the same agent, Steve I. Cummings. (A registered agent is the person who registered the corporation with the state, and could be an officer of the corporation, an attorney working for that corporation, or a business that provides this type of service.)

According to the Center for Responsive Politics, which runs the Opensecrets.org Web site, during the 2004 election cycle the RNC paid ACS $1.2 million for software licenses and computer maintenance and slightly more than $1 million to ADCS for maintenance and "voter data."

Not Alone

The Republican party isn't the only one using a massive voter database. Since 2002 the Democratic Party has relied on two databases--DataMart, containing the records of 166 million registered voters, and DemZilla, a smaller database used for fundraising and organizing volunteers.

DataMart, which would be considered the Democratic equivalent of the Voter Vault, is an open-source application created by PlusThree, a software developer with offices in Washington, D.C., and New York City. Vice President of marketing David Brunton says PlusThree did not outsource any of the development work on the DataMart.

Neither party is willing to reveal much about what's inside their databases. According to published reports, these databases combine publicly available data--such as voter registration records and individual political contributions--with consumer data obtained from data mining companies and personal information gathered from phone calls and door-to-door canvassing. According to a report in Business Intelligence Pipeline, a single record in the DataMart can contain more than 300 separate pieces of information.

Commentary: