A CAQ site has made data from thousands of voters accessible | Elections Quebec 2022
On this CAQ site, users are invited to enter their name and postal code. The site checks whether the information is valid, then shows the user the places where they will have the right to vote.
A site created by the Coalition avenir Québec (CAQ) to help Quebecers go to vote has inadvertently exposed the names and postal codes of at least 2,800 users to anyone who wants to spy on them, Radio-Canada has found.
After Radio-Canada contacted the CAQ to ask questions about this last Friday, the Planifievotrevote.org site was updated and the flaw was repaired. The CAQ claims to have no indication that a malicious person had access to this data.
The situation nevertheless worries a cybersecurity expert whom we told about the existence of this flaw. The fact that this is information related to an election makes the case even more delicate, knowing that foreign interference targeting voters is a very serious and rapidly growing phenomenon, underlined Alexis Dorais-Joncas, a cybersecurity expert at Proofpoint.
This expert also notes that Law 25, which deals with the protection of private data, came into force last week in Quebec.
One of the important features of Law 25 is that it protects information that can identify not only directly but also indirectly the person concerned. In this case, we are entitled to ask whether the combination of a surname, a first name and a postal code can be cross-checked with other sources of information in order to identify precisely the people concerned, says Mr. Dorais-Joncas.
We would like to reassure the people who have completed this form that we have taken all the necessary measures to ensure that the situation was corrected immediately, as soon as it was pointed out to us. We are sorry for this [situation], said the director of communications of the CAQ, Claude Potvin.
The specialized firm with which the CAQ did business for the design of the site takes full responsibility for this flaw, said the party's communications director.
.org is hosted on the same IP address as official CAQ sites, according to analytics tool DomainTools. The user is prompted to enter their name and postal code. The site verifies that the information is valid, then indicates to the user the places where they will have the right to vote.
The site then proposes dates when it will be possible to do so, as well as the expected traffic at the polling stations. Users can enter their phone number or email address to receive a reminder to vote. They can even ask for help with transportation to the polling station.
A cybersecurity expert who did not want to be named reported the flaw in this site to Radio-Canada last week. Using a few basic manipulations that any Internet user can perform without specialized tools, it was possible, until Friday afternoon, to consult the name and postal code of all the people who had registered with Planifievotrevote.org.
According to our findings, some 20,000 files were available on this website, but the CAQ claims that only 2,800 people registered.
Radio-Canada will not reveal the method used for the sake of protecting the data of the persons concerned. However, we were able to independently verify the existence of this flaw and the ease with which it was possible to access users' personal data before the site was updated.
Alexis Dorais-Joncas points out that this is a very common type of flaw.
All things considered, it's still less serious than many other leaks, but it remains a very well-known type of flaw for which there are methods and best practices to avoid introducing it into a new system in the first place, he judges.
The CAQ's director of communications maintains that Planifievotrevote.org is a platform intended for all voters in Quebec.
However, the only accounts to have promoted it on social media are those of candidates or party organizers, according to analytics tool CrowdTangle. In addition, the site features the CAQ logo and contains a statement that this is an expense authorized by the CAQ's official agent.
Although users can enter their e-mail address and telephone number, there is no indication at this time that this data was accessible to the general public. Only the name and postal code could be viewed.
At this stage, we have no reason to believe that anyone other [than the Radio-Canada journalist] has accessed this information, maintains the CAQ's communications director.
Everything should be done to protect voter information and make it much more difficult for those who try to interfere in democratic processes, believes Mr. Dorais-Joncas.