The Expert's View with Jeremy Kirk

Anti-Money Laundering (AML) , Fraud Management & Cybercrime , Fraud Risk Management

Why Do Data Brokers Access the Australian Electoral Roll?

Restricted Data Access Required by Anti-Money Laundering and Anti-Terrorism Laws
Why Do Data Brokers Access the Australian Electoral Roll?

Credit agencies and data brokers are facing ever-increasing scrutiny over how they purport to protect individuals' personal data. Concern over the organizations' practices has been fueled by their egregious data security stumbles, which have leaked sensitive personal and financial details worldwide.

See Also: Cybersecurity Awareness Engagement Toolkit: Elevate Your Security Culture

Take one of the giants in the field, Equifax, which suffered a 2017 data breach that exposed details for a massive number of consumers: 145.5 million in the U.S., 15.2 million in the U.K. and 8,000 in Canada (see: Postmortem: Multiple Failures Behind the Equifax Breach). In 2015, Experian, another major credit bureau, said hackers accessed a database that held personal information for 15 million T-Mobile customers.

That's why a report in The Sydney Morning Herald on Thursday raised eyebrows.

The newspaper reported that Afterpay, a popular short-term loan service, was using data in the Australian electoral roll "to identify individual customers." The company reportedly accessed the data via credit agency service provider Illion, formerly known as Dun & Bradstreet.

Australia's electoral roll is meant to be a tightly controlled batch of data.

But the report says that not only Illion but numerous other companies have access to electoral roll data, including data broker Acxiom and the gambling industry giant Betfair:

"The confidential electoral roll data of more than 16 million Australians is being used by buy now, pay later providers, debt collectors, betting agencies and marketing firms to identify individual consumers."

At first blush, the situation looks dire. Credit bureaus, which have massive repositories of consumer data, have been some of the worst stewards of it.

But a deeper dive into what's actually happening reveals a much more nuanced picture.

Primer: Aussie Electoral Role

First, a short primer the Australian electoral roll. Compared to the U.S., Australia has many more restrictions on who can access its electoral data and how it can be used.

Members of the public can view registration data, but copying or photographing it isn't allowed. But the Australian Electoral Commission, which holds the data, does make it available to political parties, approved medical researchers and electoral researchers. By law, Australians are required to vote and to keep their address up-to-date on the roll.

The government also bans commercial use of electoral data. That differs from the U.S., where data brokers eagerly scoop it up, and many states do not specifically prohibit commercial use of such data (see: The Privacy Penalty for Voting in America).

The Sydney Morning Herald reports that a legislative change published in November 2018 has resulted in the government opening the electoral roll to data brokers. But a deeper examination reveals that such a summation isn't exactly accurate. In fact, a handful of companies have had access to the data for more than a decade.

Here's why: Under Australian law, access to the electoral roll can also be allowed for "some companies who provide identity verification services," the Australian Electoral Commission says on its website. The companies are listed in the Electoral and Referendum Regulation 2016 as well as in the commission' annual report.

Companies that are allowed to check name and address against the Australian Electoral Roll as listed in the Electoral and Referendum Regulation 2016

The commission began listing the companies that have this kind of access in its 2008/2009 annual report. A that time, the list included Acxiom, Betfair, Perceptive Communication, The Global Data Company and Veda Advantage Information Services and Solutions.

The list hasn't changed much, aside from the addition of a sixth company, Experian. For some reason, the current list that's in the 2016 regulation doesn't reflect acquisitions in the industry: Equifax acquired Veda, and Perceptive Communication is now part of Illion.

According to the commission, the reason data brokers are allowed access is for their clients' compliance with two laws: the Financial Transaction Reports Act 1988 and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

Flag Matches

Here's how the situation outlined by the Herald involving Afterpay fits into this.

Afterpay uses Illion to conduct financial background checks on people who sign up for its short-term loan service, which is like layaway for the online age.

Illion runs its checks, including verifying a person's name and address against the electoral roll, by submitting it to the AEC. What the commission sends back to Illion is a "flag match" - the data either matches or it doesn't. Illion doesn't have full access to voter data, as it can only verify any basic information it already has. Such information would have come from one of its clients - say, for example, a bank that's received a credit application.

That personal information, in turn, gets provided by a consumer who presumably has read the bank's privacy policy and understands that as part of the application process, their personal data may be shared with credit agencies. (I know: I've likely assumed too much here.)

The bank - or in this case, the Afterpay short-term loan service - only receives credit risk advice back from Illion and no electoral data. Companies such as Illion are only allowed to do this on behalf of their clients who are themselves bound to obey Australia's anti-money laundering and anti-terrorism laws.

The AEC says it regularly audits companies with this kind of access.

In other words, some organizations in Australia are legally bound to submit customer data to services that vet it as part of government-mandated AML and anti-terrorism statutes.

Commercial Use Prohibited

Might this process be abused? "The electoral roll is never used, or sold, by Illion for marketing purposes," Illion says. "We do not disclose any personal information from the database to our customers.

Afterpay says that only its authorized, third-party provider has a link to the roll. "This is a common and well-established practice in Australia," it says.

"Afterpay does not access the electoral roll directly," the company adds. "Afterpay does not use data from the electoral role for commercial purposes."

Companies that aren't bound by the AML and anti-terrorism laws cannot verify their customers' details against the electoral role. That would violate the prohibition on commercial use of the data.

The half-dozen companies that are allowed to identify customers in this manner, however, could see a slight commercial side benefit: Electoral roll verification adds an extra, valuable data touch point to their verification profiles. Verified customers are more likely to be who they say they are.

So in the end, this customer identification process shouldn't seem as alarming as it might first appear.



About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.