"I picked two different counties that kind of represented opposite ends of the spectrum," Noah M. Kenney told The Register, describing a simple experiment that produced complex privacy risks.
Noah M. Kenney’s county comparison: Travis County (Texas) and Robeson County (North Carolina)
In a paper titled "Public Voting Records: A Record, or an Attack Surface?", Noah M. Kenney of consultancy Digital 520 analyzed public voter files from Travis County, Texas, and Robeson County, North Carolina to demonstrate how readily available voter data can be linked to other public data sets. Kenney chose the two counties because they "represented opposite ends of the spectrum": Texas' voter files publish fewer data points, while North Carolina's files are comparatively detailed. Yet Kenney's work finds that redaction of specific fields does not, on its own, prevent the re-identification scenarios he tested.
FEC cross-reference: ZIP 78704, 500 contribution records, and the 2024 cycle
Kenney used a Python script to merge county voter files with Federal Election Commission (FEC) individual-contribution records. He reports pulling 500 contribution records for ZIP 78704 (an Austin-core ZIP including South Congress and Travis Heights neighborhoods) from the 2024 cycle via the FEC OpenAPI on May 1, 2026. After de-duplicating to 181 unique contributors by exact match on (last name, first name, ZIP), and inner-joining to the voter file on the same key with no fuzzy matching, Kenney found:
- 105 contributors (58.01%) matched any voter record;
- 95 contributors (52.49%) matched a uniquely identifiable voter;
- Of the 105 matches, 74.3% had a non-trivial employer field in the FEC record.
Kenney notes that the 52% unique-match rate would rise to "90–95 percent" if the kinds of tools commercial data brokers use were applied, underscoring the practical difference between manual joins and broker-grade linkage capabilities.
Redaction, phone numbers, and exposed military families
The paper quantifies several straightforward fingerprints in public voter files. Name plus ZIP uniquely identify 95.81% of Travis County voters and 87.79% of Robeson County voters. In the North Carolina file, a phone number is present for a majority of voters, and 88.53% of voters who list a phone number have a number unique within the county — making phone numbers a strong key for joining external datasets. Turnout patterns are also highly identifying: among Travis County voters who have voted in 20 or more elections, 98.4% have a turnout pattern that is unique to them.
Kenney highlights specific failures of redaction. Texas redacts date of birth as a privacy measure, but the combination of available registration data with ZIP and gender still allows 28% of voters to be uniquely identified. The Travis County file also exposes 320 deployed military families through the publication of APO/FPO mailing codes, a detail Kenney flags as particularly sensitive.
Access controls, recommended technical fixes, and opt-out
Because redaction alone proved insufficient in Kenney’s tests, he argues for access controls as a more effective mitigation. His recommendations include rate limits on bulk file requests, identity verification and requiring state ID for access, maintaining audit logs of requests, and prohibiting the commercial resale of voter records. He also proposes data-specific adjustments: generalize voter registration dates to a year rather than a day, and remove armed forces mailing codes from public voter rolls. Beyond these technical measures, Kenney argues for allowing people to opt out of inclusion in public data sets and for broader data privacy protections.
Policy landscape: county variation and the Secure Data Act
Kenney emphasizes the uneven state of practice across the United States: "Even within a specific state, most of the counties are individually handling these public records requests, so they all handle them differently across the country," he said. "Some of them, you can't get them. Some of them, you need an ID to get them. Some of them you have to go through a request process for public records or you have to pay for them. The two counties I used are both freely available. You can go and download zip files of them without even putting in an email address or your name from anywhere in the world."
Last week, House Republicans introduced the Secure Data Act as an effort to create federal privacy rules. Kenney told The Register that the proposed law is "significantly weaker than a lot of state regulations" and that he does not expect it will pass; he noted it represents a third recent attempt at comprehensive federal data privacy, following previous efforts such as the American Data Privacy and Protection Act, which failed to pass.
What this means for deployed military families, employers, and identity-fraud rings
- Deployed military families: Published APO/FPO codes in the Travis County file exposed 320 deployed military families according to Kenney's analysis; excluding armed forces mailing codes or stronger access controls would directly reduce that exposure.
- Employers and background checkers: Employers who wish to screen for political affiliation could cross-reference primary ballot histories and contribution records with voter files — a capability Kenney demonstrates is practical using public FEC and voter datasets.
- Identity-fraud actors: Suspense indicators showing returned mail can be joined with voter files and used to identify addresses vulnerable to change-of-address fraud, and phone-number uniqueness in North Carolina-style files enables high-confidence linkage with external datasets.
Kenney’s findings are plain and procedural rather than theoretical: publicly available voter records, when stitched to other public datasets, create concrete avenues for identification and misuse. In his view, the most effective immediate remedies are not further redactions but tighter access controls, auditability, and legal limits on resale — changes that would shift the decision about who gets to use this data away from anyone with a web browser and toward accountable requestors.
