News: 1738238891

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Canvassing apps used by UK political parties riddled with privacy, security issues

(2025/01/30)


The Open Rights Group (ORG) has raised concerns about a number of security issues it found in all three of the canvassing apps developed on behalf of the UK's three major political parties.

Labour, the Conservatives, and the Liberal Democrats all offer different digital tools that aim to ease the burden of data entry for door-knocking campaigners looking to register voters' support.

All data was gathered during the run-up to last year's general election and the ORG claimed all three parties' apps had different types of issues affecting them.

[1]

The incumbent Labour government's three web-based activist tools – Reach, Doorstep, and Contact Creator – were investigated. All three are used interchangeably to build a database of voters, complete with specific information about them to aid voter profiling, the ORG said.

[2]

[3]

The main issue raised by the privacy campaigners here was that various URLs tied to the apps were associated with infrastructure operated by credit reference agency Experian. The ORG said Labour's privacy policy doesn't explain the relationship between the data collected in the apps and the degree to which it is shared with Experian.

Its findings were based on limited, static technical analysis. It didn't acquire login credentials for any of the apps, which ruled out more thorough testing, but nevertheless called on Labour to be more transparent about its relationship with Experian.

[4]

Two mobile apps used by Tory campaigners were also analyzed. VoteSource is a data entry tool for canvassers that returned nothing to concern the researchers. However, the party's Share2Win app was more problematic.

Share2Win essentially sends official Conservative public messaging to app owners, providing them with the functionality to easily share it across their own social media profiles, complete with official party multimedia assets.

Using MobSF, an open source tool that does a basic security-checking job, but isn't as thorough as the likes of Veracode or Checkmarx, the ORG said it discovered that both iOS and Android versions stored secret credentials, "potentially making it vulnerable to breaches."

[5]

The rights group's [6]report noted various other issues, such as that different versions of the app were vulnerable to [7]dependency confusion attacks – where external libraries on which the app depends are compromised.

Both Share2Win's Android and iOS apps lacked privacy controls such as attributes for sensitive personal data and privacy manifest files respectively. The Android version was also able to access Wi-Fi data, which the ORG said could lead to location tracking.

You may also recognize Share2Win from [8]reports circulating before the summer election about how the app was leaking party members' details.

Various MPs' phone numbers and home postcodes were leaked via the app, British broadsheet The Telegraph reported, including those of then-security minister Tom Tugendhat, Theresa Villiers, Vicky Ford, Greg Smith, and Sir Desmond Swayne.

Users were able to download a code version of the app's leaderboard that ranked members by the number of shared party messages. Downloading the leaderboard did not require any technical know-how.

The main issues around the Lib Dems' MiniVan app centered on its reliance on Google Firebase SDKs. The ORG's report stated that this "is not inherently problematic, [but] it does point to potential security issues."

The report went on to cite different pieces of research from the infosec industry concerning Firebase and how platforms built using it are routinely misconfigured, exposing sensitive data to the public internet.

Researchers found at least [9]900 Firebase-reliant websites were vulnerable in this way back in March 2024, exposing roughly 125 million user records. Likewise, Comparitech estimated that [10]24,000 Android apps were leaking user data due to Firebase misconfigurations in 2020.

[11]WFH with privacy? 85% of Brit bosses snoop on staff

[12]Amazon sued for allegedly slurping sensitive data via advertising SDK

[13]Guess who left a database wide open, exposing chat logs, API keys, and more? Yup, DeepSeek

[14]CDNs: Great for speeding up the internet, bad for location privacy

Again, since the ORG wasn't able to carry out thorough testing of the apps during runtime and researchers didn't procure logins for all the platforms, more concrete conclusions couldn't be drawn.

It said the static application security testing methods it used were able to identify issues such as privacy violations, insecure data storage, and potential vulnerabilities. However, due to the absence of valid credentials, it couldn't observe any potential network-based data leakage, issues related to user interaction with the apps, and some tests may produce false positives and/or negatives.

Findings fall on deaf ears, mostly

Speaking to The Register , an ORG spokesperson confirmed that today's report would be sent to the Information Commissioner's Office (ICO) for review and that despite the organization's efforts to secure a sit-down with parties to discuss the findings, none replied.

Equally, Labour, the Conservatives, and the Lib Dems all failed to respond to The Register's requests. Sprinklr and NRG VAN, which assisted in the development of the apps used by Conservatives and Lib Dems, also didn't respond.

The ORG was able to reach the vendors responsible for the Conservatives' apps, but they claimed the versions examined by the researchers were old and no longer available. Therefore, any negative findings were moot.

"The app versions which were tested were in use during the election period, when the data was collected, and would be the versions downloaded by canvassers," the ORG countered in its report.

"That appears to confirm that the issues were present during the election period, when the app was in greatest use."

Speaking in relation to the [15]Data Use and Access Bill progressing through Parliament, James Baker, platform power program manager at the ORG, said: "With trust in our democratic systems at an all-time low, the government should be working to improve the public's confidence in electoral processes.

"Our report highlights that there is a data arms race to the bottom, pushing parties to make shortcuts in safety and privacy. The answer to this is fair and robust rules and enforcement.

"Instead, the government is doing nothing to make the ICO keener to act. The new data bill proposes to give ministers the power to make arbitrary rules about how our political parties can use our data, potentially timed to favor their own party in an election.

"This will further undermine public trust. We need transparency and a fair set of rules agreed by Parliament and enforced by an independent ICO and Electoral Commission." ®

Get our [16]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z5uwNFs9Y8CBTdjUR5iu1AAAAUw&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z5uwNFs9Y8CBTdjUR5iu1AAAAUw&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z5uwNFs9Y8CBTdjUR5iu1AAAAUw&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z5uwNFs9Y8CBTdjUR5iu1AAAAUw&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z5uwNFs9Y8CBTdjUR5iu1AAAAUw&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://www.openrightsgroup.org/publications/moral-hazard-voter-data-privacy-and-politics-in-election-canvassing-apps/

[7] https://www.theregister.com/2025/01/14/snyk_npm_deployment_removed/

[8] https://www.telegraph.co.uk/news/2024/06/22/conservative-leak-home-addresses-revealed/

[9] https://env.fail/posts/firewreck-1/

[10] https://www.theregister.com/2020/05/12/report_thousands_of_android_apps/

[11] https://www.theregister.com/2025/01/30/forget_the_idea_of_wfh/

[12] https://www.theregister.com/2025/01/30/amazon_sued_for_snarfing_sensitive/

[13] https://www.theregister.com/2025/01/30/deepseek_database_left_open/

[14] https://www.theregister.com/2025/01/27/cloudflare_cdn_location_data/

[15] https://www.theregister.com/2024/10/24/uk_proposes_new_data_law/

[16] https://whitepapers.theregister.com/



The headline does not need that many words...

Mentat74

"apps riddled with privacy, security issues" is more than enough...

J.G.Harston

I don't like MiniVan, as you're juggling messing about with a tablet or phone while you're supposed to be actually talking to people and collecting data. Much prefer a proper clipboard with proper sheets of paper that I can then take home and properly enter on a proper computer.

Lazlo Woodbine

I resigned from Momentum after they emailed all constituency data managers, reminding them of the importance of data security.

The email had all our personal email addresses in the CC field.

Despite repeated requests for them to remove me from their mailing lists, I was still getting emails with other members details for over a year afterwards.

I reported them to the ICO twice, I'm not sure if anything happened, as I eventually blocked their emails

Is your Electoral roll data safe?

Anonymous Coward

After receiving a letter helping me decide on my postal vote, I complained to the Lib Dems and was informed they can do what they want with electoral roll data.

I asked if I could post his reply on the local community page, and was informed I could not.

I also asked to be forgotten under GDPR rules, still waiting for this reply.

Another rules for you on GDPR, but they can roll U over. What a Twit (misspelt)

Re: Is your Electoral roll data safe?

heyrick

" and was informed I could not "

Why not? If you were given a response to a legitimate non-personal question, they shouldn't mind if you publicise it as it'll be what they say to everybody who asks that.

This reaction suggests to me that you were given a brush off, the person is well aware of this, and doesn't want the hassle of being caught out.

The thing is, unless there is an aforementioned (and agreed by you) accord [*], there isn't any expectation of confidentiality, especially given as they are public servants and the question was in context of their public function.

If I was in your position, I would start by publishing it, because they're probably saying the same shit to everybody else and ignoring the law.

IANAL, etc.

* - Some crap at the bottom of an email doesn't count, it was never "agreed" to by you.

Re: Is your Electoral roll data safe?

Scotech

No idea about the rest of the exchange, but regarding the use of voter contact details from the unedited register, they are permitted to access this and use it for the purposes of official party-political campaign messaging, yes. It's either that, or we have an unequal system where whichever party is in government today effectively has all those details available by proxy, and all other parties are left to throw around as much money as they can gather, hoovering up whatever data they can from data-brokers, shady or otherwise. Personally, I'd rather our political parties were competing on as level a playing field as possible, and were given as few incentives as possible to cosy up with people who profit from selling my data. Getting the odd bit of junk mail that goes straight into the shredder on arrival is a small price to pay in my opinion, though I do make the effort to reach out whenever possible and advise them that it'd be better for their campaign budget and for the planet if they crossed me off their mailing list. Funnily enough, most parties have been fairly amenable to that - with the noticeable exception of the Scottish Greens...

Re: Is your Electoral roll data safe?

Doctor Syntax

A few elections ago our local Greens produced a big wodge of newsprint, unlike the other parties who simply printed small fliers. Their delivery of this wodge fell somewhat short. Instead of finding its way into my letter box it was dropped on the path as a piece of litter. But then the Greens have been wilfully ignorant of real green matters for uears.

Re: Is your Electoral roll data safe?

Anonymous Coward

Just publish the request and the reply on Social Media and then a link to it here.

Re: Is your Electoral roll data safe?

Doctor Syntax

"I asked if I could post his reply on the local community page, and was informed I could not."

You post his refusal to allow you to publish the original. That then has your readers wondering what it is that he's hiding.

Scotech

So basically, it sounds like only Share2Win had any actual security issues found. The fact that Firebase is often misconfigured doesn't automatically mean that the MiniVan app is insecure. As for the Labour apps, it's been pretty well publicised that they use Experian Mosaic to map postcodes to socioeconomic groupings as a means to target their campaign messaging, so it's no surprise their apps make calls to Experian URLs. So long as no personal information is changing hands, it's not even subject to GDPR.

Static analysis... Sounds to me like someone went on a fishing expedition, hoping to make a big headline here, and instead found basically nothing beyond the one app that was already known to be problematic. There's definitely a debate to be had around how these databases are built, managed and regulated in order to keep them secure and compliant, but I don't think this study added anything of value to it beyond pointing out that only expert regulatory scrutiny of the whole end-to-end ecosystem these apps operate in will be sufficient to assess their performance in those areas. It's worth remembering that these party databases are already subject to additional oversight when compared to business and public-sector, as parties must comply with the conditions laid out by the Electoral Commission in order to work with data from the Unedited Register. If they screw up, they risk not only some very embarrassing headlines, but stiff financial penalties too, and in the worst cases, they could put election results in jeopardy or even end up being barred from standing candidates, so they're even more incentivised to handle things responsibly than most other orgs out there.

TIPS FOR PERFORMERS:
Playing cards have the top half upside-down to help cheaters.
There are a finite number of jokes in the universe.
Singing is a trick to get people to listen to music longer than
they would ordinarily.
There is no music in space.
People will pay to watch people make sounds.
Everything on stage should be larger than in real life.