Data accessed in the Electoral Commission hack could help state-backed actors target voters with AI-generated disinformation, experts have warned.
The UK elections watchdog revealed on Tuesday that a hostile cyber-attack had been able to access the names and addresses of all voters registered between 2014 and 2022.
It said the integrity of the UK’s largely paper-based electoral system was not at risk, but experts said the data could still be used by rogue actors if deployed alongside powerful new artificial intelligence tools.
Michael Veale, an associate professor in digital rights at University College London, said the electoral register data could be combined with other leaked datasets to help target disinformation.
Veale cited the example of a vote suppression scandal in Canada in 2011, when automated phone calls impersonating election officials were made to voters, telling them falsely that their polling stations had been moved. A former campaign worker for Canada’s Conservative party was sentenced to nine months in jail for his role in the incident, which involved the misuse of a party database.
“Leaked electoral record data can result in serious electoral threats,” said Veale.
He added that generative AI – the catch-all term for tools that can produce convincing text, images and fake voices from human prompts – had now increased the potential for misuse of such information.
“Risk of misuse is only amplified by the extremely convincing personalised text or voice generation possible with generative AI systems. The more data you collate on people, the more convincing fake calls, text messages or emails can seem, based on writing styles and information about individuals and their social connections,” Veale said.
Michael Wooldridge, a professor of computer science at the University of Oxford, said gaining direct access to voters was a “gift” for rogue actors. “Providing direct access to voters is a gift for anyone attempting to subvert the electoral process. I’m very worried about voter manipulation by AI, and the data breach does rather seem to be a gift to the unscrupulous,” he said.
Wooldridge warned the Guardian in May that chatbots such as ChatGPT could produce bespoke disinformation targeted at voters in individual constituencies.
However, other experts have warned that any attempt at mass disinformation, even harnessed to the power of generative AI, would be a challenge.
“Unless you’re targeting a high-net-worth individual and are prepared to invest significant time and resources crafting a scam, it’s unlikely that generative AI would be used for large-scale attacks, yet,” said Dr Andrew Rogoyski, director of the Institute for People-Centred AI at the University of Surrey.
The Electoral Commission said on Tuesday it did not know for certain what files may or may not have been accessed, though it added that much of the data at risk was already in the public domain. The attack also breached its email system, which means the hackers could have accessed the email addresses of voters who had contacted the Electoral Commission, or any images they had sent to the organisation.
Russia, a state with a record of electoral cyber espionage, has been flagged as a potential architect of the attack. Sir David Omand, a former director of the British spy agency GCHQ, told BBC Radio 4’s PM programme that Russia was “first on my list of suspects”, while Sir Richard Dearlove, a former head of MI6, told the Daily Telegraph that the Kremlin would “be at the top of the suspects list by a mile”.