Sunday, December 27, 2015

DNC Penalizes Sanders Campaign For VAN Security Breach

On Thursday, December 17th at 11:47 p.m., the Washington Post broke a story reporting that Democratic National Committee (DNC) Chairwoman Debbie Wasserman Schultz had cut off presidential candidate Sen. Bernie Sanders' campaign access to the DNC's master 50-state voter file, which is managed for the DNC under a sole-source contract by NGP VAN Inc., a private political data services vendor. Schultz accuses a VAN data base system expert working for the Sanders campaign of intentionally breaching VAN system security firewalls to gain access to Hillary Clinton’s campaign data about voters.

Russian intelligence services have increasingly been interfering with the elections of Western democracies since 2010. Could Russian hackers have breached VAN system firewalls to access voter data compiled by all the Democrats running for the presidential nomination? That’s a question Schultz is intent on ignoring in her rush to bash Clinton’s leading contender.

WaPo headlined its story, "DNC penalizes Sanders campaign for improper access of Clinton voter data," with a lead paragraph reporting,
"Officials with the Democratic National Committee have accused the presidential campaign of Sen. Bernie Sanders of improperly accessing confidential voter information gathered by the rival campaign of Hillary Clinton, according to several party officials." The article's third paragraph said, "The discovery sparked alarm at the DNC, which promptly shut off the Sanders campaign’s access to the strategically crucial list of likely Democratic voters." The DNC had shut down access Wednesday morning.
That WaPo news headline replaced the day's headline story that Sen. Sanders received endorsements from the 700,000-member Communications Workers of America union, secured 88.9 percent of 270,000 votes cast in Democracy for America’s official endorsement poll, and received a record 2 million campaign contributions, with over $2 million raised in just 72 hours.

The initial Thursday night Washington Post story and all subsequent stories through the day Friday were clearly originally sourced from individuals at the DNC and NGP VAN. The frame of that sourced reporting - "Sanders campaign gained improper access to" and "breached" Clinton data - gives the impression that Sanders campaign staffers, with malice aforethought, hacked system security to access Clinton campaign data. The DNC seemingly used that same framing language in notifying the Clinton campaign that its data had been breached through four Sanders campaign VAN/VoteBuilder userids.

By taking the story public, telling Washington Post reporters and other reporters that she cut off Sanders campaign access to the DNC's voter information database because Sanders' campaign staff had "improperly accessed confidential voter information of Hillary Clinton's campaign" and that "cutting the Sanders' campaign's access is the only way we can make sure we can protect our significant asset that is the voter file," DNC Chair Wasserman Schultz instantly flipped Sanders' news momentum for the week, leading into the Saturday Democratic debate, from positive to negative.

The leading WaPo story headline read: "DNC penalizes Sanders campaign for improper access of Clinton voter data." Through the day Friday, news stories from all media outlets repeated DNC Chair Schultz's story framing language that left the impression Sanders campaign staffers had maliciously and intentionally hacked the DNC's master voter file system security to steal Clinton campaign data:
"They not only viewed it, but they exported it and they downloaded it," Wasserman Schultz told CNN's Wolf Blitzer. "We don't know the depth of what they actually viewed and downloaded. We have to make sure that they did not manipulate the information."

The DNC also sent out a strongly worded message from Wasserman Schultz to its members accusing the Sanders campaign of improper conduct: "Over the course of approximately 45 minutes, staffers of the Bernie Sanders campaign inappropriately accessed voter targeting data belonging to the Hillary Clinton campaign," Wasserman Schultz said in the message.

"Once the DNC became aware that the Sanders campaign had inappropriately and systematically accessed Clinton campaign data, and in doing so violated the agreement that all the presidential campaigns have signed with the DNC, as the agreement provides, we directed NGP VAN to suspend the Sanders campaign's access to the system until the DNC is provided with a full accounting of whether or not this information was used and the way in which it was disposed," Wasserman Schultz said in news interviews.
DNC Chair Schultz told reporters she would not grant the Sanders campaign access to VAN until it had proved it destroyed all of the Clinton campaign data it had inappropriately accessed.

But the media virtually ignored how the story sprang to life in the first place: the DNC's data services company NGP VAN Inc. switched off data privacy protocols between every candidate's campaign data. The media also ignored that statements issued by NGP VAN Inc. did not match DNC Chair Wasserman Schultz's account of what Sanders' staffer did do, or could do, and that NGP VAN Inc. management put distance between themselves and Wasserman Schultz's actions.

NGP VAN Inc. posted to the company blog that the company played “no role” in making the decision to lock the Sanders campaign out of the file and that its staff worked long hours to quickly restore the campaign’s access following the agreement with the DNC. The blog post includes additional information and clarification on statements made by DNC and Clinton campaign senior officers through the 24-hour period after WaPo broke the story Thursday evening:

On Wednesday morning, there was a release of VAN code. Unfortunately, it contained a bug. For a brief window, the voter data that is always searchable across campaigns in VoteBuilder included client scores it should not have, on a specific part of the VAN system. So for voters that a user already had access to, that user was able to search by and view (but not export or save or act on) some attributes that came from another campaign.

First, a one [page] page-style report containing summary data on a list was saved out of VoteBuilder by one Sanders user. This is what some people have referred to as the “export” from VoteBuilder. As noted below, users were unable to export lists of people.

... no NGP data was impacted by this situation, nor any Action ID or FastAction data. No client websites or web site data were impacted, either. For VAN clients, no myMembers, myWorkers, or myCampaigns data was impacted. The one area that was impacted was voter file data. We are confident at this point that no campaigns have access to or have retained any voter file data of any other clients;

Another fact the media did not note or follow up is that while DNC Chair Wasserman Schultz was demanding the Sanders campaign provide an accounting of what the campaign's now fired staffer had done, as well as assurances that all Clinton data had been destroyed, the Sanders campaign could do neither while it remained locked out of its VAN/VoteBuilder userid accounts.

As stated in NGP VAN Inc.'s posted statements, nothing was exported or downloaded from any VAN/VoteBuilder userid account except the page-style report. All of the Clinton data at issue was contained in the four VAN/VoteBuilder userids at issue. The statement issued by NGP VAN Inc. makes clear this was the fact and that they were aware of it.

DNC and NGP VAN Inc. administrators of the VAN/VoteBuilder system themselves had the ability to view the 25 data searches and any data lists that resulted from those searches on the four Sanders campaign VAN/VoteBuilder userid accounts. Furthermore, DNC and NGP VAN Inc. system administrators had the ability to delete those lists or entirely delete the four Sanders campaign userid accounts, if they wished. That visibility into the four userid accounts, together with the audit log of activities executed within those four accounts, meant DNC and NGP VAN Inc. staffers and officers had all the information DNC Chair Schultz demanded the Sanders campaign turn over to her as a condition of restoring VAN/VoteBuilder system access to the Sanders campaign. NGP VAN Inc.'s posted statement also makes clear they knew an innocuous single page page-style report was the only item "saved" outside of the VAN/VoteBuilder system.

While the DNC and NGP VAN Inc. did not make VAN activity logs available to the Sanders campaign while it was locked out of VAN, that information was given to the Clinton campaign. The Clinton campaign then released those activity log reports to the media, accusing the Sanders campaign of malicious intent and illegal behavior. Clinton campaign press secretary Brian Fallon said in a statement on Friday, “We were informed that our proprietary data was breached by Sanders campaign staff in 25 searches by four different accounts.” Fallon told Yahoo News that logs of Sanders campaign activities in VAN had been provided to the Clinton campaign by NGP VAN Inc. when the company told the Clinton campaign that Sanders' campaign staff had breached its data. Those logs were not given to the Sanders campaign until Saturday.

Again, the Sanders campaign was locked out of the VAN/VoteBuilder system and so had no data or information to turn over to DNC Chair Wasserman Schultz, nor could it even know firsthand the contents of the four Sanders campaign userid accounts at issue. In the meantime, the DNC already had all of the information the DNC chair demanded from the Sanders campaign through their access to the four accounts.

Sanders’ campaign manager Jeff Weaver showed reporters an email he sent to DNC officers on Thursday, before Schultz broke the story with WaPo reporters, providing the information they had on the actions of the staffer they had already fired from the campaign.

What Is NGP VAN Inc.?

NGP VAN Inc. is a private political information services company that provides voter information data, software and services to the DNC under a sole-source contract. The DNC contracts with NGP VAN to store and securely manage its master voter information data base and provide data services to DNC clients.

The DNC makes its master voter information data base along with NGP VAN data management services universally available by contract to its clients - Democratic candidate campaigns and other Democratic organizations throughout the 50 states. Those DNC clients then add their own proprietary information gathered by field workers and volunteers.

Firewalls are supposed to partition each client organization's proprietary data so only the staff of each client can view and update their own data. The DNC's sole-source contract with NGP VAN Inc. requires that company to securely manage the data each DNC client layers on top of the DNC's shared master voter information data base. NGP VAN Inc. is run by Stu Trevelyan, a veteran of Pres. Bill Clinton's 1992 presidential campaign "War Room" and then Pres. Clinton's Administration.

DNC Data Services Contracts With Candidate Campaigns

The DNC in turn signs data services contracts with candidates and other organizations for access to the DNC's shared voter data base through its services vendor NGP VAN Inc. Those contracts guarantee data added by each client will remain private through firewalls that securely partition each client's data.

The data services contract between the DNC and the Sanders campaign, and every campaign, requires the DNC to provide professional and secure data management services. The contract says:
"... the DNC shall not sell or transfer Campaign data to any third party without the express prior written permission of the Campaign. The DNC agrees to use security measures with respect to the Campaign data, that are consistent with good practices in the data processing industry. ... Neither Party shall be liable to the other Party or to any person claiming rights derived from the other party's rights ... "

The contract does not make any campaign responsible for the security of any other campaigns' data, as claimed by DNC Chair Schultz in her assertion the Sanders campaign staffer breached the contract by viewing Clinton campaign data. In fact, the contract is explicit that no DNC client is held responsible for the data of any other client.

The Agreement also states, in relevant part: Either party may terminate this Agreement in the event that the other party breaches this Agreement; "the non-breaching party sends written notice to the breaching party describing the breach; and the breaching party does not cure the breach to the satisfaction of the non-breaching party within ten (10) calendar days following its receipt of such notice." The Agreement does not permit either Party to suspend its performance of the Agreement prior to terminating the Agreement in accordance with the provision above. The Agreement does not permit either Party to terminate or suspend the Agreement without notice, or without providing the breaching Party with the requisite opportunity to cure.

The DNC did not provide the Sanders campaign written notice of contract breach or allow 10 days for the Sanders campaign to cure the breach of contract complaint before suspending VAN DB access. In fact, the Sanders campaign did not breach any provision of the data services contract, and the Sanders campaign claims both the DNC and NGP VAN Inc. breached contractual obligations to the Sanders campaign, and all their clients, by dropping their security firewall and exposing every client's campaign data, whether or not anyone outside their campaigns viewed the data. The DNC was in further breach of contract with the Sanders campaign by suspending its VAN system access without giving written notice and a 10-day period to resolve the complaint.

There’s a compelling theory that the DNC leaked the controversy about the Sanders campaign to distract from the data security failure of their sole-source vendor NGP VAN. Indeed, whether political connections or mutual backscratching drives the relationship between the DNC and NGP VAN Inc., it’s clear the two entities are intertwined in a way that raises Democratic vulnerabilities for no good reason.

The Sanders campaign called this particular breach of contract a common occurrence, saying in a statement that firewall security was down in the voter file system run by the DNC's sole-source vendor NGP VAN Inc. Michael Briggs, the Sanders campaign spokesman, said in a statement reported by the New York Times:
“On more than one occasion, the vendor has dropped the firewall between the data of different Democratic campaigns…”

“Our campaign months ago alerted the D.N.C. to the fact that campaign data was being made available to other campaigns. At that time our campaign did not run to the media, relying instead on assurances from the vendor.”

“Unfortunately, yesterday, the vendor once again dropped the firewall between the campaigns for some data…”

Sanders' Campaign On Friday Sued The DNC In Federal Court

The Sanders campaign filed a lawsuit on Dec. 18 asking a federal court judge to order the DNC to live up to the terms of the data services contract it signed with Sanders campaign and immediately restore VAN system access. At a press conference announcing that suit, Sanders campaign manager Jeff Weaver described the DNC’s behavior as an effort to “undermine” Sanders’ attempt to mount a progressive challenge to Clinton.
“By their action, the leadership of the Democratic National Committee is now actively attempting to undermine our campaign. This is unacceptable. Individual leaders of the DNC can support Hillary Clinton in any way they want, but they are not going to sabotage our campaign — one of the strongest grassroots campaigns in modern history,” Weaver said.

After the Sanders campaign filed its lawsuit in federal court, the DNC restored Sanders' campaign access to VAN. Even after having its VAN access restored, the Sanders campaign has said it will proceed with its lawsuit against the DNC. Sanders' lawsuit asks a federal court judge to compel the DNC and NGP VAN to make available VAN audit reports over a period of time to prove they are in compliance with their data security obligations.

Some Technical Background On The Data Exposure Event

The Sanders campaign guy accused of stealing Clinton campaign data was logged into his Sanders campaign VAN user account and noticed he could see Clinton data he should not have been able to see. So, he decided to gauge how deeply the Clinton campaign was able to search and view Sanders campaign data, by experimenting to see how much of the Clinton data he could search and view. That’s a bad call in this political campaign context, but by information security standards it’s not unthinkable: it’s what is known as a white hat intrusion, to investigate how much of the firewall was down by probing the other side and assuming your own data was revealed exactly the same way. It does matter in this circumstance: you still have to fire the guy because it created an appearance of wrongdoing.

NGP VAN Inc. software engineers wrote software to track and record in an activity log every action taken by every NGP VAN system user. This auditing facility is intended to deter DNC clients from viewing data of other clients when data security firewalls fail. The Sanders campaign guy is an experienced VAN administrator and therefore was aware every search creating every list on that Wednesday morning was logged. Knowing he was being watched, why would he steal Clinton data?

Lost in the frenzy of media stories that cascaded from DNC Chair Schultz's statements to the press: anything open to ‘view’ in the Clinton data partition was just as open to view in the Sanders data partition, literally. It’s the same system and the same firewall. If the firewall mysteriously disappears, without prior warning or explanation from the vendor, any IT professional will wonder what’s up and, more relevantly, what of his data is being made available for others to see, which might explain why the firewall’s down in the first place.

Who in the Sanders Campaign looked at Clinton's openly available campaign data, and why did he look?

Josh Uretsky (pictured right with Pres. Obama in 2008) was the Sanders campaign’s National Data Director who discovered NGP VAN had opened every candidate's campaign data for viewing by every other NGP VAN client user.

Uretsky, 39, was hired by the Sanders campaign in September, according to his LinkedIn profile. Uretsky writes his functional role was to be the campaign's national VAN data base system administrator, with a title of Data Director.

Uretsky was well known to DNC and NGP VAN officials and was in fact recommended to the Sanders campaign by people with ties to the DNC and NGP VAN - Andrew Brown and Bryan Whitaker. Uretsky gave Brown and Whitaker as references when he applied for a job with the Sanders campaign.

Andrew Brown is the DNC’s National Data Director and works closely with NGP VAN and candidate campaigns who use the DNC's shared master voter file.

Bryan Whitaker was COO at NGP VAN when he recommended Uretsky, but left the company immediately after. Whitaker was hired by TargetSmart Communications, a non-profit political information and communications technology management company, similar to NGP VAN, to the position of Chief Innovation Officer.

It’s worth noting Brown was the Iowa technology director for the Clinton campaign from 2007-2008 during her first presidential run. He replaced Bryan Whitaker as the Director of Technology for the DNC in April 2013 when Whitaker moved over to serve as NGP VAN Inc's Chief Operating Officer.

Uretsky's LinkedIn profile says he is from Philadelphia and before being hired by the Sanders campaign in September he had worked as the data and targeting manager for America Votes from November 2011. His resume includes being a regional field organizer for the Committee to Elect Seth Williams in Williams' 2009 campaign for Philadelphia District Attorney. Uretsky managed Williams' Northwest Philadelphia field office. Before that, Uretsky was co-chair of Philadelphia for Obama from Aug. 2007-Nov. 2008.

Uretsky graduated from the University of California-Berkeley in 1998 with a degree in bio-engineering, with concentrations in computer science and genetics. In addition to his work in politics, he worked as a C++ programmer at Mystic Wave Productions, a company that designed software for teachers, from 1995 to 1997. He was also a programmer at InfoUse, another educational software company, from 1998 to 2000.

Uretsky is an idealist and a progressive but not someone who would do something untoward to gain electoral advantage, his friends and associates say.
"He is not a schemer," said Adam Bonin, a Philadelphia election-law attorney and friend of Uretsky. "It's just impossible for me to imagine that he would be looking at this situation and say, 'Let's figure out how to exploit it for the campaign.'" Bonin said his friend was overwhelmed by the attention after initially offering explanatory interviews to national news outlets.

"He's dedicated his life to trying to implement things that he believes in," said Dan Fee, a longtime political consultant who runs The Echo Group in Philadelphia. Fee calls Uretsky a man of "integrity."

"I have trusted Josh with data for a long time," said Kati Sipp, director of Pennsylvania Working Families, an independent political organization that champions progressive causes. Sipp said she worked with Uretsky on voter targeting efforts on various races over the past six years, including while Uretsky was on staff at America Votes Pennsylvania. One such campaign included the successful primary bid earlier this year by Philadelphia Mayor-Elect Jim Kenney.

CNN interviewed Uretsky shortly after WaPo broke the story Friday morning, December 18th. This is what he had to say:
"We knew there was a security breach in the data, and we were just trying to understand it and what was happening."
"To the best of my knowledge, nobody took anything that would have given the (Sanders) campaign any benefit."

“…I knew full well that I was creating a record that the administrators could see.”
Uretsky further explained in an MSNBC interview that the campaign didn’t “take custodianship" because the result of every action they took was logged by the VAN/VoteBuilder system and stored within the VAN/VoteBuilder system's custodianship under the four VAN userids used to document that the NGP VAN company had dropped system firewall security between candidate client accounts.

Uretsky said he noticed data of other campaigns was visible to Sanders campaign VAN userid accounts on Wednesday morning.
"We investigated it for a short period of time to see the scope of the Sanders campaign's exposure and then the breach was shut down presumably by the vendor… We did not gain any material benefit."
According to Uretsky, his team notified his superiors in the campaign and then was about to call the DNC, when they called him.
“They [the DNC] called me fairly quickly after the breach was closed to inform me that there was something weird going on and that portions of the VAN system were shut down.”
Uretsky said he was deliberately testing the extent of the exposure of other campaigns' data, knowing Sanders campaign data was visible to other campaign users of the VAN DB system. Uretsky said he was going through the system to demonstrate to people who know the VAN system that something was wrong. He said he was testing the depth of the problem. Uretsky was:
"…going through stuff that I wasn't supposed to have access to."
"This wasn't the first time we identified a bad breach in the NGP-VAN system… "

"In retrospect, I got a little panicky because our data was totally exposed, too. We had to have an assessment, and understand of how broad the exposure was and I had to document it so that I could try to calm down and think about what actually happened so that I could figure out how to protect our stuff."
Uretsky was likely behaving in the way a corporate IT systems administrator would behave to find the extent of the problem. But, with the high stakes politics of presidential campaigns and the highly volatile nature of this primary, using his “IT computer programmer sense” wasn’t the right decision for the national VAN DB administrator of a presidential campaign. This misjudgment is why the Sanders campaign fired Uretsky.

Tad Devine, senior adviser to the Sanders campaign, said Uretsky had mishandled things by not immediately reporting to top staffers that a VAN system problem had caused Clinton voter information to appear in Sanders' campaign NGP VAN user accounts Thursday. That's why he was fired that day, before it became public, he said. Uretsky's lack of experience on major campaigns - his highest previous post was crunching data for a progressive coalition of labor unions and other groups in Pennsylvania - "certainly could contribute to this," Devine said. Uretsky didn't have an appreciation of how his actions could be exploited to tarnish Sanders' campaign.

"It was 100% my responsibility and I take full responsibility for whatever happened," said Uretsky.


Understanding the circumstances of events, contractual obligations of all parties, VAN/VoteBuilder functionality, and a little of Josh Uretsky's political and professional background, one must question the motives of Democratic National Committee (DNC) Chairwoman Debbie Wasserman Schultz. Josh was a political IT guy known to both DNC and NGP VAN Inc. staffers to be of good professional and personal character. Why else would they recommend Josh to the Sanders campaign? One must ask: in the rush to discredit Sen. Bernie Sanders, did DNC Chair Wasserman Schultz throw a good Democrat and talented IT professional under the bus?


Author's Note: Michael Handley, author of this story, is a computer scientist and retired executive from the Independent Computer Software Industry with extensive experience in distributed application and data base system technology. Michael has extensive experience with NGP VAN Inc's distributed VAN/VoteBuilder system as a user and system/user administrator, having served many years as a County Democratic Party Precinct Chair, candidate campaign consultant, and County Party Political Director. Michael has trained and directed a variety of political activists in using VAN/VoteBuilder facilities to target voters for ID canvassing and get out the vote operations.
