Wednesday, December 23, 2015

DNC Penalizes Sanders Campaign For VAN Security Breach

On Thursday, December 17th at 11:47 p.m., the Washington Post broke a story reporting Democratic National Committee (DNC) Chairwoman Debbie Wasserman Schultz had cut off presidential candidate Sen. Bernie Sanders' campaign access to the DNC's master 50-state voter file managed for the DNC under a sole-source contract, by NGP VAN Inc., a private political data services vendor. Schultz accuses a VAN data base system expert working for the Sanders campaign of intentionally breaching VAN system security firewalls to gain access to Hillary Clintion’s campaign data about voters.

Chairwoman Schultz intentionally misrepresents the facts after the Sanders campaign VAN administrator stumbled upon and investigated a VAN software bug introduced Wednesday morning, December 16th, at approximately 10:40 AM, when NGP VAN, the company whose software hosts the Democratic National Committee’s voter file, installed a routine software update. The update introduced a bug that allowed members of Hillary Clinton’s and Bernie Sanders’s presidential campaigns, among others, to filter the voter records they share using custom “scores” each campaign had independently tagged to those common voter records. Such custom scores tagged by individual campaigns are to be private to those campaigns, but the bug exposed that campaign specific scoring as public data to all VAN users. (about which more shortly).

Josh Uretsky was the Sanders campaign’s National Data Director who discovered NGP VAN had opened every candidate's campaign data for viewing by every other NGP VAN client user.

WaPo headlined its story, "DNC penalizes Sanders campaign for improper access of Clinton voter data," with a lead paragraph reporting,
"Officials with the Democratic National Committee have accused the presidential campaign of Sen. Bernie Sanders of improperly accessing confidential voter information gathered by the rival campaign of Hillary Clinton, according to several party officials." The article's third paragraph said, "The discovery sparked alarm at the DNC, which promptly shut off the Sanders campaign’s access to the strategically crucial list of likely Democratic voters." The DNC had shut down access Wednesday morning.
That WaPo news headline replaced the day's headline story that Sen. Sanders received endorsements from the 700,000-member Communications Workers of America union, secured 88.9 percent of 270,000 votes cast in Democracy for America’s official endorsement poll, and received a record 2 million campaign contributions, with over $2 million raised in just 72 hours.

The initial Thursday night Washington Post story and all subsequent stories through the day Friday were clearly originally sourced from individuals at the DNC and NGP VAN. The frame of that sourced reporting - "Sanders campaign gained improper access to" and "breached" Clinton data - gives the impression Sanders campaign staffers with malice of forethought hacked system security to access Clinton campaign data. The DNC seemingly used that same framing language in notifying the Clinton campaign its data had been breach through four Sanders campaign VAN/VoteBuilder userids.

DNC Chair Wasserman Schultz, by taking the story public, stating to Washington Post reporters and other reporters she cut off Sanders campaign access to the DNC's voter information database, because Sanders' campaign staff had "improperly accessed confidential voter information of Hillary Clinton's campaign" and that "cutting the Sanders' campaign's access is the only way we can make sure we can protect our significant asset that is the voter file," Schultz instantly flipped Sanders' news momentum for the week, leading into the Saturday Democratic debate, from positive to negative.

The leading WaPo story headline read: DNC penalizes Sanders campaign for improper access of Clinton voter data. Through the day Friday, news stories from all media outlets repeated DNC Chair Schultz's story framing language that left the impression Sanders campaign staffers had maliciously and intentionally hacked the DNC's master voter file system security to steal Clinton campaign data:"
"They not only viewed it, but they exported it and they downloaded it," Wasserman Schultz told CNN's Wolf Blitzer. "We don't know the depth of what they actually viewed and downloaded. We have to make sure that they did not manipulate the information."

The DNC also sent out a strongly worded message from Wasserman Schultz to its members accusing the Sanders campaign of improper conduct: "Over the course of approximately 45 minutes, staffers of the Bernie Sanders campaign inappropriately accessed voter targeting data belonging to the Hillary Clinton campaign," Wasserman Schultz said in the message.

"Once the DNC became aware that the Sanders campaign had inappropriately and systematically accessed Clinton campaign data, and in doing so violated the agreement that all the presidential campaigns have signed with the DNC, as the agreement provides, we directed NGP VAN to suspend the Sanders campaign's access to the system until the DNC is provided with a full accounting of whether or not this information was used and the way in which it was disposed," Wasserman Schultz said in news interviews.
DNC Chair Schultz told reporters she would to not grant the Sanders campaign access to VAN until it has proved it destroyed all of the Clinton campaign data it had inappropriately accessed.

But the media virtually ignored how the story sprung to life in the first place; The DNC's data services company NGP VAN Inc. switched off data privacy protocols between every candidate's campaign data. The media also ignored that statements issued by NGP VAN Inc. did not match DNC chair Wasserman Schultz's account of what Sanders' staffer did do, or could do, or that NGP VAN Inc. management put distance between themselves and Wasserman Schultz's actions.
NGP VAN Inc. posted to the company blog the company played “no role” in making the decision to lock the Sanders campaign out of the file and that its staff worked long hours to quickly restore the campaign’s access following the agreement with the DNC. The blog post includes additional information and clarification on statements made by DNC and Clinton campaign senior officers through the 24 hour period after WaPo broke the story Thursday evening:

On Wednesday morning, there was a release of VAN code. Unfortunately, it contained a bug. For a brief window, the voter data that is always searchable across campaigns in VoteBuilder included client scores it should not have, on a specific part of the VAN system. So for voters that a user already had access to, that user was able to search by and view (but not export or save or act on) some attributes that came from another campaign.

First, a one [page] page-style report containing summary data on a list was saved out of VoteBuilder by one Sanders user. This is what some people have referred to as the “export” from VoteBuilder. As noted below, users were unable to export lists of people.

... no NGP data was impacted by this situation, nor any Action ID or FastAction data. No client websites or web site data were impacted, either. For VAN clients, no myMembers, myWorkers, or myCampaigns data was impacted. The one area that was impacted was voter file data. We are confident at this point that no campaigns have access to or have retained any voter file data of any other clients;
Another fact the media did not note or follow up is that while DNC chair Wasserman Schultz was demanding Sanders campaign provides an accounting of what the campaign's now fired staffer had done, as well as assurances that all Clinton data has been destroyed, the Sanders campaign could do neither while it remained locked out its VAN/VoteBuilder userid accounts.
As stated in NGP VAN Inc. company's posted statements, nothing was exported or downloaded from any VAN/VoteBuilder userid account except page-style report. All of Clinton data at issue was contained in the four VAN/VoteBuilder userids at issue. Statement issued by NGP VAN Inc. makes clear this was the fact and they were aware of it.

DNC and NGP VAN Inc. administrators of the VAN/VoteBuilder system themselves had the ability to view the 25 data searches and any data lists that resulted from those search on the four Sanders Campaign VAN/VoteBuilder userid accounts. Further more, DNC and NGP VAN Inc. system administrators had the ability to delete those lists or entirely delete the four Sanders campaign userid accounts, if they wished. That visibility into the four userid accounts, together with the audit log of activities executed within those four accounts, provided DNC and NGP VAN Inc. staffers and officers had all the information DNC Chair Schultz demanded Sanders campaign turn over to her as condition of restoring VAN/VoteBuilder system access to the Sanders campaign. NGP VAN Inc. company's posted statement also makes clear they knew an innocuous single page page-style report was the only item "saved" outside of the VAN/VoteBuilder system.

While the DNC and NGP VAN Inc did not make VAN activity logs available to the Sanders campaign while it was lock out of VAN, that information was given to the Clinton campaign. The Clinton campaign then released those activity log reports to the media accusing the Sanders campaign of malicious intent and illegal behavior. Clinton campaign press secretary Brian Fallon said in a statement on Friday, “We were informed that our proprietary data was breached by Sanders campaign staff in 25 searches by four different accounts." Fallon told Yahoo News that logs of Sanders campaign activities in VAN had been provided to the Clinton campaign by NGP VAN Inc. when the company told the Clinton campaign that Sanders' campaign staff had breached its data. Those logs were not given to the Sanders campaign until Saturday.

Again, the Sanders campaign was locked out of the VAN/VoteBuilder system and so had no data or information to turnover to DNC chair Wasserman Schultz or even know first hand the contents of the four Sanders campaign userid accounts at issue.   In the mean time, the DNC already had all of the information the DNC chair demanded from the Sanders campaign through their access to the four accounts.

Sanders’ campaign manager Jeff Weaver showed reporters an email he sent to DNC officers on Thursday, before Schultz broke the story with WaPo reporters, providing the information they had on the actions of the staffer they had already fired from the campaign.
What Is NGP VAN Inc.

NGP VAN Inc. is a private political information services company that provides voter information data, software and services to the DNC under a sole-source contract. The DNC contracts with NGP VAN to store and securely manage its master voter information data base and provide data services to DNC clients.

NGP VAN was formed when two leaders in the progressive technology space, Voter Activation Network (VAN) and NGP Software (NGP) combined operations in a strategic merger of equals, effective December 31, 2010. The VAN company was the leading provider of database software enabling voter targeting and contact, volunteer management, and organizing tools to Democratic campaigns, labor unions, and non-profit organizations. NGP was the leading provider of fundraising and compliance, and new media software to Democrats and their allies.

The DNC makes its master voter information data base along with NGP VAN data management services universally available by license contract to its clients - National Democratic Party candidate campaigns, the state Democratic Party organization of each state that then licenses VAN to Democratic Party candidates running in the state, and county Democratic Party organizations. The DNC also grants licenses to other Democratic organizations throughout the 50 states. Those DNC clients then add their own proprietary information gathered by field workers and volunteers.

Firewalls are supposed to partition each client organization's proprietary data so only the staff of each client can view and update their own data. The DNC's sole-source contract with NGP VAN Inc. requires that company to securely manage the data each DNC client layers on top of the DNC's shared master voter information data base. NGP VAN Inc. is run by Stu Trevelyan, a veteran of Pres. Bill Clinton's 1992 presidential campaign "War Room" and then Pres. Clinton's Administration.

DNC Data Services Contracts With Candidate Campaigns

The DNC in turn signs data services contracts with candidates and other organizations for access to the DNC's shared voter data base through its services vendor NGP VAN Inc. Those contracts guarantee data added by each client will remain private through firewalls that securely partition each client's data.

The data services contract between the DNC and the Sanders campaign, and every campaign, requires the DNC to provide professional and secure data management services. The contract says:
"... the DNC shall not sell or transfer Campaign data to any third party without the express prior written permission if the Campaign. The DNC agrees to use security measures with respect to the Campaign data, that are consistent with good practices in the data processing industry. ... Neither Party shall be liable to the other Party or to any person claiming rights derived from the other party's rights ... "

The contract does not make any campaign responsible for the security of any other campaigns' data, as claimed by DNC Chair Schultz in her assertion the Sanders campaign staffer breached the contract by viewing Clinton campaign data. In fact, the contract is explicit that no DNC client is held responsible for the data of any other client.

The Agreement also states, in relevant part: Either party may terminate this Agreement in the event that the other party breaches this Agreement; "the non-breaching party sends written notice to the breaching party describing the breach; and the breaching party does not cure the breach to the satisfaction of the non-breaching party within ten (10) calendar days following its receipt of such notice." The Agreement does not permit either Party to suspend its performance of the Agreement prior to terminating the Agreement in accordance with the provision above. The Agreement does not permit either Party to terminate or suspend the Agreement without notice, or without providing the breaching Party with the requisite opportunity to cure.

The DNC did not provide to the Sanders campaign written notice of contract breach or allow 10 days for the Sanders campaign to cure the breach of contract complaint before suspending VAN DB access. In fact, the Sanders campaign did not breach any provision of the data services contract, and the Sanders campaign claims both the DNC and NGP VAN Inc. breached contractual obligations to the Sanders campaign, and all their clients, by dropping their security firewall and exposing every client's campaign data, whether or not anyone outside their campaigns viewed the data. The DNC was in further breach of contract with the Sanders campaign by suspending its VAN system access without giving written notice and a 10 day period to resolve the complaint.
A Brief History of VAN

As early as the 1960s Democrats began systematically assessing which precincts should be allocated campaign resources using statistics aggregated over fairly wide geographic areas. By the 1990s, the precinct was being supplanted by the individual voter as the unit of analysis, just as wall maps and clipboards were giving way to web applications and Palm Pilots.

The Help America Vote Act of 2002, which imposed standard formatting on voter registration information collected by the states, paved the way for party-maintained, nationally comprehensive registries of voters. By the 2006 midterm elections, Sasha Issenberg writes in The Victory Lab, Voter Activation Network’s eponymous system had “emerged from a pack of state-specific interfaces to become the national standard for voter contact on the left.” The VAN was a cornerstone of Obama’s unprecedentedly large and sophisticated Get Out The Vote (GOTV) efforts in 2008, ensuring its centrality to party infrastructure for years to come.

Democrats who were actively organizing during the 2008 election cycle will recognize the data management and VRM systems used by the Democratic Party affiliates and the OFA campaign:

VAN –– The Voter Activation Network was built by a private Boston-based company of the same name with partner Blue State Digital, another Boston-area company founded by veterans of the Dean campaign. At the foundation of VAN system is a national database of voters’ voting history and contact information that was originally populated with data from Howard Dean’s 2004 presidential campaign, data from legacy DNC DataMart and Demzilla voter files and other voter history data sources. VAN is primarily a database with a web front-end that provides data sorting, searching and reporting functions to slice and dice the data. VAN, now in its fourth major generation, does not yet provide analytic capabilities. VAN is available to Democratic Party affiliates in all fifty states as the DNC’s VoteBuilder web application.

VoteBuilder –– VoteBuilder is the DNC's branded version of the VAN data access web application for data sorting, searching and reporting slice and dice functions. The DNC makes VAN data available to all 50 state party affiliates, local democratic candidates and national Democratic candidates through the VoteBuilder web application.

PartyBuilder –– PartyBuilder is the DNC's social networking system designed to offer most of the functions found in commercial social networking systems such as MySpace and Facebook.

Catalist –– Catalist, a private data company run by Harold Ickes and Laura Quinn, maintains detailed scoring  information on 280 million Americans, nearly every registered voter and eligible voter in the United States. The Catalist scores database includes information on how people vote, how often they vote and what motivates them to vote. More than 90 groups subscribed to Catalist data in 2008, including the Obama campaign.

Catalist appends a unique identifier to each name as it flows through its master national file -- and this allows the various data silos to be synced and in effect "talk to each other."

Strategic Telemetry –– Ken Strasma's firm used data from a variety of sources to set targets and create the likely voter model used by the Obama campaign. The exact composition of that set of analytics and statistical model is a closely held secret by the company and Obama’s most senior advisors.

MyBarackObama.com –– MyBO was developed as the web portal of the OFA campaign and functioned as the volunteer social networking mobilization and fundraising hub of the campaign. MyBO provided the communication channel and organizing tools seen and used by campaign staff, field organizers and volunteers, In January 2009 MyBO was handed over to the Organizing for American organization as a subsidiary of the DNC.

The Obama campaign integrated Facebook “friends” data, supporter and volunteer data captured in MyBarackObama.com, Strategic Telemetry data, Catalist data and VAN/VoteBuilder data for analysis. All data sources were being updated in near real-time, particularly the VAN data, which was constantly updated by Obama’s own campaign volunteers plus Democratic Party affiliates in all 50 states down to the county level precincts. (MyBO’s 13 million email ids are held separately.)

The Obama campaign and Strategic Telemetry processed all this collected data through Strategic Telemetry’s analytics and statistical model software system to track the electorate’s key issues and create targeted persuasive messages for the campaign and the candidate to communicate back to the electorate.
Obama Makes VAN's Database 10 Times Larger
Credit: Technology Review / Thursday, December 18, 2008.

One side effect of Barack Obama's Webcentric presidential campaign is that it helped turn the Democratic National Committee's voter database--information on the political leanings and interests of millions of U.S. citizens--into a far more potent political weapon. In the final two months before Election Day, 223 million new pieces of data on voters accrued to the database, and the DNC now holds 10 times as much data on U.S. voters as at the end of the 2004 campaign, according to Voter Activation Network (VAN), a company based in Somerville, MA, that builds front-end software for the database.

Such information could prove vital for future elections in that it shows where to allocate resources most effectively--particularly when it comes to voters who are wavering between parties--and what kinds of messages will appeal to specific voters. While some of 223 million pieces of data added in the final stretch of the campaign are not particularly useful (it includes canvassers' or callers' notations that a voter "refused to talk" or "wasn't home"), overall, it's a gold mine, says Mark Sullivan, co-founder of VAN.

"The data collection in 2008 was a quantum leap from where we were in 2004," Sullivan says. "It also means that we start the 2010 cycle with vastly more knowledge about who voters are, and how we can best communicate with them, rather than feeling like we have to start all over again." This information could perhaps even help Obama govern if the DNC decides to ask average Americans to contact members of Congress about specific policy efforts related to, say, energy, health care, or the Iraq War.

The VAN database--Sullivan would not describe its exact size, but there are about 170 million registered voters in the United States--can be used by all Democratic candidates in national or state elections. In the case of primary campaigns, new data collected by a Democratic combatant is kept by the candidate and added to the national database after a winner emerges.

While most campaigns add something to the database, the biggest contributor this year was, of course, the Obama campaign. For example, tens of thousands of times, volunteers logged in to Obama's social-networking site, my.barackobama.com (MyBO), and downloaded small batches of voter names and phone numbers, dialed them up, and followed various scripts. The aim was to learn their political and issue leanings, encourage people to vote for Obama and to ask supporters to make sure they go to the polls. These responses were recorded by the volunteers using a Web interface, adding to the database instantly.

In the final four days of the campaign alone, four million such calls were made through MyBO, says Jascha Franklin-Hodge, cofounder and CTO of Blue State Digital, which built MyBO as well as the interface to the VAN voter list. "This was just using our tools in that short window of time--never mind what the actual field organization was doing on the ground," he says. MyBO was hardly the only source: the DNC, local campaign offices, traditional phone banks, and canvassers also added data in various ways.

Beyond the data gathered on voters, the Democrats and Obama also have access to a network of willing volunteers who can be used to recontact voters. "They've got a whole volunteer structure that gathered all this information that can be put to used in the 2010 midterms, and can hopefully be available for a reelection [of Obama]," Franklin-Hodge says. "There is a tremendous amount of data mining and analysis that goes on within the party and political organization that allows a better understanding of how people vote and how they make decisions."

This approach--"micro targeting" voters based on their feelings toward specific issues--was once the domain of the Republican National Committee. But even leading Republican figures now acknowledge that the days of GOP voter-data dominance have ended. "For decades, the RNC has had a significant advantage in their voter file, and in their ability to identify and turn out voters," says Mike Connell, founder of New Media Communications, an Ohio-based Republican new-media firm. "With the Obama campaign and the efforts over the last couple of years, [the Democrats] have made significant strides and have caught up."

A key reason for the DNC's data advance was a decision by DNC chairman Howard Dean to improve data sharing among Democratic organizations at the state level. "Four years ago, Howard Dean 'got it,'" Connell says. "Not a lot of people give him credit, but he made a transformation."

Since then, the DNC and VAN have steadily improved the database interfaces. This year, the newest tool in the arsenal was a Google Maps application developed by VAN that makes it far easier to chop up lists of voters in specific precincts for canvassers to personally visit. In the new application, called "turf-cutter," voters' homes are displayed as icons on a map. A few clicks of a mouse allow organizers to draw boundaries around clusters of voters' homes and print out the resulting list for volunteers.
How Does the NGP VAN System Help Candidate and Party Organizers?

VoteBuilder is comparable to a shared Google spreadsheet, each row of which represents one of the tens of millions of persons currently registered to vote. The DNC is responsible for compiling this list from voter registration data available to the public from state governments, which they clean up in various ways (e.g., removing duplicate records and the records of the deceased).

The ideal upshot of this process is a unique “VANID” for each registered voter in the country that can be used to track the person from election to election, potentially from state to state, and determine whether and how to attempt to persuade the voter to support a particular candidate. At a minimum, each record will include the voter’s name and address. In some states, party affiliation, voting history (whether, but not how, one voted), gender, and phone number are also available. This is the core data to which all Democratic campaigns have access; think of them as the columns in the spreadsheet everyone in the party can see.

It’s worth noting that NGP VAN’s relation to this data is exactly analogous to Google’s relation to your data when you paste it into Google Docs. The VAN provides a bespoke means of accessing and manipulating the voter file, but the DNC retains all intellectual property rights.

Particular campaigns can, so to speak, add columns to the spreadsheet that only their staff can see and act upon. For example, when a volunteer contacts a voter, she’ll typically rate the voter’s level of enthusiasm for the candidate on a numeric scale. It is not unusual to see a half-dozen such ratings associated with the record of a voter in an important district.

Additional columns are often derived from data on consumer habits (e.g., magazine subscriptions) available from data brokers or polling done at the behest of the campaign. Large campaigns may have an in-house team to enrich their voter files, but most of this work is conducted by outside firms specializing in political marketing analytics like Catalistor TargetSmart.

The considerable cost of compiling and maintaining this information is justified by the promise of efficient employment of the campaign’s volunteer resources in the pursuit of vote totals. When field staffers in a regional office are confronted with fifty volunteers three months before a primary, they turn to the VAN to generate marching orders. Who should get a phone call? Who should get a visit from a volunteer?

As Election Day nears, the pace at which such decisions are made quickens, with the available data and prevailing strategic thinking (e.g., “ought we target women more aggressively?”) changing all the while.

What Are Scores?

The central issue in this story is the column(s) of custom ”scores” tagged to each voter’s record information by individual campaigns are most often hidden from all other VAN users. A score is an estimate of the probability that a voter possesses some attribute. The two essential scores provided by VAN to all users are those for support — how likely the voter is to be supportive of the candidate — and “turnout” — how likely the person is to vote (the product of these terms being the likelihood that they turn out and vote for the campaign’s candidate).

Beyond these, scores are computed for a dizzying array of voter attributes salient to campaigns: Democratic Party Support, Likely College Graduate, Frequency of Church Attendance, Likely Gun Owner, Source of TV (Likely Cable, Likely Satellite, Likely Broadcast), Spanish Language Preference, Fiscal Progressive, Choice Support, Immigration Progressive, Climate Change Priority, Progressive Activist Score, Unmarried Score, etc. (these examples are drawn from (Clarity Campaigns and a VAN training manual). In addition to this scoring data provided by VAN and available to all, individual campaigns can attach additional tags and scores from data collected about voters by the individual campaigns.

The stock-and-trade of campaign field staff is finding ways to narrow the universe of voters:
Creating a universe for a national or statewide campaign is a complex process that campaigns hire teams of experts to create — think the data team from the Obama campaign in 2012 — but spending time deciding on a universe for your campaign is an important planning step. You’ll want to make sure that you think through why you contact certain voters and certain times. While there is no generalizable universe that will work for all campaigns, a good place for a Democrat running in a non-partisan race to start would be with all voters identified as Strong Democrats, Leaning Democrats, Undecided, or Leaning Republican for their Likely Party. Adding in voters who are listed as “Unknown” or “No Data” can help expand beyond the current information in VoteBuilder, but will inherently mean that you risk speaking to more strong opponents than otherwise.
Let’s say you’ve been tasked with sending canvassers to find young people in Dallas, Texas, who might themselves volunteer to canvass. The volunteers you have on hand are in the North Park neighborhood, so you begin by restricting your query to the surrounding area. The VAN informs you your query resulted in a list of several thousand doors you could knock. That being too many, you begin narrowing down your query: residents of the area surrounding North Park, younger than thirty, who have at least 90 percent chance of being Democratic voters, an 8 percent chance of being progressive activists, and have not yet been visited by a volunteer.

If the count is still too high for your liking, you might lower the age or raise a score threshold.
What staff are doing here is no more remarkable than selecting rows in a large spreadsheet by the values in a few columns. As a volunteer for the Obama campaign in DFW metro area during the 2008 election cycle, I spent a great deal of time running such queries and segmenting them geographically to generate lists of addresses to hand to canvassers (a process known as “cutting turf”).

Back to the Sanders Campaign Stumbling Upon the VAN Bug

In VAN, there are two ways one can “save” the list produced by such a query. The first stores a representation of the query itself, the second a list of VANIDs. Using the former method, the set of voters included in the list may vary as, for example, scores are updated. Whichever of these Sanders staff used, no VANIDs, much less complete voter records, would leave NGP VAN servers. They would, however, have the number of voters who satisfied their query parameters.

NGP VAN CEO Stu Trevelyan described the incident this way:
On Wednesday morning, there was a release of VAN code. Unfortunately, it contained a bug. For a brief window, the voter data that is always searchable across campaigns in VoteBuilder included client scores it should not have, on a specific part of the VAN system. So for voters that a user already had access to, that user was able to search by and view (but not export or save or act on) some attributes that came from another campaign.
In other words: after the update that introduced the bug, someone in the Sanders campaign noticed that the campaign specific scores tagged to voter records by the Clinton campaign were available in the query builder described above. Uretsky and his staff then filtered voter records that all Democratic campaigns share using Clinton’s scores.

The access logs the VAN automatically generates have not found their way to into the press, and this isn’t surprising, as they would be near-unintelligible to all but a few NGP VAN engineers. What has been released is a summary of the logs, presumably written by just such an employee.

They tell us that Uretsky and his staff created a series of lists with names like “HFA Support <30”, which we can assume is a list of voters whose Clinton support score is below 30 percent. The searches are semi-systematic: in one series of queries for voters in South Carolina, they first include supporters who meet a very lax cutoff (60–100 percent), then a marginally more stringent one (50–100 percent), then those least likely to support (>30 percent), and finally those who could go either way (30–70 percent).

In addition to the standard turnout and support scores, they employed variants titled “Primary Prioritization” and “Combined Persuasion.” They only looked at states with primaries before or on Super Tuesday (Alabama, Texas, New Hampshire, South Carolina, Iowa, Colorado, Arkansas, Virginia, Texas, and Tennessee) or shortly afterward (Utah and Florida).

There’s a compelling theory that the DNC leaked the controversy about the Sanders campaign to distract from the data security failure of their sole-source vendor NGP VAN. Indeed, whether political connections or mutual backscratching drives the relationship between the DNC and NGP VAN Inc., it’s clear the two entities are intertwined in a way that raises Democratic vulnerabilities for no good reason.

The Sanders campaign called this particular breach of contract a common occurrence: The Sanders campaign said in a statement firewall security was down in the voter file system run by DNC's sole-source vendor NGP VAN Inc. Michael Briggs, the Sanders' campaign spokesman, said in a statement by reported by the New York Times:
“On more than one occasion, the vendor has dropped the firewall between the data of different Democratic campaigns…”

“Our campaign months ago alerted the D.N.C. to the fact that campaign data was being made available to other campaigns. At that time our campaign did not run to the media, relying instead on assurances from the vendor.”

“Unfortunately, yesterday, the vendor once again dropped the firewall between the campaigns for some data…”
Sanders' campaign on Friday sued the DNC in federal court

The Sanders campaign filed a lawsuit on Dec. 18 asking a federal court judge to order the DNC to live up to the terms of the data services contract it signed with Sanders campaign and immediately restore VAN system access. At a press conference announcing that suit, Sanders campaign manager Jeff Weaver described the DNC’s behavior as an effort to “undermine” Sanders’ attempt to mount a progressive challenge to Clinton.
“By their action, the leadership of the Democratic National Committee is now actively attempting to undermine our campaign. This is unacceptable. Individual leaders of the DNC can support Hillary Clinton in any way they want, but they are not going to sabotage our campaign — one of the strongest grassroots campaigns in modern history,” Weaver said.
After filing its lawsuit in federal court, the DNC restored Sanders' campaign access to VAN. Even after having its VAN access restored, the Sanders campaign has said it will proceed with its lawsuit against the DNC. Sanders' lawsuit asks a federal court judge to compel the DNC and NGP VAN to make available VAN audit reports over a period of time to prove they are in compliance with their data security obligations.

Some Technical Background On The Data Exposure Event

Josh Uretsky, the VAN administrator for Sanders campaign who the DNC chairwoman accused of stealing Clinton campaign data, was logged into his Sanders campaign VAN user account and noticed he could see Clinton data he should not have been able to see. So, he decided to gauge how deeply the Clinton campaign was able to search and view Sanders campaign data, by experimenting to see how much of the Clinton data he could search and view. That’s a bad call in this political campaign context, but by information security standards it’s not unthinkable: it’s what is known as a white hat intrusion, to investigate how much of the firewall was down by probing the other side and assuming your own data was revealed exactly the same way.

NGP VAN Inc. software engineers wrote software to track and record in an activity log every action taken by every NGP VAN system user. This auditing facility is intended to deter DNC clients from viewing data of other clients when data security firewalls fail. The Sanders campaign guy is an experienced VAN administrator and therefore was aware every search creating every list on that Wednesday morning was logged. Knowing he was being watched, why would he steal Clinton data?

In an interview with MSNBC’s Steve Kornacki, Uretsky justified the actions of Sanders staff this way:
Kornacki: “What we’re able to see from these documents is that people from your campaign — for over forty minutes – were able to access . . . were able to look at, search, and make copies of . . . Clinton supporter lists, from her side of the wall. What is the justification for doing that?”
Uretsky: “. . . So I guess what I want to say is that we knew that what we were doing was trackable and we wanted to create a clear record of the problem before reporting it so we could make sure we weren’t crying wolf . . . so that the extent of the exposure of our data, to the other political entities . . . We had to assume that our data was equally exposed and updated reports prove . . . show that it was. We wanted to document and understand the scope of the problem so that we could report it accurately.”
Later in the interview, Uretsky took issue with the characterization of his actions as “making copies”:
Kornacki: You were making copies of her voter list, weren’t you?
Uretsky: I guess you could phrase it that way, but we never . . . but those systems were all within the VoteBuilder/VAN system . . . the Voterbuilder/DNC system . . . it was all within their custodianship. If that makes any sense. So we didn’t . . . at least to my knowledge, we did not export any records of voter file data that were based on those scores. So yes we did establish proof there was a problem so that A: we understood what that problem was and B: we could accurately report that up the chain.
Uretsky was entirely justified in pushing back on this. Running queries to build lists is not necessarily a step toward exporting them.

Similarly, Uretsky told CNN:
In retrospect, I got a little panicky because our data was totally exposed, too. We had to have an assessment, and understand of how broad the exposure was and I had to document it so that I could try to calm down and think about what actually happened so that I could figure out how to protect our stuff.
That he was concerned the problem was symmetrical — that Clinton’s staff could see their scores if they could see Clinton’s — is believable, and factually what did happen.

The focus on the possibility of an export is misplaced. NGP VAN’s official statement makes clear that he did not have sufficient permissions to do so. But even if he had, the scores are only useful for filtering VAN entries, so there is no reason to export them.

Lost in frenzy of media stories that cascaded from the DNC Chair Shultz's statements to the press: anything open to ‘view’ in the Clinton data partition was just as open to view in the Sanders data partition, literally. It’s the same system and the same firewall, and if the firewall mysteriously disappears, without prior warning or explanation from the vendor, any IT professional will wonder what’s up, and more relevantly, what of his data is being made available for others to see, which might explain why the firewall’s down, in the first place.

Who in the Sanders Campaign looked at Clinton's openly available campaign data, and why did he look?

Josh Uretsky (pictured right with Pres. Obama in 2008) was the Sanders campaign’s National Data Director who discovered NGP VAN had opened every candidate's campaign data for viewing by every other NGP VAN client user.

Uretsky, 39, was hired by the Sanders campaign in September, according to his LinkedIn profile. Uretsky writes his functional role was to be the campaign's national VAN data base system administrator, with a title of Data Director.

Uretsky was well known to DNC and NGP VAN officials and was in fact recommended to the Sanders campaign by people with ties to the DNC and NGP VAN - Andrew Brown and Bryan Whitaker. Uretsky gave Brown and Whitaker as references when he applied for a job with the Sanders campaign.

Andrew Brown is the DNC’s National Data Director and works closely with NGP VAN and candidate campaigns who use the DNC's shared master voter file.

Bryan Whitaker was COO at NGP VAN when he recommended Uretsky, but left the company immediately after. Whitaker was hired by TargetSmart Communications, a non-profit political information and communications technology management company, similar to NGP VAN, to the position of Chief Innovation Officer.

It’s worth noting Brown was the Iowa technology director for the Clinton campaign from 2007-2008 during her first presidential run. He replaced Bryan Whitaker as the Director of Technology for the DNC in April 2013 when Whitaker moved over to serve as NGP VAN Inc's Chief Operating Officer.

Uretsky's LinkedIn profile says he is from Philadelphia and before being hired by the Sanders campaign in September he had worked as the data and targeting manager for America Votes from November 2011. His resume includes being a regional field organizer for the Committee to Elect Seth Williams in Williams' 2009 campaign for Philadelphia District Attorney. Uretsky managed Williams' Northwest Philadelphia field office. Before that, Uretsky was co-chair of Philadelphia for Obama from Aug. 2007-Nov. 2008.

Uretsky graduated from the University of California-Berkeley in 1998 with a degree in bio-engineering, with concentrations in computer science and genetics. In addition to his work in politics, he worked as a C++ programmer at Mystic Wave Productions, a company that designed software for teachers, from 1995 to 1997. He was also a programmer at InfoUse, another educational software company, from 1998 to 2000.

Uretsky is an idealist and a progressive but not someone who would do something untoward to gain electoral advantage, friends and associates say his friends.
"He is not a schemer," said Adam Bonin, a Philadelphia election-law attorney and friend of Uretsky. "It's just impossible for me to imagine that he would be looking at this situation and say, 'Let's figure out how to exploit it for the campaign.'" Bonin said his friend was overwhelmed by the attention after initially offering explanatory interviews to national news outlets.

"He's dedicated his life to trying to implement things that he believes in," said Dan Fee, a longtime political consultant who runs The Echo Group in Philadelphia. Fee calls Uretsky a man of "integrity."

I have trusted Josh with data for a long time," said Kati Sipp, director of Pennsylvania Working Families, an independent political organization that champions progressive causes. Sipp said she worked with Uretsky on voter targeting efforts on various races over the past six years, including while Uretsky was on staff at America Votes Pennsylvania. One such campaign included the successful primary bid earlier this year by Philadelphia Mayor-Elect Jim Kenney.
CNN interviewed Uretsky shortly after WaPo broke the story Friday morning, December 18th. This is what he had to say:
"We knew there was a security breach in the data, and we were just trying to understand it and what was happening."
[…]
"To the best of my knowledge, nobody took anything that would have given the (Sanders) campaign any benefit."

“…I knew full well that I was creating a record that the administrators could see.”
Uretsky further explained in a MSNBC interview the campaign didn’t “take custodianship" because the result of every action was they took was logged by the VAN/VoteBuilder system and stored with the VAN/VoteBuilder system custodianship under the four VAN userids used to document that the NGP VAN company had dropped system firewall security between candidate client accounts.

Uretsky said he noticed data of other campaigns was visible to Sanders campaign VAN userid accounts on Wednesday morning.
"We investigated it for a short period of time to see the scope of the Sanders campaign's exposure and then the breach was shut down presumably by the vendor… We did not gain any material benefit."
According to Uretsky, his team notified his superiors in the campaign and then was about to call the DNC, when they called him.
“They [the DNC] called me fairly quickly after the breach was closed to inform me that there was something weird going on and that portions of the VAN system were shut down.”
Uretsky said he was deliberately testing the extent of the exposure of other campaigns data, knowing Sanders campaign data was visible to other campaign users of the VAN DB system. Uretsky said he was going through the system to demonstrate to people who know the VAN system that something was wrong. He said he was testing the depth of the problem. Uretsky was:
"…going through stuff that I wasn't supposed to have access to."
[…]
"This wasn't the first time we identified a bad breach in the NGP-VAN system… "

"In retrospect, I got a little panicky because our data was totally exposed, too. We had to have an assessment, and understand of how broad the exposure was and I had to document it so that I could try to calm down and think about what actually happened so that I could figure out how to protect our stuff."
Uretsky was likely behaving in the way a corporate IT systems administrator would behave to find the extent of the problem. But, with the high stakes politics of presidential campaigns and the highly volatile nature of this primary, using his “IT computer programmer sense” wasn’t the right decision for the national VAN DB administrator of a presidential campaign. This misjudgment is why the Sanders campaign fired Uretsky.

Tad Devine, senior adviser to the Sanders campaign, said Uretsky had mishandled things by not immediately reporting to top staffers that a VAN system problem had caused Clinton voter information to appear in Sanders' campaign NGP VAN user accounts Thursday. That's why he was fired that day, before it became public, he said. Uretsky's lack of experience on major campaigns - his highest previous post was crunching data for a progressive coalition of labor unions and other groups in Pennsylvania - "certainly could contribute to this," Devine said. Uretsky didn't have an appreciation of how his actions could be exploited to tarnish Sanders' campaign.

"It was 100% my responsibly and I take full responsibility for whatever happened," said Uretsky.

Motives

Understanding the circumstances of events, contractual obligations of all parties, VAN/VoteBuilder functionality, and a little of Josh Uretsky's political and professional background, one must question the motives of Democratic National Committee (DNC) Chairwoman Debbie Wasserman Schultz. Josh was a political IT guy known to both DNC and NGP VAN Inc. staffers to be of good professional and personal character. Why else would they recommend Josh to the Sanders campaign? One must ask, if in the rush to discredit Sen. Bernie Sanders, did DNC Chair Wasserman Schultz throw a good Democrat and talented IT professional under the bus?

More:

Author's Note: Michael Handley, author of this story, is computer scientist and retired executive from the Independent Computer Software Industry with extensive experience in distributed application and data base system technology. Michael has extensive experience with NGP VAN Inc's distributed VAN/VoteBuilder system as a user and system/user administrator, having served many years as a County Democratic Party Precinct Chair, candidate campaign consultant, and County Party Political Director. Michael has trained and directed a variety of political activists in using VAN/VoteBuilder facilities to target voters for ID canvassing and get out the vote operations.

No comments:

Post a Comment