Select Page

I asked the reverend once, “What are we supposed to do in the face of so much senseless pain?” And he said to me, “What else can we do but take what seems meaningless and try to make something meaningful from it?”

Read more

No, we can’t just get a new VAN, part 2

Note: My thoughts and conclusions posted here are not meant to be accusations or proof of anything.  It is just my analysis of what information is out there.  I know that some may not believe that NGP is being accurate in what they are saying or that there is some vast conspiracy out there, and the like, but I am simply looking at the information that has been shared and using this to piece together what I think happened.  (Aside, I think I need to stop watching crime procedural dramas on Netflix.)

In the last 24 hours, some additional information has been reported about the Sanders/DNC/NGP data issue, and since I’m a nerd that like to think about random things, I’ve been doing a bit of what I am calling “CSI:VAN”.

Yesterday evening, the Executive Director of the DNC put out a statement on Medium.

A few parts of it stood out to me in particular:

On Wednesday morning, there was a release of VAN code. Unfortunately, it contained a bug. For a brief window, the voter data that is always searchable across campaigns in VoteBuilder included client scores it should not have, on a specific part of the VAN system. So for voters that a user already had access to, that user was able to search by and view (but not export or save or act on) some attributes that came from another campaign.

As a result of this analysis, NGP VAN found that campaign staff on the Sanders campaign, including the campaign’s national data director, had accessed proprietary information about which voters were being targeted by the Clinton campaign — and in doing so violated their agreements with the DNC.

These staffers then saved this information in their personal folders on the system, and over the course of the next day, we learned that at least one staffer appeared to have generated reports and exported them from the system.

So this is in line with what I gathered from the earlier reports – the Sanders staff was able to access information that was supposed to be private to the Clinton committee and saved it.

While some people on Twitter were saying “but they didn’t download anything and they didn’t save anything either.”  It appears that information was indeed downloaded/saved.  One main issue is that many of the people on Twitter have never likely used the VAN so don’t know that there are many ways to save information from the system.  So even though they didn’t save it on a file on their desktop, they did create folders within the system to save the lists.

NGP also reported:

First, a one page-style report containing summary data on a list was saved out of VoteBuilder by one Sanders user. This is what some people have referred to as the “export” from VoteBuilder. As noted below, users were unable to export lists of people.

Based on the logs that have been shared (while not ‘official’, it’s all I’ve seen), my guess is that they printed the results of the 4 counts and crosstabs reports one of the staffers ran.  This would give them a good 30,000 foot view of some of the lists they had run and saved.  I won’t go into details on how it would do this, but those who have used the VAN will understand.

As I explained in my previous post, data is not just a name, address and phone number. It is a comprehensive collection of data points on a voter that help you know whether they support your candidate, etc.  This can include previous support, ID questions, or other information about a person (are they interested in a specific issue or something like that).  This information is the result of a lot of hard work by individuals – often volunteers – and reflects and helps inform the overall campaign strategy.

NGP VAN also did take steps to limit access “to affected areas of the VAN product for all users and limited access to data exports.”  My guess is that this action probably kept full lists of voters from being exported in bulk.  This seems like standard procedure when an issue is flagged.

It also seems as though the Sanders team did not lose complete access to the system right away, but lost it after it became clear through logs that someone had attempted to save the information for future use.  Again, this seems fair, especially given my experience with signing VAN user agreements here in Minnesota.  To me, this is like your ATM card not coming out of the machine because you put your PIN in wrong too many times.  It sucks, but you just have to prove that it is your card and then you get it back.  It is an inconvenience, but better than having your card stolen and someone being able to put in numbers until they guess it correctly.

Now, I am not entirely sure what happened between the Sanders campaign and the DNC with trying to restore access.  The DNC says the Sanders campaign was not responding right away to show it was in compliance with the user agreement.  The Sanders campaign has said (basis for the suit filed) that they should not have been cut off right away, but they had 10 days to comply if not in compliance with the agreement.  Either way – if this was me, I’d trying to do whatever I could to remedy the situation.

Also, things like this are not helpful in general:

Second, there has been independent confirmation that NGP VAN has not received previous notice of a data breach regarding NGP VAN.  Josh Uretsky, the former National Data Director for the Sanders campaign confirmed on MSNBC (at 5:47), and also on CNN, regarding the previous incident: “it wasn’t actually within the VAN VoteBuilder system, it was another system.” (source)

In conclusion:

  • you can think that both the DNC and the Sanders campaign did not handle this well.  I do and hope that there are actions taken by both sides to prevent this from happening again.
  • just because you can, doesn’t mean you should.
  • data is important to modern day campaigns and we should be able to agree that inappropriate access to that data by opposing campaign staff is not cool.

No, we can’t just get a new VAN. . .

So, at this point everyone should have heard about the data issue that happened involving the the Democrats running for President.  However, there seems to be a lot of misinformation floating around out there about what happened, along with people just having no concept of what the VAN is/is not and what is can/cannot do.

I am not committed to any candidate for 2016, but as of late have been leaning towards supporting Hillary Clinton.  However, my thoughts below do not come from a place of being biased toward one candidate or the other.  It comes from a place of being a campaign hack and using the VAN for almost 10 years.  If you want to assume that I have it out for Sen. Sanders and his campaign, just don’t.  I am not a part of some vast DNC conspiracy.  Cool?

Key Terms

VAN: This is the shorthand way to refer to VoteBuilder, a platform developed by NGP-VAN, that is a way to analyze and access Voter File informaiton

Voter File: This is a list of registered voters, that will often include name, address, phone number, and email address.  This is public information that people – campaigns, the Party, etc – can request from their Secretary of State or Elections Office.

Data: For a campaign, this is not just the basics – name and contact information.  It is a comprehensive collection of data points on a voter that help you know whether they support your candidate, etc.  This can include previous support, ID questions, or other information about a person (are they interested in a specific issue or something like that).  This information is the result of a lot of hard work by individuals – often volunteers – and reflects and helps inform the overall campaign strategy.  The VAN allows campaigns to have private data that only members of their committee can see.

Committee:  Each campaign has a committee in the VAN, with campaign staffers and volunteers having a unique log-in to the system.  To put it simply, this is a room of campaign information that only approved members have the ability to access.

Database: A Presidential campaign likely has many things that can be referred to as a database.  They will likely have a platform to handle blast emails, one that tracks donor information, one for volunteers, and one for voters.  There is not one database to rule them all. 🙂

Some of my thoughts. . .

  1.  This was not a “hack”.  Based on what has been reported, it does not appear that the Sanders campaign staffers somehow access the Hillary for America (HFA) committee in the VAN.  Depending on the circumstances, that could be a hack, but since it didn’t happen here, doesn’t apply.

It seems, instead, that there was a set of data which was private to the HFA committee that showed up as accessible to users in the Sanders campaign committee.  To put it another way – imagine if you logged in to your email, and in addition to your email, all of a sudden you noticed you were getting someone else’s.  You didn’t log directly into their account, but somehow you are seeing their information.  This is similar to what seemed to have happened here.

2.  It does not seem like the Sanders staffers were just documenting a known issue.  Based on the search logs that have been released, they completed many searched across many different states and saved information to folders on the system and shared with colleagues.  In my opinion, the pattern of the types of searches they ran and how they were saved showed that they were trying to mine the data to use for their campaign.

Others viewed this the same way:

A question was raised in @IASTartingLine’s timeline that I think also is important to consider:

If the reports that private campaign data was exposed to all of the campaigns, it is interesting that only one of the three campaigns accessed and saved data from another campaign.  If you are in the VAN, it would be obvious if you had a code or something that wasn’t yours.  At some point, the Sanders staffer made the decision to create a search using a data point that wasn’t theirs.  That to me, is problematic.  I believe the staffer that did this has lost his job, but still claims he was just trying to document the issue.  As was pointed out above, the search patterns seem to indicate otherwise.

To the staffer(s) that were involved – just admit you did something wrong. Learn from your mistake, and don’t do it again. Cool?

3.  You can think the DNC overreacted and should restore access AND that the Sanders campaign also did something wrong. These are not mutually exclusive.  However, I personally think that a brief disruption in access would be appropriate once it was discovered there was an issue.  Perhaps the DNC should reconsider their contract language to protect if things like this happen, while also having an established mechanism to get access restored. #justsayin.

In MN, per the user agreements I’ve had to sign to access the VAN, campaigns can lose access if people are misusing the system without warning. I think this makes sense and not the 10-day window that the DNC has in their contract right now. Imagine how much data they could have mined in 10 days.  Eeek.

I also think that the lawsuit was an over the top response.  As I mentioned above, the campaign did something wrong, and facing some sort of consequence is appropriate.  Playing the victim? Yeah, not really working with me.

4.  This is about more than just access to data.  Remember how pissed people were when the Patriots were spying on other campaigns to learn their signals on the field?  This is kind of like that.  It also says a lot about a campaign team and the operation they are running.  And as I explained above, the information accessed wasn’t just basic details, it was internal campaign information.

The VAN works well because we have a shared commitment to the tool, and respect that other campaign data is not ours. This action violated that trust in my opinion.

Campaign staff and volunteers spend so much time and campaign resources gathering information about voters, and for someone from another campaign to come in and attempt to use it is inappropriate.

5.  To pretend that you wouldn’t be just as pissed if your campaign’s information was taken is foolish.  Stop playing.  Keep it real.  You’d be pissed and calling for people to be fired and whatnot.  To say otherwise just is shady.  At the end of the day, we should all be mad that a campaign did something shady and call on all campaigns to do better.  The stakes are too high to have a huge internal squabble.


I’m glad that the Sanders campaign is now able to access the VAN to reach out to voters and  I hope they drop the lawsuit.  The DNC should also reassess it’s contract language to protect against instances where it appears someone is accessing data inappropriately to protect the integrity of the data and also establish a way to restore access ASAP.



20 Hours in America. . . .

There’s a lot going on in the world right now – with the bad over shadowing the good.  I have a lot of thoughts and feelings going through my mind, but at this time I am unable to translate them into something coherent.  Since my own words are lacking, I am going to share some words from President Bartlet from one of the greatest episodes of TV ever.

“The streets of heaven are too crowded with angels tonight. They’re our students and our teachers and our parents and our friends. The streets of heaven are too crowded with angels, but every time we think we have measured our capacity to meet a challenge, we look up and we’re reminded that that capacity may well be limitless. This is a time for American heroes. We will do what is hard. We will achieve what is great. This is a time for American heroes and we reach for the stars. God bless their memory, God bless you and God bless the United State of America. Thank you.”