
Note: My thoughts and conclusions posted here are not meant to be accusations or proof of anything.  It is just my analysis of what information is out there.  I know that some may not believe that NGP is being accurate in what they are saying or that there is some vast conspiracy out there, and the like, but I am simply looking at the information that has been shared and using this to piece together what I think happened.  (Aside, I think I need to stop watching crime procedural dramas on Netflix.)

In the last 24 hours, some additional information has been reported about the Sanders/DNC/NGP data issue, and since I’m a nerd who likes to think about random things, I’ve been doing a bit of what I am calling “CSI:VAN”.

Yesterday evening, the Executive Director of the DNC put out a statement on Medium.

A few parts of it stood out to me in particular:

On Wednesday morning, there was a release of VAN code. Unfortunately, it contained a bug. For a brief window, the voter data that is always searchable across campaigns in VoteBuilder included client scores it should not have, on a specific part of the VAN system. So for voters that a user already had access to, that user was able to search by and view (but not export or save or act on) some attributes that came from another campaign.

As a result of this analysis, NGP VAN found that campaign staff on the Sanders campaign, including the campaign’s national data director, had accessed proprietary information about which voters were being targeted by the Clinton campaign — and in doing so violated their agreements with the DNC.

These staffers then saved this information in their personal folders on the system, and over the course of the next day, we learned that at least one staffer appeared to have generated reports and exported them from the system.

So this is in line with what I gathered from the earlier reports – the Sanders staff was able to access information that was supposed to be private to the Clinton committee and saved it.

Some people on Twitter were saying “but they didn’t download anything and they didn’t save anything either,” but it appears that information was indeed downloaded/saved.  One main issue is that many of the people on Twitter have likely never used the VAN, so they don’t know that there are many ways to save information from the system.  So even though they didn’t save it to a file on their desktop, they did create folders within the system to save the lists.

NGP also reported:

First, a one page-style report containing summary data on a list was saved out of VoteBuilder by one Sanders user. This is what some people have referred to as the “export” from VoteBuilder. As noted below, users were unable to export lists of people.

Based on the logs that have been shared (while not ‘official’, it’s all I’ve seen), my guess is that they printed the results of the 4 counts and crosstabs reports one of the staffers ran.  This would give them a good 30,000 foot view of some of the lists they had run and saved.  I won’t go into details on how it would do this, but those who have used the VAN will understand.

As I explained in my previous post, data is not just a name, address and phone number. It is a comprehensive collection of data points on a voter that help you know whether they support your candidate, etc.  This can include previous support, ID questions, or other information about a person (are they interested in a specific issue or something like that).  This information is the result of a lot of hard work by individuals – often volunteers – and reflects and helps inform the overall campaign strategy.

NGP VAN also did take steps to limit access “to affected areas of the VAN product for all users and limited access to data exports.”  My guess is that this action probably kept full lists of voters from being exported in bulk.  This seems like standard procedure when an issue is flagged.

It also seems as though the Sanders team did not lose complete access to the system right away, but lost it after it became clear through logs that someone had attempted to save the information for future use.  Again, this seems fair, especially given my experience with signing VAN user agreements here in Minnesota.  To me, this is like your ATM card not coming out of the machine because you put your PIN in wrong too many times.  It sucks, but you just have to prove that it is your card and then you get it back.  It is an inconvenience, but better than having your card stolen and someone being able to put in numbers until they guess it correctly.

Now, I am not entirely sure what happened between the Sanders campaign and the DNC with trying to restore access.  The DNC says the Sanders campaign was not responding right away to show it was in compliance with the user agreement.  The Sanders campaign has said (basis for the suit filed) that they should not have been cut off right away, but that they had 10 days to comply if not in compliance with the agreement.  Either way – if this was me, I’d be trying to do whatever I could to remedy the situation.

Also, things like this are not helpful in general:

Second, there has been independent confirmation that NGP VAN has not received previous notice of a data breach regarding NGP VAN.  Josh Uretsky, the former National Data Director for the Sanders campaign confirmed on MSNBC (at 5:47), and also on CNN, regarding the previous incident: “it wasn’t actually within the VAN VoteBuilder system, it was another system.” (source)

In conclusion:

  • you can think that both the DNC and the Sanders campaign did not handle this well.  I do and hope that there are actions taken by both sides to prevent this from happening again.
  • just because you can, doesn’t mean you should.
  • data is important to modern day campaigns and we should be able to agree that inappropriate access to that data by opposing campaign staff is not cool.
