Breach and Overreach

Clinton and Sanders at the 1st Democratic debate
Clinton and Sanders at the 1st Democratic debate
Finally some drama in the race for the 2016 Democratic Presidential nomination!

Thursday night it was revealed that the Bernie Sanders campaign viewed and possibly downloaded proprietary information from the Clinton campaign for about 40 minutes.

This happened due to a mistake in an update pushed by DNC data vendor NGP Van.

Sanders’ access to the web-based software was suspended for a day, until he sued in Federal court and the DNC finally relented.

There’s been a lot of hoopla about this, some of it real, some manufactured, but there are really just a couple of critical points that are brought us to where we are today. So, in an effort to focus on what’s real and what’s conjecture, here’s the list.

NGP dropped the ball

NGP, the vendor the DNC uses to manage and support its voter list admitted to pushing a flawed software update. That update allowed campaigns to access each others data. While the issue was dealt with fairly quickly, but for the flawed update, the Sanders campaign never would have been able to access the data, and none of this would have even been a possibility.

I’m not sure about the details of the contract between the DNC and NGP, but if I had a vendor make such a critical error, I would definitely have some words for them. I would also be reviewing the contract to find out what kind of recourse is available, if any, and most likely write recourse into any subsequent contract with the company.

In our data driven world, the security of proprietary data is paramount. NGP is tasked with maintaining that security and should have to suffer consequences when they fail at their own hand.

Breach vs Access

DNC Chair Debbie Wasserman Schultz
DNC Chair Debbie Wasserman Schultz
The media, as well as the DNC, has characterized this as a ‘breach’ of data. I think that overstates what actually happened.

Sanders’ campaign was able to access Clinton’s data housed on NGP servers.

Breach, meaning ‘a hole or opening in something (such as a wall) made by breaking through it’ gives the impression that the Sanders camp hacked into something or intentionally set out to gain access in a fraudulent manner.

While they should not have accessed the data, that they had access doesn’t constitute a ‘data breach’ on their part, akin to a hack or some other mischievous activity.

Having access is a breach of contract on the part of the vendor. A campaign accessing unauthorized data is a breach of contract, on the part of the Sanders campaign. But the use of the word ‘breach’ as in a ‘hack’ is either intentionally misleading or just plain ignorant and lazy, depending on how tightly you’re wearing your tin foil hat.

Breach is certainly a more damning word than access and download, which, to my understanding of the situation, is what actually happened.

The Clinton campaign’s contention that the data was ‘stolen’ is just using the situation to a political advantage…which is unfortunate, but pretty par for the course.

Unethical Behavior

Sanders’ former data director, Josh Uretsky acted unethically when he directed four people in the campaign to access Clinton’s data.

Uretsky has been subsequently fired by the Sanders camp, and rightfully so.

Uretsky previously stated they looked at the Clinton data to ‘prove to the DNC that their data had been breached’.

But this isn’t the way to handle a problem. Rather than rooting around in Clinton’s data, Uretsky could have simply called NGP or the DNC or both, to report the issue and issued a halt on data work until the issue was resolved.

Had Uretsky acted in this way, he would have kept the Sanders campaign safe from the 24 hour bar that kept them from their voter file.

Buggy but powerful

I’ve been a VAN user off and on since 2008. In fact, the VAN is the tool Dr. Joe Weinberg and I used to identify the over 3000 voters who got incorrect ballots in the 2012 Shelby County primary election.

I can tell you that over the years I’ve been able to see other campaign’s data profiles from time to time, though I never intentionally accessed it nor attempted to.

In one instance I found that after logging in and running some searches, the results of which were inconsistent with the kind of search I was trying to perform, I discovered that I was in someone else’s profile. I’m not sure how it happened, but I quickly logged out and then back in, checked to make sure I was correctly in my profile, and went about my business. While I know my way around, I would never intentionally access someone else’s stuff, if for no other reason than fear of accidentally breaking something.

This highlights both the power and the potential pitfalls of such a massive integrated system. This instance may have an element of intention, in that the data director instructed people to use their unauthorized access, but people need to understand that access to other people’s data is not as uncommon as NGP would like you to believe.

Crime and Punishment

I believe a 24 hour hold on the Sanders campaign’s access to the VAN is an appropriate response to the use of unauthorized access that the campaign admits happened.

However, there are some problems with the DNC response:

First, the DNC really let NGP off the hook with their response. There has been no public rebuke of NGP for their failure to adequately secure data, mistake or not. In the high stakes world of the national nominating process, NGP’s failure to ensure the safety of client data should be a huge concern for all involved. That the DNC basically gave NGP a pass is troubling.

Second, the Sanders campaign did the right thing in firing the manager who ordered the unauthorized searches. But instead of the DNC acknowledging this correct response, they have used this to impugn the Sanders campaign in total. That’s just not fair. I don’t know when the dude got fired. I don’t know all the folks involved. But I do know that getting rid of someone who acts unethically is the correct response.

Finally, one has to wonder why this issue was brought into the public in the first place as well as who brought it out and for what purpose. This is an important question because no one, except for the Clinton campaign, looks good in this situation. Which has led some to opine that the DNC itself leaked the story. I won’t get into all of the details, but in another time, this never would have made it to the media, it would have been dealt with quietly and with the firing of people (which happened by the way). Why and for what purpose it became a national story is suspect.

Everybody Looks Dumb

I don’t think this materially changes the likely result of the Democratic primary contest. Not having access for one day doesn’t permanently cripple the Sanders campaign. But everybody looks dumb in this situation, and that could have a lasting effect on people’s willingness to come together after the nominee is decided…which is likely just three months away.

NGP and the DNC look dumb for making a federal case out of something that could have been dealt with in house. The DNC’s ham handed response is both unfortunate and self-defeating. People feel passionate about their candidates, and in the wake of the DNC’s actions, some people may feel that the DNC isn’t behaving as an unbiased arbiter of the nominating process. That’s not going to be good for the convention, and could lead to problems in November.

The Sanders campaign looks dumb, though not for their immediate response to the problem. They did the right thing in firing Uretsky, but their subsequent response overstates the harm to the campaign, and understates the unethical behavior committed that led to the hold on their account.

The Clinton campaign looks a little dumb for further escalating the situation by saying the data was ‘stolen’. Statements like that make it appear that the data is now gone. It isn’t, and there’s no evidence at this point that the Sanders campaign used the results of any data accessed for nefarious purposes. On the other hand I’m glad the Clinton campaign called for a speedy resolution of Sanders’ access. Surely they realize it doesn’t make them look good for people to feel like they’re piling on the little guy.

Finally, I hope this won’t be turned into a debate topic tonight. We don’t need the precious few debates that are scheduled this season to devolve into the kinds of shit shows that have been the hallmark of the GOP debates. Let’s stick to the top-line issues, not the inside baseball.

The American public, as a general statement, doesn’t give a damn about this, and they shouldn’t. Hopefully, the candidates will agree to stick to the issues that really matter. A discussion of this doesn’t help create jobs or opportunity, or highlight anyone’s vision for the future of our country. Honestly, all it does is sew division in our ranks, which is exactly what we don’t need going forward.

6 Replies to “Breach and Overreach”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.