Staffers on Bernie Sanders' campaign deliberately and improperly accessed information about the Hillary Clinton campaign during a brief (30-40 minute-long) data security lapse.
On 18 December 2015, presidential candidate Bernie Sanders’ campaign became embroiled in a controversy with the Democratic National Committee (DNC) over alleged improper access of voter data by the Vermont senator’s staffers.
A New York Times article published on that date (“Clash Erupts Between Bernie Sanders Campaign and Democratic Party”) reported that the allegations originated with a “dropped firewall” in proprietary campaign software managed by the outside firm NGP VAN. The paper’s reporting indicated that the data contractor was “making a tweak to its system” that inadvertently created a situation in which “the campaigns could see each others’ information” but “only the Sanders campaign accessed data that was proprietary.” The precise circumstances under which that data was accessed (or how the disputed access occurred) were not detailed in initial reports.
After news broke, the Sanders campaign terminated staffer Josh Uretsky, who was managing three other staffers (with all four being accused of improperly accessing Hillary Clinton’s campaign data). Uretsky asserted in an interview that “he had merely been trying to verify the breach,” not obtain any information that should have remained private:
“We did so in a way that we know would create a record that the D.N.C. and NGP VAN would have access to. We deliberately did not download or take custodianship of the records.”
Mr. Uretsky acknowledged that it was clear that Clinton data was being looked at, but said that he was trying to assess how available the Sanders campaign information was to others.
“We could have spent the time trying to get something useful out of it, and we didn’t,” he said.
In an interview with MSNBC, Uretsky again asserted that the actions were taken purposefully in order to generate proof that a breach was possible, but we were unable to locate any corroboration of his claim made by anyone knowledgeable about the particular software package in question.
As a result of NGP VAN’s “dropped firewall” and the data access controversy, the New York Times reported that the “Democratic National Committee [DNC] acted swiftly to deny the Sanders campaign future access to the party’s 50-state voter file, which contains information about millions of Democrats and is invaluable to campaigns on a daily basis.” Uretsky maintained that the DNC’s immediate sanctions effectively paralyzed key functions of the Sanders campaign at a critical juncture:
It makes it very difficult for the campaign to conduct its daily activities. The campaign routinely relies on these lists and data.
A Washington Post article (titled “DNC Penalizes Sanders Campaign for Improper Access of Clinton Voter Data”) described the dispute as a “strategic setback for Sanders” which raised “questions about the DNC’s ability to provide strategic resources to campaigns and state parties.” The paper also reported that Uretsky claimed the Sanders campaign was investigating the impact of the breach on their own data, not attempting to improperly access Hillary Clinton’s campaign information:
Sanders spokesman Michael Briggs said four Sanders campaign staffers accessed Clinton data, and that three of them did so at the direction of their boss, Josh Uretsky, who was the operative fired.
Uretsky told CNN that he and others on the campaign discovered the software glitch and probed the system to discover the extent of their own data’s exposure. He said there was no attempt to take Clinton information but said he took responsibility for the situation.
Much of the reporting centered around NGP VAN’s proprietary software and its functionality, operative details to which most news outlets weren’t specifically privy. DNC chair Debbie Wasserman Schultz told CNN’s Wolf Blitzer that Sanders staffers “downloaded” and “exported” the data in question:
They not only viewed it, but they exported it and they downloaded it … We don’t know the depth of what they actually viewed and downloaded. We have to make sure that they did not manipulate the information … That is just like if you walked into someone’s home when the door was unlocked and took things that don’t belong to you in order to use them for your own benefit. That’s inappropriate. Unacceptable.
Given the proprietary and specialized nature of NGP VAN’s software, Wasserman Schultz’s “unlocked door” analogy was difficult to assess. CNN’s coverage quoted a message from Wasserman Schultz to DNC members in which she accused the Sanders campaign of “systematically” engaging in improper data access:
Over the course of approximately 45 minutes, staffers of the Bernie Sanders campaign inappropriately accessed voter targeting data belonging to the Hillary Clinton campaign … Once the DNC became aware that the Sanders campaign had inappropriately and systematically accessed Clinton campaign data, and in doing so violated the agreement that all the presidential campaigns have signed with the DNC, as the agreement provides, we directed NGP VAN to suspend the Sanders campaign’s access to the system until the DNC is provided with a full accounting of whether or not this information was used and the way in which it was disposed.
Much of the reporting about the dispute hinged on the reliability and functionality of NGP VAN’s software. Unlike with commonly used software (such as Microsoft’s Excel or Word), the only source available from which to gauge the level of potential malfeasance was DNC statements in news reports. However, a statement issued on 18 December 2015 by NGP VAN about the controversy appeared to contain some meaningful contradictions to Wasserman Schultz’s assertions.
Among those discrepancies was the firm’s description of the data in question, and another was the use of the term “export”:
First, a one page-style report containing summary data on a list was saved out of VoteBuilder by one Sanders user. This is what some people have referred to as the “export” from VoteBuilder. As noted below, users were unable to export lists of people.
The one area that was impacted was voter file data. We are confident at this point that no campaigns have access to or have retained any voter file data of any other clients; with one possible exception, one of the presidential campaigns. NGP VAN is providing a thorough report to the DNC on what happened and conducting a review to ensure the integrity of the system.
The statement reiterated that during a “brief window” of unspecified duration, a limited amount of unauthorized data was viewable. However, NGP VAN stated that the affected data was not exportable, savable, or actionable:
For a brief window, the voter data that is always searchable across campaigns in VoteBuilder included client scores it should not have, on a specific part of the VAN system. So for voters that a user already had access to, that user was able to search by and view (but not export or save or act on) some attributes that came from another campaign.
We immediately began an audit to determine if any users had intentionally or unintentionally gained access to data they normally would not have access to within the limited timeframe when the bug was live. Our team removed access to the affected data, and determined that only one campaign took actions that could possibly have led to it retaining data to which it should not have had access.
On Reddit, an r/technology thread about the controversy included a comment from a self-identified 2008 Obama campaign staffer who claimed such breaches were both common and of limited strategic value:
As an ’08 Obama staffer who used the VAN extensively, it went down like this, “Oh, that’s weird. It looks like we can pull lists from Hillary again. Hey Erin, do a quick search…” Then everyone in the office room (there were 4 total accounts who did a search) tried the search too.
Any data they pulled would not have been that useful, especially considering both campaigns use the VAN. They couldn’t just turn around and re-enter the Clinton supporters as 5’s, etc. That’s not how it works … The breach is a non-issue, however how it is being handled by the DNC (in addition to the way the debates, etc) is the telling issue about how undemocratic the Democratic National Party has become.
Another comment in that thread asserted that lack of public knowledge with respect to the software’s interface made assessing the chain of events problematic for both the media and voters:
Did they actually know that they were [breaching data], though… or did they believe that they were seeing Sanders’ campaign data? Do we know anything about what this interface looks like?
This sounds like an excuse to handicap the Sanders campaign.
On 18 December 2015, the Sanders campaign filed suit against the DNC [PDF via Politico] requesting immediate injunctive relief (including restoration of access to the data). The suit referenced the “Defendant’s [DNC] ongoing breach of the Parties’ Agreement Regarding Use of DNC National Voter File Data” and held that under the terms of an agreement entered into by the Sanders campaign and the DNC on or about 26 October 2015, both parties were contractually entitled to a ten-day period in which to remedy contractual breaches:
On or about October 26, 2015, the Campaign and the DNC entered an agreement captioned “Agreement Between the DNC and Presidential Campaign Committees Regarding use of DNC National Voter File Data” (the “Agreement”) … In view of the national political importance of the Campaign — and by extension, the importance of the Voter Data and the Agreement — the Agreement substantially restricts both Parties’ rights of termination to cases of prolonged and voluntary breach.
The Agreement states, in relevant part:
Either party may terminate this Agreement in the event that the other party breaches this Agreement; the non-breaching party sends written notice to the breaching party describing the breach; and the breaching party does not cure the breach to the satisfaction of the non-breaching party within ten (10) calendar days following its receipt of such notice … The Agreement does not permit either Party to suspend its performance of the Agreement prior to terminating the Agreement in accordance with the provision above … The Agreement does not permit either Party to terminate or suspend the Agreement without notice, or without providing the breaching Party with the requisite opportunity to cure … The Agreement requires the DNC to “use security measures, with respect to the Campaign Data, that are consistent with good practices in the data processing industry.”
Another portion of the suit pertained to what was referred to as the “Prior Incident” in the body of the filing. The Sanders campaign’s suit held that a similar breach favoring the Clinton campaign in 2008 occurred but did not prompt sanctions for her campaign and constituted persistent data security lapses on the part of the DNC:
Upon information and belief, a similar security incident arose with the NGP VAN software during the 2008 national presidential primaries, resulting in the unintentional transmission of Confidential Information to the campaign of Democratic primary candidate Hillary Clinton (the “Prior Incident”). Upon information and belief, no action was taken in response to the Prior Incident in 2008, nor was any candidate’s access to Voter Data suspended as a result of that Incident. [The DNC] has failed to exercise reasonable care and diligence in ensuring that the security breaches that occurred during the Prior Incident, under Defendant’s supervision, would not recur.
In summation, all parties agree that for a short window of time (spanning between 30 and 45 minutes) on or around 16 December 2015 four staffers for the campaign of Bernie Sanders had access to restricted data hosted by a third-party campaign company. The senior staffer in charge of the other three was fired following disclosure of the breach; that staffer maintained that staff were aware their actions were tracked and sought to create a record of the breach. The DNC immediately moved to suspend Sanders’ access to the program, effectively crippling his campaign in the lead-up to primaries and inhibiting the campaign’s ability to engage in voter outreach. The Sanders campaign filed suit against the DNC; the suit alleged that the DNC failed to provide ten days for the Sanders campaign to rectify the breach as stipulated in an October 2015 contract, and further claimed that Hillary Clinton’s 2008 campaign engaged in a similar transmission of unauthorized data with no sanctions applied. While the controversy was widely reported, little was known about the function of NGP VAN’s proprietary software, how it operated, or what the staffers’ intent in accessing the data ultimately entailed. The suit is pending, and Sanders’ campaign remains restricted from accessing the voter data.
Update: Shortly after midnight on 19 December 2015, ABC News reported that the Sanders campaign and the DNC reached an agreement. The Sanders campaign stated that the DNC “capitulated,” and the DNC indicated the campaign was in compliance with its request and it would in turn “restor[e] the Sanders campaign’s access to the voter file”:
A campaign spokesperson for Bernie Sanders said that the voter data access issue has been “resolved” — after the Democratic National Committee had earlier blocked the campaign’s access to the data, which then prompted the Sanders campaign to sue the DNC.
Michael Briggs of the Sanders campaign told ABC News Friday: “It’s resolved. DNC capitulated. We get to see voter files by Saturday morning.”
The resolution to the issue was later confirmed by the Democratic National Committee in a statement:
“The Sanders campaign has now complied with the DNC’s request to provide the information that we have requested of them. Based on this information, we are restoring the Sanders campaign’s access to the voter file, but will continue to investigate to ensure that the data that was inappropriately accessed has been deleted and is no longer in possession of the Sanders campaign. The Sanders campaign has agreed to fully cooperate with the continuing DNC investigation of this breach.”
A New York Times reporter tweeted a copy of the DNC’s statement on the agreement:
Here’s the DNC statement on the deal reached with the Sanders campaign: pic.twitter.com/HJjkqQN1Qz
— Nick Corasaniti (@NYTnickc) December 19, 2015
On 29 April 2016, the Sanders campaign withdrew its suit against the DNC following a months-long investigation into the purported data breach. The Hill reported:
The move came Friday after an independent investigation into Democratic presidential campaigns’ handling of party voter data.
The Sanders team said the investigation vindicated them and showed no evidence that they improperly accessed information belonging to Hillary Clinton’s campaign.
“An independent investigation of the firewall failures in the DNC’s shared voter file database has definitively confirmed that the original claims by the DNC and the Clinton campaign were wholly inaccurate,” the campaign said in a statement.
“The Sanders campaign never ‘stole’ any voter file data; the Sanders campaign never ‘exported’ any unauthorized voter file data; and the Sanders campaign certainly never had access to the Clinton campaign’s ‘strategic road map.’[”]
The DNC declined to make their findings public, and said in a statement:
The audit confirmed that one campaign gained unauthorized access to the data of another, and the audit further confirmed that the results of those searches were saved within the system and that data was exported. Following the conclusion of the audit that confirmed the DNC’s original findings, the Sanders campaign withdrew its lawsuit.
The Washington Post further reported that the DNC “declined to release the study itself by the firm CrowdStrike.”