Naked Security

Democrats’ database bug spotlights the rise of big data in elections

The US presidential campaign of Bernie Sanders found itself in trouble when a staffer improperly accessed a voter database belonging to the rival campaign of Hillary Clinton.

In recent election cycles we’ve heard a lot about big data in political campaigns, and in the future it’s possible we’ll hear a lot more about big campaign data breaches, too.

Last week, a data breach nearly upended the race for US president on the Democratic Party side of the contest, after it was discovered that the campaign of Vermont Senator Bernie Sanders had accessed a private database of voter information collected by the rival campaign of Hillary Clinton.

The Sanders campaign fired the staffer who improperly accessed the private Clinton voter database, and Sanders personally apologized to Clinton when the two met on the debate stage on Saturday, 19 December.

Clinton said she was eager to “move on” from the incident, noting that American voters have much more pressing concerns on their minds.

But Americans who value their privacy might not want to move on quite so fast – let’s review what happened.

The Democratic National Committee (or DNC, the organizing body of the Democratic Party) maintains a big database of voters who are likely to vote for Democrats in future elections, based on a variety of information about those voters.

This “master list” of voters is rented out to individual campaigns at the state and federal level, like the Sanders and Clinton presidential campaigns, and the campaigns can combine that list with their own data to better target voters.

The DNC’s master list is maintained by a private company called NGP VAN, which provides data and fundraising tools to its clients, including thousands of political campaigns.

According to NGP VAN, it released a patch for its VoteBuilder software on Wednesday, 16 December, which itself contained buggy code that made proprietary voter scoring data available to unauthorized users.

In a span of 45 minutes, a staffer for the Sanders campaign was able to search and view scoring data that the Clinton campaign used to rank voters on their likelihood to turn out to the polls in Iowa, New Hampshire and other states holding early primary contests.

On Friday, 18 December, the DNC directed NGP VAN to block the Sanders campaign from accessing the party’s database of likely Democratic voters, as well as Sanders’s own data, until it could investigate whether the data was improperly used.

The Sanders campaign immediately swung into action, filing a lawsuit against the DNC with the US District Court in Washington, DC, to restore its access to the system.

Sanders is waging an uphill battle against Clinton – some prediction markets pick her as the favorite to win the nomination with more than 90% certainty.

Sanders has stayed in the fight thanks to his large base of small donors, but losing access to the NGP VAN system threatened to cost the Sanders campaign $600,000 in donations per day, “crippling our campaign,” Sanders said.

Sanders accused the DNC of stacking the deck in favor of the Clinton campaign, but the DNC relented and restored the Sanders campaign’s access to the system by Saturday, 19 December.

The DNC acknowledged that the data breach was possible because of a glitch in the software and was “not a hack.”

Even so, any time private information is exposed, it makes little difference to the people whose data is breached whether the exposure was intentional or accidental.

And with all of the data that campaigns and political organizations are gathering on voters, it’s time to ask more questions about how this private data is collected, and how it is secured.

Political campaigns gather lots of information about voters that can be used to determine how they might vote – from demographic information like gender, age and occupation, to data about the things they buy and what websites they visit.

The presidential campaign of Republican Senator Ted Cruz has been gathering data on “tens of millions” of Facebook users, without their permission, in order to build “psychological profiles” of potential supporters, according to an investigation by The Guardian.

Yet there are no privacy regulations about what data political campaigns can collect or how they use that information.

Maybe we should also ask if political campaigns’ use of big data means the secret ballot, a vital aspect of free, democratic elections, is under threat.


Image of Bernie Sanders and Hillary Clinton courtesy of Joseph Sohm / Shutterstock.com.

2 Comments

Any comment on Sanders campaign’s claim that they brought this bug to NGP VAN’s attention in October?


Thanks for pointing that out. Sanders did say there was a previous bug in October. From his press release:

“In one instance, about two months ago, Sanders campaign staffers discovered a vulnerability in the DNC software program and quietly reported the problem to the DNC. On that occasion, Sanders said, “our staff at that point did exactly the right thing” and reported the flaw to the party. The DNC once again “screwed up” in a second instance last Wednesday. On that occasion, however, Sanders’ campaign aides “did the wrong thing” and looked at Clinton campaign records. The data director for the campaign was fired and the campaign is investigating whether others acted improperly.”

https://berniesanders.com/press-release/dnc-screwed-sanders-says-calls-probe-apologizes-fired-staffer/

NGP VAN has responded thusly:

“For clarification, NGP VAN played no part in the October data issue that has been mentioned.”

http://blog.ngpvan.com/data-security-and-privacy
