Democrats' Data Breach Exposes Risks of the Political Data Beast
The Democratic National Committee's decision to shut the Bernie Sanders campaign out of its own voter data and the subsequent battle exposed more than just a rift between a primary underdog and party leadership. It laid bare the way human behavior can turn data marketing from a cool, scientific competency -- as reports on the 2008 and 2012 Obama campaigns often portray it -- into a reflection of its practitioners.
On a rainy evening in Washington, D.C., in August 2014, Democratic campaign operatives and left-leaning data geeks convened in a small theater to hear the DNC announce its official alignment with the data firm NGP VAN, and for executives from the company to unveil the new bells and whistles that would benefit the party. Colleagues of Stu Trevelyan, NGP VAN's CEO, joked that he had considered donning a Steve Jobs-ian black turtleneck. (He wore an untucked blue button-down instead.)
The gathering, which was also live-streamed, marked a watershed moment for Democratic data and technology. In effect, the party had christened a single platform upon which other app developers, ad platforms and analytics software providers must integrate or risk obsolescence for Democratic campaigns. The choice created significant momentum for a unified method among Democrats of using data to evaluate and communcate with voters.
But unity turned to dischord last week after Mr. Trevelyan's firm implemented a software update that inadvertently let campaigns access their opponents' voter data -- and Sanders staffers did just that.
Data risks in a 24/7 campaign culture
Many software companies and administrators take their systems offline to perform updates as a safeguard against problems. NGP VAN did not, by design.
"These campaigns work around the clock," Mr. Trevelyan told Ad Age, calling the company's "zero down-time" approach a best practice that sets NGP VAN apart in an always-on political world. He said he had no plans to change course.
"Moving forward, we are adding to our safeguards around these issues," Mr. Trevelyan wrote on the NGP VAN blog.
The incident also cast a spotlight on the DNC's decision to make a single company the hub for its voter data efforts. The GOP has not followed suit; Republican campaigns can access Republican National Committee voter file data through the Data Trust and i360, for example.
"This definitely illustrates some of the risks of using a single vendor, but having a single vendor also brings plenty of strengths," said Colin Delany, a digital strategy consultant serving advocacy and political clients on the left. Allowing multiple vendors to access party voter files "could open more risks of outside parties breaking in," he suggested.
The Sanders campaign, meanwhile, was barred from accessing its own data on Friday, on the DNC's orders. Mr. Sanders fired Josh Uretsky, his national data director, and the DNC reversed its decision later that day. But Sanders staffers were still able to get to the campaign's fundraising data, Mr. Trevelyan told Ad Age.
The foundational information used by the Clinton camp and the Sanders camp is publicly-available data on voters such as names, addresses, party affiliation and the elections in which someone has voted. The true value lies in all the stuff that's layered on top during each election cycle -- the scores showing a voters' likelihood to support a candidate or their stances on issues such as gun rights or immigration -- along with the sophisticated analytics applied to model the data into segments for smarter communications with those voters.
That additional information might be added after a volunteer calls a voter who's later pegged as undecided, or when an analytics firm runs its algorithms to add its own brand of scores to each voter profile. It is fluid and, much like the consumer data showing you at a previous home address, easily rendered obsolete.
When the Obama campaign handed over its data to the DNC before the 2014 midterms, insiders suggested its value would be limited because attempting to apply information that evolved during the 2012 cycle to future campaigns would be something like fighting yesterday's war. Customized equations used in 2012 to categorize and target voters were already considered less-than-useful, in part because they evaluated voter sentiment in relation to then-Republican presidential hopeful Mitt Romney, and reflected a two-year-old political climate that was had shifted by 2014. (Consider the effect of something like the passage of Obamacare, for example.)
"We're not using the same models … but the same techniques we used to develop them do still apply," BlueLabs co-founder Chris Wegrzyn, who served as the DNC's director of data architecture from 2011 to 2013, told Ad Age at the time.
Actionable or not?
Just what the Sanders camp saw and whether it was usable is unclear. Mr. Uretsky has said he only accessed the breached Clinton data in order to validate the problem, and did not grab anything he could actually use in a meaningful way.
"It's perfectly believable that upon discovering a potential software problem, the data director would attempt to investigate it," Anthea Watson Strong, a Google Civics team member and the 2012 Obama for America Voter Experience Manager, said on Twitter.
The breach allowed the Sanders campaign to search the VAN system for lists of voters matching certain criteria, say women ages 25 to 65 who voted in the last three elections, Mr. Trevelyan said. However, the campaign could not export that data to systems for robo-calling or door-to-door canvassing or email, for example. "It wasn't very actionable," he said.
That still may have been useful. "They could certainly analyze what they were seeing, even if they couldn't export it," said Mr. Delany.
And audit logs of the incident posted on a Turner/CNN domain show what appear to be creation of lists by the Sanders camp of "Primary Priority" voters in several states including Iowa, New Hampshire, and Florida from the Clinton database over a period of nearly two hours.
Here's the audit log. At 10:54 pm he creates a saved list of HRC's persuadables. This is a smoking gun. https://t.co/PHIZS6xVVM— Chanukah Mike Sager (@msager) December 19, 2015
The Sanders campaign made a quick and decisive move by firing Mr. Uretsky after his data dive was revealed. It remains to be seen whether severing an important limb of the campaign two months before the Iowa Caucus could hurt the Sanders campaign.
Mr. Delaney agreed with the decision, citing Sanders's "strong emphasis on ethics." In an email sent to Ad Age he noted, "Firing the data director seems entirely justified to me….. Considering the potential blowback, it's political malpractice. Did he think none of this would be logged? They could have reported the bug and waited for an answer."
Indeed, NGP VAN's contract is with the DNC, not the candidates' campaigns, who agree to abide by certain rules in exchange for using the voter file data through the VAN platform, said Mr. Trevelyan. The company did not push for the Sanders campaign's access to be reinstated.
"That's not really our lane to be involved in, the politics of those decisions," he said.
What may have originated as a wrist slap by DNC leadership, however, brought the data control issue to the front burner. At least one voter targeting firm working for clients on the right hoped to capitalize on the data breach scandal by playing up the data ownership angle. "This is a chilling reminder why candidates and causes must control their own data. Nobody gets veto power over your clients here," CampaignGrid said on its Facebook page on Friday.
A lawsuit filed Friday by the Sanders campaign against the DNC, before its voter data access was reinstated, is not the first political data-related legal move and it won't be the last. The American Democracy Legal Fund alleged in November 2014 that the Republican National Committee, along with its top data partners, large right-wing Super PACs and a slew of GOP midterm candidate campaigns, had been swapping voter information illegally. The complaint has lingered in Federal Election Commission limbo since it was filed.
Nor will data breaches end with last week's incident, despite the renewed focus. There are "extreme cyber security risks," involved with political data, former GOP Chief Technology Officer Andy Barkett told Ad Age in July as he launched his data analytics startup Digital Core Campaign.
"We're literally dealing with that every single day," said Mr. Barkett.