It has been established that members of the Sanders campaign data team looked at the Clinton campaign’s private data during a software patch by NGP VAN, the vendor that runs the system, which dropped a firewall.
The vendor performed the patch on Wednesday, December 17th, and it allowed all users to access data belonging to other campaigns. The Data Director, Josh Uretsky, says that he was exploring the extent of the security lapse. The Sanders campaign terminated his employment and issued an apology to the Clinton campaign and to Sanders’ supporters.
The vendor was contacted by a third party about the data breach. They investigated and determined only one campaign, the Sanders campaign, had accessed data inappropriately. They reported their findings to the DNC, who then contacted the Sanders campaign. Bernie Sanders was not aware of the issue until he was personally contacted the following day by DNC Chair Debbie Wasserman Schultz.
According to the DNC, the Sanders campaign had not responded or provided information regarding the Clinton data, which led to the Sanders campaign being locked out of VAN on Thursday.
Wasserman Schultz continued: “Once the DNC became aware that the Sanders campaign had inappropriately and systematically accessed Clinton campaign data, and in doing so violated the agreement that all the presidential campaigns have signed with the DNC, as the agreement provides, we directed NGP VAN to suspend the Sanders campaign’s access to the system until the DNC is provided with a full accounting of whether or not this information was used and the way in which it was disposed.”
(All bolding throughout for emphasis mine.)
Late Friday the Sanders Campaign filed a lawsuit, the main purpose being to have their access to VAN restored. The DNC restored access that night, saying the information they requested had been provided.
Note that I have never read anywhere either party claiming that the DNC terminated the Sanders Campaign contract. Both sides refer to a suspension or a lockout. If anyone has a credible source otherwise, please provide it.
I am unsure why the Sanders campaign used the 10 day right to rectify in case of contract termination in their court filing when it is obvious there was no termination of the contract. The clauses being quoted are not applicable to the situation.
Another grievance listed in the lawsuit filed by the Sanders campaign is that the DNC is at fault for not providing proper security, failing to uphold the terms of their contract regarding data protection. The Sanders team claims that the DNC is at fault for the Clinton data being improperly searched because the DNC or vendor were notified of a problem with security in VAN back in October, and that the DNC failed to correct the problem.
Regarding that claim that VAN had been notified of a prior firewall problem:
…there has been independent confirmation that NGP VAN has not received previous notice of a data breach regarding NGP VAN.
Josh Uretsky confirmed on MSNBC (at 5:47), and also on CNN, regarding the previous incident: “it wasn’t actually within the VAN VoteBuilder system, it was another system.”
They may still use the argument that their team would not have had the opportunity to access the private data had VAN not made the error. Had the Sanders campaign been the victim I think they would have a strong argument. Pointing fingers with dirty hands isn’t usually a good idea.
The massive data system was created when Howard Dean was chair of the DNC. He wanted all Democrats to be able to access voter information and help build on existing information that would provide an affordable way for campaigns to achieve maximum voter outreach.
The security and privacy of our customers’ data is a top priority. Over the company’s 19 year history, we’ve not had a problem with that; but on Wednesday, we did have a brief isolated issue for users of one of our products.
Regarding the claims that the vendor, NGP VAN, was involved in the dispute between the DNC and the Sanders campaign:
At the request of the DNC on Thursday, Sanders campaign access was suspended pending the campaign reporting on its access of the data; NGP VAN played no role in making that decision, and contractually could not.
http://blog.ngpvan.com/data-security-and-privacy
Another issue that will not die is the question of whether or not the Sanders data people running lists and seeing confidential data during the software patch was illegal:
Summaries of data logs provided to the AP show the Sanders team spent nearly an hour in the database reviewing information on Clinton's high-priority voters and other data from nearly a dozen states, including first-to-vote Iowa, New Hampshire and South Carolina.
Some of these voter lists were saved into a folder named "Targets," according to the logs. Uretsky's deputy appeared to focus on pulling data on South Carolina and Iowa voters based on turnout and support — or lack of support — for Clinton.
The Sanders campaign employees who accessed the Clinton voter information without authorization appear to have run afoul of the federal Computer Fraud and Abuse Act, said Jason Weinstein, a former supervisor of the Justice Department's computer crimes section.
Those employees "have reason to be concerned about legal exposure," he said, for what appears to fit the definition of illegal hacking.
It would seem to be common sense that purposely accessing information that is beyond your rights would be illegal. And this says that it is the case.
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, is an amendment made in 1986 to the Counterfeit Access Device and Abuse Act that was passed in 1984 and essentially states that, whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication shall be punished under the Act. In 1996 the CFAA was, again, broadened by an amendment that replaced the term “federal interest computer” with the term “protected computer.” 18 U.S.C. § 1030. While the CFAA is primarily a criminal law intended to reduce the instances of malicious interferences with computer systems and to address federal computer offenses, an amendment in 1994 allows civil actions to be brought under the statute, as well.
https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_%28CFAA%29
The use of data agreement that is attached to the contract is at the link below. Here is an excerpt:
8. Remedies
Licensee shall require any agents or vendors to sign confidentiality agreements requiring compliance with the limitations on use of Database set forth in this Agreement. Licensee assumes liability for damages arising from any breach of this Agreement by its vendors and agents, including unauthorized use or disclosure.
For those that would like to see the court filing containing the contract and agreement:
http://www.politico.com/f/?id=00000151-b72f-d9b7-ad79-f7ff512d0000
I understand there is a conspiracy theory being floated that the Sanders data director was a plant the DNC placed to discredit the Sanders campaign. I include nothing of that nonsense here, as I find it idiotic.