This was NOT the diary I wanted to write today :/
Like another diarist posted, I am also involved in the IT world. However, my work revolves around Software Development. I write code that makes websites like Votebuilder work.
I don’t work for NGP VAN and have no knowledge of the internal workings behind Votebuilder, but I can make some educated guesses on how their system is set up. It appears that Votebuilder is an ASP.NET “Webforms” website. ASP.NET is a Microsoft technology that adds programmable functionality to web sites through compiled “code-behind” files. You can tell that Votebuilder is built using Webforms by the .aspx extension in the page URLs. Webforms are outdated, but are still in heavy use in Enterprise “legacy” applications.
In Enterprise applications (including Votebuilder), there’s a common need to restrict access to certain pages or data based on the permissions of the user that is logged in. In an ideal situation, users who aren’t logged in get redirected to a login screen, administrators get access to everything, and everyone else gets varying levels of access. There is code behind each page that checks the currently logged-in user’s level of access. The code is supposed to either redirect the user if they have no access to the page, or hide/show elements based on the user’s access.
For example, an employee and a manager of a department may both have access to a time entry portion of a web site, but the code will only give the employee access to their own timesheets and the timesheet entry screen while the manager may get access to view all of their employees’ timesheets.
I’m guessing that a similar scheme is in place with Votebuilder. Volunteers get access to call/walk lists that organizers set up for them. Organizers get a bit more control over a small area of data. Regional field directors get to set up lower-level users and can build voter lists from a larger area, etc. The point is that the data is restricted based on role, and the data is supposed to be restricted to the campaign it belongs to.
Apparently the bit of code that would check if a user was accessing the Hillary voter data vs. the Sanders voter data wasn’t working. This raises a few questions:
1. Why would ANY campaign on Votebuilder possibly have access to notes from another campaign? Shouldn’t there be a major degree of separation between campaigns in the Votebuilder system?
2. Are the notes/voter responses for both the Bernie and Hillary campaigns stored in the same database? Why aren’t they separated?
3. What does the Quality Assurance process look like within NGP VAN? Is there a QA process in place?
4. Was user access to other campaign data tested during the QA process? If not, why not?
I’m placing blame on the NGP VAN Developers, QA staff, and possibly management for letting such a serious flaw get to the Production environment. They, more than anyone else, need to answer why and how the voter data is being compromised.
I am a fan of the visual and functional overhaul that Votebuilder recently received. However, if that came in at the expense of keeping the data intact, then we have a BIG problem on our hands.
I’m as much of a Bernie fan as many on this site, but I’m not placing blame in either campaign’s camps. This is a software failure that is blown up because of the sensitive data involved. No campaign should be using the NGP VAN system until this issue is resolved and vetted by an independent audit.
My main concern is that one campaign had access to another campaign’s data at all. Unless that data is explicitly shared through a manual upload, the data from the other campaign should be completely separate. This breach implies that there is a central database where ALL of the campaign data is stored, and then access to notes/responses is served based on the campaign the user accessing that data is coming from. Each campaign should have its own copy of the database, on its own dedicated server, on its own installation of Votebuilder. Relying on one central database for ALL of the DNC campaigns is a terrible idea! What happens if this ONE database gets leaked?!? I really hope I’m wrong on this…
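To make the shared-database failure mode concrete, here is an added example (not NGP VAN's code and not part of the original diary). It shows a role check that passes while the query forgets the campaign filter, the scoped version beside it, and the kind of cross-campaign test a QA process could run. The table layout, role names, campaign names and function names are all assumptions, and the rows are constructed sample data.

```python
import sqlite3

ROLE_LEVEL = {"volunteer": 1, "organizer": 2, "director": 3}  # assumed role names

class AccessDenied(Exception):
    """Raised when the caller's role is too low for the page."""

def make_db():
    """Constructed sample data: two campaigns sharing ONE notes table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (campaign TEXT, region TEXT, body TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?, ?)", [
        ("campaign_a", "north", "A: strong supporter"),
        ("campaign_a", "south", "A: undecided"),
        ("campaign_b", "north", "B: wants yard sign"),
    ])
    return db

def require_role(user, minimum):
    """Page-level check: is this user's role high enough?"""
    if ROLE_LEVEL.get(user["role"], 0) < ROLE_LEVEL[minimum]:
        raise AccessDenied("role %r is below %r" % (user["role"], minimum))

def notes_unscoped(db, user, region):
    """Flawed: the role is checked, but no clause ties rows to the user's campaign."""
    require_role(user, "organizer")
    rows = db.execute("SELECT body FROM notes WHERE region = ?", (region,))
    return [r[0] for r in rows]

def notes_scoped(db, user, region):
    """Hardened: the campaign from the server-side session is always in the WHERE clause."""
    require_role(user, "organizer")
    rows = db.execute(
        "SELECT body FROM notes WHERE campaign = ? AND region = ?",
        (user["campaign"], region))
    return [r[0] for r in rows]

def leaked_rows(query_fn, db, user, region):
    """QA check: which rows owned by OTHER campaigns did query_fn hand to this user?"""
    visible = set(query_fn(db, user, region))
    foreign = {r[0] for r in db.execute(
        "SELECT body FROM notes WHERE campaign != ?", (user["campaign"],))}
    return sorted(visible & foreign)

if __name__ == "__main__":
    db = make_db()
    organizer_a = {"role": "organizer", "campaign": "campaign_a"}
    print("unscoped leaks:", leaked_rows(notes_unscoped, db, organizer_a, "north"))
    print("scoped leaks:  ", leaked_rows(notes_scoped, db, organizer_a, "north"))
```

A check like `leaked_rows` belongs in the automated test suite for every query that touches shared tables, so a dropped campaign filter fails the build instead of reaching Production.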
This covers more than just the Sanders or Clinton campaigns. How can I trust that the data will be secure for folks running for the state legislative races or Congressional seats? When I talk to candidates about getting voter lists for their local campaigns, should I be looking somewhere else besides NGP VAN for this data?
The last thing anyone wants is for some GOP candidates or other unsavory folks to get their hands on our voter data.