
Polinaut: February 28, 2006 Archive

Briefing - Tuesday February 28, 2006

Posted at 7:51 AM on February 28, 2006 by Bob Collins

I just finished a column about there being no Rasmussen on Minnesota today when, voila!... there it is.


Bottom line in the Senate. Everyone appears to be within the margin of error, although I find the notation that Klobuchar does better than Bell among moderates and unaffiliated voters to be interesting. But I don't have Rasmussen's premium service (see below) so I can't get access to the crosstabs.


Nothing from Rasmussen today on the Minnesota poll. Maybe tomorrow.
We've been kicking around polling options for the last week or so at MPR. We used to use Mason-Dixon but we did so in partnership with the St. Paul Pioneer Press. But the guy who handled it has fled to the Strib and the PiPress is being groomed for sale so things are questionable on that front. MPR political editor Mike Mulcahy was at an event yesterday discussing polling and said a ton of people were there from the Star Tribune's polling unit, but they report they have budget issues too, and may not do anything until September.

Meanwhile, we've been looking at Rasmussen, to at least tap into the polls they're already doing but the word from the "experts" is that Rasmussen uses automatic dialers, and apparently that's a no-no in polling circles.

Sounds to me like there won't be a lot of media polls until late in the game this year, and maybe that's a good thing.

Around the planet today, DFL gubernatorial candidate Kelly Doran is on Midday today at 11. After listening to all of these shows in the last couple of weeks, I think it would be cool to invite them all back and do another, limiting all answers to questions posed by the public with a "yes" or a "no."

I'll also reintroduce the "blog" item I wrote from the Democratic convention a few years ago and, as you listen, when you hear the words "we need" at the beginning of an answer, you're probably not getting one.

AMFA chief to run for state Senate

Posted at 10:22 AM on February 28, 2006 by Bob Collins

Ted Ludwig, the president of the striking AMFA union locally is announcing he's running for state Senate in District 25. AMFA has a little bit of interest in some issues before the Legislature.

The GOP CD

Posted at 10:26 AM on February 28, 2006 by Bob Collins (17 Comments)

Following up on yesterday's questions I had about the marriage-amendment CD being mailed out to voters by the Republican Party, I posed them to Mark Drake, the GOP Minnesota spokesman.

I wrote:

I really enjoyed the production work on the CD for the marriage amendment. It was first-rate stuff and as a Flash novice, made me a little bit envious. The copy that Tom Scheck gave me required an access code. Do all the CDs being mailed out come with an access code? If so, I'm curious as to why that is and wondering if the "votes" I'm asked to take during the presentation are reported back to the MN GOP? And, if so, are they matched to the access code and do you keep a record of what code is mailed to what person?

Mark was kind enough to respond promptly:

Thank you for the kind words regarding the high tech merits of the cd. Like any political survey done by the Party, it is our hope the cd will help us recruit more volunteers, provide valuable voter ID information and hopefully allow us to raise money so we can continue to send the cd out to more Minnesotans.

On Friday, the cd will be released to the public. The cd's packaging will make clear that the cd is interactive in nature.

A follow-up e-mail from me:

So by interactive in nature, do you mean the results are being reported back to the GOP and, if so, are they identified by the access code?

And a response:

Yes- very similar process to if you got a free AOL cd at the grocery store.

So if you run the CD in your personal computer, by the end of it, the Minnesota GOP will not only know what you think on particular issues, but also who you are. I'm not sure how polling firms do this. Do they keep track of the individual answers by identity? Maybe so. Maybe not.

Let me think out loud about how this could play out. Depending on what data the GOP is gathering, you get home, you see the CD, you pop it in your computer. Now, the sponsor knows you played the thing. Do they know how long you played the thing? How many features you watched? When it comes time to answer some questions (and I don't think you're required to answer them, but it doesn't say that), you go ahead and click the answer. As far as I could tell, nothing tells you that the answers are about to be e-mailed or otherwise transmitted to the Minnesota GOP.

So you finish, and then the phone rings. "Hello, Mr/Mrs. Voters, it's Joe and I notice you support gun control and the marriage amendment, would you like to donate some money to us?" That might startle the person who may have thought he/she was viewing the presentation in the privacy of the computer room.

It'll be interesting to see how that data will be used and the extent to which it's collected.

(Update 11:50 a.m.)

I played around with it some more to try to figure out what information is being gathered. The first clue the GOP was tracking was the fact that when it starts it says something like "Welcome, John Smith." And if you're not John Smith, you can "apply" for an activation code (see photo). The data you have to submit is: Name, spouse's name, district, address, e-mail and phone. Only name, address, and phone are required.

I filled out this information using Tim Pawlenty's address and it gave me a code to allow me to continue further.

The first section, "our culture," features a presentation with Mary Kiffmeyer, and then asks "which of the following BEST describes your position on abortion." The answers are "all abortions should be legal; abortions should be legal but only in the first 3 months; abortions should be illegal except in the case of rape, incest, or the life of the mother is threatened; and abortions should be illegal."

It then gives you another blurb of Kiffmeyer and then asks if you support the amendment on marriage. And then asks if you believe in the 2nd amendment. It does not say you can just hit SUBMIT and skip the answer. And it doesn't say the results are being transmitted.

More Kiffmeyer, and then it asks how you usually vote on Election Day - always Republican, always Democrat, sometimes Republican, sometimes Democrat, and other.

Six issues are then presented -- taxes, performance pay for teachers, designated motor vehicle sales tax to transportation, illegal immigration, eminent domain, and the marriage amendment...with a rating of 1 to 6.

Checked again to find a privacy notice. Nothing.

Anybody got a good decompiler?

(1:55 Updating) From an information standpoint, having a better handle on who is out there and who exactly supports your position makes perfect sense. You can target your focus better, you can more easily identify potential contributors, and you can create a good database on Election Day to make sure those folks are voting. Why waste your money blanketing folks who aren't going to support you? My suggestion would be to tighten up the program a bit to give people the option not to send data. After telling them the program is, of course.

In the comments section, someone asked for screenshots of the questions. Here you go.



GOP CD accumulates data, but data is not secured

Posted at 6:38 PM on February 28, 2006 by Bob Collins (18 Comments)

Let's suppose I got the Republican CD advocating the marriage amendment in the mail. And let's assume -- and remember this is a hypothetical here -- I had enough intelligence to decompile the program and figure out what data is being captured and sent. Could I do it?

Yes. Someone did.

"No.", "Time", "Source", "Destination", "Protocol", "Info"
"1", "17:11:52.780492305", "***.1**.***.*2*", "*0.2.*.81", "TCP", "1106 > http [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460"
"2", "17:11:52.794481754", "**.*.*.**", "***.***.1*5.***", "TCP", "http > 1106 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460"

(Update 9:08 p.m.: This is not the available data. This is the internal stream as we ran the program. We're not going to show any of the data we actually found and in the image below, you're not going to get any useful data. We'll show the actual contents of the packets if the subcontractor denies the existence of the information. We're not interested in exposing the subcontractor to a malicious attack while this information is still available. This is a privacy issue, not about how to compromise the site with the information.)

Now that's pretty basic stuff: what your IP is, what your CPU is, what your operating system is. But is it possible for me to find out how you vote in elections? What your position on abortion is? Or even how long it takes you to answer those questions? Can I get your private phone number, your address, your name, your spouse's name, your IP?

Yes. Someone did.

Using the stream indicated above, people way smarter than me were able to figure out the destination for the data being accumulated, and then poked around and found the site. And the data was not secured at the site.

I checked to see if two entries I made via the CD -- one for Tim Pawlenty and one for Joe Blow -- showed up in the database. Yep. This must be the place.

The screenshot above is a sample of several we took. Another has the answers along with the code of the submitter, the identity of whom can be ascertained easily with the data above.

What's worse, the information is on an unsecured Web site. I'm not going to tell you what site we found it on (until it's been secured), just to let you know that the data is there. And it can be found by anyone who can decompile the program on the CD.


We could -- if we were malicious (and we're not) -- change the questions that are "on the CD" because they're really not on the CD. The program connects to a database and provides the questions.

Imagine if thousands of CDs arrived in homes with the question "do you like Siegfried and Roy?"

We could steal the data. In fact, the mailing list of more than 25,000 names is also on the site, and is easily downloaded into a spreadsheet. Cool. Twenty-five-thousand names and addresses. Free.

This is a significant security flaw. And it's coming to a mailbox near you in a few days.

It also leaves a cookie behind on your computer, although we haven't figured out what that does yet. (Update: The cookie is likely nothing - just a way to autofill some information if you decide to go back later and resubmit your answers.)

This is why it matters when someone raises concerns about data. This is why it matters if someone asks you if you're collecting it. This is why it matters if someone asks you what you'll do with it. This is why it matters if someone asks if you're protecting it. Privacy concerns are bipartisan.

But didn't anyone ask these questions already?
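The capture summary quoted in this post has the columns a recipient needs to see where a program on their own machine sends data. The following is an added example, not part of the original post and not the tool used for it: it reads an export in that column layout, lists the hosts the local machine opened connections to, and marks the ones reached over an unencrypted service. The sample rows are constructed, with addresses from documentation ranges, and the function names are hypothetical.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the same column layout as the capture summary in the
# post. Addresses are from documentation ranges, not taken from the page.
SAMPLE_EXPORT = '''"No.","Time","Source","Destination","Protocol","Info"
"1","17:11:52.780","192.0.2.10","198.51.100.81","TCP","1106 > http [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460"
"2","17:11:52.794","198.51.100.81","192.0.2.10","TCP","http > 1106 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460"
"3","17:12:40.101","192.0.2.10","203.0.113.5","TCP","1107 > https [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460"
"4","17:12:41.300","192.0.2.10","198.51.100.81","TCP","1108 > http [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460"
'''

# Info column has the form "<source port> > <destination service> [FLAGS] ..."
INFO_RE = re.compile(r"^(\S+) > (\S+) \[([^\]]+)\]")

# Services that carry data without transport encryption.
CLEARTEXT = {"http", "80", "ftp", "21", "telnet", "23", "smtp", "25"}


def outbound_connections(export_text):
    """Count connections opened from the capturing machine, per (host, service).

    A connection attempt is a TCP segment whose only flag is SYN; the
    "SYN, ACK" reply comes from the remote side and is skipped.
    """
    opened = Counter()
    for row in csv.DictReader(io.StringIO(export_text), skipinitialspace=True):
        match = INFO_RE.match(row.get("Info") or "")
        if row.get("Protocol") != "TCP" or not match:
            continue
        flags = {flag.strip() for flag in match.group(3).split(",")}
        if flags == {"SYN"}:
            opened[(row["Destination"], match.group(2))] += 1
    return opened


def report(export_text):
    """Return (host, service, attempts, is_cleartext) rows, busiest first."""
    counts = outbound_connections(export_text)
    return [(host, svc, n, svc in CLEARTEXT)
            for (host, svc), n in counts.most_common()]


if __name__ == "__main__":
    for host, svc, n, clear in report(SAMPLE_EXPORT):
        note = "UNENCRYPTED" if clear else "encrypted or unknown"
        print(f"{host:15} {svc:6} connections={n} {note}")
```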
