Hacker News

Disclaimer: I work in politics professionally, as a digital consultant.

ActBlue is better at security (and just in general product) than NGP, but neither supports physical 2FA keys.

I don't want to speak too publicly about NGP VAN, but I think this area is very ripe for disruption. It would be hard, though, to get the finance side 100% correct (automated FEC and compliance and all). This built-up moat, I personally believe, lets them stagnate on technology. I think their API is proof they know the weakness or are afraid of easily better tools built on top (no important data in and out).

One attack vector I don't see mentioned is locking down domains and websites. Campaigns are incredibly cheap; it only took a few consultants selling shitty pre-built WordPress themes and now it's tough to get a Congressional to pay much or anything. We now build static websites for clients who pay, but I'm still worried about some actor uploading a google-verification.txt, or updating DNS to send better phishing emails.

Emailing passwords in plain text, and shared Twitter passwords for candidate accounts which are 'victory!2020', are VERY common, and we've been trying to correct this behavior.

Though this isn't perfect, we have been sending one-time links with no authentication info in email plaintext. Does anyone have a better solution? (Remember: non-technical (no PGP) campaign staff, and not in the same geo a lot of the time.)

In writing up some campaign plans this cycle I made some security notes. Especially for a top-5 race target client we have (if they win the primary), I suggested a separate senior-staff office in a more secure location which no volunteers know about. This won't work at the Congressional level, where anyone can get access to the call-time room or the CM's office if they try.

Yes, because I'm overly paranoid, but also sadly because security in politics now means protecting from some random nut bag with a gun. Which is really scary to me.

But mostly I'm surprised at Maciej's willingness to spend money (and valuable time) doing this. Sadly, I think the willingness to help anyone, including 'Green Party candidate in a district the Republicans carried by 60 points', combined with the general (and I can understand, and am not judging) attitude that 'the system' is broken, is probably a factor in why he was not taken as seriously as I think he would have liked.

Sorry this got really long. I could go on and on (if @Maciej, or is it @idlewords?, sees this I would be happy to chat on DM).

Love seeing politics on HN, a topic I have specialized knowledge in for once ;0



Thanks for these comments, and I'm happy to talk; you can find me on Signal at 415 610 0231.


How can I best connect with you? I did a quick stint in politics and would love to chat.


dillon @ 4degre.es, or send me a message on FB (dillondoyle) or IG (dillonjdoyle); sometimes email doesn't get filtered so I see it from cold contacts.


Making a throwaway because I too work in politics and have worked with your firm before. Also, I might disagree with lots of your points, but if you actually want to build something better than what currently exists there are tons of resources; Higher Ground Labs is probably a good place to start [0].

> ActBlue is better at security... than NGP

By what metric? They're vastly different products serving completely different end users. That's like saying that Uber is better at security than Oracle.

> I don't want to speak too publicly about NGP VAN but I think this area is very ripe for disruption

Your comments show that you have some understanding of the ecosystem, but I'm not sure what you're getting at here. First, NGP VAN serves two different purposes: NGP does FEC compliance, while VAN handles voter files and direct volunteer contact.

Automated compliance is really hard; a lot of companies do this, but none are as good as NGP. More than 40 companies are registered with the FEC to provide this service [1], with some of the larger ones being Aristotle, Blue Utopia, and Trail Blazer (this does not include R-only companies like CMDI).

Managing voter data is also really hard [2], but lots of other companies do that too. Off the top of my head I can think of NationBuilder, PDI, L2, Crowdskout, and VoterHub. There's also a whole group of startups working on new voter files, including one backed by Reid Hoffman [3] and one with Howard Dean [4]. Note for non-political folks: VAN does not provide data; it's the software platform used to slice and dice data that the DNC and others collect. I'm getting off track, but while VAN is far from perfect (and could be better!) it's a pretty great solution when all is said and done [5].

> I think their API is proof they know the weakness or are afraid of easily better tools built on top (no important data in and out).

Well, that's just false. VAN has both import [6] and export [7] functionality via API. The older NGPs don't have all these features, but the newest version does too.

> Campaigns are incredibly cheap

Yes lol so much yes.

> I'm still worried about some actor uploading a google-verification.txt, or updating DNS to send better phishing emails.

I also agree that this is a risk. If I were you, I'd start by updating the DMARC, DNS, and SMTP records on your firm's website to minimize the chance of your clients being phished.

> Though this isn't perfect we have been sending one time links with no authentication info in email plaintext. If anyone has a better solution?

Use Signal. Everyone involved with a campaign should have Signal on their phone.

[0] https://www.highergroundlabs.com/
[1] https://www.fec.gov/help-candidates-and-committees/filing-re...
[2] https://medium.com/@heywillconway/why-the-ngp-van-model-is-h...
[3] https://www.wsj.com/articles/fight-over-voter-data-roils-dem...
[4] https://www.apnews.com/9a47a0def9234e338bc72053e86f221f
[5] https://medium.com/@danancona/why-the-ngp-van-model-has-been...
[6] https://developers.ngpvan.com/van-api#file-loading-jobs
[7] https://developers.ngpvan.com/van-api#export-jobs
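The DNS hardening the reply above suggests, as an added example that is not part of the thread: a small offline checker for SPF (the TXT record naming which SMTP hosts may send mail for a domain) and DMARC (the record telling receivers what to do with mail that fails SPF/DKIM alignment). Both records, the example.com domain and the rua address are constructed; to audit a real domain, feed it the output of `dig +short TXT <domain>` and `dig +short TXT _dmarc.<domain>`.

```python
# Added example (not from the thread): static checks on the SPF and DMARC TXT
# records that decide whether mail spoofing a campaign's domain gets rejected.
# The records at the bottom are constructed, as is example.com.
import re
from typing import Dict, List

# SPF terms that each cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> List[str]:
    """Return weaknesses found in an SPF record (empty list means no findings)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings: List[str] = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"                      # SPF's default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted hosts get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host on the internet send as this domain")
    elif all_qualifier == "~":
        findings.append("'~all' only softfails spoofed mail; use '-all' once every legitimate sender is listed")
    if lookups > 10:
        findings.append(f"{lookups} lookup-causing terms exceed the limit of 10 (permerror: SPF is ignored)")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> List[str]:
    """Return weaknesses found in a DMARC record (empty list means no findings)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "":
        findings.append("missing required 'p' tag; record is invalid")
    elif policy == "none":
        findings.append("p=none: spoofed mail is delivered and only reported")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains (e.g. mail.<domain>) can still be spoofed")
    try:
        if int(tags.get("pct", "100")) < 100:
            findings.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    except ValueError:
        findings.append("pct is not a number")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports of spoofing attempts")
    return findings


def audit(spf: str, dmarc: str) -> Dict[str, List[str]]:
    """Run both checks and return findings keyed by record type."""
    return {"spf": check_spf(spf), "dmarc": check_dmarc(dmarc)}


# Constructed records: a weak pair beside a hardened pair for the same (fictional) domain.
WEAK_SPF = "v=spf1 include:_spf.google.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_SPF = "v=spf1 include:_spf.google.com -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, audit(spf, dmarc))
```

The weak pair is what a campaign usually ends up with after copying a mail provider's setup guide: SPF softfails and DMARC is in monitor mode, so a spoofed "from the campaign manager" message still lands in the inbox. Only move to `-all` and `p=reject` after the aggregate reports (rua) show every legitimate sender, including the fundraising and mass-mail vendors, is listed.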


I didn't want to go point for point, but I started writing, and this will be my last reply: AB engineering and security is way better, from the outside looking in.

NGP does have a contribution form product, so I think it's a fair comparison. Also, comparing UI, speed, API, and willingness of staff to communicate and work together is fair IMHO. I've found and seen AB fix security-critical bugs. The AB UI is pretty good, and most important, the donate pages and donate API are fast, and I've never experienced catastrophic failure over many years when it matters. AB is also great to work with: quick, willing to listen and work together. NGP VAN on the other hand...

I agree on the compliance; that's what I wrote. I think they have that moat, and while I think it would be fairly easy to make a better product, I don't think it would be easy for a new product to get compliance correct right out of the gate (which is what would need to happen).

The actual (now kind of combined UI design) NGP VAN UI I think is poor, and even basic queries/lookups are slow. I also think in terms of toolset there is a lot of room for innovation (e.g. from voter contacts, ML for similar voters, better leverage of data across platforms, and much more I don't want to write publicly since we offer some of these patchwork services ourselves). If you've ever had to use their email platform, that alone speaks for itself on this point...

Plus NGP VAN routinely suffers from 'going down for maintenance' or 'adding capacity' during peak, problems that from the outside looking in seem to come from legacy tech/problems.

The VAN side of the API does allow more data in; NGP not at all. I can't add any custom data to users; I can only tag an external ID and add what's basically a tag to a person. Most important, I can't get donation data out. Last I talked to them I kind of offhand mentioned I could script against their internal API, and they shut me down with the TOS. While the VAN API does at least allow for some data in, the export jobs you cite are pretty limiting IMHO, and maybe even an example of legacy choices or internal fears; I can't tell, I don't work there. A counterexample for AB is we subscribe to webhooks which POST JSON of all incoming data. Even the idea of an NGP VAN API is somewhat new if I remember... scratching my head, I think I remember NGP only accepted XML SOAP requests not that long ago (like a cycle or two). Whenever I do data work with VAN, the first step I do is export it all and dump it into BigQuery lol.

The thing with managing voter data is that I don't think the party provides as much value as they could (should). Anyone can get voter file data, either through the state SOS or by buying it from one of many companies; you mention a few. I don't think the party does a good job of collecting and using data across clients across cycles, and I think there are a few R for-profits that do a better job at generating value here; but there are a lot of obstacles, e.g. each campaign wants to control their own data, what about primaries, etc. For instance, you don't see the party enabling/selling 3rd-party targeting via Oracle on issue scores collected from voter contacts across clients across cycles, like a few R companies have done.

Campaigns have not replaced email with Signal no matter how hard tech people want them to; it's just not the same functionality and use case as email. In the case of sending a temporary password, idk, it seems apples to oranges as a 'one time secret' link; in the end I just don't want someone who gains access to email to also gain access to plaintext passwords, which are routinely emailed (but idk, maybe there is a better solution, which is why I asked). Even if they did have Signal in the first place, they prob don't have it on the computer they are trying to log in on (copy and paste password).
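The one-time-link approach the thread keeps coming back to (the first post, and the reply just above), as an added example that is not the commenter's own system: a minimal one-time-secret store. The emailed link carries only a random token; the server keeps the password keyed by a hash of that token and deletes it on the first read, so whoever reads the mailbox later finds a dead link instead of 'victory!2020'. BASE_URL, the in-memory dict and the demo secret are assumptions for illustration; a deployment would encrypt the stored value and use a shared database with TTLs.

```python
# Added example (not from the thread): a minimal one-time-secret store behind a
# "one-time link". The plaintext lives only on the server, keyed by a hash of a
# random token; the emailed URL carries the token, and the first visit consumes it.
# BASE_URL and the in-memory store are assumptions, not a real service.
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

BASE_URL = "https://secret.example.com/s/"   # hypothetical link prefix


class OneTimeSecretStore:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now   # injectable clock so expiry can be tested without sleeping
        # token hash -> (secret, expiry). Storing the hash rather than the token
        # means a leaked copy of the store cannot be turned back into working links.
        self._entries: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, secret: str, ttl_seconds: int = 3600) -> str:
        """Store the secret; return an unguessable token (256 bits from the OS CSPRNG)."""
        token = secrets.token_urlsafe(32)
        self._entries[self._key(token)] = (secret, self._now() + ttl_seconds)
        return token

    def link_for(self, token: str) -> str:
        """The URL that goes in the email: it carries the token and nothing else."""
        return BASE_URL + token

    def reveal(self, token: str) -> Optional[str]:
        """Return the secret on the first valid visit and delete it; None otherwise."""
        entry = self._entries.pop(self._key(token), None)   # pop: exactly one read
        if entry is None:
            return None                                      # unknown or already used
        secret, expires_at = entry
        if self._now() > expires_at:
            return None                                      # expired; already removed
        return secret

    def purge_expired(self) -> int:
        """Drop expired entries so they do not sit around until someone tries them."""
        now = self._now()
        stale = [k for k, (_, expires_at) in self._entries.items() if now > expires_at]
        for k in stale:
            del self._entries[k]
        return len(stale)


if __name__ == "__main__":
    store = OneTimeSecretStore()
    token = store.create("victory!2020", ttl_seconds=600)   # constructed demo secret
    print("email this:", store.link_for(token))
    print("first visit:", store.reveal(token))
    print("second visit:", store.reveal(token))
```

The mitigation is only that the password and the link are never in the same place twice: a mailbox intruder who arrives after the staffer clicks gets None. A short TTL limits the window in which the intruder could arrive first, and the staffer noticing a dead link is the signal that someone else already used it.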




