For months now, Barack Obama’s Presidential campaign has been praised for its expert use of computer technology. The website and other communications media were all supposed to be so well done for reaching out to voters and fund raising. His was a website made by expert. It is therefore unlikely, then, that the fraud-friendly Obama donation form with its flaws found by Matthew Mosk was designed that way with any intent other than the assistance of credit card fraudsters donating to the campaign.
There are basic steps that could be taken by the Obama campaign to prevent fraud, both in his campaign accepting donations from foreigners, and in accepting money stolen from hijacked credit cards, and his refusal to do so appears to be illegal.
A campaign has the responsibility of not accepting donations from foreigners. I am no FEC expert, but I say this on assurances from the FEC itself:
Soliciting, Accepting, or Receiving Contributions and Donations from Foreign Nationals
As noted earlier, the [Federal Election Campaign] Act prohibits knowingly soliciting, accepting or receiving contributions or donations from foreign nationals. In this context, “knowingly” means that a person:
- Has actual knowledge that the funds solicited, accepted, or received are from a foreign national;
- Is aware of facts that would lead a reasonable person to believe that the funds solicited, accepted, or received are likely to be from a foreign national;
- Is aware of facts that would lead a reasonable person to inquire whether the source of the funds solicited, accepted or received is a foreign national. 11 CFR 110.20(a)(4)(i), (ii) and (iii).
Pertinent facts that may lead to inquiry by the recipient include, but are not limited to the following: A donor or contributor uses a foreign passport, provides a foreign address,
makes a contribution from a foreign bank, or resides abroad. Obtaining a copy of a current and valid U.S. passport would satisfy the duty to inquire whether the funds solicited, accepted, or received are from a foreign national. 11 CFR 110.20(a)(7).
The last two sentences of the above quote are key. If a donation comes from a foreign address, the campaign has a duty to verify the legality of the donation. This matters because Web-based Internet donations have two kinds of addresses. One is the billing address of the credit card, and the other is the Internet Protocol address of the Web transaction.
There are two addresses, but the Obama campaign is doing nothing to ensure that either address is legitimate, and therefore is not doing what the FEC requires it to do in order to fulfill its duty to reject foreign donations. Its actions also aid credit card fraudsters in giving donations easily. Which of these effects is the intended one and which is the side effect I cannot say, but there is no way this is accidental.
The first address the Obama campaign is ignoring is the billing address of the credit card. Mosk has found that the campaign will take your money without even checking until later:
When asked whether the campaign takes steps to verify whether a donor’s name matches the name on the credit card used to make a payment, Obama’s campaign replied in an e-mail: “Name-matching is not a standard check conducted or made available in the credit card processing industry. We believe Visa and MasterCard do not even have the ability to do this.
“Instead, the campaign does a rigorous comprehensive analysis of online contributions on the back end of the transaction to determine whether a contribution is legitimate.”
So an American citizen who borrows a foreigner’s credit card will get right past the Obama system. They know this is possible, but they make excuses and ignore the problem. Blame Visa, not us, they cry. But they happily take the money. And yes, they claim a ‘rigorous, comprehensive” analysis, and yet the Obama campaign has taken $174,800 in fraudulently made donations in the name of Mary T. Buskup of Missouri, Mosk found. If that’s rigor for Obama, it’s no wonder he left academia for politics.
If that weren’t enough, there is still the matter of the IP address that the Obama campaign is ignoring. Every single time a person fills in the donation form and submits it, that submission carries with it to the Obama campaign web server the exact IP address of the computer used to send it. This address can be traced to a specific part of the world, in the same was a mailing address can because blocks of addresses are parceled out by country and corporation.
However evidence on the Obama donation page suggests that instead of using the information automatically embedded in every transaction, the campaign is instead letting the user falsify his own IP address in the submitted form. To quote the source code of the donation page:
<form name="contribution" onsubmit="if (document.getElementById) { var submitbutton = document.getElementById('processbutton'); if (submitbutton) {submitbutton.disabled = true;}} return true;" action="/page/contribute/splashd1_exp" method="post" id="contribution">
<input name="_qf__contribution" type="hidden" value="" />
<input name="ip_addr" type="hidden" value="[My address removed]" />
While it is the case that the ip_addr field correctly showed my address, there is nothing that would prevent me from changing that field when I submit the form. Any expert in the field knows a form can be submitted without a browser, with hidden or visible fields changed in any way the submitter likes, which means if the Obama campaign is using this field, they are knowingly allowing people to falsify their address.
What if they aren’t using that address, you ask? Well if they weren’t using it, why put that input in? There’s no reason at all to put that field into the form unless it was being used to store that address in a database with the rest of the information on the donation, instead of using the unfalsifiable* actual source address received due to how the Internet works.
Am I assuming malice where incompetence could be an excuse? No. How am I sure? If the people who made the donation form did not know how to extract an IP address from an HTTP request, they would not have been able to put my IP address into the form just now, as I quoted above. If they knew how to do it when sending the form, they knew how to do it when receiving the form. Therefore, using the data in the form was an intentional choice.
There is no excuse. The Obama campaign welcomes fraudulent donations. Republicans would be wise to remember that when looking at how much money the campaign is taking in, and must not be cowed. The FEC also now has a duty to investigate this, because the Obama campaign is simply not fulfilling its duties under the law and the relevant regulation. The fact that this is technology newer than the Self-Addressed Stamped Envelope must not be allowed to be an excuse.
* Yes, proxies can technically falsify a source address, but I would not hold them accountable for that. However the Obama campaign isn’t even making fraudsters use a proxy.