Data and civil liberties: CellHawk helps law enforcement visualize large quantities of information collected by cellular towers and providers

Sam Richards, Intercept, December 23 2020

UNTIL NOW, the Bartonville, Texas, company Hawk Analytics and its product CellHawk have largely escaped public scrutiny. CellHawk has been in wide use by law enforcement, helping police departments, the FBI, and private investigators around the United States convert information collected by cellular providers into maps of people’s locations, movements, and relationships. Police records obtained by The Intercept reveal a troublingly powerful surveillance tool operated in obscurity, with scant oversight.

CellHawk’s maker says it can process a year’s worth of cellphone records in 20 minutes, automating a process that used to require painstaking work by investigators, including hand-drawn paper plots. The web-based product can ingest call detail records, or CDRs, which track cellular contact between devices on behalf of mobile service providers, showing who is talking to whom. It can also handle cellular location records, created when phones connect to various towers as their owners move around.

Such data can include “tower dumps,” which list all the phones that connected to a given tower — a form of dragnet surveillance. The FBI obtained over 150,000 phone numbers from a single tower dump undertaken in 2010 to try and collect evidence against a bank robbery suspect, according to a report from the Brennan Center for Justice at NYU.

Police use CellHawk to process datasets they routinely receive from cell carriers like AT&T and Verizon, typically in vast spreadsheets and often without a warrant. This is in sharp contrast to a better known phone surveillance technology, the stingray: a mobile device that spies on cellular devices by impersonating carriers’ towers, tricking phones into connecting, and then intercepting their communications. Unlike the stingray, CellHawk does not require such subterfuge or for police to position a device near people of interest. Instead, it helps them exploit information already collected by private telecommunications providers and other third parties.

CellHawk’s surveillance capabilities go beyond analyzing metadata from cellphone towers. Hawk Analytics claims it can churn out incredibly revealing intelligence from large datasets like ride-hailing records and GPS — information commonly generated by the average American. According to the company’s website, CellHawk uses GPS records in its “unique animation analysis tool,” which, according to company promotional materials, plots a target’s calls and locations over time. “Watch data come to life as it moves around town or the entire county,” the site states.

The tool can also help map interpersonal connections, with an ability to animate more than 20 phones at once and “see how they move relative to each other,” according to a promotional brochure.

The company has touted features that make CellHawk sound more like a tool for automated, continuous surveillance than for just processing the occasional spreadsheet from a cellular company. CellHawk’s website touts the ability to send email and text alerts “to surveillance teams” when a target moves, or enters or exits a particular “location or Geozone (e.g. your entire county border).”

On its website, Hawk Analytics claims this capability can help investigators “view plots & maps of the cell towers used most frequently at the beginning and end of each day.” But in brochures sent to potential clients, it was much more blunt, claiming that CellHawk can help “find out where your suspect sleeps at night.”


A screenshot showing the previously more honest version of their marketing.

Screenshot: Sam Richards

Data Sharing and Loose Regulation in Minnesota

The sheriff’s office in Hennepin County, Minnesota, which includes Minneapolis, certainly seemed impressed after it started using the software in early 2015. One criminal intelligence analyst lauded CellHawk’s ease of use in a February 2016 email comparing the subscription software to a competing tool. “CellHawk is pretty new and a lot cheaper! The great thing about cellhawk is that it is ‘hands off’ by the user, as the software does everything for you. It is drag and drop. The software can download calls from all major phone companies. The biggest selling point is of course the mapping. it also has animation, which is cool!”

Hennepin County Sheriff’s Office uses CellHawk as part of an effort to share intelligence through a Minnesota fusion center known as the Metro Regional Information Center, which brings together the FBI and eight counties serving up to 4 million people, according to the St. Cloud Times. In February 2018, the latest year for which The Intercept obtained HCSO invoices, the sheriff’s office renewed its annual subscription, providing the capability to store 250,000 CDRs.

A spokesperson for the sheriff’s office, Andrew Skoogman, said the office used certain CellHawk features infrequently. For example, it is “extremely rare” for HCSO to analyze tower dumps, he said, and “fairly rare” for it to use CellHawk’s automated location alerting service, which is used “based in the analytical needs of the investigator.”

The telecommunications data at the heart of CellHawk is shared extensively by providers. For example, Verizon in 2019 received more than 260,000 subpoenas, orders, warrants, and emergency requests from various U.S. law enforcement entities, including more than 24,000 for location information. But the legal requirements for obtaining that information are sometimes unclear. The American Civil Liberties Union in 2014 called the legal standards related to tower dumps “extremely murky.” A 2018 Brennan Center report stated that the courts were “split” on the handling of such dumps, with some lower courts allowing access to the data using a court order, which under the Stored Communications Act is obtained using a lower evidentiary standard than a warrant, requiring only “reasonable grounds to believe” the records are relevant to an ongoing investigation. Location records particular to a given subscriber, meanwhile, can be obtained with just a court order — unless they span seven days or more, in which case police need to get a full warrant, according to a 2018 Supreme Court ruling. Courts have also been divided on whether police need a court order or warrant to obtain “real-time” cellular location data.

Hennepin County defined its own legal standards to rely upon in deploying technology like CellHawk. These were articulated in a sheriff’s office policy document dated August 2015 — months after CellHawk was already in use. The document, titled “Criminal Information Sharing and Analysis,” was released following a data request that was initiated in 2018 and fulfilled several years later following the election of a new sheriff. It stated that the office needed “[r]easonable suspicion,” which was deemed “present when sufficient facts are established to give … a basis to believe that there is, or has been, a reasonable possibility that an individual or organization is involved in a definable criminal activity or enterprise.”

The policy does not say that investigators must receive approval from a judge to retain information. Skoogman did not respond to The Intercept’s question about what legal standard is applied to the collection of CDRs.

Chad Marlow, senior advocacy and policy counsel for the ACLU, when asked to review Hennepin County’s CellHawk policy, said the CellHawk technology was “not inherently problematic” but that the county set a low standard for how it handles the collection of CellHawk data. Requiring “reasonable suspicion” is a typical threshold for traffic stops, not for intrusive searches, which require probable cause. CellHawk’s capabilities — combing through data from calls, texts, ride-hailing applications, etc. — are patently more intrusive than a traffic stop. Beyond that, Marlow said, the county’s “definition of reasonable suspicion is bizarrely convoluted” and should require that investigators “have to have a reasonable basis for a crime being committed not MAY BE being committed.”

Hennepin County’s policy continued:

Criminal intelligence information shall be retained for up to five years from the date of collection of use, whichever is later. After that time, this information shall be deleted unless new information revalidates ongoing criminal activities of that individual and/or organization. When updated criminal intelligence information is added into the file on a suspect individual or organization, such entries revalidate the reasonable suspicion and reset the five year standard for retention of that file.

The policy empowers HCSO investigators to scoop up this data and retain it for five years based on a fairly low legal standard.

And while this policy says the sheriff may not retain information based “solely” on support for “unpopular causes” or an individual’s “race, gender, age or ethnic background” and “personal habits and/or predilections that do not break any laws or threaten the safety of others” — mentioning activities covered by the First Amendment — if a crime were to occur during a protest, as is routine, that data is considered fair game by law enforcement. Under such low standards and with such a powerful surveillance utility, it wouldn’t take long to map out the social network of an entire protest movement.

For instance, during a protest outside a detention center in downtown Minneapolis to show solidarity with demonstrations in neighboring Wisconsin following the shooting of an unarmed Black man by the Kenosha Police Department, Dave Hutchinson, the Hennepin County sheriff, said, “11 individuals were arrested and are being held on probable cause riot, damage to property and unlawful assembly,” according to an HCSO press release. Should the criminal intelligence investigators at the fusion center run those individuals’ information through CellHawk, it is not at all a stretch to say that the police would then possess a map of those individuals’ associations based on calls, texts, and other records. That map of social interactions could include thousands of activists who were not at all party to the crimes of which those 11 individuals are accused. Hawk Analytics markets such social network analysis as a primary feature.

When asked whether the use of CellHawk undermined the presumption of innocence — essentially reversing the investigative process, so that evidence comes first and suspicion of a specific crime after — Skoogman replied, essentially, that innocent people had nothing to fear. “People come under suspicion of having committed a crime based on information developed by investigators,” he wrote. “Based on evidence developed by those investigations, a suspect’s cell phone records may be obtained and analyzed. On occasion, that analysis has developed information suggesting that the suspect did not commit the crime under investigation. This is the investigative process. It is exactly why data is analyzed. To determine whether the data available supports continued focus on an individual as a suspect or perhaps rules them out.”


Screenshot from a Hawk Analytics promotional video displaying “link analysis,” which reveals a large network of “co-conspirators and associates” in a matter of seconds. Running more data points, in this case cellphone numbers, through CellHawk likely exponentially expands the number of other individuals roped into an investigation.

Screenshot: The Intercept

Deployed — and Promoted — Across the Country

Hawk Analytics CEO Mike Melson, whose bio on the company website describes him as a former NASA engineer, offers free trials to law enforcement organizations to which he hopes to sell his product. Additionally, Melson has worked as an expert witness, ready to testify on behalf of prosecutors. His testimony sometimes appears in local news outlets without mention of the fact that he is the CEO of the company that could stand to financially benefit, albeit indirectly, from a conviction. Hawk Analytics failed to comment on the record after multiple attempts were made over the phone and by email.

In December 2013, Heather Elvis went missing from her South Carolina home after becoming embroiled in a lovers’ quarrel. Several years later, an 11-day trial resulted in two 30-year sentences for one Tammy Moorer. During the second day of that trial, Melson made an appearance as “an expert witness when it comes to analyzing cell phone data,” according to WBTW News 13. The station did not include that Melson was intimately involved in the creation of software that helped connect the dots in this case.

Additionally, according to reports from Northern Virginia, Hawk Analytics was reimbursed for their expert services which led to “the prosecution of a man convicted of first-degree murder in the 2017 shooting death of a … CVS store manager.” For their “cellular data analysis and two days of expert testimony,” Hawk Analytics was paid $8,175. That certainly isn’t a windfall, but it rivals the amount made from the sale of a small number of CellHawk subscriptions, and it effectively compounds revenue streams from multiple sides of the criminal justice system.

CellHawk is not the only technology that investigators in the Twin Cities use to process intelligence about suspects and others. Hennepin County and their law enforcement partners use automated license plate readers; stingrays and competing, similar devices; aerial surveillance; and social media intelligence, among other spy tech. CellHawk alone is powerful — but added to the area police’s already expansive arsenal, it tips local law enforcement toward becoming more like intelligence agencies than municipal cops.

Lengthy data retention policies and the power of these surveillance tools create a litany of frightening possibilities for overreach and abuse. While HCSO has acknowledged its use of some of these tools, it has not released any public reports on its use of CellHawk. Rachel Levinson-Waldman, deputy director of the Brennan Center’s liberty and national security program, who reviewed Hennepin County’s policy, said, “The reference to use is concerning, since that could significantly expand the time for retention.”

Minnesota state law requires an individual whose electronic device was subject to a tracking warrant be notified within 90 days if that evidence did not end up in court. This “tracking warrant” law has been on the books since 2014 and yet, judging from press reports in recent years, it’s not clear anyone in the state has ever received such a notice or if a tracking warrant has ever been unsealed by the courts. The law seems to have been thwarted in part by police avoiding warrants and obtaining instead court orders under the much lower “reasonable suspicion” standard. This, despite the fact that Minnesota law clearly states, under a subdivision titled “Tracking warrant required for location information,” that “a warrant granting access to location information must be issued only if the government entity shows that there is probable cause the person who possesses an electronic device or is using a unique identifier is committing, has committed, or is about to commit a crime.”

Julia Decker, policy director for the ACLU of Minnesota, said that “there doesn’t seem to be oversight” for the use of CellHawk in the state, even though surveillance should get oversight of “the highest standard possible.” She also said that Hennepin’s policy to retain CellHawk and similar data for five years raises the potential for harm to civil liberties.

“I think this highlights how the rapid development of surveillance tech outstrips existing laws, and how that can be really problematic,” said Decker. “Without oversight/regulation, powerful surveillance technology is integrated into already-existing investigatory frameworks, instead of being examined and considered beforehand for its potential to actually expand or push the limits/bounds of those frameworks and encroach on civil liberties. … In this moment of talking about police reform, use of surveillance tech needs to be part of the discussion.”

Hawk Analytics has many clients around the United States. This reporter conducted a survey using the Freedom of Information Act to collect invoices for CellHawk subscriptions from agencies referenced on CellHawk’s website, referred to in CellHawk’s training sessions, or mentioned in local news reports. He found numerous agencies fielding the technology: Atlanta and Fayette County, Ga.; Kansas City, Kan.; Franklin County, Va.; Utah County, Utah; Fort Collins, Colo.; Hidalgo County, Texas; Orange County, Calif.; and, of course, the FBI all have paid for CellHawk in the last several years. The Madison, Wisconsin, police department appears to have thousands of potential CellHawk records from 2018 alone but has demanded close to $700 to examine and provide them.


SolarWinds Hack of Utilities

December 24 2020, 12:33 p.m.

THE HACKING CAMPAIGN that infected numerous government agencies and tech companies with malicious SolarWinds software has also infected more than a dozen critical infrastructure companies in the electric, oil, and manufacturing industries who were also running the software, according to a security firm conducting investigations of some of the breaches.

In addition to the critical infrastructure companies, the SolarWinds software also infected three firms that provide services for such companies, says Rob Lee, CEO of Dragos, Inc., which specializes in industrial control system security and discovered some of the infections.

The service companies are known within the industry as original equipment manufacturers, or OEMs. They sometimes have remote access to critical parts of customer networks, as well as privileges that let them make changes to those networks, install new software, or even control critical operations. This means that hackers who breached the OEMs could potentially use their credentials to control critical customer processes.

“If an OEM has access to a network, and it’s bi-directional, it’s usually for more sensitive equipment like turbine control, and you could actually do disruptive actions,” Lee told The Intercept. “But just because you have access doesn’t mean you know what to do or how to do it. It doesn’t mean they can then flip off the lights; they have to do more after that.”

But compromising an OEM does magnify the potential risks to infrastructure.

“[I]t’s particularly concerning because … compromising one OEM, depending on where you compromise them, could lead to access to thousands of organizations,” said Lee, a former critical infrastructure threat intelligence analyst for the NSA. “Two of the … OEMs that have been compromised … have access to hundreds of ICS networks around the world.”

Lee notes that in some cases the OEMs don’t just have access to customer networks — they actually directly infected their customers with the SolarWinds software. That’s because some of them use SolarWinds not just on their own networks, but also have installed it on customer networks to manage and monitor those, sometimes without the customers being aware this was done.

Lee wouldn’t identify the OEMs and doesn’t know if the SolarWinds hackers took an interest in them.

SolarWinds was compromised in March, modified with a so-called “backdoor” to provide an attacker access to the network of anyone who downloaded it. Government officials have linked the hack to Russia. The backdoor, which security researchers at cybersecurity company FireEye have dubbed SUNBURST, gathers information about the infected network, then waits about two weeks before sending a beacon to a server owned by the hackers, along with information about the infected network, to signal that the infected system is open for them to surreptitiously enter. The hackers would have used that information to determine which targets they wanted to burrow into further. Once inside an infected system, the hackers could download more malicious tools and steal employee credentials to gain access to more critical parts of the network — collecting information or altering data or processes there.

Kevin Mandia, CEO of FireEye, has said the attackers only entered about 50 of the thousands of entities that were infected with the backdoor.

Lee said the infections in the critical infrastructure sector occurred not just on companies’ IT networks but also sometimes on actual industrial control system networks that manage critical functions.

There is currently no evidence, however, that the hackers used the backdoor in the SolarWinds software to gain access into the 15 electric, oil, gas, and manufacturing entities that were infected with the software. But Lee notes that it may not be possible to uncover such activity if the attackers did access them and burrow further into the industrial control networks, because critical infrastructure entities generally don’t do extensive logging and monitoring of their control system networks.

“In these ICS networks, most organizations don’t have the data and visibility to actually look for the breach,” says Lee. “So they might determine if they are compromised, but … almost none of them have network logs to … determine if there is follow-on activity [in their network].”

He says all of the infected companies are “doing the necessary hunting and [are] assuming they are compromised.” But without logging to catch the infection and track the hackers’ movements through the network, the companies have to hunt for what looks like malicious behavior. “And this is an adversary that burrows in deep and is very very hard to root out.”

If the hackers came in through the infected OEMs instead, using those companies’ credentials and privileged access, it could be even more difficult for OEM customers to spot the hackers’ activity since it would look legitimate.

Dragos notified the three OEMs that they were infected, as well as government officials and officials in President-elect Joe Biden’s incoming administration. An alert published last week by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency noted that critical infrastructure entities were compromised by SolarWinds software, but didn’t indicate which industries were affected and didn’t note that this included the OEMs for critical infrastructure.

Internal computer internet servers are seen at the Telvent GIT SA company headquarters in Madrid, Spain, on Tuesday, July 19, 2011.

Photo: Denis Doyle/Bloomberg via Getty Images

Potential Operations Against a “Pretty Resilient” U.S. Power Grid

It’s not the first time an OEM in the industrial control system has been hacked. In 2012, hackers believed to be from China breached an OEM called Telvent and stole engineering drawings and accessed files used to program industrial control systems. Telvent is a division of Schneider Electric that is headquartered in Spain, but its software is used in oil and gas pipelines across the U.S. and Canada, as well as some water control system networks. The breach raised concerns at the time that the hackers could have embedded malicious code in the software to infect customer control systems.

“When you look at industrial networks, many people still believe them to be highly segmented, but that only means segmented from the” corporate enterprise network, Lee said. “While they might be segmented from the enterprise, they have a vast series of connections to OEMs and others who are connected to those networks for maintenance and other [purposes].”

The SolarWinds hacking campaign came to light earlier this month when FireEye revealed that it had been breached by hackers who took software tools the company uses to find vulnerabilities in customer systems. The company then revealed days later that the intruders had gained access to their network using a backdoor that had been implanted in network monitoring software made by the Austin-based company SolarWinds. The software is used widely across government and industry to manage and monitor networks, and SolarWinds has revealed that up to 18,000 customers could have downloaded the infected code.

Investigators in the security community have said they have seen nothing to attribute the SolarWinds campaign to a particular known hacking group or nation, but officials in the government have attributed the operation to Russia, though they haven’t indicated what has led them to this conclusion.

“It’s so many different people in the government [attributing this to Russia], you wouldn’t get this sort of statement if there wasn’t something there,” says James Lewis, a former government official who oversees cybersecurity programs at the Center for Strategic and International Studies. “[T]he forensic guys are looking at what’s left behind [on networks], and that may not be the best way to attribute something. Governments use other methods to look for attribution. So the fact that the forensic people haven’t discovered it isn’t determinative; they don’t have the full picture.”

Russia has denied responsibility for the hacking operation.

The scope of the hacking operation is still unknown, but so far reports indicate that the departments of Homeland Security, Commerce, and the Treasury; at least two national laboratories; the Federal Energy Regulatory Commission; and the National Nuclear Safety Agency, which maintains the nation’s stockpile of nuclear weapons, were all infected. Microsoft, Cisco, and Intel are among those in the tech sector that were also infected. A number of the intrusions at government agencies went beyond merely being infected by the SolarWinds malware. Sen. Ron Wyden revealed this week that the hackers were able to read and steal emails of some of the top officials at the Treasury Department.

Currently, the campaign is being characterized by security professionals and government officials as an espionage operation. But the compromise of critical infrastructure could have put the hackers in a position to do more than simply steal data, if they wanted to do so. Although there is currently no evidence this was or would have been their intention, Russia has a history of engaging in disruptive operations in critical infrastructure.

In 2015, Russia hacked several Ukrainian power distribution plants and took out power for about 230,000 customers for up to six hours in some cases, in the middle of winter. They repeated their operation again in Ukraine in 2016, taking out power to some customers for about an hour, and also struck the State Administration of Railway Transport, which manages Ukraine’s national railway system. The operations led experts to conclude that the Russians were using Ukraine as a test bed to refine hacking techniques that could be used in other countries, such as the U.S.

On Sunday, speaking on CNN’s “State of the Union,” Sen. Mitt Romney said, “What Russia has done is put in place a capacity to potentially cripple us in terms of our electricity, our power, our water, our communications.” He continued, “This is the same sort of thing one can do in a wartime setting, and so it’s extraordinarily dangerous, and it’s an outrageous affront on our sovereignty and one that’s going to have to be met with a very strong response.”

But Suzanne Spaulding, former undersecretary for the Department of Homeland Security who led the division that oversees critical infrastructure security, cautions that the intentions of the SolarWinds adversary are still unknown, and even if they breached networks in the electric, oil, and gas industries, this isn’t the same as having the ability to cause disruption or damage.

“But you can [still] get a lot of information … that can help you to plan a truly disruptive attack,” she noted. Because the hackers in the SolarWinds campaign were also able to breach FERC, this could have provided them with information on vulnerabilities and security measures in the U.S. grid that they could later leverage for an attack. She points to the 2015 Russian hack of the Ukrainian distribution plants: The hackers were in the plant networks at least six months doing reconnaissance to understand the equipment and how it worked before taking out the power in December that year.

But even an attack aimed at disrupting the U.S. electric grid would be limited in its effect, she notes.

“It’s hard to have a really impactful attack, particularly on our electric grid, which is pretty resilient,” she said. “[But] we don’t know that that’s what they’re doing.”

In the past, when Russian hackers have targeted the oil and gas industry in hacking operations, Spaulding said the U.S. government assessed that they may have just been looking for information that could make their own oil and gas industry more efficient. “So I don’t think that we can know that their objective here is reconnaissance for being in a position to potentially disrupt critical infrastructure,” Spaulding said. “I do think that we should always, for planning purposes, assume that and take measures to reduce the damage that could be done. But we can’t know that [this is their intention]. And there’s a difference between assuming that for planning purposes and for mitigation, and assuming that for a [U.S. government] response to Russia.”

Spaulding says this doesn’t mean anyone should take the SolarWinds campaign lightly.

“I don’t think this is just traditional spy vs. spy espionage. This is of a scale and scope that really is beyond traditional espionage,” she said. “Particularly because we have been told that over half the victims were not government, but were private sector. And if it’s critical infrastructure, not just defense-industrial base, that is not traditional kinds of espionage and that’s very serious.”

Lee cautions that there is no indication yet that the SolarWinds hacking campaign is anything other than espionage at the moment, but just being in critical infrastructure networks gives the adversary potential political power they might not otherwise have. “I’m thinking about president-elect Biden. The last thing I want him to have to worry about is getting into international relation discussions with Putin or others and not knowing if a foreign adversary can turn their access [in these networks] into a foreign operation on key parts of the infrastructure.”

Although other intruders have been inside the U.S. electric grid before, Lee says this is different. If Iran or China compromises industrial control systems in critical infrastructure, “you assume they could [disrupt operations] but you don’t know [if they have the knowledge and ability],” Lee said. But if Russia is behind the SolarWinds attack, “Russia has shown an ability to go beyond access to disruption. So when they get access you no longer have the question could they use it? The question is how long would it take them and would they?”


DNC Involvement in Caucus Debacle


In a closed-session Iowa State Democrats meeting, members pushed for answers on the DNC’s role in the caucus debacle.

Jordan Chariton
December 23 2020, 9:14 a.m.

THE DEMOCRATIC NATIONAL COMMITTEE refused to cooperate with investigators and was “directly involved in the development process” of the infamous Shadow app ahead of the 2020 Iowa caucuses. That’s the conclusion of the former U.S. attorney leading the investigation into what went wrong during the first-in-the-nation caucuses, as relayed to the Iowa State Democratic Party in a closed-session meeting last week, according to a transcript of the meeting obtained by The Intercept.

“The DNC was directly involved in the development process,” Nicholas Klinefeldt, a former federal attorney appointed by President Barack Obama, told the Iowa Democratic Party state steering committee in the December 12 meeting about the findings of an investigation he led alongside former Iowa Attorney General Bonnie Campbell.

Klinefeldt’s revelation about the committee’s involvement counters the claim the DNC made immediately after the Iowa caucuses. Back then, the DNC claimed it had “absolutely no involvement” in the development or coding of the Shadow app, which was supposed to record and report caucus results.

When Third District state party member Kim Callahan asked investigators to expand on the DNC’s involvement, they failed to elaborate, simply confirming that the DNC wouldn’t cooperate with the investigation.

Without the DNC’s cooperation in the probe, investigators were hamstrung. “There seemed to be a great deal of culpability by the DNC,” Jim Bunton, a Third District Iowa state party member, said to Klinefeldt in the meeting. “There doesn’t seem to be a lot of cooperation from the DNC from what you’re saying. … How can we hope to have a better outcome next time around? Because the actor we can’t control is the DNC.”

In the closed-session state party meeting, Third District state party member Gabriel De La Cerda asked the attorneys leading the investigation if it was correct that the state party, and Shadow app, had the correct results on caucus night for the delegates won — 26.2 percent for Pete Buttigieg, and 26.1 percent for Bernie Sanders — and could have reported it if not for the DNC’s demand not to. Part of the delay was related to the party’s promise to, for the first time, release popular vote totals, which proved more difficult than tabulating delegates.

“On election night, we knew it was going to be a one-tenth percentage difference” between pledged delegates won, De La Cerda said. Klinefeldt conceded: “They were in fact the same as the results that were finally reported.”

In a statement to Politico, DNC spokesperson David Bergstein said, “Evaluating the nominating process always happens following the election so that DNC staff can remain focused on winning the general election, and this cycle that work helped contribute to President-Elect Biden’s historic victory.”

The DNC-mandated several-day delay in reporting results led Buttigieg to infamously declare victory without any actual results released, with the Sanders campaign claiming its internal results showed it had won the popular vote. The mainstream media elevated the former South Bend, Indiana, mayor’s victory narrative, boosting him in polls for the New Hampshire primary, set eight days after the Iowa caucuses.

“The whole thing didn’t feel right, the whole [DNC] intrusion into the Iowa process didn’t feel right,” James Zogby, a 28-year DNC member who supported Bernie Sanders’s candidacy, told The Intercept.

The DNC’s meddling, which included a last-minute demand that developers of the Shadow app create special software that would allow the DNC real-time access to the raw numbers before they went public, didn’t sit well with Zogby.

“Why would [the DNC] need to see that?” Zogby said about the DNC’s insistence on access to the raw caucus results before they went public. “Why wouldn’t you trust the state party to make the determination?”

In the transcript from the closed-session meeting held by the state party, members suggested that the DNC’s goal was to strip Iowa of its prestigious first-in-the-nation status.

“I think we’re all aware that the DNC wants us to no longer have first-in-nation status specifically with caucuses,” De La Cerda said, before asking the attorney in charge of the investigation a question about the legality of potentially changing the Iowa caucuses to a ranked-choice voting system in the future.

In the meeting, attorneys Klinefeldt and Campbell stressed their review didn’t “use any sort of legal compulsory process” to obtain documents or other information in this case. When Second District state party member Wesley Clemens asked if the attorneys had looked into any financial records as part of their inquiry, the attorneys said they looked at contracts between the Shadow app and others. The Shadow app was developed by veterans of Hillary Clinton’s 2016 campaign. Buttigieg’s campaign used the firm Shadow Inc. as a vendor, paying the developer $42,500 for text messaging software.

State party members received the caucus report at the beginning of the closed-session meeting; soon after, before they could read it, details of it were published by Politico.

“We’re already getting information from the press that the report, as I feared, would be [leaked] as soon as it was released to the State Central Committee,” state party Chair Mark Smith said. First District state party member Lindsey Ellickson later added, “It’s been two minutes since we got the report, so I feel like the report had to have been leaked honestly even before this.”

A state party source told The Intercept that the refusal of high-ranking DNC executives, including Chair Tom Perez, to cooperate undermined the credibility of the caucus investigation. State members also suspect that DNC members leaked details of the report to Politico before state party members received it.

“Without knowing exactly who at the DNC, or how that went, I think the DNC has to work with the state party in Iowa to figure out what didn’t work in terms of that app and also what’s a good process for 2024 so that small states have representation and not just large states like California,” Larry Cohen, board chair of progressive group Our Revolution, told The Intercept.

On January 23, the Iowa State Democratic Party will hold elections for a new chair; Smith, who took over after Chair Troy Price resigned a week after the caucuses, said he will not seek reelection. Perez also has announced plans to step down as DNC chair.


The high-profile liberal firm Acronym is denying it played a role in the Iowa caucus debacle. But Acronym and the app developer, Shadow, are deeply intertwined.

Lee Fang
February 4 2020, 1:34 p.m.

DEMOCRATIC OPERATIVE Tara McGowan is denying that her high-profile liberal firm ACRONYM played a role in the Monday evening caucus debacle, claiming that her firm was merely an investor in the company Shadow Inc., which developed the app at the center of the controversy. But internal company documents, a source close to the firms, and public records show a close and intertwined relationship between Acronym and Shadow.

In addition, ahead of the caucuses, questions swirled inside Shadow over the company’s ability to deliver a quality product, and there was concern from at least one staff member that senior leaders of Shadow and Acronym — both of which were launched as a new Democratic bulwark against President Donald Trump — have been far from neutral in the Democratic primary.

Throughout the caucus yesterday, Democratic officials reported widespread problems downloading the app and inconsistencies uploading caucus results, leading to the Iowa Democratic Party’s decision to take the unusual step of delaying the release of the results. This is the first year the app was used, and ahead of the caucuses, the Iowa Democratic Party asked that the app’s name be kept secret. The New York Times reported that “its creators had repeatedly questioned the need to keep it secret.”

Kyle Tharp, a spokesperson for Acronym, released a statement on Monday night downplaying his company’s affiliation with Shadow.

“ACRONYM is an investor in several for-profit companies across the progressive media and technology sectors,” Tharp said. “One of those independent, for-profit companies is Shadow, Inc, which also has other private investors.”

David Plouffe, a former campaign manager to Barack Obama’s 2008 presidential bid who joined Acronym’s board, also distanced himself from the company during an MSNBC panel last night. “I have no knowledge of Shadow,” said Plouffe. “It was news to me.”

But previous statements and internal Acronym documents suggest that the two companies, which share office space in Denver, Colorado, are deeply intertwined.

Last year, McGowan, a co-founder of Acronym, wrote on Twitter that she was “so excited to announce @anotheracronym has acquired Groundbase,” a firm that included “their incredible team led by [Gerard Niemira] + are launching Shadow, a new tech company to build smarter infrastructure for campaigns.” McGowan also noted that “With Shadow, we’re building a new model incentivized by adoption over growth.” The acquisition was announced in mid-January of last year.

In an interview on a related podcast last month, McGowan described Niemira as “the CEO of Shadow, which is the technology company that Acronym is the sole investor in now.”

What’s more, internal documents from Acronym show a close relationship with Shadow. An internal organizational chart shows digital strategy firm Lockwood Strategy, FWIW Media, and Shadow as part of a unified structure, with Acronym staff involved in the trio’s operations.

In an all-staff email sent last Friday, an official with Lockwood Strategy reminded team members about “COOL THINGS HAPPENING AROUND ACRONYM.” The list included bullet points such as, “The Iowa caucus is on Monday, and the Shadow team is hard at work,” and “Shadow is working on scaling up VAN integration with Shadow Messaging for some Iowa caucus clients.” (VAN refers to the widely used Democratic voter file technology firm.) Acronym staffers also attended the Shadow staff retreat.

A person with knowledge of the company’s culture, who asked to remain anonymous for fear of reprisal, shared communications showing that top officials at the company regularly expressed hostility to Sen. Bernie Sanders’s supporters. McGowan is married to Michael Halle, a senior strategist with the Buttigieg campaign. There is no evidence any preference of candidates had any effect on the coding issue that is stalling the Iowa results.

The Iowa Democratic Party and the Nevada Democratic Party retained Shadow to develop its caucus app. Shadow has also been retained for digital services by Buttigieg’s and Biden’s campaigns.

Acronym launched with a promise to compete with the Trump campaign’s strong emphasis on digital media, launching Democratic messages through paid advertisements on Facebook and other platforms. But the source said the company in many ways was woefully unprepared for the many challenges it had taken on, including the Iowa caucus app.

A precinct captain for Sanders, who requested anonymity because they were not authorized to talk to the press, confirmed that the rollout was rushed. “We didn’t know about the app until like a month ago. And we didn’t have access to the app until like three days ago,” the source said.

“This app has never been used in any real election or tested at a statewide scale and it’s only been contemplated for use for two months now,” David Jefferson, who also serves on the board of Verified Voting, a nonpartisan election integrity organization, told the New York Times.

Federal campaign finance records show that the Iowa Democratic Party and the Nevada Democratic Party retained Shadow to develop its caucus app. Shadow has also been retained for digital services by Buttigieg’s campaign, which paid the company $42,500 for software-related services last July, and by Joe Biden’s campaign, which paid Shadow $1,225 for text messaging services, last July as well.

Shadow was launched by former staffers to Hillary Clinton’s 2016 presidential campaign, including Niemira, Krista Davis, Ahna Rao, and James Hickey, according to professional biographies listed on LinkedIn. Shadow did not respond to a request for comment.

Acronym, which includes a hybrid model of a 501(c)4 entity that does not disclose donors and a Super PAC that does, has been a favorite for deep-pocketed Democratic donors. Donald Sussman, the founder of Paloma Partners, and Michael Moritz, a partner at Sequoia Capital, each donated $1 million to Acronym last year. Filmmaker Steven Spielberg gave $500,000. Investor Seth Klarman, once a major donor to Republican causes, gave $1.5 million to Acronym.

Acronym appears to have deleted portions of its website showcasing its involvement in Shadow. “ACRONYM is thrilled to announce the launch of Shadow, a new technology company that will exist under the ACRONYM umbrella and build accessible technological infrastructure and tools to enable campaigns to better harness, integrate and manage data across the platforms and technologies they all use,” wrote Niemira in a now-deleted blog post.

This morning, William McCurdy II, the chair of the Nevada Democratic Party, released a statement announcing that the party will not be using the Shadow app for its February caucus.

“NV Dems can confidently say that what happened in the Iowa caucus last night will not happen in Nevada on February 22nd. We will not be employing the same app or vendor used in the Iowa caucus,” said McCurdy. “We had already developed a series of backups and redundant reporting systems, and are currently evaluating the best path forward.”