See below for an update.
The United States has just endured a two-year investigation into alleged collusion between the Trump campaign and Russia. Democrat leaders in Congress and 2020 presidential candidates have not only accused Trump of colluding with and being improperly influenced Russia, but they have also raised money off these claims. But, every single Democrat candidate for president in 2020 is using a donation portal called ActBlue, which has, for years now, been under fire for not incorporate basic, industry-standard fraud protections for its credit card donations, which makes it easy for foreign and illegal donations to be made.
ActBlue is a nonprofit technology organization established in June 2004 and based out of Somerville, Massachusetts. ActBlue “enables Democrats, progressive groups, and nonprofits to raise money on the Internet by providing them with online fundraising software.” According to their website, as of today, they’ve helped raise more than $3 billion for Democrat/progressive candidates and causes since their founding.
ActBlue’s lack of industry-standard protections has been known for years. In 2008, Michelle Malkin reported on ActBlue’s “flagrant disregard for online security,” which, even a decade later, has not been fixed. Last year, the New York Post reported that left-wing actress Rosie O’Donnell used multiple New York addresses with variations of her name to make donations in excess of the legal limit to at least five different Democrat candidates—using ActBlue’s donation portal. ActBlue was not requiring a Card Verification Value (CVV) number, or using the Address Verification System (AVS) while processing donations.
Using the most up-to-date list of declared Democrat presidential candidates and candidates with exploratory committees, I visited each campaign’s/committee’s official websites and verified that every single candidate is using ActBlue as their donation portal.
With years of publicity of ActBlue’s noncompliance in using basic industry standard anti-fraud protections, the final question is whether they have, for the 2020 election cycle, finally started incorporating, at a minimum, CVV and AVS technology to ensure foreign and illegal donations aren’t being made through their system and into the campaigns of presidential candidates. To test this, I went to Cory Booker’s campaign site, and attempted to make a donation through his ActBlue donation portal.
The donation page where I could determine the size of my contribution featured the following notice:
1. I am a U.S. citizen or lawfully admitted permanent resident (i.e., green card holder).
2. This contribution is made from my own funds, and funds are not being provided to me by another person or entity for the purpose of making this contribution.
3. I am making this contribution with my own personal credit card and not with a corporate or business credit card or a card issued to another person.
4. I am at least eighteen years old.
5. I am not a federal contractor.
First I clicked on the Donate button to enter the donation portal and set my donation amount at $2.00. Then it asked for my details.
I used the name “Iam Spartacus”, with an email address created just for the purpose of this test. For my address, I used a random Chick-Fil-A restaurant in the state of Florida. I also included as my occupation “Thracian gladiator” and employer “Roman Republic.” All completely bogus information. After this step, it asked for my payment information. I used my real credit card number, which, I should point out, is linked to my New York state home address—if any AVS was in place, the attempted donation would not have worked. I can’t even fill up my gas tank without verifying my zip code, and if I enter an incorrect number the transaction will not process. From the start, things didn’t look good for ActBlue. You will see from the screenshot below they do not ask for the CVV number, just the expiration month and year.
The next page asked me to leave a tip to ActBlue. I did not leave a tip.
Then I got a pop-up window asking that I make my donation a monthly donation. I did not.
And then I clicked on.
The payment was accepted. Not only did it accept my bogus information, and not ask for a CVV number, but there is also no Address Verification System in place, otherwise it would have flagged the Florida-based zipcode as not being linked to my credit card, which is linked to a New York State zip code.
I received a confirmation receipt about an hour later:
This test was repeated over at Elizabeth Warren’s ActBlue page, but, using Tor Browser to establish a France-based proxy IP address, to see if there were any attempts by ActBlue to flag the donation as a possible foreign donation. For this attempt, I used a different, but nonexistent address, with an invalid zip code (66666). The donation went through without a hitch.
ActBlue also allows for the use of PayPal to donate to campaigns—which is another easy way to enable foreign, and illegal excessive and straw donations. Since each 2020 Democrats’ campaign is using ActBlue, they are all similarly flawed.
To conclude this investigation, I went to Donald Trump’s campaign site to see whether his campaign has these basic security protocols in place. I found that his donation portal does require a CVV number, and only accepts credit card donations—no PayPal.
The Democrats’ fear-mongering over Russian collusion and influence over Donald Trump has definitely increased awareness and sensitivity with regard to foreign influence in the electoral process, but that awareness and sensitivity has not caused a single Democrat candidate for president to use a donation portal that uses basic industry standard safeguards to ensure they are only accepting legal donations from American citizens that are within campaign contribution limits. As noted above, the FEC requires every campaign make its “best efforts” to ensure proper collection of donor information, which, at a minimum means requiring a CVV number, to ensure the donor physically has the card, and AVS to verify that the donor is using a legitimate address that is tied to the card being used. None of the 2020 Democrat campaigns are doing this—even though they’ve got to be very much aware of the potential for fraudulent and foreign donations.
In 2012, serious questions were raised about Barack Obama’s fundraising and the possibility that his campaign was foreign and fraudulent donations. Unlike his general election opponent Mitt Romney, Barack Obama’s online donation page did not require the use of a Card Verification Value (CVV) number, nor did they in 2008, either. During that election cycle, a China-based Obama bundler “whose business is heavily dependent on relationships with Chinese state-run television and other state-owned entities,” purchased Obama.com, which redirected to Obama’s official campaign donation page. Nearly 70 percent of the domain’s traffic was foreign-based, and with the lack of anti-fraud technologies in place, it is likely this enabled foreign donations to Obama’s campaign, according to the report. Even if the Obama campaign didn’t deliberately exploit this loophole—though disabling CVV and AVS suggests they did—they were still responsible for making a legitimate effort to ensure the donations they were receiving were actually legitimate.
In 1999 the Federal Election Commission approved the practice of campaigns accepting donations via the Internet. To protect the integrity of the election process, the FEC requires every campaign to make its “best efforts” to collect identifying information on all contributors over $50. This identifying information must include the donor’s name, mailing address, date, and amount of contribution. For contributions over $200, campaigns are asked to also collect the name of employer and occupation.
That comes from a September 2012 report published by the Government Accountability Institute, following an eight-month long investigation, published a report called America the Vulnerable. You can download the entire GAI report here. The report gave four recommendations to ensure donations being made to campaigns are legal and not coming from foreign nationals. One recommendation was to require campaigns “to use industry-standard anti-fraud security technologies including, but not limited to, the Card Verification Value (CVV) and a rigorous Address Verification System (AVS).” While it’s clear that Republican candidates got the message, none of the Democratic candidates for president in 2020 seem at all concerned about potentially receiving foreign and other illegal types of donations because ActBlue, fifteen years after its founding, refuses to incorporate industry-standard fraud protections.
Update March 27, 3:22 p.m EDT: At approximately 7 a.m., I received an email from ActBlue:
Thanks for contacting ActBlue! This email is to confirm that we have refunded your contribution (reference #: [redacted]) made on 26 Mar 2019:
I never contacted ActBlue requesting a refund, and I’d already received a receipt for the donation, which I received approximately an hour after the donation was made. The $2.00 donation appears on my online banking statement as “Processing.” I have contacted ActBlue for a response. Further updates will follow.
Matt Margolis is the author of The Scandalous Presidency of Barack Obama and the bestselling The Worst President in History: The Legacy of Barack Obama. His new book, Trumping Obama: How President Trump Saved Us From Barack Obama’s Legacy, will be published in 2019. You can follow Matt on Twitter @MattMargolis