Then they trended downward — with ups and downs along the way — through Coleman’s concession on the last day of June.

The court battle itself offered occasions for Coleman to exploit for fundraising opportunities, and his recount committee augmented those by reaching out to potential contributors via email, video and his website.

But a major snafu put a bite into Coleman’s recount income in March, after donors learned that their financial data had been exposed in a database breach at colemanforsenate.com. The month started with a high of 43 individual donations for a total of $110,000, his fifth-best week. But four weeks later, after news of the leak had made national headlines, he took in only six checks, his fifth-worst week, for $21,500.

It was a turning point for Coleman’s fundraising methods: The campaign yanked the website’s online donation function, asking donors to mail in checks instead. (A U.S. Secret Service investigation into the data leak was still pending this month.)

Weekly receipts continued to rise and fall afterward but never again reached $100,000. The Coleman Minnesota Recount Committee reported receiving its last check on June 16: $10,000 from David Fisher, founder of the Gap.

Two weeks later, the Minnesota Supreme Court told Coleman it couldn’t help him close his 312-vote gap with Al Franken, and within hours Coleman was letting his supporters down gently, telling them his re-election efforts had reached the end of the runway.

Click to enlarge

The records the Coleman campaign kept on Franken fans are scattered within a vast database of nearly 50,000 contacts. A spreadsheet created by the secretive Wikileaks organization, which made the donor database available on the Web last month, contains several hundred comments apparently left at the Coleman campaign Web site.

Unlike the smaller donor database, the contacts’ data include no financial information — only names, mailing addresses, e-mail addresses, IP addresses and sometimes phone numbers.

About 800 of the records, including some duplicate entries, have the word “Franken” listed for “signup_type.” These appear to be contacts generated after Coleman placed a full-page ad in the Star Tribune in September 2007. Titled “‘Ridiculous,’” the ad takes Franken to task for using that word to describe a U.S. Senate vote that condemned MoveOn.org’s own full-page ad, titled “General Petraeus Or General Betray Us?”

Coleman’s ad asked readers to “Send Al Franken a message to condemn these ridiculous personal attacks on our military … Log on to www.colemanforsenate.com/ridiculous to find out how.”

Judging by the leaked data, most who logged on as instructed did use the opportunity to attack Franken. But a significant proportion had only praise for Franken and venom for Coleman:

Im writing from colemanforsenate.ridiculous Thanks for not being being a venomus (sic) hypocritical turd like norm “can’t even win st paul” coleman.

Future-Senator Franken: Thank you for not having a knee-jerk reaction to MoveOn.org’s ad. It’s not a matter of whether the ad is correct; it’s a matter of free speech and not using the ad for political posturing. Feel free to contact me for campaign work on your behalf.

Good Job Al Franken! You will get my vote… Keep it up!!

GOOD FOR YOU AL FRANKEN – YOU ARE NOT AFRAID TO SPEAK THE TRUTH!!! It is RIDICULOUS that NORM COLEMAN want so to censure FREE SPEECH in this country.

Dear Al, I am so glad that the Coleman campaign has given me this opportunity to tell you that I agree with you 100% . It is amazing that the people associated with the Swift boat campaigns can be so hypocritical!!. Coleman is the slimiest weasel ever to be a Senator from Minnesota, and it is rather nice that his mean spirted (sic) lackies (sic)  would take out a full page ad of this kind. … By the way — nice picture!!

Al, you are right on. I thank you for what you said. Thank you for being honest; thank you for standing up for the constitution and our right to dissent with this government administration.

Thank you for pointing out how riduculous (sic) this whole “General Betray Us” nonsense is. With thousands of American lives at risk and millions of dollars wasted in a stupid war in Iraq “to protect our freedom”, the US Sentate (sic) votes to condemn a newspaper ad and in the process condemning free expression in our own country. “RIDICULOUS” is exactly the right word.

Please don’t let this incredibly poor effort on the part of the Coleman camp deter you. It is ridiculous and you are right on. You have my vote. ps. it will be interesting to see if Colemanites send this message

Go, Al!! You were absolutely right. The entire situation was ridiculous. The Senate voting on an ad!! I’m so embarrassed to be represented by two Senators who don’t know that issue ads by groups with a bias are part of the political scene right now, that I would vote against both of them if the election were held tomorrow. … Al was right! Ridiculous!

Thanks, Al, for continuing to stand up for this country, against idiots like Norm Coleman, who can’t even get his email list correct. I wish you every success in your fight against the Bush/Cheney kleptocracy and the Republican idiocracy. I also wish you success in exposing and halting the shameful, immoral war of choice that Bush, Cheney, and the neocons have lied us into.

Hi Al, I saw Norm’s ad in the paper attacking you and thought I’d visit his site to add my two cents. On Normie’s bandwidth. I totally agree with you. While I’m not surprised by Norm’s ridiculous vote, I was disappointed that Amy Klobuchar followed suit. … Keep up the good work and good luck in your thrashing of Norm next November.

Norm Coleman is a disgusting excuse for a representative, who has colluded with the President and lobbyists, in blatant disregard of his constiuants (sic). Please continue to stand up to him.

Thanks Al for your principles. I’m going to your website now to send you money.

Dear Al: Thanks for all you do. I think it’s great to use Mr. Coleman’s weblink to say hi. The photo of you here looks as if you’re saying (appropriately) “Hey Norm! Pull my finger!”

Thank you Al for doing the right thing. I am a Republican who will vote for you in next year’s election because it is time we have a Senator who doesn’t folow (sic)President Bush and his corruption.

Among the dozen or so Franken supporters contacted by the Independent, not all recalled the “Ridiculous” ad, while others said they did, but only vaguely. A few said they suspected instead that they had landed in Coleman’s files via e-mails they had sent or comments they had submitted on other occasions. None seemed upset about their personal data being exposed, in part because Coleman’s online donors had suffered much more seriously from the breach.

“I believe we contacted Coleman via his SENATE web site asking him to vote against drilling in ANWR,” said John Pususta in an e-mail co-signed by Janine Holter. “We … were contacted by Wikileaks via email [about the breach] … We received no information from the Coleman office. … It distresses us that donor information was compromised. Lucky for us we did not donate to Mr. Coleman.”

Another Franken backer identified as A. Tagento said: “I have heard much about the leak, but did not realize that common constituents’ info was leaked in addition to that of donors to his campaign. I have not been contacted by Sen. Coleman or his people in regard to this leak.”

David Wunderlin said: “I had signed up for campaign news from Coleman during the election. Just to see what misinformation Coleman was spreading against the Democrats.”

Richards' appearance on The Rachel Maddow Show last week

Hacker. Unprofessional. Immoral. A “black hat” villain. For her role in finding Norm Coleman’s unsecured donor database in January, IT consultant Adria Richards has been the target of anger from Coleman supporters, including some who had their personal information revealed in the Web site breach. She received a phone call on Friday from one such man. The caller was irate, offering the vague threat, “I live less than a mile away from you!” She later calmed him down.

Despite the vitriol aimed her way, what Richards did wasn’t illegal, nor were the actions of the Web site Wikileaks.org, which received the database and shared its contents with the world — at least not if similar cases and the word of a top digital-rights lawyer, are any indicator.

Jennifer Granick is the civil liberties director for the Electronic Frontier Foundation (EFF), the country’s leading digital-rights advocacy group. She immediately dismissed the term “hacker” to describe anyone — whether Richards, who spotted and shared info about the unprotected database, or Wikileaks.org — in this case.

“It’s not a term I use,” she said. “It’s not a legal term and it doesn’t answer the question whether it’s unlawful.”

She looks to the federal law, particularly the Computer Fraud and Abuse Act, which deals with accessing sensitive data by unauthorized individuals for the purpose of defrauding others, aiding in criminal activity or causing damage to the contents of a “protected computer.”

Based on her knowledge of this case, as well as the law, Granick said it was legal for Richards to view the Web directory on which Coleman’s donor list resided.

“There has to be some kind of indication that information is locked away,” she said.

For comparison, she offered a similar story of politics and unprotected online information. In the 2006 gubernatorial election in California, aides to Democratic candidate Phil Angelides found personal audio files on Gov. Arnold Schwarzenegger’s Web site through “backward browsing”–shortening the URL for a page of the governor’s speeches to find a directory of files. The captured conversations, from a speech-writing session, included Schwarzenegger opining about a Latina city official’s “hot” temperament: “I mean, they [Cubans and Puerto Ricans] are all very hot…they have the, you know, part of the black blood in them and part of the Latino blood in them and together that makes it.”

Like Coleman’s donor list up until late on Jan. 28, the Schwarzenegger files were on an open directory: Users seeking to download the files were not asked to enter a password.

The California governor asked the California Highway Patrol (CHP), the agency in charge of protecting state property, to investigate the case. After a four-month study, they chose not to file charges, finding that Angelides’ staffers broke no law in downloading the audio files, and advised the governor’s office to improve the “overall security of their computer network.”

Civil courts have interpreted the Computer Fraud and Abuse Act in differing ways, though, said Granick. Some cases have tried to argue that the intent of the Web site’s creator should be considered. In Coleman’s case, the database’s listing of supporters’ credit card numbers and three-digit security codes could suggest that the site operator intended this information to be protected.

“But without any indication of any kind of blocking of information, it’s hard for a user to know what the owner wants,” Granick said. “The statute is really designed to protect the integrity of a computer system, not to protect the desires” of the site’s owner.

While Richards only pointed out that the security breach existed, Wikileaks.org published some of the database’s contents.

“I don’t think Wikileaks is in any danger here,” said Granick. “I’m not aware of something that prevents you from publishing information that you obtained legally as long as that publication isn’t part of a conspiracy or attempt at identity theft or crime.”

Regardless of how Wikileaks obtained the database — as long as the site was an “innocent receiver” of the information and didn’t solicit the data — there’s legal precedent protecting it. Granick said it’s part of a “long journalistic tradition,” including, most notably, the Supreme Court case ruling on the Pentagon Papers, a classified report on 20 years of U.S. political and military actions in Vietnam that was leaked in 1971.

“The law could not stop The New York Times from publishing it. And that’s national security information,” said Granick. “Wikileaks benefits from that tradition… Once it’s out, we let history decide if it’s better kept secret or not.”

“American law tries to be extremely narrow about what speech we prohibit,” she added. “It’s dangerous to punish the republication of information, especially if the publisher obtained the information legally. Even if you have info that was taken improperly, it may be of public concern.”

Some have questioned Richards’ motives as well as those of others who’ve reported on this story. Bob Collins at Minnesota Public Radio, for instance, questioned the ethics of crunching the numbers obtained from the Wikileaked spreadsheets. Before raising the topic with Smart Politics’ Eric Ostermeier, who looked at where Coleman’s funders live and what they do, he pondered whether there’s a “compelling public interest” in Wikileaks’ releasing partial information from the database.

Granick pondered these questions.

“It’s a really serious privacy concern… because many people perhaps contributed to the campaign anonymously or confidentially,” she said, referencing FEC rules that require candidates to disclose donors’ identities only after they they give more than $200 per election cycle. “That’s protected political speech. The First Amendment has long supported the right to this kind of speech.”

“But if the information’s up there and it’s published, people are going to want to check it and see if they’re in the database… There’s a legitimate reason for people to want to look at it.”

Critics and data security experts have suggested that the Coleman campaign erred when it failed to disclose an alleged breach of donor’s credit card information in late January.

Coleman authored the “Federal Agency Data Breach Protection Act,” which was introduced in the U.S. House in July 2007 and would have required “timely notice to be provided to those individuals whose sensitive personal information could be compromised as a result of such breach.” The bill didn’t get a hearing.

The bill reads:

Establishing policies, procedures, and standards for agencies to follow in the event of a breach of data security involving the disclosure of sensitive personal information and for which harm to an individual could reasonably be expected to result, specifically including —

(A) a requirement for timely notice to be provided to those individuals whose sensitive personal information could be compromised as a result of such breach, except no notice shall be required if the breach does not create a reasonable risk of identity theft, fraud, or other unlawful conduct regarding such individual;

Coleman’s Peachtree State supporter, Andrew Dempsey, says he gave twice. The first donation landed him on the database that the campaign left in a publicly accessible place on its Web site in January. His question for Coleman: Is his second donation, made in February with a different credit card, also cause for concern?

But all he gets at the number Coleman offered for worried donors to call with questions is a recorded message. (Other donors have expressed the same gripe to MnIndy.) So he called me to ask my opinion of his situation, since I was the one from whom he learned about the database breach on Wednesday.

In fact Dempsey still hasn’t received notification about it from Coleman, he says. He read Coleman’s donor message at the MnIndy Web site. It’s a failing that could yet get the Coleman campaign into hot water. State law requires organizations to notify anyone whose private information they hold whenever such data leaks are disclosed, but the campaign didn’t tell its donors after the January breach.

MnIndy continues getting return e-mails and calls after contacting  around 600 people listed on the database made public by Wikileaks.org this week. Many say our e-mail was the first they’ve heard of the data leak. We posted a sampling of reactions on Wednesday that we got by phone and e-mail — ranging from “I owe you” to “Go pound sand.”

Now Wikileaks is getting into the supporter-reaction business. Here’s an e-mail from Wikileaks.org received today by a person on Coleman’s database of supporters (as opposed to donors, a list that likewise leaked from the campaign site):

From: Wikileaks Press Office
Date: Fri, Mar 13, 2009 at 2:15 PM
Subject: Media inquiry, re: Senator Coleman leak
To: undisclosed-recipients

Dear Coleman subscriber. The national media would like your feedback in relation to the Senator Norm Coleman leak.

Your email address and personal details appear on a list of 51,000 Coleman supporters / donors / contacts accidentally released by the Coleman Campaign on January 28, 2009.

The list:

http://wikileaks.org/wiki/Senator_Norm_Coleman:_detailed_list_of_51%2C641_supporters_and_web-site_users%2C_28_Jan_2009

Background context:

http://wikileaks.org/wiki/The_Big_Bad_Database_of_Senator_Norm_Coleman

Uni of M. statistical analysis of leaked Coleman Donors:

http://wikileaks.org/wiki/Coleman%27s_Compromised_Donors:_Where_They_Came_From

You are on the list because you gave the Coleman for Senate Campaign your email address OR because Senator Coleman purchased your email address from another
mailinglist.

As you might be aware, the accidental leak by the Coleman Campaign has attracted national media interest this week:

http://news.google.com/news?pz=1&ned=us&hl=en&q=wikileaks&scoring=d

Several national news organizations, such as the AP, and local organizations in MN have asked us for your feedback. Rather than have the these organizations mail you and clutter your inbox, we have all agreed to to pool resources and ask you for this one-time comment.

We will publicly release all comments longer than one paragraph. If you ask for your comment to be anonymous, or “not for attribution,” your identity will be kept strictly confidential and removed before it is passed onto other media groups.

We will release all comments longer than one paragraph, ordered by quality of writing. No comments, provided they are over one paragraph will be excluded.

Q: What is your reaction to the Coleman leak?

Thank you, and have a nice weekend,

Jay Lim,
Wikileaks Press Office
Sunshine Press
Stockholm – Nairobi – Washington

Norm Coleman’s attorney, Fritz Knaak, stated Thursday that the campaign had “a high degree of confidence” that the late-January exposure of its unprotected donor database didn’t result in the loss of sensitive data. A day earlier, Knaak initially leveled the claim, noting that Secret  Service investigators looking into the database breach “did not discover that any individual had been able to obtain confidential, personal financial information.”

But this week’s news that Wikileaks.org had obtained the 4.3 gigabyte database casts doubt on that statement — and so does Bruce Schneier, the Twin Cities-based technology expert dubbed a “security guru” by The Economist. Reached by phone at a Washington, D.C., technology conference late Thursday, Schneier characterized the campaign’s claim as “complete and utter bullshit.”

“It’s impossible to make that claim,” he said. “Either they misunderstood what the [Secret Service] said or they’re out-and-out lying. How can you determine the absence of something happening?”

The Secret Service has confirmed for the Minnesota Independent that an investigation is under way but said it couldn’t comment on ongoing cases.

Schneier said he didn’t know that IT professional Adria Richards had uncovered the security flaw with no advanced tools, but after learning it from the Minnesota Independent, he said of the Coleman campaign’s tech security: “It sounds like they didn’t have any, if what you’re saying is true. That seems pretty sloppy.”

He noted that it’s correct to call the exposure of the database a “breach,” as the campaign has done. “When someone who’s not authorized does it, we’d consider it a breach.”

But he wouldn’t call what Richards did — find and take a screen capture of an unprotected public Web directory — hacking.

“It’s not like it’s skilled hacking,” he said. “If I walk into an open door and steal a purse, am I cat burglar? … It’s not in the fine tradition of hacking because it took not a lot of skill. I wouldn’t use the term, but others might.”

He acknowledged that the law surrounding online security is “squirrely.” For instance, he said he’s unclear on whether viewing the unprotected Web directory where, for a few hours on Jan. 28, the directory existed could be considered a criminal act or whether this reporter could be prosecuted for clicking a direct link to the database that was left in comments in January at Minnesota Independent. (For the record, I didn’t download the file.)

“This law is still evolving, and some of it is really stupid,” he said. “People have been convicted for this. … It’s possible you would’ve been prosecuted.”

The exposure of the donor information, which included credit card numbers and three-digit security codes for them, is big news, he said, mainly because it involves a former U.S. senator who’s now locked in a political battle to regain his seat.

But he says such breaches — and mistakes about security for sensitive information — happen all the time.

“Companies do this, governments do this again and again and again,” he said. “While they definitely should know better, we’ve learned repeatedly that organizations don’t know better. It’s not, ‘Oh, God, look what they’ve done!’ It’s more: ‘Oh. It happened again.’”

“This couldn’ve happened to anybody – and it does.”

UPDATE after the jump.

This is what the Coleman privacy policy used to say: “We do not retain records of contributors’ credit card numbers.” But, as the current policy states: “We reserve the right to change this privacy policy at any time …”

UPDATE: The change in Coleman’s policy regarding the storage of donors’ credit card data appears to have occurred sometime between January 23, 2008 and (thanks to a tipster for this) February 11, 2008. DataBreaches.net notes that the earliest entry in Coleman’s leaked donor database is from March 19, 2008. So the leaked database apparently includes entries made only after Coleman dropped the no-data-saving policy.

Here is the full text from the Coleman for Senate privacy policy from January 23, 2008:

Security
The servers that house ColemanForSenate.com are maintained in a manner that safeguards the information in our databases effectively.

Contributions
In particular, when you contribute online at ColemanForSenate.com, the transaction is processed using encrypted code on a secure donation site, on a secure and dedicated web server. The personal information that is requested is the same that we would request for donating through the mail. We do not retain records of contributors’ credit card numbers.

Personal Information
Unless you voluntarily provide us with any personal information, such as your e-mail address, this site does not collect personal information about you without your knowledge.

When you visit our site, we collect the following information: The name of the domain from which you access the Internet (for example, aol.com, if you are connecting from an America Online account). The date and time you access our site. The Internet address of the web site from which you linked directly to our site or the Internet address of the computer used to link to our site. This information is used for Site Management purposes only.

NOTICE: Unless you choose to provide such information, we do not collect or maintain personal information about you when you visit our site. If you send us an e-mail message or complete a web form containing personal information, we collect and store the personal information which you choose to provide, such as your mailing address, e-mail address and the content of any request for information or any comments you may have.

Use of Information
If you choose to provide any personal information, such as your mailing address or phone number, we may use that information to contact you.

Here’s the full text from the current Coleman for Senate Web site “Privacy Policy” page:

Privacy Policy
We at ColemanforSenate.com are committed to protecting your privacy and personal information. Below you will find our online privacy policy. If you have questions about this policy, please let us know.

Personal Information
This website does not collect any personal or identifiable information about you, such as an e-mail address, unless you voluntarily provide us with that information.

When you visit ColemanforSenate.com, we collect generic information that allows us to improve the value of this website. The website collects information such as which website linked you directly to this website, the date and time visits occur, the name of the domain from which you accessed this website (such as Comcast.com, or Aol.com if you use those services), and which web pages visitors view. This information is used for site management only.

If you voluntarily chose to provide personal information through this website (such as a mailing address, e-mail address, name, or phone number), this information will be safeguarded as outlined below and may be used to contact you.

The Federal Election Commission requires us to collect particular information from every donor who gives us money. For this reason, we collect information that can be directly tied to a particular person. The information required includes Names, addresses, telephone numbers, and e-mail addresses and any changes that may occur to the law. This information is only given to those who require this information.

Newsletter
The ColemanforSenate.com website provides an e-mail newsletter to those interested in staying updated on the campaign. This newsletter is only sent to those who voluntarily signup to receive it. People who receive the newsletter may opt-out of the newsletter at any time via the website.

Text Messaging
The ColemanforSenate.com website provides update via text messages to those interested in staying updated on the campaign. The text messages are only sent to those who voluntarily signup to receive them. People who receive these text messages may opt-out of the service at any time via the website.

External Sites
ColemanforSenate.com may link to other websites and blogs that we do not control and you will have to review their own privacy policies as we are not responsible for them.

Use of Cookies
Cookies are used to personalize the site and enhance your experience with it. A cookie is very small text file placed on your computer. Cookies do not contain any personal information about you. You can opt-out of our use of cookies by disabling cookies in your browser settings.

Security
In order to protect information collected by this website, we use commercially reasonable tools and techniques to safeguard against unauthorized intrusions.

Our servers are located in secure locations where a very limited number of people have access to them. The data stored on the servers is restricted to only those who have a reasonable need to have the data.

When transacting credit card information, we protect your information during the transfer process by using Secure Sockets Layer (SSL) software, which digitally encrypts information you enter.

Policy
We reserve the right to change this privacy policy at any time but the most current privacy policy will always be posted on the website or you can contact us and request one.

Photo by The Consumerist

The campaign of former Sen. Norm Coleman has alerted donors that a database containing personal data, including credit card numbers, has been circulating on the Internet.

Minnesota has a number of consumer protection laws that govern the use of personal information, which has raised questions about whether the Coleman campaign has violated state law.

Coleman attorney Fritz Knaak told AP yesterday that he’s confident the campaign complied with the law. But concerns have surfaced particularly about when the campaign notified those whose data had been exposed and what credit card information it kept on its database.

According to the Coleman’s campaign’s newly posted FAQ about the database breach, the campaign knew or at least suspected that the data had been exposed in January.

“We had reason to believe that someone had illegally accessed our website in late January,” the FAQ states. “At that time we immediately notified the Secret Service. They conducted an initial forensics review of our server and concluded that there was no evidence that any private or confidential information had been downloaded.”

Minnesota statute says that when “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person,” it must be disclosed “in the most expedient time possible and without unreasonable delay” to the people whose data was acquired.

Hamline University law professor David Schultz says not alerting the donors in January could have been illegal.

“[Coleman's] campaign potentially violated state law by not promptly notifying card holders of the disclosure of their card info,” Schultz told Talking Points Memo. “Assume the campaign did suffer a breach in security, his campaign faces fines under state law and it is possible a card holder could sue the campaign for any damages. It would be hard for the donors to sue Coleman personally and prevail.”

Coleman’s campaign also retained to the verification codes listed on the backs of donors’ credit cards, according to the databases. The FAQ also notes, “The only information … made public so far [from the leaked version of the database] are the last four digits of individual’s cards and the security code on the card.” Under a law passed in 2007, retaining those numbers is prohibited:

“No person or entity conducting business in Minnesota… shall retain the card security code data, the PIN verification code data, or the full contents of any track of magnetic stripe data,” says state statute 325E.64. “A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction.”

Jay Lim, a spokesman for Wikileaks, told the AP yesterday, “Coleman should not have kept this information” and that “his team should not have released the information out onto the open Internet for anyone to download.”

“[Coleman] should have informed those concerned,” Lim said. “We shouldn’t have had to do it for him.”

Coleman attorney Fritz Knaak expressed confidence that state and federal law enforcement agencies “will get to the bottom of this.” But Knaak conceded that “we are deeply concerned about what this means to our relations with our supporters.”

Coleman and Knaak made the comments to reporters outside the Minnesota Senate election contest trial in St. Paul, which is nearing its end after nearly two months.

“We became aware of the fact that someone had tried to access the server” more than a month ago, Knaak said. But after what he termed a “very thorough” forensic investigation, the campaign decided “there had not been a compromise of the data at that time.”

The campaign learned of the breach from donors on Tuesday night. “Obviously we are going to have to review … the process,” Knaak said, adding, “The system is secure.”

Video of the full statements to reporters by Coleman and Knaak is available at the UpTake.

Marty Owings of KFAI-FM contributed to this report.