Sen. Rand Paul’s (R. Ky.) presidential campaign is leveraging his high-profile fight against NSA surveillance to collect personal data from American citizens, which it says it may share with third-party groups, vendors, and law enforcement.
While most political campaigns solicit personal information from supporters to build mailing lists, privacy advocates said it is not necessary for campaigns to reserve the right to share the data with third parties, as Paul’s website does.
"If a campaign is telling you in a privacy policy that they are reserving the right to hand over the information to third parties, that would be of some concern to me," said Pam Dixon, founder of the World Privacy Forum. "Because you just don’t know where that’s going. And here in the U.S., you do not have the right to find out where that’s going."
Paul vowed to end the NSA surveillance program and urged supporters to sign a "petition" on his campaign website via a promoted Twitter advertisement on Sunday night.
"Today, I’ll force the expiration of the NSA’s illegal spy program," Paul wrote in the promoted tweet. "Add your name if you’re with me!"
Users who clicked the link were taken to a page on Paul’s presidential campaign website, RandPaul.com, and asked to enter their name, email address, and zip code. They were then directed to a second donation page that requested more detailed information, including their employer, occupation, home address, and phone and credit card numbers.
According to the website’s privacy policy, Rand Paul for President could share personal identifying information "with vendors, consultants, and other service providers or volunteers," as well as "organizations, groups, or causes that we believe have similar viewpoints, principles, or objectives."
RandPaul.com said that visitors to the site could have their IP addresses and browsing data collected by third parties such as Yahoo! and Google.
The campaign website also maintained the right to turn over personal information in response to "lawful requests."
According to the privacy policy, this information could be shared "when we believe in good faith that we are lawfully authorized or required to do so or that doing so is reasonably necessary or appropriate to comply with the law or legal processes or respond to lawful requests, claims or legal authorities, including responding to lawful subpoenas, warrants, or court orders."
Privacy advocates said consumers should be wary of vague language in sections such as these on websites.
"The very best thing you want to see is you want to see an actual legal instrument instead of just a ‘request,’" said Dixon. "Some websites say ‘legal request.’ We like it to be very specific, like ‘warrant.’"
Paul has led the opposition against NSA data collection, winning a victory on Sunday by blocking renewal of the Patriot Act.
However, the Kentucky senator has also defended the collection and use of personal information by political campaigns, telling Politico last year that, "there's a difference between the government collecting things without a warrant and people voluntarily allowing their information to be used."
Paul’s campaign did not immediately respond to a request for comment.
Update: Ron Schnell, the campaign's chief technology officer, provided the following statement:
We are very proud of the transparency of our privacy policy. We fully disclose any potential use of personal information, and don't play any word games that might otherwise mislead people. I think it's important to note that the information we request from our generous donors is required in order to fulfill FEC regulations; we don't have a choice in this matter. In terms of IP addresses procured by Google, Yahoo, or other advertisers, this is typical of most any site on the Internet, and again we are proud of our transparency compared with other sites.
Correction/clarification, June 2, 5:25 P.M.: A previous version of this article incorrectly stated the name of the World Privacy Forum founder was Pat Dixon. Her name is Pam Dixon. Additionally, Dixon said her comments were not directed at any specific campaign, but on privacy policies in general.