12 July 2018 (Naxos, Greece) – The claim is rather thrilling. The UK’s Information Commissioner Office (ICO) said its investigation into the nexus between data analytics, social media and political campaigning is now “the largest of its type by any data protection authority”. Elizabeth Denham, the information commissioner, said in a BBC interview earlier this week (BBC 1 and 2 via satellite down here in the Med, thank God) that the ICO had been “astounded” by the amount of personal data in the possession of the UK’s major parties.
Note: The ICO opened its probe in May 2017 “to explore practices deployed during the UK’s EU referendum campaign but potentially also in other campaigns”. The ICO had sent warning letters to 11 political parties and notices compelling them to agree audits of data protection practices, and started a criminal prosecution against Cambridge Analytica parent SCL Elections after accusing it of failing properly to deal with a data request.
All of Britain’s main political parties, the various factions in the Brexit referendum campaign – including an insurance company owned by prominent Leave supporter Arron Banks who seems to have more Russian connections than Donald Trump – data brokers and management businesses, and even a company that provides advice and gift packs to mothers-to-be, are part of the ICO probe. The ICO investigation has shone new light on the extent to which political parties were using personal data sold on by data brokers without consent.
So far only Facebook has been fined by the ICO, a total of £500,000 (the maximum financial penalty under previous data protection laws in force during the period in question) for the leak of users’ data to Cambridge Analytica. It accused Facebook of not protecting user data and failing to be transparent about how it shared information with third parties. As I noted in a post yesterday, on my reading of Facebook’s Q1 financial report, this amounts to (roughly) the gross revenue Facebook earns in 7 minutes. Said Denham:
We think they broke the principle of fair processing; we think it was unfair processing. Data controllers are supposed to have reasonable safeguards in place to process data and we felt they were deficient in that and in their response on questions and follow-up about the data leak.
Facebook, which has 28 days to contest the fine, said it had been working with UK authorities and acknowledged that it should have acted earlier in the Cambridge Analytica case.
The ICO also said it had found evidence that Aleksandr Kogan, the Cambridge academic who built the app used by Cambridge Analytica to gather Facebook data, had passed the information to other third parties. In an interview with the Financial Times, Denham said Cambridge Analytica’s data had been accessed from other countries but did not comment on whether Kogan’s data had been accessed from Russia. The ICO will conduct an audit of University of Cambridge’s Psychometrics Centre (Kogan’s group, which researched social analytics using Facebook data). The revelations could reopen the debate over how far Facebook’s data travelled and how it was used. Among its findings, the ICO said that U.S. voter data had been processed in the UK by British employees of Cambridge Analytica. U.S. election rules restrict the work that can be carried out on domestic political campaigns by foreign nationals.
Granted, much of the chatter has focused on the small size of the fine levied on Facebook and how laughably easy it will be for the tech giant to shrug it off.
But beyond that, the two reports the agency issued are well worth reading because the details are in fact quite shocking (even to me, a certified cynic), even after months of controversy, and show just how profound and wide-ranging the problems with politics and data-sharing still are.
The reports
I think the ICO’s main intent was to fire a warning shot against several other entities as it voices fears of what one report calls “voter surveillance by default”. The agency issued two reports:
- A progress report that offers details about the specific case at hand involving Cambridge Analytica (it is 42 pages and a quick read)
- A second report called “Democracy disrupted? Personal information and political influence,” which takes a much wider view of the subject across the British political spectrum (59 pages and a meatier, slower read)
I am still parsing them so just a few quick points. Let’s start with the first report.
- To begin with, the fine comes as part of an ongoing investigation, not one that is finished. The ICO made the unusual decision to disclose the fine before the investigation was concluded because the case was of such national and international importance. Meanwhile, the ICO is expanding its work and has sent letters to Britain’s major political parties warning them that they will be audited over their use of personal data.
- The report says: “We have concluded that there are risks in relation to the processing of personal data by many political parties. Particular concerns include: the purchasing of marketing lists and lifestyle information from data brokers without sufficient due diligence, a lack of fair processing, and use of third-party data analytics companies with insufficient checks around consent.”
- The agency is looking into what it believes may have been data abuses by the Vote Leave campaign. However, at least one Remain in EU organization is also under scrutiny. As part of this process, the ICO is scrutinizing Google, Snapchat, and Twitter, in addition to Facebook. Worth noting is that when asked about ads from Cambridge Analytica, Twitter told the ICO it had banned access to its data products and removed Cambridge Analytica’s ads because the company “determined that Cambridge Analytica operated a business model that inherently conflicted with acceptable Twitter Ads business practices.”
- Regarding the controversial personality quiz developed by Cambridge University researcher Aleksandr Kogan, the information it accessed was staggering. From people who logged in using their Facebook profile, it was able to grab their name and gender, birthdate, current city, photographs in which the users were tagged, pages that the users had liked, posts on the users’ timelines, news feed posts, friends lists, email addresses, and Facebook messages.
- It also managed to collect the following from those users’ friends: public profile data, including name and gender; birth date; current city, if the friends had chosen to add this information to their profile; photographs in which the friends were tagged; and Pages that the friends had liked: “For some of this Facebook data, estimated to involve around 30 million users, the personality test results were paired with Facebook data to seek out psychological patterns and build models. GSR [the company Kogan started] shared data with SCL Elections Ltd [Cambridge Analytica’s parent company] in at least four discrete disclosures. It is believed it then combined this with other sources of data, such as voter records held by SCL, to help inform targeting of individuals in key marginal states with personalised advertising during the presidential election process.”
- It should be said that the ICO’s work has been hampered by cross-jurisdictional issues. Facebook, though it has cooperated, insists that it is governed by Irish data rules, and not the ICO, because its European headquarters is in Dublin. Meanwhile, the ICO has been trying to investigate the web of affiliated corporations that passed this data around, including AggregateIQ in Canada, which also says it is not within the ICO’s jurisdiction, and the University of Mississippi, which may have also received some of the data in question.
Turning to the second report, the authors attempt to map out more broadly and in greater detail just how political parties gather and use personal data. An interesting graph:
This data is blended to generate sophisticated profiles of individuals, which allows for unprecedented micro-targeting of messages. While the absolute numbers can appear small, the report says, in era of close, hard-fought elections, such campaigns can be enough to make the difference.
Let me bring in Chris O’Brien from Ampere Analysis (we trade notes and ideas and he has given me a Master Class in understanding the process in analyzing the metrics behind disinformation campaigns) who notes:
Facebook offers what it calls its Custom Audience tool for political parties (and any marketer really). U.K. political parties love this tool, and in 2017 spent 3 times as much on that as they did buying ads on Google. Custom Audience allows a marketer to create a specific advertising target by using “existing data about an individual possessed by that organisation,” which is then matched with Facebook data.
The ICO report says: “The Custom Audience service allows an advertiser to target adverts to individuals via multiple methods, the most common being to upload a list of email addresses, phone numbers, or user IDs that they and the advertiser already possess to Facebook. If Facebook is able to match information in its database with that uploaded by the advertiser, then those individuals may see an advert from that advertiser the next time they log into their account.”
Of course Facebook claims it is innocent in all of this because it doesn’t see the actual data. But users who are targeted never know they are in this custom audience, or that information gathered from outside Facebook is now being used on Facebook to target them.
From there, Facebook also offers a “Partner Categories” service. This lets advertisers pull in other sources of third-party information from companies such as Acxiom, Experian, and Oracle Data Cloud on top of all the data they’ve already shoved into Facebook to further refine and target their messaging. Quoting the report:
Whilst users were informed that their data would be used for commercial advertising, it was not clear that political advertising would take place on the platform. The ICO also found that despite a significant amount of privacy information and controls being made available, overall they did not effectively inform the users about the likely uses of their personal information …The ICO has concluded that Facebook has not been sufficiently transparent to enable users to understand how and why they might be targeted by a political party or campaign.
CONCLUSION
I will dig a little deeper into this next week when I publish my two-part series on the Cannes Lions event and explain how Facebook and Google have effectively “gamed” both the GDPR and the upcoming ePrivacy directive. Taking a long view, it took centuries for the public information sphere to develop – trust, validity, privacy – and the technology companies have eviscerated all of that in a flash. By radically remaking the advertising business and commandeering news distribution, and the entire information ecosystem, Google and Facebook have damaged the public psyche forever. Big tech has made a fetish of efficiency, of data … and now, anything goes. There are no “rules”.