Brexit ad blitz data firm paid by Vote Leave broke privacy laws, watchdogs find
A joint investigation by watchdogs in Canada and British Columbia has found that Cambridge Analytica-linked data firm, Aggregate IQ, broke privacy laws in Facebook ad-targeting work it undertook for the official Vote Leave Brexit campaign in the UK’s 2016 EU referendum.
A quick reminder: Vote Leave was the official leave campaign in the referendum on the UK’s membership of the European Union. While Cambridge Analytica is the (now defunct) firm at the center of a massive Facebook data misuse scandal which has dented the company’s fortunes and continues to tarnish its reputation.
Vote Leave’s campaign director, Dominic Cummings — now a special advisor to the UK prime minister — wrote in 2017 that the winning recipe for the leave campaign was data science. And, more specifically, spending 98% of its marketing budget on “nearly a billion targeted digital adverts”.
Targeted at Facebook users.
The problem is, per the Canadian watchdogs’ conclusions, AIQ did not have proper legal consents from UK voters for disclosing their personal information to Facebook for the Brexit ad blitz which Cummings ordered.
Either for “the purpose of advertising to those individuals (via ‘custom audiences’) or for the purpose of analyzing their traits and characteristics in order to locate and target others like them (via ‘lookalike audiences’)”.
Last year the UK’s Electoral Commission also concluded that Vote Leave breached election campaign spending limits by channeling money to AIQ to run the targeting political ads on Facebook’s platform, via undeclared joint working with another Brexit campaign, BeLeave. So there’s a full sandwich of legal wrongdoings stuck to the brexit mess that UK society remains mired in, more than three years later.
Meanwhile, the current UK General Election is now a digital petri dish for data scientists and democracy hackers to run wild experiments in microtargeted manipulation — given election laws haven’t been updated to take account of the outgrowth of the adtech industry’s tracking and targeting infrastructure, despite multiple warnings from watchdogs and parliamentarians.
The Canadian investigation cleared AIQ of any wrongdoing in its use of phone numbers to send SMS messages for another pro-Brexit campaign, BeLeave; a purpose the watchdogs found had been authorized by the consent provided by individuals who gave their information to that youth-focused campaign.
But they did find consent problems with work AIQ undertook for various US campaigns on behalf of Cambridge Analytica affiliate, SCL Elections — including for a political action committee, a presidential primary campaign and various campaigns in the 2014 midterm elections.
And, again — as we know — Facebook is squarely in the frame here too.
“The investigation finds that the personal information provided to and used by AIQ comes from disparate sources. This includes psychographic profiles derived from personal information Facebook disclosed to Dr. Aleksandr Kogan, and onward to Cambridge Analytica,” the watchdogs write.
“In the case of their work for US campaigns… AIQ did not attempt to determine whether there was consent it could rely on for its use and disclosure of personal information.”
The investigation also looked at AIQ’s work for multiple Canadian campaigns — finding fewer issues related to consent. Though the report states that in: “certain cases, the purposes for which individuals are informed, or could reasonably assume their personal information is being collected, do not extend to social media advertising and analytics”.
AIQ also gets told off for failing to properly secure the data it misused.
This element of the probe resulted from a data breach reported by UpGuard after it found AIQ running an unsecured GitLab repository — holding what the report dubs “substantial personal information”, as well as encryption keys and login credentials which it says put the personal information of 35 million+ people at risk.
“The investigation determined that AIQ failed to take reasonable security measures to ensure that personal information under its control was secure from unauthorized access or disclosure,” is the inexorable conclusion.
Turns out if an entity doesn’t have a proper legal right to people’s information in the first place it may not be majorly concerned about where else the data might end up.
The report flows from an investigation into allegations of unauthorized access and use of Facebook user profiles which was started by the Office of the Information and Privacy Commissioner for BC in late 2017. A separate probe was opened by the Office of the Privacy Commissioner of Canada last year. The two watchdogs subsequently combined their efforts.
The upshot for AIQ from the joint investigation’s finding of multiple privacy and security violations is a series of, er, “recommendations”.
On the data use front it is suggested the company take “reasonable measures” to ensure any third-party consent it relies on for collection, use or disclosure of personal information on behalf of clients is “adequate” under the relevant Canadian and BC privacy laws.
“These measures should include both contractual measures and other measures, such as reviewing the consent language used by the client,” the watchdogs suggest. “Where the information is sensitive, as with political opinions, AIQ should ensure there is express consent, rather than implied.”
On security, the recommendations are similarly for it to “adopt and maintain reasonable security measures to protect personal information, and that it delete personal information that is no longer necessary for business or legal purposes”.
“During the investigation, AIQ took steps to remedy its security breach. AIQ has agreed to implement the Offices’ recommendations,” the report adds.
The upshot of political ‘data science’ for Western democracies? That’s still tbc. Buckle up.