Analysis Cambridge Analytica had data ferreted away on disconnected servers, Twitter actually kicked the firm's ads off its platform, and Facebook still has a lot of questions to answer.
Also, British political parties used software to guess voters' ethnicities.
These were some of the findings of the UK's Information Commissioner's Office – the nation's privacy watchdog – which this morning issued a set of reports detailing the progress made on its 18-month investigation into data analytics and political campaigning in the country.
Although the headlines have focused on the fact the regulator is poised to slap a £500,000 fine on Facebook (the most it can dish out, since the Cambridge Analytica scandal happened before GDPR), there's plenty more dirt to dig.
So what have we learnt?
Cambridge Analytica: 'Inaccessible' servers, questionable deletion certificates
The ICO repeatedly emphasised how much data it had obtained throughout its investigation into the app that harvested 87 million people's info and whether it was used in the US elections or Brexit vote.
In addition to the much-publicised legal battle to raid the firm's London offices, the ICO said it had secured a further warrant for other premises, and has "seized significant volumes of evidence and several servers".
This includes servers that had been disconnected from the firm's systems – meaning, as the ICO pointed out, that they would have been unavailable for the onsite inspection Cambridge Analytica is said to have originally offered.
The ICO also has data sets it believes are combined, including Facebook-harvested data or its derivatives, and "large data sets" provided by third parties that it believes are originally from Cambridge Analytica and SCL.
Moreover, the body said it had evidence that copies of the data, or parts of it, have been shared with other parties and on other systems outside of SCL's umbrella.
Such evidence "potentially brings into question the accuracy of the deletion certificates provided to Facebook by CA/SCL", the ICO said – Facebook has cited its belief that the info had been deleted as one of the reasons it didn't go public about the incident when it was first alerted to it in 2015.
Of the locations and systems to which the data might have been sent, the ICO said it was working with organisations and regulators to ensure the data and any derivatives are deleted.
"This will include companies established by ex-CA/SCL staff where we have concerns they may have retained materials from SCL Group following their administration," it said.
The body added that it was still considering regulatory action despite the firm being in administration – if necessary, the ICO said it would pursue "any successor companies associated with ex-CA/SCL staff".
Twitter opted out of Cambridge Analytica ads
Although the investigation has focused heavily on Facebook, thanks to the Cambridge Analytica data harvesting scandal, the ICO looked elsewhere too.
In a section on other social media platforms, the body said that Twitter "did not provide access to [Cambridge Analytics or its parent group SCL Group]" for its data products, and had taken a "policy decision" to "off-board" all advertising from accounts owned and operated by Cambridge Analytica.
"Twitter determined that Cambridge Analytica operated a business model that inherently conflicted with acceptable Twitter Ads business practices," the report stated.
However, Twitter admitted that Cambridge Analytica and SCL Group had placed ads for the firm's own services and clients' services on the platform.
Facebook: Missed opportunities, continued concerns
The social media giant at the centre of the furore missed opportunities to kick app developer and academic Aleksandr Kogan off its platform and lock down the data collected.
The report noted that Kogan applied to migrate his app to the second version of the firm's API in May 2014, but was rejected – however, his existing app was allowed to continue on v1 with existing permissions.
Meanwhile, most of the 87 million profiles sucked up in this scandal were taken during the "grace period" when Facebook allowed existing apps to continue accessing users' friends' data, even though it had changed the policy for new apps.
And when Facebook found out about the data harvest – in December 2015 – its follow-up actions were not as robust as they should have been, particularly given that it was a known breach of platform policies for commercial gain.
The ICO also noted continued concerns about Facebook's Partner Category Service, although this has ceased in the EU and is being wound down elsewhere; the potential for sensitive data to be processed and a lack of transparency in the privacy tools users are offered as reasons.
An online targeted advertising model as complex as Facebook's needs a "very high level of transparency", especially on political ads, the ICO said. However, information is difficult to understand and privacy controls are unintuitive.
It added that, "by placing users into categories", Facebook might have been processing sensitive personal information about political opinions, and that the firm hadn't provided "satisfactory information" to understand the processes used to decide which segments to put people in.
"Whilst Facebook confirmed that the content of users' posts were not used to derive categories or target ads, it was difficult to understand how the different 'signals', as Facebook called them, built up to place individuals into categories," the ICO said.
AIQ: Cambridge Analytica's close Canadian cousin
AIQ – the Canadian firm with which the official Vote Leave (in the UK referendum on the EU) campaign spent about £3m – has repeatedly been linked to the data harvesting saga but has denied a closer relationship than software developer and client. It was contracted to build a CRM tool – named Ripon – for SCL's work on the American 2014 midterms.
However, the ICO's report cast doubt on this, saying SCL Elections had paid Facebook more than $280,000 for an AIQ ad account; was listed as one of the main contacts for at least one of the AIQ Facebook accounts; and said an employee who was involved in those payments had their email address linked to an account.
"This pattern is suggestive of a close working relationship," the ICO said.
It added that it believed an AIQ employee created and administered two apps that ran on Facebook's platform with Ripon.
The ICO has said it has no evidence that CA shared personal data including UK citizens with AIQ, but the Canadian firm did have access to UK voter’s personal data via the Vote Leave campaign.
In addition, the ICO said a security researcher had discovered that AIQ made some 397 email addresses and names relating to the UK – out of a total of 1,439 email addresses – publicly accessible via GitLab.
The ICO is investigating AIQ further and has issued an enforcement notice to compel them to cease processing UK citizens' data.
Political parties: Crap with data, trying out ethnicity-predicting software
Possibly the least surprising part of the report is that political parties' attitudes to protecting personal data have been found wanting.
All registered parties are entitled to accessing the full electoral register, which gives them access to the names and addresses of approximately 40 million voters. This data is matched against information gathered from canvasses, surveys and third parties, such as platforms like NationBuilder, and data brokers.
The ICO expressed concerns that the parties were not complying with fair processing requirements set out in data protection law. Although they are given access to the electoral roll, they still have to tell individuals they slurp up info on how it's going to be used.
And, it seems, the parties were sloppy about doing this, as well as in making sure they had the right consents to use data from these third parties and merrily uploaded email addresses to Facebook.
In addition, all three of the main political parties were found to have used software that assigns a predicted ethnicity and age to individuals that is used to target people for certain political messaging.
Laying bare just how clueless the parties are about this, some are reported to have been labouring under the misapprehension that "this was not personal information as the ethnicity or age of the individual was being inferred (rather than based on factual information)".
Eleven warning letters have been sent out to parties and campaigns on all sides of the political spectrum, and regulatory action will be taken against one broker, which trades under the name Emma's Diary and offers pregnancy advice, that was used by Labour.
The ICO is also investigating allegations that Eldon Insurance Services Ltd shared customer data obtained for insurance purposes with Leave.EU, and claims that it was then used for political campaigning. If true, this would be unlawful.
The full reports are available here and the investigation is due to complete in October 2018. ®