Watchdog slams political data slurpers' 'disturbing disregard' for voters' privacy

ICO's second report into data analytics in campaigning lands with a thud


Cambridge Analytica, Facebook, universities and political parties are all in the dog house as the UK's data protection watchdog condemned a "disturbing disregard" for personal privacy across the system.


The Information Commissioner's Office yesterday issued the second report of its long-running investigation into data analytics and political campaigning, as head honcho Elizabeth Denham gave evidence to MPs probing the same issue.

Summarising her work to date, Denham said it had revealed a "disrespect" for voters' personal data, as the commercial model of behavioural targeting was transferred to the political sphere with too little thought.

"The major concern I have in this investigation is the very disturbing disregard that many of these organisations across the entire ecosystem have for personal privacy of UK citizens and voters," she said.

The regulator, who has been criticised for using the investigation as a bit of a PR opportunity, went even further when asked to put the work – which has covered 172 organisations and seized 700 terabytes of information – into context.

"It's unprecedented for any data protection authority worldwide in terms of the type of information, the numbers of organisations, the number of individuals, the cost of the investigation and the expertise required," she effused. "What's at stake is the fundamentals of our democratic processes."

The report, which comes in at 113 pages, provides an update to the work that was detailed in the interim report in July, but is a long way from the final one; the investigation looks set to lumber on almost indefinitely as it identifies more and more stones to look under.

So what's the latest?

Username? Cambridge Analytica. Password? Er... check the Post-It on the wall

The work started almost a year before the Facebook data-harvesting scandal broke in April this year, but Cambridge Analytica – the firm at the centre of that drama – was already in focus due to its reported links to the Leave.EU campaign.

To recap, back in 2014, Cambridge Analytica used an app developed by University of Cambridge academic Aleksandr Kogan to slurp up information on 87 million Facebook users, with the aim of using this info to micro-target and influence voters.

The firm had needed to find someone with a pre-existing app on the platform because a 2014 policy change meant that new apps were prevented from sucking up information on users' friends as well as users.

Although Facebook was alerted to this dodgy data gathering in 2015, it is now widely acknowledged that it didn't take it seriously enough, failing to tell regulators or users, or to check that the information had been deleted.

So one of the ICO's tasks has been to figure out if any of that data remains, which saw it become embroiled in a protracted, and very public, battle for a warrant to search Cambridge Analytica's offices and a midnight raid with ICO-jacket-toting staffers.

The result was a huge haul of evidence, including mobile phones, storage devices, servers – some of which had been disconnected and physically damaged – paperwork and so on for the group to plough through; this work is continuing.

The data haul also revealed what the ICO somewhat euphemistically branded "organisational shortcomings" in how CA stored, secured and processed personal data, and its general approach to technology.


"The servers seized under warrant revealed a chaotic IT infrastructure," the report stated, not to mention the fact the raid revealed passwords were stuck to the office's walls on Post-It notes. Staff also used personal email accounts and the firm had failed to ensure data from Kogan was transferred securely between Cambridge Analytica and external contractors.

During the evidence session, Denham's deputy James Dipple-Johnstone said that the data obtained by GSR (Global Science Research, Kogan's company) was modelled and transferred into a "drop zone" that allowed Cambridge Analytica to extract the modelled data it was interested in and carry out further work on it.

It isn't clear who had access to this server, and Denham noted that it would take some time to figure this out as it involved trudging through all of Cambridge Analytica's emails.

The ICO is clearly fuming that Cambridge Analytica and its parent firm SCL Group are in administration, saying it would have issued it with a "substantial fine for very serious breaches" of data protection law if this was not the case.

It is, though, referring the directors of Cambridge Analytica – some of whom, lest we forget, have a new interest in Emerdata – to the Insolvency Service, which the ICO noted can administer compulsory liquidation, wind up companies, impose personal bankruptcies and disqualify company directors.

The watchdog is also investigating whether Kogan or others are individually culpable, and pushing for the power to compel people to be interviewed, as neither Kogan nor former CA boss Alexander Nix have deigned to speak to the ICO.

Who else had access to the data?

During the committee hearing, Dipple-Johnstone said that it appears that some individuals in academic institutions received parts of the GSR datasets, and that the ICO was investigating "exactly what data has gone where". When pressed, he said it was about half a dozen people, but wouldn't name names.

He added that there was a separate system from the one that was linked to Cambridge Analytica: a wiki that held some of the Facebook data, as well as some research reports. Witnesses had told the ICO's inquiry that this information was available on GitHub to people with credentials that allowed them access to the system.

Those credentials had been used to access the system from a number of points, he said, adding that they resolved to IP addresses in Russia and IP addresses that had been associated with alleged cyber attacks, as well as at least one Tor entry point. All of this is beyond the ICO's remit and has been passed on to other authorities.

Another company of interest in this saga has been Canadian data analytics biz Aggregate IQ (AIQ). The ICO's interim report sounded highly sceptical of the claim that it wasn't in bed with Cambridge Analytica, given a range of shared contacts, but in yesterday's missive it said that the close links – while uncommon – don't point to data misuse, and so it has dropped this strand of inquiries.

Rather, the focus is on the fact AIQ made 397 UK-related email addresses and names publicly accessible via GitLab. The firm said that these emails, which were part of a total of 1,439 on the repository, were stored as part of a backup and should have been deleted.

After AIQ appealed an initial enforcement notice in which the ICO ordered it to cease processing UK users' data, the ICO last month issued an updated notice (PDF) that allowed for personal data of individuals in the UK to be wiped from its systems after the Canadian data protection outfit was finished with its investigations.

Separately, AIQ created a series of ads on behalf of Brexit leave campaign groups, most of which (2,529 of 2,823) were for Vote Leave. AIQ ran 281 ads solely on behalf of Vote Leave in the run-up to the referendum, targeted at Facebook users matched by email address.

The social media platform said that these email addresses didn't come from data collected through Kogan's app – an assessment the ICO said was based on a comparison of the accounts affected by the GSR app and the target audience for the ads.

But MPs challenged this assumption, asking whether the ICO had done its own assessments as to whether they were indeed separate data sources. Dipple-Johnstone said it hadn't because Facebook keeps all of its data to itself, and the ICO "can't recreate how their platform operates".

Meanwhile, as we reported earlier, the headline enforcement actions from the latest report are plans to fine Leave.EU and Arron Banks' insurance biz Eldon a total of £135,000 for breaching electronic marketing rules.

In particular, the ICO found a "disregard to the separation of data" between the two organisations – which shared staff and board members – and a complete audit of their activities and systems is under way, which could lead to data protection fines.

The ICO added that it had "cause for concern" about Vote Leave's electronic marketing communications, with a report due "imminently", and is investigating whether the Remain campaign had handled personal data properly.

The role of data brokers in the political data analytics ecosystem is also discussed, although no new fines were handed out this time; credit reference agencies are being assessed in a separate project due to report by the end of 2018.

But it isn't just politicians and the private sector that have to pull their socks up: universities have also been slammed for poor data protection practices.

"Questions remain about the sufficiency of boundaries between academic studies and the commercial enterprises many academics legitimately establish, as well as the use of university equipment," the report said.

"The portability of data sets, cross-over in roles, sharing of premises and common use of students and postgraduates all serve to create a very complex picture for data protection."

The ICO's audit of Cambridge's psychometric centre – from whence came Kogan and his app – found "significant concerns", which included outdated data security policies, the fact research data isn't listed on a university-wide Information Asset Register, and a lack of overarching access control policies or management of IT hardware.

Biting the hand that feeds IT © 1998–2021