Cambridge Analytica, Facebook, universities and political parties are all in the dog house as the UK's data protection watchdog condemned a "disturbing disregard" for personal privacy across the system.
The Information Commissioner's Office yesterday issued the second report of its long-running investigation into data analytics and political campaigning, as head honcho Elizabeth Denham gave evidence to MPs probing the same issue.
Summarising her work to date, Denham said it had revealed a "disrespect" for voters' personal data, as the commercial model of behavioural targeting was transferred to the political sphere with too little thought.
"The major concern I have in this investigation is the very disturbing disregard that many of these organisations across the entire ecosystem have for personal privacy of UK citizens and voters," she said.
The regulator, who has been criticised for using the investigation as a bit of a PR opportunity, went even further when asked to put the work – which has covered 172 organisations and seized 700 terabytes of information – into context.
"It's unprecedented for any data protection authority worldwide in terms of the type of information, the numbers of organisations, the number of individuals, the cost of the investigation and the expertise required," she effused. "What's at stake is the fundamentals of our democratic processes."
The report, which comes in at 113 pages, provides an update to the work that was detailed in the interim report in July, but is a long way from the final; the investigation looks set to lumber on almost indefinitely as it identifies more and more stones to look under.
So what's the latest?
Username? Cambridge Analytica. Password? Er... check the Post-It on the wall
The work started almost a year before the Facebook data-harvesting scandal broke in April this year, but Cambridge Analytica – the firm at the centre of that drama – was already in focus due to its reported links to the Leave.EU campaign.
To recap, back in 2014, Cambridge Analytica used an app developed by University of Cambridge academic Aleksandr Kogan to slurp up information on 87 million Facebook users, with the aim of using this info to micro-target and influence voters.
The firm had needed to find someone with a pre-existing app on the platform because a 2014 policy change meant that new apps were prevented from sucking up information on users' friends as well as users.
Although Facebook was alerted to this dodgy data gathering in 2015, it is now widely acknowledged that it didn't take it seriously enough, failing to tell regulators or users, or check the information had been deleted.
So one of the ICO's tasks has been to figure out if any of that data remains, which saw it become embroiled in a protracted, and very public, battle for a warrant to search Cambridge Analytica's offices and a midnight raid with ICO-jacket-toting staffers.
The result was a huge haul of evidence, including mobile phones, storage devices, servers – some of which had been disconnected and physically damaged – paperwork and so on for the group to plough through; this work is continuing.
The data haul also revealed what the ICO somewhat euphemistically branded "organisational shortcomings" in how CA stored, secured and processed personal data, and its general approach to technology.
"The servers seized under warrant revealed a chaotic IT infrastructure," the report stated, not to mention the fact the raid revealed passwords were stuck to the office's walls on Post-It notes. Staff also used personal email accounts and the firm had failed to ensure data from Kogan was transferred securely between Cambridge Analytica and external contractors.
During the evidence session, Denham's deputy James Dipple-Johnstone said that the data obtained by GSR was modelled and transferred into a "drop zone" that allowed Cambridge Analytica to extract the modelled data they were interested in and carry out further work on it.
It isn't clear who had access to this server, and Denham noted that it would take some time to figure this out as it involved trudging through all of Cambridge Analytica's emails.
The ICO is clearly fuming that Cambridge Analytica and its parent firm SCL Group are in administration, saying it would have issued it with a "substantial fine for very serious breaches" of data protection law if this was not the case.
It is, though, referring the directors of Cambridge Analytica – some of whom, lest we forget, have a new interest in Emerdata – to the Insolvency Service, which the ICO noted can administer compulsory liquidation, wind up companies, impose personal bankruptcies and disqualify company directors.
The watchdog is also investigating whether Kogan or others are individually culpable, and pushing for the power to compel people to be interviewed, as neither Kogan nor former CA boss Alexander Nix have deigned to speak to the ICO.
Who else had access to the data?
During the committee hearing, Dipple-Johnstone said that it appears that some individuals in academic institutions received parts of the GSR datasets, and that the ICO was investigating "exactly what data has gone where". When pressed, he said it was about half a dozen people, but wouldn't name names.
He added that there was a separate system from the one that was linked to Cambridge Analytica: a wiki that had some of the Facebook data on it, as well as some research reports. Witnesses had told the ICO's inquiry that this information was available on GitHub to people with credentials that allowed them access to the system.
Those credentials had been used to access the system from a number of points, he said, adding that they resolved to IP addresses in Russia and IP addresses that had been associated with alleged cyber attacks, as well as at least one Tor entry point. All of this is beyond the ICO's remit and has been passed on to other authorities.
Another company of interest in this saga has been Canadian data analytics biz Aggregate IQ (AIQ). The ICO's interim report sounded highly sceptical that it wasn't in bed with Cambridge Analytica due to a range of shared contacts, but in yesterday's missive it said that the close links – while uncommon – don't point to data misuse, and so it has dropped this strand of inquiries.
Rather, the focus is on the fact AIQ made 397 UK-related email addresses and names publicly accessible via GitLab. The firm said that these emails, which were part of a total of 1,439 on the repository, were stored as part of a backup and should have been deleted.
After AIQ appealed an initial enforcement notice in which the ICO ordered it to cease processing UK users' data, the ICO last month issued an updated notice (PDF) that allowed for personal data of individuals in the UK to be wiped from its systems after the Canadian data protection outfit was finished with its investigations.
Separate to this, AIQ created a series of ads on behalf of Brexit leave campaign groups, most of which (2,529 of 2,823) were for Vote Leave. AIQ ran 281 ads solely on behalf of Vote Leave in the run-up to the referendum, which were directed at email addresses on Facebook.
The social media platform said that these email addresses didn't come from data collected through Kogan's app – an assessment the ICO said was based on a comparison of the accounts affected by the GSR app and the target audience for the ads.
But MPs challenged this assumption, asking whether the ICO had done its own assessments as to whether they were indeed separate data sources. Dipple-Johnstone said it hadn't because Facebook keeps all of its data to itself, and the ICO "can't recreate how their platform operates".
Meanwhile, as we reported earlier, the headline enforcement actions from the latest report are plans to fine Leave.EU and Arron Banks' insurance biz Eldon a total of £135,000 for breaching electronic marketing rules.
In particular, the ICO found a "disregard to the separation of data" between the two organisations – which shared staff and board members – and a complete audit of their activities and systems is under way, which could lead to data protection fines.
The ICO added that it had "cause for concern" about Vote Leave's electronic marketing communications, with a report due "imminently", and is investigating whether the Remain campaign had handled personal data properly.
The role of data brokers in the political data analytics ecosystem is also mentioned, although no new fines were handed out this time, along with credit reference agencies, which are being assessed in a separate project due to report by the end of 2018.
But it isn't just politicians and the private sector that have to pull their socks up: universities have also been slammed for poor data protection practices.
"Questions remain about the sufficiency of boundaries between academic studies and the commercial enterprises many academics legitimately establish, as well as the use of university equipment," the report said.
"The portability of data sets, cross-over in roles, sharing of premises and common use of students and postgraduates all serve to create a very complex picture for data protection."
The ICO's audit of Cambridge's psychometric centre – from whence came Kogan and his app – found "significant concerns", which included outdated data security policies, the fact research data isn't listed on a university-wide Information Asset Register, and a lack of overarching access control policies or management of IT hardware.