The UK's privacy watchdog has wrapped up its probe into Cambridge Analytica, saying it found no hard evidence to support claims the controversial biz used data scraped from people's Facebook profiles to influence the Brexit referendum nor the US 2016 presidential election. There was no clear evidence of Russian involvement, either.
In a letter [PDF] this month to Julian Knight – chairman of Parliament's Digital, Culture and Media and Sport Select Committee – the Information Commissioner’s Office detailed the findings of its investigation, having gone through 700TB and more than 300,000 documents seized from the now-defunct company.
Crucially, the watchdog said Cambridge Analytica pretty much dealt with information and tools that anyone could have purchased or used if they had the right budget and know-how: there were no special techniques nor hacking. Its raison d'etre was profiling voters to specifically target them with influential ads to persuade them to vote one way or another.
Cambridge Analytica tried to achieve this by buying up databases of people's details and combining it all with information scraped from Facebook's (at the time) problematic Graph API, via a third-party quiz app people were encouraged to use, which harvested data from their profile pages and their friends' pages.
Facebook subsequently dynamited its overly leaky API – the real scandal here – to end any further such slurpage, was fined half a million quid by the ICO, and ordered to cough up $5bn by America's consumer protection regulator, the FTC. If Cambridge Analytica achieved anything at all, it was blowing the lid off Facebook's slipshod and cavalier approach to safeguarding netizens' privacy.
Facebook ends appeal against ICO micro-fine: Admit liability? Never. But you can have £500kREAD MORE
Information Commissioner Elizabeth Denham's team characterized Cambridge Analytica, and its related outfit SCL Elections, as a bit of a smoke-and-mirrors operation that lacked the sort of game-changing insight it sold to clients, who were told they could use the database of Facebook addicts, as well as all the other collected info, to micro-target particular key voters with specific advertising to swing their political opinion in a particular direction.
"In summary, we concluded that SCL/CA were purchasing significant volumes of commercially available personal data (at one estimate over 130 billion data points), in the main about millions of US voters, to combine it with the Facebook derived insight information they had obtained from an academic at Cambridge University, Dr Aleksandr Kogan, and elsewhere," the ICO wrote. Kogan and his company Global Science Research (GSR) were tasked with harvesting 87 million Facebook users' personal data from the aforementioned quiz app.
"In the main their models were also built from ‘off the shelf’ analytical tools and there was evidence that their own staff were concerned about some of the public statements the leadership of the company were making about their impact and influence."
El Reg has heard on good authority from sources in British political circles that Cambridge Analytica's advertised powers of online suggestion were rather overblown and in fact mostly useless. In the end, it was skewered by its own hype, accused of tangibly influencing the Brexit and presidential votes on behalf of political parties and campaigners using its Facebook data. Yet, no evidence, according to the ICO, could be found supporting those specific claims.
On Brexit, the ICO reckoned Cambridge Analytica just had information on Americans from the social network:
It was suggested that some of the data was utilised for political campaigning associated with the Brexit Referendum. However, our view on review of the evidence is that the data from GSR could not have been used in the Brexit Referendum as the data shared with SCL/Cambridge Analytica by Dr Kogan related to US registered voters.
Cambridge Analytica did appear to do a limited amount of work for Leave.EU but this involved the analysis of UKIP membership data rather than data obtained from Facebook or GSR.
And on the US elections, we're told a database of voters was assembled from Cambridge Analytica's Facebook records, and that "targeted advertising was ultimately likely the final purpose of the data gathering but whether or which specific data from GSR was then used in any specific part of campaign has not been possible to determine from the digital evidence reviewed." Cambridge Analytica may have ended up working with data from the Republican National Committee (RNC), the ICO suggested.
For what it's worth, the ICO observed that a Canadian outfit called AggregateIQ, which was closely linked to Cambridge Analytica, was recruited by pro-Brexit campaigners to target adverts at British Facebook users. And, we note, AggregateIQ was hired to help US political campaigns in the run up to the 2016 elections. AggregateIQ has maintained it and Cambridge Analytica kept their distance; critics say they worked hand in hand and exchanged information.
And as for Russia: "We did not find any additional evidence of Russian involvement in our analysis of material contained in the SCL / CA servers we obtained," the ICO stated, adding that this is kinda outside its remit and something for the UK's National Crime Agency to probe.
Were Cambridge Analytica still around, we imagine some details of the report would be a little embarrassing. Alas, it shut down all operations (sort of) back in 2018.
Their models were also built from ‘off the shelf’ analytical tools and there was evidence that their own staff were concerned about some of the public statements the leadership of the company were making about their impact and influence
The ICO report noted how Cambridge Analytica was probably also less than honest with the sales pitches it made to American political and British pro-Brexit campaigns, overstating the amount of data it had collected.
"SCL’s own marketing material claimed they had 'Over 5,000 data points per individual on 230 million adult Americans'," the ICO noted. "However, based on what we found it appears that this may have been an exaggeration."
The company was also taken to task for poor data practices that, even had the political marketing stuff not blown up in public, likely would have landed it in hot water with the ICO.
While Cambridge Analytica may be gone and the ICO investigation concluded, Denham also warned that the tools and techniques it claimed could tip elections are not going away, and are likely to be used in the very near future... and may even work this time.
"What is clear is that the use of digital campaign techniques are a permanent fixture of our elections and the wider democratic process and will only continue to grow in the future," the commissioner wrote. "The COVID-19 pandemic is only likely to accelerate this process as political parties and campaigns seek to engage with voters in a safe and socially distanced way." ®