Why a British company has Americans voter data and how British law can help us get it back
How did Cambridge Analytica get our data? Who did they get it from? How did they process it? Who were the recipients of our data? Can we opt-out? Can they justify lawful compliance under UK Data Protection law?
Donate to the CrowdJustice campaign right now and help fund the effort to get our data back.
Hackers at DEFCON have just revealed that all of the voting machines in the USA can be easily hacked. It gets worse. Voters can be hacked as well. In 2016, American's voter data was compromised and abused in ways that we are just beginning to understand. Political campaigns have been collecting data and building sophisticated models of voters for decades. The Obama campaign, often touted for its breakthrough application of new targeting tech, accelerated the possibilities. In response, the Republican Party realized it needed to get aggressive about its digital strategy. As we look back on the current president's campaign, remember its shocking result, and the chaos of every day since, we are finding mounting evidence of wrongdoing. Indeed, the misuse of our voter data is a critical aspect of the foreign attack on our democracy in 2016. Understanding what lines were crossed will help us protect future elections from further abuse. Investigations in Congress are scrutinizing the Trump campaign's use of digital technology with key figures called to testify. Meanwhile, Americans do not realize that British regulators are currently investigating if a British company violated British data protection laws interfering in our democracy.
- David Carroll (@profcarroll) May 17, 2017
The Ted Cruz and Donald Trump campaigns hired a very unusual British company called Cambridge Analytica to work on their voter targeting strategies. General Flynn, a key figure in the Russia election hacking investigation, suspiciously updated his disclosure forms to include payments from the company. That means his story changed from an earlier denial when reporters asked about his ties to the company. He only admitted to working for Cambridge Analytica after his offer to cooperate with investigators for immunity was rebuffed by the Senate Intelligence Committee. What was he trying to hide?
That's what we're trying to find out. We've already learned so much and each detail is more unbelievable and disturbing than the next. Let's start with the basics.
The Trump voter data operation took the unprecedented step of hiring a British military contractor to handle its target audience analysis services for voter targeting. Previously, political campaigns had the good sense to keep our voter data in the United States. It turns out that Cambridge Analytica may be some sort of a facade to obscure its parent company, SCL GROUP LIMITED, a military contractor, purveyor of psychological operations, or PSYOPs in military lingo. Their elections division, SCL Elections in London, is the actual company behind Cambridge Analytica, the company that claims to have big data dossiers on every registered voter in America. The company does its "election management" work around the globe, with political clients in places such as Kenya and Mexico and contracts for government entities like NATO and the US STATE DEPT.
We set out to see if US voter data was processed in the UK to prove our central allegation that it leaked out of the country for the first time. On February 23, 2017, I asked SCL Elections, the registered data controller for Cambridge Analytica in London, for my data. If they ignored or denied my request, we would be proven wrong because it would suggest that our data stayed in domestic storage exclusively.
4/ Here is letter provided by Cambridge Analytica/SCL with request describing data protection policy jurisdictions and their data sourcing. pic.twitter.com/mrOmr4qPlf
- David Carroll (@profcarroll) March 27, 2017
On March 27, they sent me my data and proved our fears true. Our data appears to be sitting in London. I posted my letter from Cambridge Analytica signed by the COO of SCL and screenshots of the spreadsheets of my "data" to Twitter. By putting it out there, we quickly learned that the company is not compliant to the Data Protection Act in the UK. A solicitor and a barrister in London have agreed to take anyone on as a client to exercise our data protection rights there since we probably have none here at home. That means all American voters can all sue the Trump campaign's voter data company in London if they refuse to delete our data, refrain from collecting it again, and answer our reasonable questions about where they got our data, how they used it, how they blended voter registration information with it, and who they shared it with.
Donate to the CrowdJustice campaign right now and help fund the effort to get our data back.
Frequently Asked Questions
Who owns Cambridge Analytica and SCL GROUP?
We know from public disclosures that Steve Bannon holds loans, "membership units," and has been paid generous fees by the Cambridge Analytica LLC registered in Delaware. Multiple reports suggest that Trumps' mega-donor Robert Mercer owns most of the company (along with Breitbart) but Delaware corporate secrecy laws prevent documented confirmation. The parent company SCL GROUP LIMITED in Britain has a complex ownership structure that can be deduced from public filings. Researchers and reporters have been working together to draw the corporate structure that links while trying to obscure the US entities deeply intertwined with a British-based, oligarch-controlled conglomerate.
But all that really matters is one simple question: Which company has custody of our data? SCL Elections in London, and data access was apparently not limited to the US-based Cambridge Analytica LLC owned by Bannon and Mercer.
What is Target Audience Analysis and how does it work?
The digital advertising industry has developed an elaborate and troubling sub-industry dedicated to matching our consumer data with our identities. The data from our browsing histories, television habits, shopping habits and so much more are collected for the business purposes of targeting people to make ads more "relevant" so that businesses feel that they waste less money on advertising.
Re-identifiable data is freely trafficked in the US. SCL (or any company) buys commercial data and links it to voter data for TAA. pic.twitter.com/Ke1PCRC4Up
- David Carroll (@profcarroll) June 22, 2017
Unfortunately, military contractors have adopted these practices for geopolitical purposes to segment populations in order to identify potential cognitive biases or susceptibilities for influence campaigns or even radicalization. We should now expect that our voter registration records are being used as an index of our personal information for political campaigns. But we do not expect that our voter identity is being used for commercial purposes (it is!) nor do we expect that international military contractors are processing our voter data, blending it with our commercial behavior data so that we are effectively de-anonymized, re-identified, segmented, and sorted into classifications we cannot easily understand, and used against our political interests without our knowledge or control.
All those privacy policies that you never read broke their core promise. They usually say by not attaching your given name to your data when they sell it they will be "respecting your privacy." These are all broken promises because our data is getting re-attached to our once-anonymous data sets using voter records and data matching algorithms. It's being used against us by foreign companies with strange ties to secretive oligarchs and potentially traitorous figures associated with the Trump campaign, transition, and administration.
When people say they don't need privacy because they have nothing to hide, they haven't thought it through. Now you understand why it's a fallacy that benefits the advertising and military industrial complex but not the people's democracy or our national sovereignty.
What are psychometrics and how do they work?
Psychometrics, also known as psychographics, is a controversial personality model developed by behavioral psychologists with Cambridge University at the forefront of this research. The Republican-servicing voter data company Cambridge Analytica appears to get its name from the university's Psychometrics Centre where the original studies that gathered data from Facebook personality quizzes provided the massive data sets required to model people. You can connect your Facebook or Twitter account to their Apply Magic Sauce tool to see how the algorithms can read your social media activity to provide your personality model.
Psychometrics are based on the so-called Big 5 or OCEAN personality model. Cambridge Analytica claims to have scored every registered voter in America on the OCEAN scale by blending our consumer data with our voter registration.
There are other psychological measures being uncovered by researchers, including measures that effectively identify people who are essentially gullible because they have personality markers for not thinking critically.
The big idea behind OCEAN Psychometrics is that the population can be mapped against the averages. Therefore, it's not terribly interesting or useful to see your own OCEAN score. You can attach your Twitter and/or Facebook accounts to Apply Magic Sauce at Cambridge University and see for yourself how your social media activity provides the raw materials to grade your personality.
Long after receiving my Cambridge Analytica voter file, which did not include my OCEAN score despite my expectations it should have, I connected my Twitter account to Cambridge University's Apply Magic Sauce and my personality was modelled as follows:
If you do that, you're giving consent to the university to analyze your social media data. It's one thing to sign up for a personality quiz. It's another thing entirely to score an entire electorate without their knowledge or consent.
Many observers think psychometrics is hocus-pocus, in the realm of Myers-Briggs, or even horoscopes. But these scores are valuable at scale to further achieve weaponized target audience analysis. If personality traits along with many other factors help a campaign precisely isolate the approximately 77,000 voters its takes to swung the Electoral College in 2016, then it also enabled those people to be bombarded individually with personalized propaganda. When political media becomes this invasive and precise, we have to ask ourselves: Can the minds of the electorate be hacked?
Showing how additional traits beyond OCEAN scale leaked in TV broadcast. @podehaye snagged it CSI zoom-in. Need for Cognition (gullibility) pic.twitter.com/tRMMQCS2Qj
- David Carroll (@profcarroll) April 13, 2017
Does this mean that authoritarian voters be targeted and "activated"?
While the hackers that "pwned" all US voter machines grabbed the headlines coming out of the DEFCON conference in Las Vegas, another shocking presentation by the Online Privacy Foundation on Brexit voters was largely overlooked. In this alarming study, the researchers performed a replication study (using existing methods and datasets) to test what markers in psychometric profiles could be used to profile authoritarian voters in the UK for the EU referendum, also known as the Brexit vote.
Controversy surrounds the issue of whether or not Cambridge Analytica provided its services to the Leave.EU campaign that funded the political operation to convince the British to vote Leave, not Remain. The tycoons that paid for Leave.EU, Andy Wigmore and Aaron Banks, are buddies with Nigel Farage, Donald Trump and Robert Mercer. Banks and Wigmore are on record in video, documents, and their own tweets describing how that they used Cambridge Analytica for their campaign. SCL employees are also on record touting their services for the Bad Boys of Brexit. Their services were reportedly donated by Robert Mercer, which would be unlawful to British campaign finance law. In response, the CEO of Cambridge Analytica, Alexander Nix offers non-denial denials when asked by reporters if they worked for the Brexit campaign. SCL has threatened The Guardian with legal actions for poking too deeply at the truth in their coverage, exploiting libel laws that do not compare with US practices. Wigmore and Banks have tweeted that they will be testifying to the Senate Judiciary. Getting their narrative ahead of the investigation is a smart move on their part, especially if they're guilty of wrongdoing and misleading the public.
Assuming Cambridge Analytica did build psychometric profiles of British voters, the Online Privacy Foundation study found a troubling correlation between the Openness and Conscientiousness facets of OCEAN model as clearly identifiable markers for authoritarian and anti-authoritarian voters. In other words, Cambridge Analytica may have helped the oligarchs who wanted Britain to leave the European Union by finding the precise voters in the swing districts with a penchant for authoritarian thought. They were able to tailor messages that tap into the cognitive biases of the authoritarian personality and further reinforce, target, and tailor messages to these voters to activate and even foment their propensity for authoritarian rule.
Controversy surrounds whether or not Cambridge Analytica used psychometrics for profiling US voters as well. In a similar pattern, employees have described in interviews and in company promotions their capability to psychometrically profile every US voter using the OCEAN model. However, as soon as reporters and researchers started asking tough questions, the company has changes its story, claiming it did not use psychometrics for the Trump campaign. They acknowledge using psychographic methods for the Cruz campaign who went from being the most detested politician in America to winning the Iowa primary.
We are pursuing civil action in UK courts to get answers to these questions. Did the Trump campaign use (legacy) psychometric modeling or not? Did any company with legal associations to SCL Group work for Brexit or not? Could authoritarian voters be identified in swing districts using psychometrics? Did they respond to hyper-targeted messages on Facebook and television by tapping into these susceptibilities? Do the owners of SCL and its affiliates have financial and/or legal ties to Russian, British, and American oligarchs? Are they coordinating an attack on our democracies using dark databases?
How is Facebook involved?
This is where things get really complicated. Facebook has played a key role on the front and back-end of this fiasco.
It all started at the University of Cambridge when academic researchers conducted unethical and likely unlawful data collection practices using the Facebook platform. The researchers got kicked off of Amazon and Facebook when the companies learned what was going on their systems. The Cambridge researchers claim to have deleted the data on 30 million American Facebook users. But given the strange behavior of this company in many other contexts, it is reasonable to doubt just about everything this company and its affiliates claim.
The data that the Cambridge University researchers collected allowed them to psychometrically profile users who installed a personality quiz app. The researchers discovered that they could accurately predict the following personal details about someone with as few as 170 Facebook likes per Facebook user (prediction accuracy): Your ethnicity (95%), gender (93%), sexual orientation (88%), politics (85%), religion (82%), whether you smoke (73%), drink (70%), use drugs (65%), are in a relationship (67%), and whether your parents were divorced when you were 21 (60%). (Kosinki et al 2013 from Networks of Control)
SCL claims it does not currently possess the Facebook Like data its affiliated researchers gathered illegitimately but we don't know if they acquired the data model they needed when they improperly collected it. In other words, they could have developed an algorithm from stolen Facebook data and there's no indication that they voluntarily destroyed this intellectual property. Instead, they're asking everyone to take their word for it they are well behaved. We should assume that the company has sophisticated algorithms and data sets to draw upon allowing them to invasively model every single registered voter. Facebook failed to protect the privacy of 30 million voters. In that way, Facebook broke their privacy promise to all of us.
On the back-end of this fiasco, Facebook was used to deliver the hyper-partisan, hyper-targeted, hyper-personalized ads to individual voters, addressed by name. Facebook advertises to political campaigns the advantage of being able to upload the email address or other identifiable information about voters so they can be precisely targeted on Facebook. There's a feature called Custom Audiences that allows anyone to target you by name, if they have your email address and it matches your Facebook account email address. With enough money and data to target you, an unknown entity can overload your Facebook news feed with sponsored posts.
To make a terrible situation worse, fake users can be purchased on the dark market that are either software-based or click-workers toiling for pennies in countries like Vietnam, Indonesia, Bangladesh, and Egypt. Fake users create a false amplification effect, what most people call bots. They make it look like more people agree with ideas than actually exist. This manufactures consensus and seems to exploit a powerful cognitive bias that helps content go viral.
Facebook claims not to have saved the 100,000+ variations of hyper-targeted ads presumably developed with Cambridge Analytica target audience analysis and psychometric profiling. Journalists, regulators, private citizens are unable to review the Trump campaign's digital political advertising campaign, in terms of content and how it targeted to voters. If the campaign wanted to hide wrongdoing, Facebook may have facilitated that.
If Facebook failed to foresee how their platform could be abused in this manner, it's on Mark Zuckerberg. The company was making $1 million per day in August of 2016 leading up to the October surprise. Now it is safe to presume that SCL and Facebook are being scrutinized by investigations in Britain by the Information Commissioner's Office and in Washington DC by the House and Senate committees. According to reports, the special counsel served Facebook with a warrant for data and ads connected to an advertiser with troubling links to the Kremlin.
How did this happen? What can we do about it?
This happened because Americans have a different attitude and mindset about digital privacy than Europeans do. We have laws that protect our privacy in specific "vertical" industries but we have no broad "horizontal" laws that protect our data, generally. For example, your medical data is protected by the HIPAA law. Your college transcripts are protected by FERPA. But there is no federal law protecting voter data from being blended with commercial data to de-anonymize you without your consent. Without express prohibitions on political and personality modeling, the market for voter profiling thrives, totally unregulated in the United States, somewhat regulated in the United Kingdom, and forcefully regulated in countries like France and the European Union more broadly.
Most significantly, as Americans, we have no rights to know either way, no right of access. We can't demand that companies share the data they have on us with us. The ones that do now (you can download your data from Facebook, Google, LinkedIn and Twitter) do so as a courtesy to Americans and a requirement for Europeans.
Europeans have this right of access, and many more privacy rights that they we do not enjoy in the United States. That's one of the biggest lessons learned from requesting my data from Cambridge Analytica. Ironically, if the Trump campaign had not processed our voter data in London, leaking it out of the country for the first time, we would probably not have realized we need these crucial rights that we now must demand from our government. We need equal data protection rights with Europe.
To protect our democracy, we need to protect our data and treasure our privacy. The European Union has already passed a sweeping new law called the General Data Protection Regulation and it becomes enforceable in May 2018. You will start to see new pop-ups on websites that will grant you your new data protection rights thanks to the EU. American companies will not be exempt from the steep penalties of failing to comply with GDPR. The flow of data across geographic boundaries is stretching the jurisdiction of laws in many new ways. If your data gets processed in another country, you may exercise your data protection rights there. Conversely, you're a company that collects data from EU citizens, you are liable to crackdown and lose 4% of your revenue turnover to EU authorities if you fail to protect EU citizen data lawfully. Things are going to change for the better, as democracies gain badly needed data rights. It will become harder and harder for companies like Cambridge Analytica to have a viable business model if the electorate flexes its new data protection muscles in the courts.
This brings us to our goal, the key thing that we can do right now to protect the future of democracy. If we succeed at winning a lawsuit against SCL in London for their violations of the UK Data Protection Act of 1998, then we will set an important legal precedent that companies can't do what they did in 2016 and seek to repeat in 2018.
The easy part will be contributing to an upcoming crowdfunding campaign. Your contributions will go directly toward the civil case in London. You don't have to request your data and become a client of Ravi Naik, but it certainly helps strengthen our position. It also gives you a chance to take your data back and prevent it from being collected in the future. Send a blank email to firstname.lastname@example.org to subscribe to the mailing list for announcements and discussions related to the crowdfunding campaign and legal challenges.
The hard work will entail supporting your representatives in state and federal government fighting for the passage of privacy and data protection legislation and standing up to tech titans that may seek to silence dissenters. It also means remembering to demand the nomination of agency appointees to FCC, FTC, and FEC who will take a muscular approach to holding companies accountable to the democracies that enable their successes.
Lawmakers won't be enthusiastic about limiting their own ability to hyper-target and manipulate voters to keep them in power. The electorate will have to unify across the aisles to shock the system into ratifying equal data rights to Europe.
Lawmakers will be up against deep-pocketed industry lobbyists hell-bent on blocking any reasonable privacy laws from being passed in the US. They will take the fight all the way to the Supreme Court and they will claim that the First Amendment gives them unrestricted rights to collect data on us. They will claim it is protected commercial speech. We will need to defend our privacy as our right of autonomy and sovereignty of our identity. This involves standing up to secretive companies like SCL but also a national conversation about what Facebook and Google are doing to erode our democracy with the help of data brokers like Axciom, Experian, Equifax, and all the adtech companies that track and target us for advertisers.
Down the Rabbit Hole
Several fascinating and in-depth articles have been written about Cambridge Analytica and the controversies surrounding voter data abuse by top-notch reporters. Once you discover this company, it's pretty easy to become obsessed with it. Here's a reading list of some of the best articles on the subject.
Ann Marlow for Tablet Magazine
Will Donald Trump's Data-Analytics Company Allow Russia to Access Research on U.S. Citizens? Tracing the suspicious-looking, and messy, ties between a Ukrainian oligarch, an elections-information firm, and the GOP candidate's former campaign manager.
Nina Burleigh for Newsweek
How big data mines personal info to craft fake news and manipulate voters
Tamsin Shaw for The New York Review of Books
Invisible Manipulators for Your Mind
J.J. Patrick for Byline Media
A crowd-funded, micro-published book written by a British ex-cop who has chased the story like a detective. His book is steps ahead of the media narrative and ties the big picture together.
Spread the Word. Get your data back. Join the legal action.
We're up against money. We need yours.
Donate to the CrowdJustice campaign right now.
Contributing Editor: David Carroll
Educator, designer, researcher, speaker, and writer working across industry and academia, being critical about technology with technology. Currently associate professor of media design at the School of Art, Media, and Technology at The New School's Parsons School of Design. Previously served as director of the MFA Design and Technology graduate program (2010-2013) leading a dynamic and diverse faculty and student body designing and building near futures. Co-founded Glossy.io (2013-2015), an A.I. brain learning popular culture through magazines, born at NYC Media Lab, backed by Hearst Corporation, and incubated at the Made in NY Media Center by IFP. Founded the Center for Mobile Creativity, to support research grants from MacArthur Foundation, National Science Foundation, National Institutes of Health, Department of Education, Pearson Foundation, EPFL+ECAL, and Nokia Research Centers. Earned MFA Design and Technology at Parsons in 2000 and BA Art History and Religion with Highest Honors at Bowdoin College in 1997. Married with two children, living in Brooklyn. On Twitter and Medium as @profcarroll.