Since December of last year, I have been part of a small group of concerned citizens engaged in a series of actions against Cambridge Analytica (CA) and its parent corporation, SCL Group.
I am writing this post in the hopes of gathering support (that is, funds) we need to continue this action. You can support us at our Crowd Justice page, which has more information.
Here I’ve tried to lay out some of the background behind our efforts.
Our actions are driven by concern for claims made by CA, and those whose work it relies on, regarding the level of behavioral manipulation of which they are capable, and specifically about whether the techniques CA has developed have been used to manipulate voting behavior, especially in the 2016 US Presidential election and the UK Brexit election (although as US citizens our inquiry is limited to the US election). Carol Cadwalladr of The Guardian is the journalist who has covered the topic most extensively: see, for example, her piece on this campaign, “British Courts May Unlock Secrets of How Trump Campaign Profiled US Voters,” and her earlier pieces on the Brexit/Leave.EU campaign, “Follow the Data: Does a Legal Document Link Brexit Campaigns to US Billionaire?” and “The Great British Brexit Robbery: How Our Democracy Was Hijacked” and on the US Presidential election, including “Cambridge Analytica Affair Raises Questions Vital to Our Democracy” and “When Nigel Farage Met Julian Assange.”
The UK has more extensive data protection laws than does the US. Its laws and regulations are administered by the Information Commissioner’s Office (here not standing for Initial Coin Offering). Because CA/SCL, a British company (SCL Group) with an American subsidiary (CA) appears to have directly collected and used data about US citizens in its work for the Cruz and Trump campaigns in the 2016 election, the UK Data Protection Act (DPA) is triggered. The DPA has many provisions for individuals to discover exactly what data is being collected on them and how it is being used.
In late 2016, David Carroll of Parsons School of Design and I and a few others, working with data researcher Paul-Olivier Dehaye, and the PersonalData.io project he runs, submitted formal requests to CA/SCL under the UK Data Protection Law, which allows us to see all data companies have about us.
During the spring, UK attorney (aka “solicitor”) Ravi Naik of Irvine Thanvi Natas Solicitors took an interest in our efforts and helped to coordinate our requests to CA/SCL. Ravi himself has written an article in The Guardian about the campaign.
It took longer than the 40 days the law allows, but eventually (in March) CA/SCL did return files to David and myself. The file consisted of a single Excel spreadsheet with 3 tabs. Two of these were relatively innocuous identifying information (date of birth, address, records of which elections I’ve voted in) that are available to marketers via public election records. The third, though, is shocking in its implications:
What is startling about this data, in part, is that it appears to be specifically about how manipulable I might be with regard to central hot button issues in the political public sphere—not necessarily what my opinions are, but whether I would be susceptible to manipulation about issues like “Gun Rights” and “Traditional Social and Moral Values.” In general this psychographic profile strikes me as being plausible, though not necessarily how I consciously think I’d rank all of these issues for myself: but then again, the point of psychographic data is that it knows us better than we know ourselves.
We don’t think this information can possibly be complete, since it gives very little sense of what I think about all of these issues, which a marketer like CA/SCL would surely need to take targeted actions based on it—for example, even if environmental issues are at level 10 importance to me, this data does not indicate whether that means I consider the problem to be climate change, or the fact that climate change is a fraud.
CA/SCL provided no information whatsoever on where and how this information was gathered, whether it represents a purchase of existing information or analytics performed on a body of data CA/SCL also has but has not disclosed, and so on.
In 2017, the ICO issued a document called “Guidance for Political Campaigning.” Among the many provisions of this guidance that CA/SCL would appear not to have followed scrupulously even based on this limited amount of data is this:
79. The big data revolution has made available new and powerful technical means to analyse extremely large and varied datasets. These can include traditional datasets such as the electoral register but also information which people have made publicly accessible on Facebook, Twitter and other social media. Research and profiling carried out by and on behalf of political parties can now benefit from these advanced analytical tools. The outputs may be used to understand general trends in the electorate, or to find and influence potential voters. (16)
80. Whatever the purpose of the processing, it is subject to the DPA if it involves data from which living individuals can be identified. This brings with it duties for the party commissioning the analytics and rights for the individuals to whom the data relates. It includes the duty to tell people how their data is being used. While people might expect that the electoral register is used for election campaigns they may well not be aware of how other data about them can be used and combined in complex analytics. If a political organisation is collecting data directly from people eg via a website or obtains it from another source, it has to tell them what it is going to do with the data. In the case of data obtained from another source, the organisation may make the information available in other ways, eg on its website, if contacting individuals directly would involve disproportionate effort. It cannot simply choose to say nothing, and the possible complexity of the analytics is not an excuse for ignoring this requirement. Our code of practice on privacy notices, transparency and control provides advice on giving people this information. (16-17)
And
81. Even where information about individuals is apparently publicly accessible, this does not automatically mean that it can be re-used for another purpose. If a political organisation collects and processes this data, then it is a data controller for that data, and has to comply with the requirements of the DPA in relation to it. (17)
In its responses to us, other than the data mentioned above, CA/SCL has engaged in a pattern of bullying and denial that suggests to me, at least, that it has much more to disclose and will do everything in its power not to.
In order to take the next step in our legal challenge to CA/SCL, we need to raise £25,000. That is a lot of money. None of the money is going to us; we are raising the money using the established legal crowdfunding site Crowd Justice. The money is needed for two reasons: first, because in the UK, the loser of a lawsuit can be forced to pay the winner’s legal fees (so-called “adverse fees”). If we sue CA/SCL and lose, we could be liable for the fees CA/SCL has paid to its attorneys. With the Mercers backing CA/SCL, we are already certain that they will be using some of the highest-priced corporate attorneys available. Second, the money is needed to pay our own legal fees and to partly reimburse the solicitors working on the case for their time, even though most of their time is being donated.
We believe that continuing to force this issue could ultimately cause CA/SCL to release all of its data on the 2016 Presidential election, and possibly even the Brexit campaign. We also believe it may have extremely positive effects in preventing CA/SCL and other organizations from engaging in similar actions in the future.
We have at this point raised about £20,000 of the initial £25,000 we need to raise to start actions beyond making our subject data requests under the DPA. If you are at all inclined to help us in this effort, please visit our Crowd Justice page.