After more than three years, Elizabeth Denham, the UK’s Information Commissioner, has closed her investigation into improper data handling by the SCL and Cambridge Analytica group.
At first glance her findings, which were released on Tuesday, dispel many of the accusations put forward by whistleblowers and digital rights campaigners over the course of 2018.
The most serious of these was that the digital marketing specialist had colluded with Russia to steer the results of the Brexit referendum and broken US campaign rules during the 2016 presidential election. Campaigners had also previously argued the company failed to delete contentious data sourced from Facebook without users’ permission when asked.
Denham told a parliamentary select committee on Friday that “on examination, the methods that SCL were using, were in the main, well recognised processes using commonly available technology”.
But the findings (available here) also introduce questions about the breadth and scope of the regulator’s current remit. Chief among them is whether the ICO, as an independent body funded in part by fees and government grants, is well suited to evaluating wrongdoing — both in terms of resources and expertise — which extends beyond the immediate remit of data protection law and UK jurisdiction.
The origins of its Cambridge Analytica inquiry hark back to a subject access request (SAR) by US academic David Carroll, a US citizen, in 2017. He wanted to better understand how his personal data was being used to profile him for microtargeting in electoral campaigns.
At the time of the SAR, however, it was unclear whether the ICO was obligated to respond to requests originating from foreign citizens, even if they pertained to the handling of their personal data in UK territory. Most lawyers now agree the investigation has set a precedent that they the ICO can and will investigate in such scenarios, exposing the body to potentially even broader internationally-flavoured investigations in the future.
The ICO’s final report noted the Cambridge Analytica probe constituted “one of the largest and most complex ever carried out by a data protection authority”. Analysis by the regulator also touched upon more than 700 terabytes of data seized from the group’s London office under warrant in 2018.
As of October 2018, the ICO’s investigation has run up costs of £2.4m versus an annual budget currently projected to top £50m.
No smoking gun
A key controversy surrounding Cambridge Analytica has been the degree to which the company continued to rely on controversial data sets it acquired from Facebook, even after Facebook had asked them to delete them.
The original Facebook data was sourced from Dr. Aleksandr Kogan, an academic at Cambridge university, who had developed the psychographic techniques which Cambridge Analytica had become known for. While Kogan’s models were informed by data samples generated from a personality test he ran on Facebook with the permission of users, it later transpired the data also included information scraped about the friends of users without permission.
The ICO’s report, however, found that Cambridge Analytica had made efforts to delete the data when Facebook requested it to do so in 2016. The authority also noted the company had begun efforts to replicate the Kogan data on a fully independent and permissioned basis as far back as 2015.
But the report cautioned that some derivative data persisted until it was deleted in 2017, a move signed off by then chief executive Alexander Nix.
The ICO hence noted “it is suspected” that some parts of the original Kogan data may have been used in connection with political campaigning for the US 2016 presidential election, albeit in modelled form:
For example, it is understood SCL (through contracts with firms including AIQ) deployed advertising on the Facebook Platform which was targeted to specific voter demographics informed by the profiling that had been undertaken by SCL/CA and GSR
Sources at Cambridge Analytica, however, have always disputed this, claiming that the data was only being quarantined for modelling comparison reasons. As it stands, the final report offers no compelling evidence to dispute that.
Guilty of overselling psychographics?
Another unpopular finding by the Commissioner relates to how ineffective the group’s predictive analytics really were. Potentially very. As noted in the report (our emphasis):
. . . while the models showed some success in correctly predicting attributes on individuals whose data was used in the training of the model, the real-world accuracy of these predictions — when used on new individuals whose data had not been used in the generating of the models — was likely much lower. Through the ICO’s analysis of internal company communications, the investigation identified there was a degree of scepticism within SCL as to the accuracy or reliability of the processing being undertaken. There appeared to be concern internally about the external messaging when set against the reality of their processing.
The group’s famous marketing slogan, meanwhile — that it had over 5,000 data points per individual on 230m adult Americans — was also deemed to have been an exaggeration by the Commissioner. The actual data points the companies held looked more like this:
But what about Brexit?
The scale of Cambridge Analytica’s involvement in the Leave.EU Brexit campaign is probably the question that has plagued UK digital rights campaigners’ minds most in recent years. But the conclusions from the ICO report are unlikely to be welcomed.
According to the Commissioner, the authority found (our emphasis):
. . . no further evidence to change my earlier view that SCL/CA were not involved in the EU referendum campaign in the UK — beyond some initial inquiries made by SCL/CA in relation to Ukip data in the early stages of the referendum process. This strand of work does not appear to have then been taken forward by SCL/CA.
On Russian involvement, meanwhile, the Commissioner reminded that the ICO had already handed over what evidence they had found to the National Crime Agency. The final report by the Digital, Culture, Media and Sport Committee revealed in February 2019 that this pertained to the discovery of Russian IP addresses in the data associated with Aleksandr Kogan’s server. The Commissioner added the investigation had not found any additional evidence of Russian involvement in material contained in the Cambridge Analytica servers it had since obtained. The National Crime Agency, meanwhile, is yet to pursue any action.
Last, the Commissioner said she identified “no significant breaches of the privacy and electronic marketing regulations and data protection legislation that met the threshold for formal regulatory action.”
The single successful action against the Cambridge group was against SCL Elections for their failure to comply with an enforcement notice sent to them when they were already in administration. The fine paid was £18,000.
But the authority’s penalty actions also extended to the following groups:
• Facebook (£500,000) paid 04 November 2019
• Vote Leave (£40,000) paid 29 April 2019
• Leave.EU (£15,000) paid 15 May 2019
• Emma’s Diary (£140,000) paid 29 August 2018
Who watches the watchmen?
In total, the data trove amassed by the ICO over the course of its investigations included 42 laptops and computers, 700 TB of data, 31 servers, over 300,000 documents, and a wide range of material in paper form and from cloud storage devices.
Now that its investigation has concluded, the ICO will be required under its own data control guidelines to either return the data sets to their owners — in this case SCL’s administrators — or dispose of them securely.
According to the final report, the Commissioner’s office is already ensuring that “any data, models and derivatives are safely destroyed” and that “several items obtained have been subsequently disowned and we are taking measures via our forensic technology provider to destroy these safely ourselves.”
That, FT Alphaville assumes, implies the underlying data that many continue to believe single-handedly “hacked” the 2016 Brexit and American elections, could soon be lost forever.
If that’s the case, it may shortly become even harder to disprove the uncomfortable proposition that Cambridge Analytica’s main data-related crime was overselling its own capabilities rather than actually hacking democracy with the help of the Russians.