FTC Sanctions Defunct Cambridge Analytica: So What?
MIA: Checks on Voter Microtargeting and Nation-State Information Operations
U.S. regulators have sanctioned a notorious, self-described "data-science consultancy and marketing agency" that misused Facebook users' personal details as part of voter-targeting campaigns.
On Friday, the Federal Trade Commission announced that London-based Cambridge Analytica had "engaged in deceptive practices to harvest personal information from tens of millions of Facebook users for voter profiling and targeting."
The FTC said the firm had also violated the EU-U.S. Privacy Shield framework, which governs the cross-border sharing of individuals' personal details. As a result, the FTC ordered the company to desist from deceptive practices as well as to delete data it had collected on 87 million Facebook users.
Commissioners voted 5-0 to issue the opinion and final order.
But in a clear case of closing the stable door after the horse has bolted, the FTC's finding looks set to have no real-world impact. That's because Cambridge Analytica no longer exists (see: Besieged Cambridge Analytica Shuts Down).
Facing the heat after its practices came to light, the company's directors declared bankruptcy in May 2018, leaving in their wake an indignant statement: "Over the past several months, Cambridge Analytica has been the subject of numerous unfounded accusations and, despite the company's efforts to correct the record, has been vilified for activities that are not only legal, but also widely accepted as a standard component of online advertising in both the political and commercial arenas."
At least part of that statement remains accurate: The voter-targeting campaigns the company was running appeared to be legal. Perhaps that's why executives at Cambridge Analytica as well as parent company SCL Group had already registered a company called Emerdata Ltd. in Britain in August 2017, saying it would be devoted to "data processing, hosting and related activities."
Alexander Nix - the former CEO of Cambridge Analytica who was caught on video describing his firm's ethically questionable tactics - was appointed as a director of Emerdata in February. In March 2018, Rebekah and Jennifer Mercer - daughters of billionaire Robert Mercer, who bankrolled SCL Group and Cambridge Analytica - became directors of Emerdata.
Voter Profiling and Microtargeting
Cambridge Analytica completed $15 million worth of U.S. political work in the 2016 election cycle, the Wall Street Journal has reported. But the firm appeared to have illegally obtained at least some data that it used for targeted marketing.
"In late 2013 or early 2014, Cambridge Analytica ... learned of research suggesting that people's Facebook profile data could be used to predict their personality traits," the FTC says in a blog post. "Cambridge Analytica wanted that information for voter profiling, microtargeting, and other services it offered to U.S. political campaigns and marketing clients."
After Cambridge Analytica's activities came to light, Facebook faced numerous investigations into its data protection policies, leading it to agree to pay multiple fines, including $643,000 in the U.K., $1 million in Italy, $100 million to the U.S. Securities and Exchange Commission and $5 billion to the FTC. The agreement with the FTC also stipulates that Facebook maintain and demonstrate improved security and privacy practices or it will risk future fines.
Despite Cambridge Analytica's directors closing up shop, the U.K. Information Commissioner's Office last year promised to still "pursue individuals and directors" at Cambridge Analytica if it determined they'd broken the law, as well as to "closely monitor any successor companies."
"Our investigations remain ongoing and we have no further update at this time," Steve Doohan, an ICO spokesman, told me Monday.
Good News, Bad News
The good news about Cambridge Analytica, beyond the fact of its bankruptcy, is that it's not clear that the firm's activities had any impact.
That's the assessment political and technology expert Jamie Bartlett offered in a keynote speech at the Infosecurity Europe conference in June, adding that what the firm was doing on behalf of Donald Trump's 2016 presidential election campaign "was pretty industry standard - lots of people were doing the same thing. ... They were probably just slightly better at doing data analytics than the Clinton team was." (See 10 Highlights: Infosecurity Europe 2019 Keynotes.)
President Donald Trump won three crucial swing states in the 2016 election, each by less than one percentage point. It's not clear if targeted marketing practiced by Cambridge Analytica helped.
Regardless, Bartlett said that organizations are continuing to try to apply data science techniques to use "subtle nudges" to microtarget smaller and smaller groups of people, which could end up "changing fundamentally" the democratic process.
"This is not really what elections are supposed to be about," he said.
Needed Now: Transparency
His proposed antidote involves greater transparency, including keeping records of every advertisement directed at every individual, and subjecting them to automatic review under the aegis of a regulator that is independent from the government.
But there are no signs that such a model is being pursued in any country.
British voters, for example, are set to go to the polls this Thursday for a general election, and they're reportedly being bombarded by advertising via social media paid for by "unknown and shadowy groups," according to reporter Carole Cadwalladr.
Data-science tactics can be used not just by consulting firms in the employ of political parties, of course, but also by foreign intelligence agencies to try and interfere in elections. At least in Britain, however, transparency into such efforts is lacking. Parliament's cross-party Intelligence and Security Committee has prepared a report, based on extensive testimony from British intelligence agencies, that examines Russia's alleged attempts to influence the outcome of the 2016 Brexit referendum and 2017 general election. No doubt the report will offer recommendations for how such interference attempts can be better countered.
But Conservative Prime Minister Boris Johnson has blocked the report's release. Perhaps not coincidentally, he's trying to hang onto his job after 10 years of his party being in power, which has included its holding of the "Brexit" referendum, in which voters decided 52 percent to 48 percent to leave the EU. But for more than three years, Johnson and his predecessor, Theresa May, have been unable to deliver a vision of what a post-Brexit Britain would look like that even their own party can agree to vote through Parliament.
With Brexit continuing to be debated, this election has appeared more divisive than any in recent memory. One of the points of contention is the future of the country's beloved National Health Service. Labour has accused the Tories of underfunding the NHS, in a bid to privatize large swaths of it, which the Conservatives have denied.
Election Interference Continues
Enter Russia, which appears to be attempting to amplify already rancorous political debates. On Friday, Reddit said that after working with law enforcement, it had tied information leaks via its platform to a Russian campaign discovered by Facebook earlier this year, dubbed "Secondary Infektion" by the Atlantic Council. Reddit banned 61 accounts as a result, noting that two of those accounts - "ostermaxnn" and "gregoratior" - were used to leak documents in late October about Britain's secret post-Brexit trade talks with the U.S.
Labour leader Jeremy Corbyn recently brandished the documents at a news conference, saying they are evidence that "the NHS is on the table and will be up for sale" if Conservatives remain in power.
So nation-state information operations and political microtargeting continue, apparently unchecked. As Bartlett said at Infosecurity Europe in June: "How will an election look 10 to 15 years from now, if we carry on down this same path?" And what will be the impact on western democracies, or what is left of them?