The company at the center of a major Facebook data misuse scandal has failed to respond to a legal order issued by the U.K.’s data protection watchdog to provide a U.S. voter with all the personal information it holds on him.
The enforcement order followed a complaint by the U.S. academic, professor David Carroll, that the original Subject Access Request (SAR) he made under European law seeking to obtain his personal data had not been satisfactorily fulfilled.
My prepared statement to @EUparliament committees today on my data quest to recover my Cambridge Analytica data under UK/EU law. The company did not respond to the @ICOnews Enforcement Order due today. We are now in uncharted waters. pic.twitter.com/8djPQykHAt
— David Carroll 🦅 (@profcarroll) June 4, 2018
The academic has spent more than a year trying to obtain the data Cambridge Analytica/SCL held on him after learning the company had built psychographic profiles of U.S. voters for the 2016 presidential election, when it was working for the Trump campaign.
Speaking in front of the EU parliament’s justice, civil liberties and home affairs (LIBE) committee today, Carroll said: “We have heard nothing [from SCL in response to the ICO’s enforcement order]. So they have not respected the regulator. They have not co-operated with the regulator. They are not respecting the law, in my opinion. So that’s very troubling — because they seem to be trying to use liquidation to evade their responsibility as far as we can tell.”
While he is not a U.K. citizen, Carroll discovered his personal data had been processed in the U.K. so he decided to bring a test case under U.K. law. The ICO supported his complaint — and last month ordered Cambridge Analytica/SCL Elections to hand over everything it holds on him, warning that failure to comply with the order is a criminal offense that can carry an unlimited fine.
At the same time — and pretty much at the height of a storm of publicity around the data misuse scandal — Cambridge Analytica and SCL Elections announced insolvency proceedings, blaming what they described as “unfairly negative media coverage.”
Its Twitter account has been silent ever since. Though company directors, senior management and investors were quickly spotted attaching themselves to yet another data company. So the bankruptcy proceedings look rather more like an exit strategy to try to escape the snowballing scandal and cover any associated data trails.
There are a lot of data trails though. Back in April Facebook admitted that data on as many as 87 million of its users had been passed to Cambridge Analytica without most of the people’s knowledge or consent.
“I expected to help set precedents of data sovereignty in this case. But I did not expect to be trying to also set rules of liquidation as a way to avoid responsibility for potential data crimes,” Carroll also told the LIBE committee. “So now that this is seeming to becoming a criminal matter we are now in uncharted waters.
“I’m seeking full disclosure… so that I can evaluate if my opinions were influenced for the presidential election. I suspect that they were, I suspect that I was exposed to malicious information that was trying to [influence my vote] — whether it did is a different question.”
He added that he intends to continue to pursue a claim for full disclosure via the courts, arguing that the only way to assess whether psychographic models can successfully be matched to online profiles for the purposes of manipulating political opinions — which is what Cambridge Analytica/SCL stands accused of misusing Facebook data for — is to see how the company structured and processed the information it sucked out of Facebook’s platform.
“If the predictions of my personality are in 80-90% then we can understand that their model has the potential to affect a population — even if it’s just a tiny slice of the population. Because in the US only about 70,000 voters in three states decided the election,” he added.
What comes after Cambridge Analytica?
The LIBE committee hearing in the European Union’s parliament is the first of a series of planned sessions focused on digging into the Cambridge Analytica Facebook scandal and “setting out a way forward,” as committee chair Claude Moraes put it.
Today’s hearing took evidence from former Facebook employee turned whistleblower Sandy Parakilas; investigative journalist Carole Cadwalladr; Cambridge Analytica whistleblower Chris Wylie; and the U.K.’s ICO Elizabeth Denham, along with her deputy, James Dipple-Johnstone.
The Information Commissioner’s Office has been running a more-than-year-long investigation into political ad targeting on online platforms — which now of course encompasses the Cambridge Analytica scandal and much more besides.
Denham described it today as “unprecedented in scale” — and likely the largest investigation ever undertaken by a data protection agency in Europe.
The inquiry is looking at “exactly what data went where; from whom; and how that flowed through the system; how that data was combined with other data from other data brokers; what were the algorithms that were processed,” explained Dipple-Johnstone, who is leading the investigation for the ICO.
“We’re presently working through a huge volume — many hundreds of terabytes of data — to follow that audit trail and we’re committed to getting to the bottom of that,” he added. “We are looking at over 30 organizations as part of this investigation and the actions of dozens of key individuals. We’re investigating social media platforms, data brokers, analytics firms, political parties and campaign groups across all spectrums and academic institutions.
“We are looking at both regulatory and criminal breaches, and we are working with other regulators, EU data protection colleagues and law enforcement in the U.K. and abroad.”
He said the ICO’s report is now expected to be published at the end of this month.
Denham previously told a U.K. parliamentary committee she’s leaning toward recommending a code of conduct for the use of social media in political campaigns to avoid the risk of political uses of the technology getting ahead of the law — a point she reiterated today.
“Beyond data protection I expect my report will be relevant to other regulators overseeing electoral processes and also overseeing academic research,” she said, emphasizing that the recommendations will be relevant “well beyond the borders of the U.K.”
“What is clear is that work will need to be done to strengthen information-sharing and closer working across these areas,” she added.
Many MEPs asked the witnesses for their views on whether the EU’s new data protection framework, the GDPR, is sufficient to curb the kinds of data abuse and misuse that has been so publicly foregrounded by the Cambridge Analytica-Facebook scandal — or whether additional regulations are required?
On this Denham made a plea for GDPR to be “given some time to work.” “I think the GDPR is an important step, it’s one step but remember the GDPR is the law that’s written on paper — and what really matters now is the enforcement of the law,” she said.
“So it’s the activities that data protection authorities are willing to do. It’s the sanctions that we look at. It’s the users and the citizens who understand their rights enough to take action — because we don’t have thousands of inspectors that are going to go around and look at every system. But we do have millions of users and millions of citizens that can exercise their rights. So it’s the enforcement and the administration of the law. It’s going to take a village to change the scenario.
“You asked me if I thought this kind of activity which we’re speaking about today — involving Cambridge Analytica and Facebook — is happening on other platforms or if there’s other applications or if there’s misuse and misselling of personal data. I would say yes,” she said in response to another question from an MEP.
“Even in the political arena there are other political consultancies that are pairing up with data brokers and other data analytics companies. I think there is a lack of transparency for users across many platforms.”
Parakilas, a former Facebook platform operations manager — and the closest stand in for the company in the room — fielded many of the questions from MEPs, including being asked for suggestions for a legislative framework that “wouldn’t put breaks on the development of healthy companies” and also not be unduly burdensome on smaller companies.
He urged EU lawmakers to think about ways to incentivize a commercial ecosystem that works to encourage rather than undermine data protection and privacy, as well as ensuring regulators are properly resourced to enforce the law.
“I think the GDPR is a really important first step,” he added. “What I would say beyond that is there’s going to have to be a lot of thinking that is done about the next generation of technologies — and so while I think GDPR does a admirable job of addressing some of the issues with current technologies the stuff that’s coming is, frankly, when you think about the bad cases is terrifying.
“Things like deepfakes. The ability to create on-demand content that’s completely fabricated but looks real… Things like artificial intelligence which can predict user actions before those actions are actually done. And in fact Facebook is just one company that’s working on this — but the fact that they have a business model where they could potentially sell the ability to influence future actions using these predictions. There’s a lot of thinking that needs to be done about the frameworks for these new technologies. So I would just encourage you to engage as soon as possible on those new technologies.”
Parakilas also discussed fresh revelations related to how Facebook’s platform disseminates user data published by The New York Times at the weekend.
The newspaper’s report details how, until April, Facebook’s API was passing user and friend data to at least 60 device makers without gaining people’s consent — despite a consent decree the company struck with the Federal Trade Commission in 2011, which Parakilas suggested “appears to prohibit that kind of behavior.”
He also pointed out the device maker data-sharing “appears to contradict Facebook’s own testimony to Congress and potentially other testimony and public statements they’ve made” — given the company’s repeat claims, since the Cambridge Analytica scandal broke, that it “locked down” data-sharing on its platform in 2015.
Yet data was still flowing out to multiple device maker partners — apparently without users’ knowledge or consent.
“I think this is a very, very important developing story. And I would encourage everyone in this body to follow it closely,” he said.
Two more LIBE hearings are planned around the Cambridge Analytica scandal — one on June 25 and one on July 2 — with the latter slated to include a Facebook representative.
Mark Zuckerberg himself attended a meeting with the EU parliament’s Council of Presidents on May 22, though the format of the meeting was widely criticized for allowing the Facebook founder to cherry-pick questions he wanted to answer — and dodge those he didn’t.
In its follow up responses the company claims, for example, that it does not create shadow profiles on non-users — saying it merely collects information on site visitors in the same way that “any website or app” might.
On the issue of compensation for EU users affected by the Cambridge Analytica scandal — something MEPs also pressed Zuckerberg on — Facebook claims it has not seen evidence that the app developer who harvested people’s data from its platform on behalf of Cambridge Analytica/SCL sold any EU users’ data to the company.
The developer, Dr. Aleksandr Kogan, had been contracted by SCL Elections for U.S.-related election work. Although his apps collected data on Facebook users from all over the world — including some 2.7 million EU citizens.
“We will conduct a forensic audit of Cambridge Analytica, which we hope to complete as soon as we are authorized by the UK’s Information Commissioner,” Facebook also writes on that.