The Information Commissioner’s Office (ICO) will shortly conclude its investigations into Cambridge Analytica and its use and processing of Facebook user data for the purposes of influencing political events, stating that all remaining lines of enquiry have now been completed as far as the available evidence allows.
In a letter to Julian Knight, chairman of the Digital, Culture, Media and Sport Select Committee, information commissioner Elizabeth Denham wrote that since her most recent appearance before the committee 18 months ago, the ICO had continued its investigation, analysing a “digital haystack” of materials obtained during the probe and seized under warrant.
Denham said the ICO had now been able to confirm and reinforce the findings of its previous reports. “I have therefore concluded that there is little in the vast volumes of evidence we have now worked through that has changed our initial understanding or identified new lines of enquiry that suggest they could drive new insight,” she wrote.
Since April 2019, the investigation has covered outstanding areas related to the processing of data by SCL Elections and Cambridge Analytica (SCL/CA), concluding that they had purchased significant volumes of commercially available data, most of it on US voters, to combine with the Facebook-derived information obtained from Cambridge University’s Aleksandr Kogan via his company, Global Science Research (GSR).
Denham said they built their models mostly from off-the-shelf analytical tools, and she had found some evidence that staff of both organisations had concerns about the behaviour and statements made by their leadership.
Denham said the investigation had confirmed the ICO’s existing understanding of poor data handling practices and she suspected that had there been no scandal and had Cambridge Analytica not shut down of its own accord, it was very likely to have eventually attracted an ICO investigation anyway.
The investigation found significant evidence of poor data security practice, with data uncovered in a variety of locations with little apparent thought given to effective security measures. Notably, said Denham, individuals under investigation held data and shared it using personal Gmail accounts.
The ICO also found that towards the end of its life, SCL/CA drew up plans to relocate its data offshore to duck ICO scrutiny, but it wasn’t able to follow through in time. The ICO has required those it contacted during its investigation to certify deletion of the data they held.
Denham went on to say that the ICO had found no further evidence to challenge the view that SCL/CA had no involvement in the Brexit referendum campaign beyond some initial inquiries in relation to the data of UKIP members which never came to anything. Nor had the ICO found any evidence of Russian involvement in its analysis of seized SCL/CA servers.
“I have concluded my wider investigations of several organisations on both the remain and the leave side of the UK’s referendum about membership of the EU,” she wrote. “I identified no significant breaches of the privacy and electronic marketing regulations and data protection legislation that met the threshold for formal regulatory action.”
Since April 2019, the ICO has taken several actions against organisations it found to have broken the law, including Facebook, which was fined £500,000 in October 2019, and SCL Elections, which was prosecuted in the end for failure to comply with an enforcement notice. Most recently, information provided by the ICO resulted in disgraced SCL director Alexander Nix being disqualified from acting as a company director for seven years. Denham also noted a number of appeals against ICO actions that are still pending.
She added that a small number of follow-up enquiries do remain, which will move forward over the next few months, and also noted that the ICO will soon publish various reports of its findings after auditing the main political parties, credit reference agencies, data brokers and the Cambridge University Psychometrics Centre.
“This has been a complex and wide-ranging data protection investigation, touching on some of the most contentious and widely debated issues of recent times,” wrote Denham.
“At all times we have sought to follow the data, being transparent in our methodology and findings and acting only where there was a public interest to do so. We are continuing to work to address the systemic vulnerabilities we identified, working alongside other agencies.
“What is clear is that the use of digital campaign techniques is a permanent fixture of our elections and the wider democratic process and will only continue to grow in the future. The Covid-19 pandemic is only likely to accelerate this process as political parties and campaigns seek to engage with voters in a safe and socially distanced way.”
Denham went on to reiterate her view that digital campaign techniques were, overall, a positive development that enabled political parties and others to engage better with voters in ways that traditional methods cannot always accomplish. However, she stated, for this to be truly successful, it is vital that voters have trust in, and understanding of, how their data is being used to engage with them.
“The scale of the investigation I conducted was unprecedented for a data protection authority,” she said. “It highlighted the whole ecosystem of personal data in political campaigns. I believe that citizens are better informed as a result and policymakers are alive to the risks of data misuse. It has led to improvements in oversight arrangements and changes in operating practices of the major technology platforms.”