Alternative War: Unabridged
Page 17
In March 2017, it was revealed that almost eight hundred million dollars of money from Russian criminal operations was laundered in the UK as part of a global scheme to clean up to eighty billion in illegal funds [116]. One source, while discussing how the financial sector is so complex this could easily go unnoticed, said: “If you are on the back end you are kind of playing Whack-a-mole, trying to pick this up.”
So there I was in the perfect place, Britain, playing Whack-a-mole. But this was no longer about following the money – finances had become secondary. The thing to follow was the most valuable commodity of all: the data itself.
Eleven:
Behind the labyrinthine network of data companies, I discovered an even deeper connection between Trump, Brexit, and Russia. By the time I found it, my investigation had already uncovered those first signs of broad, international data laundering, apparently being used to manipulate democracies and the markets with the state-backing of Russia. I’d also stumbled across the first clear example of the complex machinery in practice while investigating crime and immigration in Sweden. The public figures, limited companies, and other groups involved in the UK arm of this operation – which clearly relied on hacking, psychometric targeting, propaganda, and disinformation – were left exposed by the very same thing they had been using as a weapon: big data.
Extraordinarily, it turned out, these parties had also received a somewhat unveiled warning from the Information Commissioner’s Office (ICO) ahead of the UK’s snap general election in June 2017. When I kicked over this particular stone, the final piece of investigative work ended up being referred to the Electoral Commission (EC) – as it appeared Leave.EU may have had further undeclared donations of services within their complex company structure, taking them well beyond those crucial permissible campaign limits. It was also sent back to the ICO, due to the complex issue of what they call ‘sugging’ across multiple companies.
The Information Commissioner’s Office is the United Kingdom's independent body set up to ensure information rights are maintained in the public interest. They keep a national register of data controllers – people authorised to handle our data – and uphold the laws set out in the Data Protection legislation. Their powers are similar to the Electoral Commission in terms of demanding compliance through orders and agreements, issuing substantial fines, or instigating prosecutions. They are just as flawed as the EC too, in terms of inadequacy in situations like this one – circumstances which affect the direction of a whole nation. The data protection regulations themselves were set to change in 2018 and, though this enhancement was an initiative of the European Union, the government – the full Conservative majority under Theresa May before June 2017 – had committed to implementing the new framework. The General Data Protection Regulations was the title of the new law, which was set to replace the Data Protection Act 1998 on the 25th of May 2018. Though a much stronger framework, this wouldn’t have addressed the central weaknesses in effectively responding to an act of war with a fine.
The ICO itself holds information on every single company handling “controlled data” in the UK – basically everything which falls under the regulations – and, in the wake of revelations about the use of ‘big data’ in the Trump and Brexit campaigns, issued some starkly worded guidance for political parties [117] ahead of the 2017 general election. Having read the document, which did cause some raised eyebrows, I initially approached the ICO with three specific questions, largely arising from things I’d found out while looking into the background of Brexit. I wanted to know if Vote Leave (not Leave.EU) was ever fined or reported over spam messages sent by US company UCampaign via their app; was there an official, ongoing inquiry into Cambridge Analytica or SCL Elections – the UK parent – and, if so, what was the official comment of the ICO. I also wanted to know where one company is restricted to transfers of data within the European Economic Area (EEA) and they transfer data to a non-restricted company (who can transfer data anywhere in the world), was this legal? I wasn’t really anticipating the reply that I received.
The ICO responded with what turned out to be an unprecedented press release, headed “Information Commissioner warns political groups to campaign within the law,” which confirmed just how serious the situation really was as we approached Theresa May’s contentious general election. The ICO, it turned out, had also written to all major political parties, reminding them of their obligations when contacting potential supporters during the election campaign. The Commissioner’s Office went as far as inviting every party to a briefing session, to hear details of the updated guidance on the use of personal data in political campaigning, which included data analytics and associated technologies. The ICO briefing was scheduled for the 4th of May 2017, the same day as local elections across the United Kingdom, and the Commission later told me that each of the parties had sent delegates. After June’s election, it was revealed that the Conservative Party used potentially illegal surveys during their campaign.
Elizabeth Denham was appointed UK Information Commissioner in July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada and, also, Assistant Privacy Commissioner of Canada. By December 2016 she had led the office to issue its largest ever fine to telecommunications company TalkTalk, a record four hundred thousand pounds for poor website security which led to the theft of the personal data of nearly 157,000 customers [118]. The ICO said the website’s security was so poor the attack succeeded “with ease.”
Denham said at the time: “TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease.”
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action,” she added. The two British hackers were caught thanks to one of them discussing selling the data on.
Denham also raised concerns in late 2016 when the data-sharing between Facebook and WhatsApp became an issue following acquisition – WhatsApp had been co-opted to share the address books and message records of the encrypted messaging service users to allow greater precision in targeted messaging. Denham wrote in the Guardian [119], saying: “If those two sets of data were put side by side, Jenny’s personal, private information suddenly wouldn’t seem quite so private.” To say she was alive to the dangers of large datasets, such as those used by Cambridge Analytica, would be an understatement. In her statement on the ICO’s political intervention ahead of the election, Denham said: “Engagement with the electorate is vital to the democratic process. But, if a party or campaign group fails to comply with the law, it may face enforcement action as well as reputational damage to its campaign. People have a right to expect that their information will be used in line with the law and my office is there to uphold that right.”
The ICO made it clear to me the new guidance was issued in response to an “increase in complaints from members of the public about the promotion of political parties, their candidates, and their views during political campaigns.” Specifically, the Commissioner’s Office had received complaints about “the use of surveys to gain support for campaigns now or in the future” and also “concerns that their personal information has been shared between national and local organisations.” The employment of surveys is broadly cited by controversial company Cambridge Analytica, who use the data they gather to form psychometric profiles which guide targeted messaging, or simply to expand the amount of data, such as contact details, they hold. It was these tactics that were successfully deployed in both the Brexit and Trump campaigns and both campaigns are linked to Russia, hacking, and the use of disinformation to drive voter behaviour.
The ICO guidance explicitly covers viral marketing, stating it must comply with the same rules as direct marketing and cannot dip around consent to the use of data by simply asking people to pass it on. Leave.EU, the campaign of Arron Banks fronted by Nigel Farage, trading under the name Better For The Country Limited, was fined fifty thousand pounds by the ICO for sending five-hundred-thousand unsolicited text messages asking people to support Brexit between May and October 2015 [120] – a year before the referendum took place. The ICO, though I specifically asked, made no comment on the official Vote Leave campaign’s use of American app provider UCampaign which, by their own admission, used phone book access via the application to send unsolicited messages to the relatives of hundreds of thousands of voters. The ICO database shows no registrations for UCampaign, the company behind it, Political Social Media LLC, Vote Leave, Vote Leave Limited, or Get Change Limited. Both of these activities would fall well within the definition of viral marketing set out in the guidance.
In terms of the survey data gathering, such as that deployed by Cambridge Analytica, the ICO specifically define this practice as “sugging.” They made clear using surveys to collect data (whether ultimately used by the company conducting the survey, or sold on to others, or intended to gather the information for use in marketing) falls within direct marketing. Even open source data, they said, requires adherence to data protection legislation and this would include social media likes and posts. There is no access to collection and retention of this data which escapes the legal protections.
As I’d already established through the documents I had been shown, Leave.EU and Cambridge Analytica worked together during the Brexit campaign, despite the fact comments have been made attempting to distance themselves from this. I’d also already obtained an exclusive insight which uncovered that the Electoral Commission was, in fact, investigating Leave.EU for undeclared and potentially illegal donations of services by Cambridge Analytica, also known in the UK as SCL Elections, during the EU referendum. Though the ICO refused to confirm whether they were investigating these companies in tandem with the Electoral Commission, with my own investigative work revealing a broader picture of Russian-linked data laundering, I found the ICO’s public access database held invaluable information on these companies. It appeared both were structurally designed to engage in sugging and to facilitate transfers of data within and outside of the EEA. The ICO state that sugging attracts a maximum fine of £500,000 as it is a breach of the Privacy and Electronic Communications Regulations (PECR).
Leave.EU, the company behind the unofficial Brexit campaign, registered with the ICO on the 29th of February 2016 and this registration expires in 2018. They set out their headline reason for processing data as being to: “Enable us to promote our goods & services” and state they hold personal, family, lifestyle, social circumstances, and financial details. In the sensitive class of information, they are registered to hold political interests and racial/ethnic origin data and the company is authorised to share what it holds with affiliate groups, central government, suppliers and service providers, financial organisations, and the Electoral Commission.
Despite being a company established specifically to support the domestic Brexit campaign, the register for Leave.EU shows: “Personal information is traded as a primary business function” and adds the information may be shared with business associates, advisers, other associates, and “traders in personal data.” The UK based company entry also states: “It may sometimes be necessary to transfer personal information overseas” though this is restricted to within the EEA.
This didn’t strike me as a company established purely for political campaign purposes and it certainly didn’t sound benevolently patriotic. Subsequently, I started to dig more.
Cambridge Analytica, I found, was slightly different. The company was first registered in November 2015, and the registration was set to expire in late 2017. The address listed for them was at the Cooperation Trust Center, Wilmington, Delaware, though it also gives a UK representative, Jordanna Zetter, based in London. She is, it would appear, an Operations Executive at SCL Group. Listed as a “data analytics” company, they state they carry out marketing, advertising, and PR functions, as well as undertaking research. They hold the same classes of primary data as Leave.EU but the sensitive information is much deeper and that starts to tell the true story – Cambridge Analytica holds records on people’s physical and mental health, racial and ethnic origin, religious or “other similar” beliefs, trade union memberships and “political opinions.” The other difference from Leave.EU is that the US company includes retained data from survey respondents and can transfer the data they hold to territories and countries around the world. There is no restriction to the EEA. One of the primary business functions they had listed on the ICO register was to acquire data through surveys – a method first developed by Kosinski, the Cambridge academic, which bears similarities to aspects of Cambridge Analytica’s psychometric profiling. This is also the activity which falls squarely within the definition of sugging.
But, I confirmed having seen it elsewhere, Cambridge Analytica is not the principal trading name for the organisation in the United Kingdom, in fact, it is only the US brand which became famous as a result of the Trump campaign. In the UK, the primary business is SCL Elections Limited, and its own registration strengthened the depth of connection to Leave.EU and the businesses – and people – behind it.
SCL Elections Limited registered in November 2015, the same month as Cambridge Analytica, but according to the records trades at a separate London address in E14. The sensitive data classes held are the same as CA but the headline data is expanded to include memberships, employment, and education information. Again the transfer of data is worldwide, not EEA restricted, and the company can share data with business associates. Working with Leave.EU, whose primary business function is the trade of data, this means a legitimate transfer from the UK could reach America or another worldwide territory without the law technically being broken. This also means Leave.EU, via its connection with Cambridge Analytica and SCL, could buy in databases created outside of the EEA area where data is regulated, or simply buy sugged databases created through Cambridge Analytica and SCL surveys hosted outside of the EEA. When you factor in that Steve Bannon has defined links to Cambridge Analytica by way of his former seat on the board, and the company’s owner, Robert Mercer, was a key donor to Trump’s campaign, this starts to create a pretty grim jigsaw puzzle.
In January 2017, Trump signed an executive order exempting non-US citizens from the privacy shield [121] – a European Union and United States law which defined what data could be shared between businesses on both sides of the Atlantic Ocean and how that data could be used. It was designed so data protection laws could be upheld between the EU's member states and the US, where information regulation remains much weaker. Wired reported at the time [122]: “The Privacy Shield was developed by EU and US negotiators in 2015 after the previous data sharing agreement between the two groups was struck down by Europe's highest court. In October 2015, the European Court of Justice ruled the Safe Harbour framework was invalid as data being sent out of the EU was not being properly protected.” The case was pushed through the EU’s highest court by Austrian privacy campaigner Max Schrems and the court ruled that the European Commission’s original trans-Atlantic data protection agreement, which went into force in 2000, was invalid because it failed to adequately protect consumers. It came about in the wake of the scandal involving Edward Snowden. Facebook, which found itself in the middle of Schrems’ case, came under the scrutiny of the Irish data protection authority (DPA) who were compelled to look into the company’s data protection practices. The EUCJ said the Irish DPA had to decide: “Whether...transfer of the data of Facebook’s European subscribers to the US should be suspended on the grounds that that country does not afford an adequate level of protection of personal data.”
In July 2016, the European Commission deemed the new EU-US Privacy Shield Framework adequate to enable data transfers under EU law and, on January the 12th 2017, the Swiss Government announced the approval of the Swiss-US Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States. Only days after the Swiss agreement, Trump signed his order. Lawyers continued to argue the Privacy Shield was safe, however, citing that no presidential Executive Order can override existing laws written by Congress, and Congress has already approved the Judicial Redress Act which granted EU citizens the right to use the US courts in the case of misuse of data. The act became law on the 1st of February 2017.
Whether the order the president signed took effect is one thing. Trump’s intent, however, is another matter entirely, especially given the direct links to data companies and his White House administration. Even a few years ago, I discovered while exploring all of this, both the EU and the US were aware of the capabilities of data exploitation in circumstances exactly matching the Leave.EU and Cambridge Analytica/SCL scenario and, it appears, Trump took the step to directly interfere in the enhanced protections while being directly involved and beholden to parties potentially benefitting his arrangement.
As I’d found out, the data laundering trade also involves reportedly legitimate purchases of hacked data in exchange for Bitcoin and it was apparent to me the arrangements of international transfer available to SCL and its subsidiary provided a direct channel for the potential use of laundered data in the UK. This left me even more concerned about the discovery relating to when Leave.EU received its fifty thousand pound fine for the 2015 spam campaign: they claimed they obtained the lists from a third-party supplier. In much the same way, the official Vote Leave campaign would have avoided data protections as they were not registered themselves and nor was the app provider, UCampaign, who would have retained the British data captured by the app in the US.