Further questions on Cambridge Analytica’s involvement in the 2017 Kenyan Elections and Privacy International’s investigations

Tuesday, March 27, 2018

In December 2017, Privacy International published an investigation into the use of data and microtargeting during the 2017 Kenyan elections. Cambridge Analytica was one of the companies that featured as part of our investigation.

Due to the recent reporting on Cambridge Analytica and Facebook, we have seen renewed interest in this issue and our investigation. Recently in March of 2018, Channel 4 News featured a report on micro targeting during the 2017 Kenyan Presidential Elections, and the companies involved. The report featured an interview with Robert Muthuri from CIPIT at Strathmore University in Nairobi, one of Privacy International’s partners. CIPIT are conducting research [PDF] into the sharing of Kenya’s biometric voter register with third parties to enable micro targeting of voters through Whatsapp messages. The Channel 4 News report also reflected Privacy International’s own work on the issue, including our investigation which revealed Harris Media were behind inflammatory videos circulated during the election, and our policy work focusing on the lack of data protection in Kenya.

We set out here answers to some of the commonly asked questions we have recieved. We also have listed below questions we believe need to be asked of Cambridge Analytica and other data analytics firms, social media platforms, and the political parties that exploit in political campaigning and beyond.

This story is indicative of a powerful and opaque corporate ecosystem which thrives on our personal data. This is also a story of how countries with weak or no legislation continue to be testing grounds for intensive data gathering and experiments with personal data by companies and governments.

Cambridge Analytica is just one example of a company that exploits our personal data, in this instance for political campaigning and the benefit of political parties. There are thousands of companies in the business of data exploitation- whether in retail, financial services, media, public services. The ecosystem extends into issues such as credit scoring, hiring processes, policing, and insurance. We should be deeply concerned with how our data is handled by such companies and the nature of corporate surveillance. There are still many questions, but this story has started to chip away at the secrecy behind the machine.

What does Cambridge Analytica have to do with Kenya?

In 2017, Privacy International investigated a report that Cambridge Analytica was discreetly working for the ruling Jubilee Party in the run up to the Presidential elections. In a country like Kenya, where there is history of ethnic tensions resulting in political violence, campaigning based on data analytics and profiling is untested ground fraught with great risk. Privacy International wrote to Alexander Nix in May 2017 to ask for clarification on the company’s role and how, as a British company, they were adhering to data protection laws when Kenya has none. We received no response. Our sources confirmed that Cambridge Analytica were indeed working for the Jubilee Party, gathering survey data to aid the campaign and managing the image of the President. The undercover report from Channel 4 News featured Mark Turnbull, the Managing Director of CA Political, confirming this and more,

We have rebranded their entire party twice, written their manifesto, done two rounds of 50,000 surveys, huge amount of research, analysis, messaging and then we’d write all the speeches and stage the whole thing, so just about every element of his campaign. (At 9 minutes)

What data did Cambridge Analytica collect in Kenya?

We still do not have an answer to the question of exactly what kind of data was collected on Kenyan citizens and from what sources. As Kenya has no data protection framework, the potential data gathering could be extremely intrusive and include the collection of sensitive personal data such as ethnicity.

Further questions that need answering are: Specifically what data on Kenyans was collected during the “surveys”, “research” and “analysis” conducted? What was the purpose of collection? What was the legal basis for collection? How long is the data stored for? Who was it shared with? What safeguards are in place to keep it secure? What were people told about how their data was going to be used?

Did Cambridge Analytica produce the two online campaigns The Real Raila and Uhuru For Us?

Privacy International conducted an in-depth investigation into the origin of two inflammatory online campaigns targeting the Kenyan opposition, The Real Raila and Uhuru For Us, which also featured in the Channel 4 reporting (at 7m50). These videos played on Kenya’s violent past and fears of future violence. For example, The Real Raila campaign claimed that opposition candidate Raila Odinga’s administration would remove whole tribes”. These two videos dominated Google searches and flooded Twitter, Facebook and YouTube accounts across the country during 2017.

Speculation was that Cambridge Analytica were behind them. However, our investigation revealed that the videos were created by Harris Media LLC, a Texas based agency that uses data analytics to create political campaigns. On this occasion, targeting was done through judicious use of Google AdWords. This explains why paid-for ads for the campaigns emerged above the Google search results for many Kenyan election-related search terms, such as “Kenyan election date.”

Cambridge Analytica denies involvement with Harris Media or these videos. But Channel 4’s undercover report features Mark Turnbull talking about using “front companies” or subcontractors to spread information that cannot be traced back to Cambridge Analytica. He says,

It may be that we have to contract under a different name…A different entity, with a different name…so that no record exists with our name attached to this at all. (At 11 minutes)

Was Harris Media subcontracted with the intention of, as Mark Turnbull states in the reporting, putting information into the bloodstream of the internet? (Scroll down to Part 3. At 9 mins 20 secs)

Did Facebook share personal data of Kenyans with Cambridge Analytica?

We don’t know what data may have been collected or how it has been obtained. As Kenya has no data protection laws, there are no legal restrictions on sharing or selling personal data, including sensitive personal data such as a person’s ethnicity.

What is the responsibility of platforms like Google and Facebook?

Both Facebook and Google have profited financially from selling controversial political ads during the Kenyan election. The question is now whether these platforms will differentiate political campaigning and advertising from commercial clients, and apply a different expectation of transparency and accountability. Kenya already has a law in place that any bulk political text messaging must be attributed to the candidate or political party sending it, and the telecommunications company must verify the messages are not sent anonymously from political candidaes and parties. This is due to the spread of anonymous text messages during the 2007/2008 election, which was found to have contributed to the post election violence. Could the same principal be applied to online political messages?

We encourage both Facebook and Google to review their internal policies on political ads to establish whether ads during the Kenyan election have violated their existing standards or whether their existing stadards are ill equipped to prevent such ads to run.

Were Kenyans micro-targeted in other ways during the election?

During the election period, there were reports that Kenyans received unsolciited Whatsapp messages from political candidates asking the reciever to vote for them. These messages referenced individual voter registration information such as constituency and polling station, information collected for Kenya’s biometric voter register. There are concerns that this database has been shared by Kenya’s electoral commission (IEBC) with third parties, without consent of the individual, and that telecoms companies may have shared subscriber information, also without consent, in order for this micro targeting to happen. It is not clear who the database was shared with and therefore which company, if any, were responsbile for this micro targeting. Privacy International’s partner, Strathmore University, are conducting research into whether the 2017 voter register was shared with third parties, and if so who.

Why is a lack of data protection in Kenya a problem?

Data protection provides one legal framework to protect people’s personal information. It also frames a nation’s attitude towards the importance of keeping people’s information secure. If there was data protection in Kenya, there would be limits on the data companies could collect, and it would be easier for Kenyans to excercise their rights and receive answers to their questions about what data was collected and what it was used for. The biometric voter register, if it was shared with third parties, should not have been without consent from the individual. By processing personal data of Kenyans, Cambridge Analytica might have taken advantage of this lack of domestic regulation. However, the company cannot use this as an excuse for not compling with its obligations under UK data protection law.

Cambridge Analytica are a UK company. The UK has data protection. Is this relevant?

Yes. Cambridge Analytica is bound by UK data protection law, which means they must comply with data protection wherever they operate. The current data protection law in the UK, the Data Protection Act 1998 applies to companies established (i.e. incorporated) in the UK that process personal data data in the context of that establishment. This law will be replaced after the 25 May 2018, by the General Data Protection Regulation (GDPR), which also applies to processing of personal data in the context of the activities of an establishment in the EU (including the UK) regardless of where the processing takes place. Data protection law puts a number of obligations on companies including the requirement to have a clear legal basis for processing personal data, for sensitive personal data (such as someone’s politcal views) the rules are even stricter. The law also provides individuals with rights over their data, such as the right to access your data. There is currently a legal chalenge ongoing by an American Professor seeking access to his data from Cambridge Analytica (see https://motherboard.vice.com/en_us/article/d35vym/david-carroll-cambridge-analytica-facebook-legal-claim and https://www.crowdjustice.com/case/scl/)

Has Cambridge Analytica influenced the outcome of the Kenyan election?

Many different factors influence how voters decide at the ballot — or whether they will vote at all. As a result, it is extremely difficult to attribute the outcome of an entire election to a single, determining factor (or the data operation of a single company). That said, the Kenyan election offers some annecdotal evidence about how quickly content has spread. At some point during the election, searching for “Kenyan election date” on Google would show an inflammatory video that had initially been promoted through Google AdWords as the top result.

The data practices that microtargeting relies on are inherently privacy invasive. Using thousands of data points to persuade or influence people’s behaviour also raises pressing ethical concerns. The entire point of building intimate profiles of individuals, including their interests, personalities, and emotions, is to change the way that people behave. This is the definition of marketing, political or commercial. Companies know that you are depressed or feeling lonely to sell you products you otherwise wouldn’t want — political campaigns, foreign governments and lobbyists around the world can tap into the very same system to spread (mis)information, persuade, and influence.

Where else have Cambridge Analytica worked on elections?

Kenya is only one country where it will take time to untangle the web of companies exploiting personal data for campaigns paid for by political parties. Mark Turnbull states that the company will be working on Brazil’s upcoming elections (at 5m45s) and we have reports they are also working on Mexico’s Presidential elections in 2018. But during Alexander Nix’s evidence session to the Select Committee on Tuesday 27 February 2018, we were particularly concerned about his reluctance to reveal where Cambridge Analytica has worked internationally.

Case studies on the company’s website reveal that up to 2013 the company has worked on elections in Colombia, India, Indonesia, Italy, Kenya, Malaysia, South Africa, St. Kitts and Nevis and Thailand. We are puzzled as to why they refused to reveal their more recent work and be transaprent about where they have been working and exactly what they have been doing.

There are elections in my country in 2018. How do I know if microtargeting will be used?

Now is the time to ask this question of all poltical parties. Ask them which companies they intend to contract, what exactly these companies would be doing and what data they would be collecting. If you have a data protection authority, ask them to investigate.

Where can I read more?

More on data and elections issue: https://privacyinternational.org/topics/data-and-elections

CIPIT at Strathmore University’s upcoming research in partnership with Privacy International: http://blog.cipit.org/wp-content/uploads/2017/12/CIPIT-Press-Release-Final-1-1.pdf

Infographic on the history of biometrics in elections: http://blog.cipit.org/wp-content/uploads/2017/12/Biometrics_history.png

Privacy International’s report on communications surveillance in Kenya, entitled Track, Capture, Kill: https://privacyinternational.org/report/43/track-capture-kill-inside-communications-surveillance-and-counterterrorism-kenya