Hacking the Voters

Why a British company has America’s voter data and how British law can help us get it back

David Carroll
Oct 1, 2017

How did Cambridge Analytica get our data? Who did they get it from? How did they process it? Who were the recipients of our data? Can we opt-out? Can they justify lawful compliance under UK Data Protection law?

🏛 Donate to the CrowdJustice campaign right now and help fund the effort to get our data back.

Hackers at DEFCON demonstrated that all of the voting machines in the USA can be easily hacked. It gets worse. Voters can be hacked as well. In 2016, Americans’ voter data was compromised and abused in ways that we are just beginning to understand. Political campaigns have been collecting data and building sophisticated models of voters for decades. The Obama campaign, often touted for its breakthrough application of new targeting tech, accelerated the possibilities. In response, the Republican Party realized it needed to get aggressive about its digital strategy. As we look back on the current president’s campaign, remember its shocking result, and the chaos of every day since, we are finding mounting evidence of wrongdoing. Indeed, the misuse of our voter data is a critical aspect of the foreign attack on our democracy in 2016. Understanding what lines were crossed will help us protect future elections from further abuse. Investigations in Congress are scrutinizing the Trump campaign’s use of digital technology with key figures called to testify. Meanwhile, Americans do not realize that British regulators are currently investigating if a British company violated British data protection laws interfering in our democracy.

The Ted Cruz and Donald Trump campaigns hired a very unusual international company called Cambridge Analytica to work on their voter targeting strategies. General Flynn, a key figure in the election hacking and collusion investigation, suspiciously updated his disclosure forms to include a consultancy with the company. He seems to have only admitted to working for Cambridge Analytica after his offer to cooperate with investigators for immunity was rebuffed by the Senate Intelligence Committee. What was he trying to hide?

That’s what we’re trying to find out. We’ve already learned so much and each detail is more unbelievable and disturbing than the next. Let’s start with the basics.

🏛 Pledge to the CrowdJustice campaign right now and help fund the effort to get our data back.

The Trump voter data operation took the unprecedented step of hiring a British military contractor to handle its target audience analysis services for voter targeting. Previously, political campaigns had the good sense to keep our voter data in the United States. It turns out that Cambridge Analytica may be some sort of a facade to obscure its parent company, SCL GROUP LIMITED, a military contractor, purveyor of psychological operations, or PSYOPs in military lingo. Their elections division, SCL Elections in London, is the “registered data controller” for Cambridge Analytica, the company that claims to have big data dossiers on every registered voter in America. The company allegedly does its “election management” work around the globe, with political clients in places such as Kenya and Mexico and is verifiably contracted as a vendor for government entities like NATO and the US STATE DEPT.

We set out to see if US voter data was processed in the UK to prove our central allegation that it leaked out of the country for the first time. On February 23, 2017, I asked SCL Elections, the registered data controller for Cambridge Analytica in London, for my data. If they ignored or denied my request, it would suggest that our data stayed in domestic storage exclusively.

On March 27, they sent me my data and proved our fears true. Our data appears to be sitting in London. I posted my letter from Cambridge Analytica signed by the COO of SCL and screenshots of the spreadsheets of my “data” to Twitter. By putting it out there, we quickly learned that the company is not compliant with the Data Protection Act in the UK. Our solicitor, Ravi Naik, and top barristers in London have agreed to take anyone on as a client to exercise our data protection rights there since we probably have none here at home. We are challenging the Trump campaign’s voter data company in London if they refuse to delete our data, refrain from collecting it again, and answer our reasonable questions about where they got our data, how they used it, how they blended voter registration information with it, and who they shared it with.

Frequently Asked Questions

Who owns Cambridge Analytica and SCL GROUP?

We know from public disclosures that Steve Bannon holds loans, “membership units,” and has been paid generous fees by the Cambridge Analytica LLC registered in Delaware. Multiple reports suggest that Trump’s mega-donor Robert Mercer owns most of the company (along with Breitbart) but Delaware corporate secrecy laws prevent documented confirmation. The parent company SCL GROUP LIMITED in Britain has a complex ownership structure that can be deduced from public filings. Researchers and reporters have been working together to draw the corporate structure that links while trying to obscure the US entities deeply intertwined with a British-based, oligarch-controlled conglomerate.

But all that really matters is one simple question: Which company has custody of our data? SCL Elections in London, and we believe that data access was apparently not limited to the US-based Cambridge Analytica LLC, probably owned by Bannon and Mercer.

What is Target Audience Analysis and how does it work?

The digital advertising industry has developed an elaborate and troubling sub-industry dedicated to matching our consumer data with our identities. The data from our browsing histories, television habits, shopping habits and so much more are collected for the business purposes of targeting people to make ads more “relevant” so that businesses feel that they waste less money on advertising.

Unfortunately, military contractors have adopted these practices for geopolitical purposes to segment populations in order to identify potential cognitive biases or susceptibilities for influence campaigns or even radicalization. We should now expect that our voter registration records are being used as an index of our personal information for political campaigns. But we do not expect that our voter identity is being used for commercial purposes (it is!) nor do we expect that international military contractors are processing our voter data, blending it with our commercial behavior data so that we are effectively de-anonymized, re-identified, segmented, and sorted into classifications we cannot easily understand, and used against our political interests without our knowledge or control.

All those privacy policies that you never read broke their core promise. They usually say by not attaching your given name to your data when they sell it they will be “respecting your privacy.” These are all broken promises because our data is getting re-attached to our once-anonymous data sets using voter records and data matching algorithms. The reports suggest it’s being used against us by foreign companies with strange ties to secretive oligarchs and potentially traitorous figures associated with the Trump campaign, transition, and administration.

When people say they don’t need privacy because they have nothing to hide, they haven’t thought it through. Now you understand why it’s a fallacy that benefits the advertising and military industrial complex but not the people’s democracy or our national sovereignty.

What are psychometrics and how do they work?

Psychometrics, also known as psychographics, is a controversial personality model developed by behavioral psychologists with Cambridge University at the forefront of this research. The Republican-servicing voter data company Cambridge Analytica appears to get its name from the university’s Psychometrics Centre where the original studies that gathered data from Facebook personality quizzes provided the massive data sets required to model people.

Psychometrics are based on the so-called Big 5 or OCEAN personality model. Cambridge Analytica claims to have scored every registered voter in America on the OCEAN scale by blending our consumer data with our voter registration.

There are other psychological measures being uncovered by researchers, including measures that effectively identify people who are essentially gullible because they have personality markers for not thinking critically.

The big idea behind OCEAN Psychometrics is that the population can be mapped against the law of averages. Therefore, it’s not terribly interesting or useful to see your own OCEAN score. You can attach your Twitter and/or Facebook accounts to Apply Magic Sauce at Cambridge University and see for yourself how your social media activity provides the raw materials to grade your personality.

Long after receiving my Cambridge Analytica voter file, which did not include my OCEAN score despite my expectations it should have, I connected my Twitter account to Cambridge University’s tool for academic research purposes without mitigation to my concerns of how SCL used my data. My personality was modelled as follows:

If you do that, you’re giving consent to the university to analyze your social media data. It’s one thing to sign up for a personality quiz. It’s another thing entirely to score the electorate without their knowledge or consent.

Many observers think psychometrics is hocus-pocus, in the realm of Myers-Briggs, or even horoscopes, and claims of its effectiveness are over-hyped. But these personality scores are valuable at scale to further achieve weaponized target audience analysis. If personality traits along with many other factors help a campaign precisely isolate the 80,000 or so voters it took to swing the Electoral College in 2016, then it also enabled those people to be bombarded individually with personalized propaganda. When political media becomes this invasive and precise, we have to ask ourselves: Can the minds of the electorate be hacked?

Does this mean that authoritarian voters can be targeted and “activated”?

While the hackers that “pwned” all US voter machines grabbed the headlines coming out of the DEFCON conference in Las Vegas, another shocking presentation by the Online Privacy Foundation on Brexit voters offers striking findings. In this alarming study, the researchers performed a replication study (using existing methods and datasets) to test what markers in psychometric profiles could be used to profile authoritarian voters in the UK for the EU referendum, also known as the Brexit vote.

Controversy surrounds the issue of whether or not Cambridge Analytica provided its services to the Leave.EU campaign that funded the political operation to convince the British to vote Leave, not Remain. The tycoons that paid for Leave.EU, Andy Wigmore and Aaron Banks, are buddies with Nigel Farage, Donald Trump and Robert Mercer. Banks and Wigmore are on record in video, documents, and their own tweets describing how they used Cambridge Analytica for their campaign. SCL employees are also on record touting their services for the Bad Boys of Brexit. Their services were reportedly donated by Robert Mercer, which reports suggest are unlawful under British campaign finance law. In response, the CEO of Cambridge Analytica, Alexander Nix, offers non-denial denials when asked by reporters if they worked for the Brexit campaign. SCL has threatened The Guardian with legal actions for poking too deeply at the truth in their coverage, exploiting libel laws that do not compare with US practices. Wigmore and Banks have tweeted that they hope to testify to the Senate Judiciary. Getting their narrative ahead of the investigation is a smart move on their part.

Assuming Cambridge Analytica did build psychometric profiles of British voters, the Online Privacy Foundation study found a troubling correlation between the Openness and Conscientiousness facets of the OCEAN model as clearly identifiable markers for authoritarian and anti-authoritarian voters. In other words, Cambridge Analytica may have helped the oligarchs who wanted Britain to leave the European Union by finding the precise voters in the swing districts with a penchant for authoritarian thought. They were able to tailor messages that tap into the cognitive biases of the authoritarian personality and further reinforce, target, and tailor messages to these voters to activate and even foment their propensity for authoritarian rule.

Controversy has surrounded the use of psychometrics by the Trump campaign. Initially, Alexander Nix, the CEO of Cambridge Analytica and SCL Elections, boasted of his firm’s psychographic models of US voters. Then, Director of Product, Matt Oczkowski, claimed that the company did not have time to employ psychometrics during a panel discussion. Prominent journalists began reporting that the campaign did not use psychometrics. Then in August of 2017, the BBC aired a special that includes Nix clarifying that the Trump campaign did, in fact, use the “legacy” models from the Cruz campaign. They didn’t create new models for the Trump campaign and this weaseling around the facts seems to have caused confusion among reporters.

We believe that pursuing civil action in UK courts by exercising data protection rights is an important mechanism that attempts to get answers to these questions. If the Trump campaign used “legacy” psychometric modeling, why wasn’t it included in my data request? Could authoritarian voters be identified in swing districts using psychometrics? Did they respond to hyper-targeted messages on Facebook and television by tapping into these susceptibilities? Do the owners of SCL and its affiliates have financial and/or legal ties to Russian, British, and American oligarchs? Are they coordinating an attack on our democracies using dark databases?

Only the courts, with help from the ICO, can force SCL to make good on its requirement to comply with the UK Data Protection Act and give us the answers we have rights to get.

How is Facebook involved?

This is where things get really complicated. Facebook has played a key role on the front and back-end of this fiasco.

It all started at the University of Cambridge when academic researchers conducted unethical and likely unlawful data collection practices using the Facebook platform. The researchers got booted and banned from Amazon and Facebook when the companies learned how their systems were being used by the researchers, who later claimed to have deleted the data on 30 million American Facebook users.

The data that the Cambridge University researchers collected allowed them to psychometrically profile users who installed a personality quiz app. The researchers discovered that they could accurately predict the following personal details about someone with as few as 170 Facebook likes per Facebook user (prediction accuracy): Your ethnicity (95%), gender (93%), sexual orientation (88%), politics (85%), religion (82%), whether you smoke (73%), drink (70%), use drugs (65%), are in a relationship (67%), and whether your parents were divorced when you were 21 (60%). (Kosinski et al. 2013 from Networks of Control)

SCL claims it does not currently possess the Facebook Like data its affiliated researchers gathered in violation of Amazon and Facebook’s terms of use. We should assume that the company has sophisticated algorithms and data sets to draw upon allowing them to invasively model every single registered voter. This issue remains controversial but it’s clear that Facebook failed to protect the privacy of 30 million voters and broke their privacy promise to all of us.

On the back-end of this fiasco, Facebook was used to deliver the hyper-partisan, hyper-targeted, hyper-personalized ads to individual voters, addressed by name. Facebook advertises to political campaigns the advantage of being able to upload the email address or other identifiable information about voters so they can be precisely targeted on Facebook. This feature called Custom Audiences allows anyone to target you by name, if they have personal information like your email address which is matched to your Facebook account identity. With enough money and data to target you, an unknown entity can overload your Facebook news feed with sponsored posts. If your vote is predicted to be decisive in a swing district, you should expect the investment in your vote will be increasingly formidable.

To make a terrible situation worse, fake users can be purchased on the dark market that are either software-based or click-workers toiling for pennies in countries like Vietnam, Indonesia, Bangladesh, and Egypt. Fake users create a false amplification effect, what most people call bots. They make it look like more people agree with ideas than actually exist. This manufactures consensus and seems to exploit a powerful cognitive bias that helps content go viral.

Facebook initially claimed not to have saved the 100,000+ variations of hyper-targeted ads presumably developed with Cambridge Analytica target audience analysis and psychometric profiling. Journalists, regulators, private citizens were unable to review the Trump campaign’s digital political advertising campaign, in terms of content and how it was targeted to voters. If the campaign wanted to hide wrongdoing, Facebook might have facilitated that. But then Facebook announced that it found $150,000 worth of ads traced back to the Internet Research Agency, a known Kremlin affiliate.

If Facebook failed to foresee how their platform could be abused in this manner, it’s on Mark Zuckerberg. The company was making $1 million per day in August of 2016 leading up to the October surprise. Now it is safe to presume that SCL and Facebook are being scrutinized by investigations in Britain by the Information Commissioner’s Office and in Washington DC by the House and Senate committees. According to reports, the special counsel served Facebook with a warrant for data and ads connected to an advertiser with troubling links to the Kremlin.

How did this happen? What can we do about it?

This happened because Americans have a different attitude and mindset about digital privacy than Europeans do. We have laws that protect our privacy in specific “vertical” industries but we have no broad “horizontal” laws that protect our data, generally. For example, your medical data is protected by the HIPAA law. Your college transcripts are protected by FERPA. But there is no federal law protecting voter data from being blended with commercial data to de-anonymize you without your consent or an effective opt-out with a one-time choice mechanism. Without express prohibitions on political and personality modeling, the market for voter profiling thrives, totally unregulated in the United States, somewhat regulated in the United Kingdom, and forcefully regulated in countries like France and the European Union more broadly.

Most significantly, as Americans, we have no rights to know either way, no right of access. We can’t demand that companies share the data they have on us with us. The ones that do now (you can download your data from Facebook, Google, LinkedIn and Twitter) do so as a courtesy to Americans and a requirement for Europeans.

Europeans have this right of access, and many more privacy rights that we do not enjoy in the United States. That’s one of the biggest lessons learned from requesting my data from Cambridge Analytica. Ironically, if the Trump campaign had not processed our voter data in London, leaking it out of the country for the first time, we would probably not have realized we need these crucial rights that we now must demand from our government. We need equal data protection rights with Europe.

To protect our democracy, we need to protect our data and treasure our privacy. The European Union has already passed a sweeping new law called the General Data Protection Regulation and it becomes enforceable in May 2018. You will start to see new pop-ups on websites that will grant you your new data protection rights thanks to the EU. American companies will not be exempt from the steep penalties of failing to comply with GDPR. The flow of data across geographic boundaries is stretching the jurisdiction of laws in many new ways. If your data gets processed in another country, you may exercise your data protection rights there. Conversely, if you’re a company that collects data from EU citizens, you are liable to crackdown and lose 4% of your revenue turnover to EU authorities if you fail to protect EU citizen data lawfully. Things are going to change for the better, as democracies gain badly needed data rights. It will become harder and harder for companies like Cambridge Analytica to have a viable business model if the electorate flexes its new data protection muscles in the courts.

This brings us to our goal, the key thing that we can do right now to protect the future of democracy. If we succeed at winning a lawsuit against SCL in London for their violations of the UK Data Protection Act of 1998, then we will set an important legal precedent that companies can’t do what they did in 2016 and seek to repeat in 2018.

The easy part will be contributing to our crowdfunding campaign. Your contributions will go directly toward the civil case in London. You don’t have to request your data and become a client of Ravi Naik, but it certainly helps strengthen our position. It also gives you a chance to take your data back and prevent it from being collected in the future. Send a blank email to voterdata-join@mfadt.parsons.edu to subscribe to the mailing list for announcements and discussions related to the crowdfunding campaign and legal challenges.

The hard work will entail supporting your representatives in state and federal government fighting for the passage of privacy and data protection legislation and standing up to tech titans that may seek to silence dissenters. It also means remembering to demand the nomination of agency appointees to FCC, FTC, and FEC who will take a muscular approach to holding companies accountable to the democracies that enable their successes.

Lawmakers won’t be enthusiastic about limiting their own ability to hyper-target and manipulate voters to keep them in power. The electorate will have to unify across the aisles to shock the system into ratifying equal data rights to Europe.

Lawmakers will be up against deep-pocketed industry lobbyists hell-bent on blocking any reasonable privacy laws from being passed in the US. They will take the fight all the way to the Supreme Court and they will claim that the First Amendment gives them unrestricted rights to collect data on us. They will claim it is protected commercial speech. We will need to defend our privacy as our right of autonomy and sovereignty of our identity. This involves standing up to secretive companies like SCL but also a national conversation about what Facebook and Google are doing to erode our democracy with the help of data brokers like Acxiom, Experian, Equifax, and all the adtech companies that track and target us for advertisers.

Down the Rabbit Hole

Several fascinating and in-depth articles have been written about Cambridge Analytica and the controversies surrounding voter data abuse by top-notch reporters. Once you discover this company, it’s pretty easy to become obsessed with it. Here’s a reading list of some of the best articles on the subject.

Carole Cadwalladr for The Observer
The great British Brexit robbery: how our democracy was hijacked

Jane Mayer for The New Yorker
The Reclusive Hedge-Fund Tycoon Behind Trump Presidency: How Robert Mercer exploited America’s populist insurgency

Joshua Green and Sasha Issenberg for Bloomberg
Inside the Trump Bunker, With Days to Go

Stephanie Baker, David Kocieniewski, and Michael Smith for Bloomberg
Trump Data Gurus Leave Long Trail of Subterfuge, Dubious Dealing

Ann Marlowe for Tablet Magazine
Will Donald Trump’s Data-Analytics Company Allow Russia to Access Research on U.S. Citizens? Tracing the suspicious-looking, and messy, ties between a Ukrainian oligarch, an elections-information firm, and the GOP candidate’s former campaign manager.

McKenzie Funk for The New York Times
The Secret Agenda of a Facebook Quiz

Dave Gershgorn for Quartz
The industry that predicts your vote — and then alters it — is still just in its infancy

Massimo Calabresi for Time Magazine
Inside Russia’s Social Media War on America

Nina Burleigh for Newsweek
How big data mines personal info to craft fake news and manipulate voters

Hannes Grassegger and Mikael Krogerus for Motherboard
The Data That Turned the World Upside Down

Mattathias Schwartz for The Interface
Facebook failed to protect 30 million users from having their data harvested by Trump campaign affiliate

Tamsin Shaw for The New York Review of Books
Invisible Manipulators for Your Mind

Sue Halpern for The New York Review of Books
Hacking the Vote: Who Helped Whom?

Timothy Revell for New Scientist
First proof that Facebook dark ads could swing an election

Eric Albert for Le Monde
Cambridge Analytica, la start-up qui influence les électeurs

J.J. Patrick for Byline Media
Alternative War
A crowd-funded, micro-published book written by a British ex-cop who has chased the story like a detective. His book is steps ahead of the media narrative and ties the big picture together.

Coverage of this campaign:

Spread the word. Get your data back. Join the legal action.

We’re up against money. We need yours.
💳🏛 Pledge to the CrowdJustice campaign right now

Subscribe to updates by sending a blank email to:
🗳📬voterdata-join@mfadt.parsons.edu

David Carroll

Associate Professor of Media Design at Parsons School of Design @THENEWSCHOOL http://dave.parsons.edu