ICO’s final report into Cambridge Analytica invites regulatory questions


After more than three years, Elizabeth Denham, the UK’s Information Commissioner, has closed her investigation into the inappropriateness of data by the SCL and Cambridge Analytica groups.

At first glance, its findings, released on Tuesday, dispel many of the allegations whistleblowers and digital rights activists have made throughout 2018.

Most seriously, the digital marketing specialist had worked with Russia to steer the results of the Brexit referendum and break U.S. campaign rules during the 2016 presidential election. Activists had previously also argued that the company failed to delete controversial data from Facebook without users’ permission when prompted.

Denham told a parliamentary selection committee on Friday that “when testing, the methods used by SCL were essentially recognized processes using generally available technology”.

However, the results (available here) also raise questions about the breadth and scope of the regulator’s current remit. Above all, this includes whether the ICO, as an independent body financed in part by government fees and grants, is well suited to assessing misconduct – both in terms of resources and in terms of expertise – beyond the immediate Goes beyond data protection law and UK jurisdiction.

The origins of his Cambridge Analytica study go back to a 2017 request from US scientist David Carroll (US citizen). He wanted to better understand how his personal information was used to profile him for microtargeting in election campaigns.

However, at the time of the Special Administrative Region, it was unclear whether the ICO was required to respond to inquiries from foreign nationals, even if they related to the handling of their personal data in the UK. Most lawyers now agree that the investigation has set a precedent that the ICO can and will investigate in such scenarios, potentially exposing the panel to even wider international investigations in the future.

The ICO’s final report stated that the Cambridge Analytica probe was “one of the largest and most complex ever undertaken by a data protection authority”. The regulator’s analysis also touched on more than 700 terabytes of data confiscated from the group’s London office in 2018 as part of an arrest warrant.

As of October 2018, the ICO’s investigation has resulted in costs of £ 2.4m compared to an annual budget of currently over £ 50m.

No smoking gun

A major controversy surrounding Cambridge Analytica was the extent to which the company continued to rely on controversial records it received from Facebook, even after Facebook asked them to delete them.

The original Facebook data comes from Dr. Aleksandr Kogan, an academic at Cambridge University who developed the psychographic techniques for which Cambridge Analytica was best known. While Kogan’s models were informed through data samples generated from a personality test he conducted with users ‘permission on Facebook, it later emerged that the data also contained information scraped off about the users’ friends without permission.

However, the ICO’s report found that Cambridge Analytica had made efforts to clear the data when Facebook requested it in 2016. The agency also noted that the company had made efforts to replicate the Kogan data on a fully independent and approved basis as of 2015.

However, the report noted that some inferred data persisted until it was deleted in 2017. This step was signed by the then chairman of the board, Alexander Nix.

The ICO therefore noted that some parts of the original Kogan data were “suspected” to have been used in the context of political campaigning for the 2016 US presidential election, albeit in modeled form:

For example, it is believed that SCL (through contracts with companies, including AIQ) provided advertisements on the Facebook platform that targeted specific voter demographics, informed through the profiling carried out by SCL / CA and GSR

However, Cambridge Analytica sources have always denied this, claiming that the data was only quarantined for modeling comparison purposes. The final report does not currently offer any compelling evidence to contest this.

To blame for overselling psychographics?

Another unpopular observation by the Commissioner relates to how ineffective the group’s predictive analyzes actually were. Possibly very. As mentioned in the report (our focus):

. . . While the models showed some success in correctly predicting attributes for people whose data was used to train the model, the real accuracy of those predictions was – when used for new people whose data was not used in building the models – was probably much lower. The investigation was identified through the ICO’s analysis of internal corporate communications Within SCL, there was a certain skepticism about the accuracy or reliability of the processing carried out. There seemed to be internal concerns about the external messages when contrasted with the reality of their processing.

The group’s famous marketing slogan – over 230 data points per person out of 230 million American adults – was also viewed as excessive by the commissioner. The companies’ actual data points looked more like this:

But what about Brexit?

The extent of Cambridge Analytica’s involvement in Leave.EU’s Brexit campaign is probably the question that has preoccupied UK digital rights activists the most in recent years. However, the conclusions of the ICO report are unlikely to be welcomed.

According to the commissioner, the authority stated (our focus):

. . . No more evidence to change my previous view that SCL / CA were not involved in the UK EU referendum campaign – beyond some initial inquiries from SCL / CA regarding Ukip data in the early stages of the referendum process. This area of ​​work does not seem to have been promoted by SCL / CA.

Regarding Russia’s involvement, the commissioner recalled that the ICO had already handed over the evidence found to the National Crime Agency. The final report of the Committee on Digital, Culture, Media and Sport revealed in February 2019 that this concerned the discovery of Russian IP addresses in the data of Aleksandr Kogan’s server. The commissioner added that the investigation had found no additional evidence of Russia’s involvement in material on Cambridge Analytica’s servers that he has received since then. The National Crime Agency has yet to take action.

Most recently, the Commissioner said she had “found no material breaches of data protection and electronic marketing rules, as well as data protection laws that have reached the threshold for formal regulatory action”.

The only successful lawsuit against the Cambridge Group was against SCL Elections for failure to comply with a writ of execution that was sent to them while they were already in administration. The fine was £ 18,000.

However, the authority’s penalties also extended to the following groups:

• Facebook (£ 500,000) was paid on November 4, 2019
• The voting leave paid on April 29, 2019 (£ 40,000)
• Leave.EU (£ 15,000) was paid on May 15, 2019
• Emma’s Diary (£ 140,000) was paid on August 29, 2018

Who is watching the guards?

In total, the database collected by the ICO as part of its investigations comprised 42 laptops and computers, 700 TB of data, 31 servers, over 300,000 documents and a wide range of materials in paper form and from cloud storage devices.

After completing the investigation, the ICO must either return the records to their owners – in this case to the administrators of SCL – or safely dispose of them in accordance with its own data control guidelines.

According to the final report, the commissioner’s office is already ensuring that “all data, models and derivatives are safely destroyed” and that “several items received were later rejected and that we are taking steps through our forensic technology provider to destroy them safely ourselves. ”

FT Alphaville believes the underlying data, which many continue to believe single-handedly “hacked” Brexit 2016 and the 2016 American elections, may soon be lost forever.

If so, it could shortly become even more difficult to refute the nasty claim that Cambridge Analytica’s main crime related to data was selling its own skills rather than actually hacking democracy with the help of the Russians.