http://www.cbc.ca/news/politics/christopher-wylie-facebook-liberals-canada-cambridge-analytica-1.4586046
The story of the massive privacy breach from facebook continues to grow and implicate more Canadian politicians. This recent story has forced the current Liberal party to disclose that they contracted with the Cambridge Analytica whistleblower Christopher Wylie in 2016 at a cost of $100,000.
The article does not go into detail about what Wylie’s company (“Eunoia”) did exactly for the Liberals, although they do describe creating “social-media monitoring tools” and sample Canadian voter profiles. The contract with Wylie’s company was ultimately not renewed, but exactly how many Canadians had their data used, the legal terms governing that data, and the extent of the $100,000 work remains obscure.
In question period following the revelations, the Liberal party, in their defense to the use of their “data driven activities” point out that the Conservative Party had a similar $100,000 contract with the public relations data firm Agility PR Solutions.
In response to all this, the Privacy Commissioner Daniel Therrien “launched an investigation to determine whether any personal information of Canadians was affected by the alleged unauthorized access to Facebook user profiles.” Another news report quotes the Commissioner as asking for more meaningful, binding powers in light of recent alleged data abuses:
This week’s events have shown that weak privacy safeguards can have serious effects that go beyond the commercial realm, potentially distorting democracy, Therrien said. “It’s a wake up call, frankly, if not a crisis in confidence.”
Therrien wants other legislative changes to usher privacy laws into the era of big data and artificial intelligence, including new powers for his office to audit companies, make binding orders and levy fines.
Some questions arise in light of these comments, such as, what form should those legislative changes take to be truly effective? And, how can users meaningfully enforce their rights in cyberspace?
The cyber security firm UpGuard has recently reveal another intriguing Canadian connection to the Cambridge Analytica story. The Victoria, British Columbia based Aggregate IQ, a political data firm which has close ties to the parent company of Cambridge Analytica, is now being name in the unfolding scandal.
SCL Elections owns both Aggregate IQ and Cambridge Analytica. According to whistleblower Christopher Wylie “Essentially it [Aggregate IQ] was set up as a Canadian entity for people who wanted to work on SCL projects who didn’t want to move to London. That’s how AIQ got started: originally to service SCL and Cambridge Analytica projects.”
This small, 20 person Canadian firm was allegedly involved in not only the 2016 US Presidential election, but also a number of other State elections. What may be most alarming is that the company left a sensitive repository of their tools (SCL Elections owns Aggregate IQ intellectual property “in perpetuity”), which can be used to manipulate democratic processes around the world, accessible to the public online:
“Revealed within this repository is a set of sophisticated applications, data management programs, advertising trackers, and information databases that collectively could be used to target and influence individuals through a variety of methods, including automated phone calls, emails, political websites, volunteer canvassing, and Facebook ads. Also exposed among these tools are numerous credentials, keys, hashes, usernames, and passwords to access other AIQ assets, including databases, social media accounts, and Amazon Web Services repositories, raising the possibility of attacks by any malicious actors encountering the exposure.”
The growing storm of controversy surrounding personal data abuses seems to reinforce the movement towards increased regulation and enforcement of rights in cyberspace. This particular story highlights that the adverse consequences of deregulation are not limited to giant tech companies like Facebook alone, the problem is systemic. As one author writes:
“But this story is not about Facebook’s rules being broken, or the apps that seek to discern a more algorithmically predictable “you” through inane clickbait quizzes about which philosopher or dog breed you like best. It’s not, fundamentally, about Cambridge Analytica, or even about Facebook. If you delete Facebook because you’re worried about privacy, you’ll have to delete almost every other app and platform too, because almost everything else on the internet is operating the same way.
This story, at root, is about what you don’t know you’re sharing simply by being online. It’s about how companies take that data and sell it and use it for purposes that you have no say in.”
It will be interesting to see how regulators here react to the news, and attempt to apply existing laws to condemn any wrongdoing. It will also be interesting to see what new laws come to fruition as a result of these ongoing data fiascos, if any.
Sources:
https://www.upguard.com/breaches/aggregate-iq-part-one
https://www.vox.com/the-big-idea/2018/3/26/17164022/gdpr-europe-privacy-rules-facebook-data-protection-eu-cambridge