Cambridge Analytica and its parent company, SCL Group, had drawn up plans to offshore all data to evade regulatory scrutiny but could not implement them as investigations had already started, UK’s data protection authority said as it concluded its investigation into the company. The Information Commissioner’s Office’s (ICO) said that the company had purchased 130 billion data points of more than 87 million Facebook users, mostly American voters, and combined them with other datasets to serve them political ads. It however concluded that SCL and Cambridge Analytica were not involved in influencing the Brexit referendum.

In a letter to the British MP Julian Knight, who is the chairperson of the Digital, Culture and Media and Sport Select Committee, Elizabeth Denham, the Information Commissioner Officer, called it the ICO’s “final written account” to the British Parliament. The letter acknowledged parallel investigations into Facebook in Australia, Canada and the US which reached similar conclusions as the ICO. The large volumes of evidence that ICO processed reiterated their intial findings and no new lines of enquiry have been opened up.

Background: ICO started investigating the use of personal data for political purposes in 2017 after multiple media organisations reported that Facebook data was harvested to target potential voters in the Brexit referendum and the US Presidential elections. ICO came into picture since SCL was a British firm. So far, the ICO has submitted three reports to the British Parliement and Denham last submitted evidence to the committee in April 2019.

Methodology: Since April 2019, the ICO has analysed materials obtained during investigation and those seized under warrant. To that end, the ICO reverse engineered processes to figure out how SCL/CA processed Facebook users’ personal data. The reverse engineering process helped ICO understand whether this process could be repeated, and the risks posed through such data processing. Reviewed material included:

  • 42 laptops and computers
  • 700 TB of data
  • 31 servers
  • 300,000+ documents
  • A wide range of material in paper form and from cloud storage devies

Relationship between SCL/CA: The director of SCL Elections at that time was Alexander Nix. Cambridge Analytica LLC was a subsidiary of SCL, with “Cambridge Analytica” serving as the brand under which the SCL group of companies predominantly operated. We have referred to them as SCL/CA in this document, save where it makes a material difference.

A Canadian company, AggregateIQ (AIQ), was commissioned by SCL/CA in 2014 to build a customer relationship management tool for use during the 2014 American midterms elections. AIQ advertised on Facebook on behalf of its clients and was subsequently investigated by Canada, and the ICO. While SCL/CA and AIQ have claimed that AIQ is a separate entity, ICO obtained evidence where AIQ was called the “Canadian branch of SCL” and Facebook invoices to AIQ were fulfilled by SCL.

Key takeaways from ICO’s investigation

SCL/Cambridge Analytica purchased data: SCL/Cambridge Analytica purchased “significant volumes of commercially available personal data”, about 130 billion data points as per an estimate. Most data was about millions of American voters. This data was combined with information derived from Facebook data. CA had got this information from Dr Aleksandr Kogan, a Cambridge University academic, and elsewhere.

SCL/CA not involved in Brexit referendum campaign: Denham reiterated previous findings that SCL/CA were not involved in the Brexit referendum in the UK. The company had only made “initial enquiries” in relation to UKIP data in the early stages of the referendum process but it was not carried forward by SCL/CA.

No ‘significant’ breaches of regulations in the Brexit campaigning on either side: The ICO also wrote that a wider set of investigations of several organisations, both on Remain and Leave sides of the Brexit referendum, revealed that any breaches of market regulations or the data protection legislation did not meet the threshold for formal regulatory action. Thus, the Office has just provided “advice and guidance” for better compliance to organisations that have continued operations.

Data combined with other publicly available and breached datasets: Apart from purchasing data, to “make predictions on personal data for political alliance purposes”, SCL/CA aggregated datasets. ICO said that SCL’s own marketing claims that they have over 5,000 data points per individual on 230 million adult Americans may have been an exaggeration. SCL/CA’s sources included:

  • US electoral rolls from Labels and Lists and DataTrust (~50 data points for 160 million individuals)
  • Consumer data sets from Acxiom and Infogroup (~500 data points for 160 million individuals) and Data Trust (3,000 data points for 100 million individuals)
  • Election return results from Magellan (~20 data points for national census tracks)
  • Psychographic inventories (10 data points for 30 million individuals)
  • Facebook (graph database of 30 million individuals)
  • Facebook likes (570 data points for 30 million individuals)
  • In-depth Republican Primary focused surveys (80,000)
  • ForAmerica member data (14.6 million post comments, 240 million post likes across 31 million users)
  • Emails from Infogroup (30 million)
  • Emails from DataTrust (26 million)

Who is Aleksandr Kogan? An American data scientist who was born in erstwhile USSR, now Moldova, Kogan developed the app “thisisyourdigitallife” that Cambridge Analytica used to collect personal data of about 87 million Facebook users. The app collected data on individuals who took the survey, as well as data of the user’s Facebook friends who hadn’t opted for stricter privacy options. Using each user’s inputs for the quiz and history of likes, Kogan basically created a digital personality dossier for each user and their friends.

When he developed the app, he was working as a lecturer in the Cambridge University’s psychology department. Kogan had built a personality quiz app in 2013, similar to what two other Cambridge researchers had built in 2007. In 2014, Kogan created his own company, Global Science Research Ltd (GSR) which had SCL Elections as one of its clients. Through this partnership, Kogan got access to Facebook data since he could now pay Facebook users money for taking his survey, and thus collect more data.

After the Guardian’s exposé of ties between Cambridge Analytica and how its data was used to target American voters for then presidential nominee Ted Cruz, Facebook severed ties with Kogan and asked him to delete the GSR data. It also ceased collaborating with Kogan on research related to a dataset with 57 billion data points.

Company had poor data practices: Denham wrote that had SCL/CA sought to continue trading data, they would have attracted “further regulatory actions against them” by the ICO. During the investigation, the ICO found examples of data obtained by Kogan and GSR from Facebook.

  • Data from Facebook shared outside of GSR and SCL/CA: Facebook data was shared by GSR and SCL/CA with people outside these companies. It was shared with staff at SCL/CA, Eunoia Technologies Inc., University of Cambridge, and University of Toronto amongst unnamed others. This data was then used by SCL, through AIQ, for political advertising during the 2016 US elections. Eunoia Technologies was founded by Christopher Wylie, the Cambridge Analytica whistleblower, and two other former SCL/CA senior staff in 2014. While Wylie had claimed that Eunoia had no Facebook data, Kogan testified before Knight’s committee in 2018 that GSR had sold the Facebook data of 87 million users to Eunoia. Before working at Cambridge University, Kogan had held a post-doctoral fellowship at the University of Toronto. The ICO was not able to ascertain if all this data was from GSR/Kogan and derived from the app he used to harvest Facebook data.
  • Accurate records of processing were not kept: Personal data was not always organised or well-structured. Accurate records of processing were not kept.
  • Several email accounts were used: SCL/CA staff worked interchangeably across different email accounts as a standard operating model rather than an attempt to evade ICO. A number of them also used their personal accounts.

SCL/CA planned to move data offshore to evade regulatory scrutiny: The ICO found evidence that SCL/CA were planning to relocate their data offshore to avoid regulatory scrutiny by the ICO. They were unable to implement those plans before the company ceased trading. The ICO has directed the overseas counterparts it contacted to vertify that they have deleted the data they held.

Own staff concerned about company’s impact: Evidence showed that SCL/CA’s own staff was concerned about the public statements that the company leaders had made about the company’s impact and influence.

No ‘additional’ evidence of Russian involvement with SCL/CA: The ICO said that analysis of material on SCL/CA servers did not reveal any “additional evidence of Russian involvement”. Reiterating her comments from April 2019, Denham said that reports of possible Russia-located activity to access data linked to the investigation were referred to the National Crime Agency after which it fell outside the remit of the ICO.

Ads were targeted using data given by the political campaign: In response to outstanding questions from April 2019, the ICO wrote that at times AIQ used Facebook’s standard targeting tools to target users on the basis of age, location, gender and interests while in some cases, the political campaign gave a dataset so that AIQ could create a lookalike audience. For instance, Vote Leave gave AIQ personal data to create lookalike audiences.

Ads targeted only to users provided by the political campaign: AIQ had an internal firewall policy that prohibited data sharing between campaigns. Thus, if Vote Leave provided a dataset of users to target, only those users were targeted, not users provided by BeLeave. The ICO did not find evidence suggesting otherwise.

Data deletion by SCL/CA may not have been effective: Although SCL’s director Alexander Nix had signed a Deletion Certificate in April 2017 stating that all data collected by the Kogan app had been permanently deleted, ICO recovered evidence that showed confusion within the SCL/CA staff about the quality and effectiveness of the deletion process.

ICO has received £695K in penalties thus far

Thus far, the ICO has received £695,000 (~₹6.95 crore) in penalties from Facebook, Vote Leave, Leave.EU, and Emma’s Diary (a website for new parents that sold data of more than a million people to the Labour Party).

Facebook had appealed the monetary penalty but withdrew it on the basis of a settlement agreement.

It also fined SCL Elections £18,000 (~₹18 lakh) for not complying with the ICO’s enforcement notice. The ICO’s recommendations to the Insolvency Service eventually resulted in a prohibition on Alexander Nix, a director of SCL Election Ltd, from acting as a director of any company for seven years. He is also prohibited from getting involved, without court permission, in the promotion, formation or management of a company. He was barred since SCL offered “potentially unethical services to prospective clients”. The ban came into effect on October 5.

ICO has audited at least 15 organisations

The ICO is also:

  • Auditing the Liberal Democrats’ compliance with the Data Protection Act
  • Getting information from UKIP about their data practices

The ICO has also finished auditing data protection compliance at 14 organisations including Cambridge University’s Psychometrics Centre (where Kogan worked), main political parties, main credit reference agencies, and major data brokers. The reports of these audits will be published separately.

The ICO had also sent auditing notices to Eldon Insurance and Leave.EU, but those have been appealed by the two organisations. Denham, however, intends to complete those audits subject to the outcome of the appeal.

Since the investigation has now been concluded, the ICO is returning materials to SCL’s administrators and is safely destroying any data, models and derivatives. Since some items have been disowned since the investigation started, the ICO will destroy those.