The British Columbia firm tied up in the Cambridge Analytica scandal repeatedly broke Canadian law, according to an investigative report published Tuesday.
AggregateIQ was one of a network of companies that inappropriately obtained personal information on millions of Facebook users, which they used to psychologically profile and target political messages to voters during the 2016 U.K. Brexit referendum and U.S. presidential election campaigns.
A joint investigation by Canada’s privacy commissioner and the B.C. information and privacy commissioner found Tuesday that the political technology firm didn’t have adequate consent to use the data.
Speaking to reporters, federal privacy commissioner Daniel Therrien and B.C. commissioner Michael McEvoy made it clear that they would’ve liked to punish AIQ, but they don’t have the power to levy fines.
“This is an area where Canada is in serious need of reform. In Europe, under the privacy regulation, their companies can be fined significant amounts of money which act as a real deterrent,” McEvoy said. “Canada needs to keep up.”
But because neither commissioner has the power to levy fines, the report concludes by making two recommendations which have been accepted by AIQ — first, the company must be more diligent about respecting individual consent when handling data, and second, it must beef up security and delete the personal information it shouldn’t have been using.
In March of 2018, British journalists broke a story about personal data harvested from Facebook without user consent by an academic named Aleksandr Kogan.
The data was then provided to a company called Cambridge Analytica, and was used to create psychographic profiles of individuals, which could then be used to target advertising in various election campaigns, including the Brexit referendum and the early stages of the last U.S. presidential campaign.
In particular, the report said that AIQ took personal information gathered from various sources to create “custom audiences” and “lookalike audiences” using Facebook’s ad targeting tool.
Custom audiences are when an advertiser uploads a list of names, email addresses or other identifying data, so that they can target ads to those people. Lookalike audiences take a list of individuals — for example a customer set — and then target ads at other people who fit a similar profile.
According to a report in The Guardian, the AIQ website prominently included a quote from the Brexit Vote Leave campaign manager, David Cummings, saying, “We couldn’t have done it without them.”
That quote was scrubbed from the website after the story broke in 2018.
In an emailed statement to the Financial Post, AIQ chief operating officer Jeff Silvester made no mention of the finding that the company broke the law, but he emphasized that they have been fully co-operating with the investigation, and that they have taken action on the recommendations.
“While this investigation imposed a tremendous burden on a small company, and took a very long time to complete, the privacy issues engaged by a new and internationally-connected economy are important,” Silvester wrote.
“This is why we have been sharing our experience of navigating the complexities of cross-jurisdictional information and privacy laws with other organizations through private meetings and public speaking opportunities.”
Facebook did not respond to a request for comment on these issues.
The report released Tuesday also found that AIQ left unsecured personal information in a publicly available GitLab repository which included encryption keys that could’ve allowed somebody to access private information on 35 million people.
McEvoy said he believes that the situation demonstrates the need for major changes to Canada’s laws, giving regulators more power to police companies who handle personal information.
“Cambridge Analytica, Facebook, that whole story, I think, has seismic implications around the world, including in Canada and British Columbia, where over 600,000 named Canadians were involved,” he said.
“To a great extent it has shaken Canadians’ and British Columbians’ confidence in the political campaign system. That is critically fundamental in a democratic society where trust is often in short supply.”
Both commissioners said one of the important takeaways from Tuesday’s report is that Canadian laws apply to Canadian companies, even when they’re doing work internationally. In this case, that means Canadian companies must have individuals’ consent if they’re working with personal data.
Therrien has for years been saying publicly that his office needs significantly expanded legislative authority, including order-making power, the ability to fine offenders, and more resources to more aggressively investigate these issues.
On Tuesday, he reiterated that idea, and took particular aim at Canada’s political parties.
“Unfortunately, there is a gaping hole in terms of protection. Political parties collect vast amounts of data about voters, and yet British Columbia is the only jurisdiction in Canada that explicitly regulates the privacy,” he said.
“Reform is urgently needed to maintain trust in political parties and our democratic system.”