How a private consultancy firm got hold of and what it did with the personal data on US citizens may soon be made public after the UK data privacy watchdog stepped in. Millions could soon demand their own personal data.
Cambridge Analytica — described by critics as Trump's "digital army" and founded by hedge fund billionaire Robert Mercer — is at the center of an evolving row over grabbing data on millions of Facebook users.
The social media giant is accused in turn of failing to force the UK-based firm to delete all the data from its servers. Critics argue this enabled the company to retain highly valued predictive models based on the data, which were allegedly used in the 2016 US presidential election.
Read more: Who needs privacy anyway?
It has been suggested by former Cambridge Analytica employees, including Christopher Wylie (pictured below), that Facebook knew about this and was content to profit financially from political advertising using the models.
Cambridge Analytica has denied using data harvested by Cambridge University psychologist Alexandr Kogan on Facebook in the 2016 election and has denied psychographic targeting techniques were used in Donald Trump's successful 2016 election campaign.
But recent revelations in The Guardian newspaper show that US President Donald Trump, hired Cambridge Analytica after he became the Republican nominee and the company retained models and aggregated versions of Facebook data throughout the presidential campaign and after.
Former Cambridge Analytica executives have told The Guardian, that Facebook could have demanded the company delete models built using Kogan's data, but it was not until April 2017 — some 16 months after Facebook asked for the data to be erased — that it received official certification that the company no longer held such data.
The Carroll case
In March, David Carroll, a professor at the Parsons School of Design at the New School in New York, asked Cambridge Analytica for details on how his personal data had been obtained, processed and used by the company. He was, he says, fobbed off with masses of raw, largely unintelligible, information.
Cambridge Analytica later described Carroll's claims as "unfounded" and said: "Unfortunately, he is wasting other people's money with this spurious legal action."
Carroll is adamant Cambridge Analytica fundamentally impacted the US election. "They did this by both activating turnout of Trump supporters while suppressing turnout of potential [Democrat candidate Hillary] Clinton voters," Carroll told DW. "In addition, the company is accused of fomenting the alt-right ethno-nationalist movement and employing Nazi propaganda tactics," he said.
And so he decided to take the matter to the UK courts.
In March, Carroll filed a statement in the high court in London in support of a claim to recover his data and reveal its source, citing Cambridge Analytica and SCL Elections, its parent company.
"We are fighting for a legal principle that, in an age of unlimited access to personal data, is fundamental: companies cannot use your data in any way they see fit. Your data is yours and you have a right to control its use," Carroll's lawyer Ravi Naik told DW.
The case of Carroll, an American citizen without legal recourse in the US, was then taken up by the UK's Information Commissioner's Office (ICO), which has the power to enforce data protection laws in the case of Cambridge Analytica since it is a UK-based company.
The ICO declined to comment.
Asked if this data is possible to erase completely, Carroll said: "Recent reporting suggests controversy surrounding when/if data versus data models were destroyed so it remains an open question for the ICO's audit and pending report."
The timetable for releasing the Carroll data is 30 days from the date of issuance of the ICO order and the company has a right to appeal, he says.
"I hope this resolves into a mechanism where citizens around the world can easily repatriate their own voter profiles from SCL," Carroll said, adding he also hopes the US passes new laws that restrict processing of political data abroad and further restricts foreign nationals from participating in digital election campaigns.
"I hope the US works to harmonize and reciprocate key aspects of the [EU's] General Data Protection Regulation (GDPR), especially the right of access, a data right that we don't have in the US and one that my story with CA/SCL shows we badly need," Carroll said.
The GDPR is a regulation in EU law on data protection and privacy for all individuals in the EU, and also addresses exports of personal data outside the EU.
The ICO decision has two noteworthy implications, Zulfikar Ramzan, the Chief Technology Officer of RSA, a global cybersecurity firm, told DW.
"First, this decision sends a message that organizations cannot operate with impunity when it comes to individual data. It fails to address the fundamental misalignment of economic incentives that represent the root cause, but it creates a partial disincentive for organizations who behave badly."
"The second implication is that this decision follows a recent trend of focusing on data sovereignty rather than organizational sovereignty. In other words, rather than being concerned with where a particular organization is located at a given point in time, the focus is on where the data originated and how it was processed."
But others are skeptical the case will change much.
"It looks like the company went bankrupt and reformed under a different name. The company's data and models almost certainly moved to that new company, where they will continue to create a business around it," Bruce Schneier, an American computer security expert, told DW.
"The David Carroll decision gives us a window into the data Cambridge Analytica collected. It's important legally, because it involves a US citizen making a demand in a UK court, but ... I'm not sure knowing the details will make any real difference," Schneier said.
Raw data as commodity
Derivatives of data — including predictive models or clusters of populations in psychological groupings — can be highly valuable to companies involved in micro-targeting advertisements to voters. They are often more valuable than the raw data.
"The inherent nature of digital data is that it can often take on a life of its own," Ramzan said. "Firms like Cambridge Analytica do not merely collect raw data for its own sake," he added, noting that typically they are looking for ways to monetize that data.
"This means they leverage analytical tools to derive meaningful insights. In the process, they may correlate your data with other data, build predictive models around your original data, and so on," Ramzan said.
This all leads to a seemingly amorphous body of raw data and derived data that becomes harder to control, noted Ramzan, adding that "Organizations that make money by deriving insights from your data are not economically incentivized to destroy it."
"If history is any guide, they take responsibly, promise to do better next time, wait for everyone to forget about the issue, and go on doing what they've been always doing. I don't like it, but it seems that we are all very forgetful and will salvage Facebook's reputation for it," Schneier concluded.