Cambridge Analytica Claim To Sway Elections With Facebook Data

Facebook data was contorted without user consent to put a candidate in the White House. That's not today's news, it happened in 2012. That Cambridge Analytica obtained scraped Facebook data for political campaigning wasn't revealed last weekend, it was first published in 2015. 

This week, headlines centre on Cambridge Analytica, Trump and Brexit, revealed data from Facebook was passed via a third-party researcher and used to target individuals en masse with "psychological warfare" during the US election. Cambridge Analytica has denied the allegations, while Facebook booted both Cambridge Analytica and whistleblower Chris Wiley from its platform. 

The news is shocking, though familiar. A story about an American politician turning to Cambridge Analytica for campaign help using data hoovered up in questionable fashion from Facebook was published back in 2015, before Trump and before Brexit. Facebook said at the time it was "carefully investigating".

Clearly not carefully enough. More than two years later Facebook representatives were reportedly spotted in Cambridge Analytica's offices, trying to "secure" data while the Information Commissioner sought a warrant for a raid. So what took so long? 

"The essence of the story really isn’t that different from what was revealed in 2015," says Eerke Boiten, professor in cyber security at De Montfort University. "Then, and throughout the last few years, there were always missing details and crucial denials that could sustain the idea that it was all a conspiracy theory, or boasting by the big egos of Cambridge Analytica."

Thanks to tenacious reporting and the decision of former Cambridge Analytica employee-cum-whistleblower Wylie’s decision to go public, the story has finally been cracked open, with data watchdog raids, rumblings from MPs about hearings, share price falls and Facebook's chief information security officer suddenly departing. 

At the start of this year, Facebook founder Mark Zuckerberg admitted that the social network “make too many errors enforcing our policies and preventing misuse of our tools” and made it his priority to do better. And yet, throughout this week’s scandal, Zuckerberg had remained silent.

"With the developments since then, and the investigations that have taken place either side of the Atlantic, we’ve now had so much smoke that there really must be a fire," says Boiten. 

Add that to the dramatic Trump and Brexit results, regardless of how you view the outcome, as well as investigations into Russian influence, and, Boiten says, the fact "nobody has any illusions about good intentions of Steve Bannon or Robert Mercer anymore," and it's no wonder we're finally paying attention. 

Privacy campaigners finally have a story that shows how dangerous the misuse of our data can be.

"It was only a matter of time for some profiling application to turn up that the public would find unacceptable," says Boiten. 

"Last year it briefly looked to be wealth screening of charity donors. Personalised price discrimination based on perceived wealth and buying habits was also a long standing candidate, or the setting of very precise life insurance premiums based on health data profiling. Turned out it was social media manipulation around elections, then."

If only we'd listened to privacy activists and data-rights campaigners sooner, they've been warning us for years.

The Digital Canary
The capture of Facebook data for political ends didn't start with Cambridge Analytica. In 2012 a story about "Obama for America", as his re-election team was called, and a Facebook app it created to boost the campaign. The app was the work of Blue State Digital, which had worked on Obama's first presidential run; Blue State Digital’s founder Joe Rospar was Obama's chief digital strategist. The aim was to use people’s Facebook friends to convince them to vote for Obama. 

To do that, the app asked Facebook followers if it could access your friends data, allowed under Facebook's terms at the time but banned in 2014. That data was used for funding requests and ads, but also to help identify which of supporters' friends were dithering on the election, so they could be targeted by their own Facebook friends. 

You're more likely to listen to your friends, the argument went, than any campaign manager. Back then, Facebook was a digital darling, but the idea that it allowed third parties to access people’s data without their direct consent now seems ludicrous.

"Understanding that a message from a friend is more trusted and effective, the program matched undecided voters in swing states within supporters’ networks, and provided them with a simple yet powerful way to share voting information," the Blue State Digital website explains. 

"The peer-to-peer messages boosted target audience reach by 400 per cent and increased completion rates for important actions like registering to vote by 40 per cent."

This is a far cry from what Cambridge Analytica stands accused of; Blue State's data was collected and used legally with consent, the messages clearly came from Obama's campaign, and there were no attempts to use psychometric analysis. Yet even then it still raised prescient questions from privacy activists. 

At the time, Jeff Chester of the digital advertising watchdog Center for Digital Democracy, said Blue State Digital’s technology was "beyond J Edgar Hoover's dream. In its rush to exploit the power of digital data to win re-election, the Obama campaign appears to be ignoring the ethical and moral implications."

Cambridge Analytica appears to have taken the idea of using Facebook to persuade citizens and run to hell and back with it.

What's more convincing than your friends armed with a few facts and memes from campaign central command? Propaganda tuned to your individual psychological quirks. Rather than legally acquire Facebook data to encourage supporters to share a few facts, links or videos to convince friends or encourage voter turnout, Cambridge Analytica allegedly acquired the data through a researcher who broke Facebook’s terms and UK data laws in order to build what Wylie describes as a "psychological warfare mindfuck tool" and "a full service propaganda machine".

Wylie says Cambridge Analytica tried to understand what kinds of messaging would change a person's mind, be it the right topic or tone, such as scary or warm, and then use a team of designers and developers to create that content as websites, blogs or other sources. 

"We will create content on the internet for them to find," he says. Those posts and blogs would have seemed organic and authentic, but they weren't. Cambridge Analytica denies it used Facebook data in the Trump campaign. 

Why don't we Listen?
Why did we wait for electoral carnage before heeding the warnings from privacy experts and investigative journalists? Privacy campaigners have been warning against this for years.  The Wall Street Journal reported on political data mining as early 2010, The Intercept laid out details of political data mining firms in 2016 and the Daily Mail asked in 2014 if Facebook could "swing an election." All those warnings and many more, before Cambridge Analytica was even formed, were all ignored. 

Cambridge Analytica has been the subject of repeated stories for years. In 2015 it made news with the story described above, detailing the use of scraped Facebook data on Ted Cruz's candidacy campaign.  Christopher Soghoian, chief technologist of the American Civil Liberties Union, said the news was "troubling" and Facebook claimed at the time it was "carefully investigating the situation." It took two years for anyone to fully appreciate what was going on.

Boiten believes the public and activists focused too much on keeping data private, rather than how private data could be abused. "The big data protection stories, and in the UK, fines, have been about information leaking and being sold, for example in data breaches," he says. 

At the start of this week, the first round of headlines on the latest Cambridge Analytica scoop highlighted a breach, sparking arguments on semantics. The idea of "privacy as control" also gained some traction, with even Boiten arguing that "the precise use of Facebook privacy settings to share particular things with particular audiences is a triumph of privacy-as-control". However, he notes that it hasn't been well explained how data could be used against people; while we were warned that Facebook could "swing an election" or predict sensitive characteristics, we didn't understand what that meant for us. 
"The dimension of privacy that has proved hardest to catch is the use of, possibly innocuous-seeming, personal data against people," he says. We've got one heck of a case study now, at least, the slimmest of silver linings on this debacle. 

What about Facebook?
We've heard ad nauseum that on Facebook we're not the customers but the product. We all know Facebook is designed to collect data on its users, massage it for preferences, and try to influence us, that's behavioural advertising, after all. Will the association with Cambridge Analytica and the clear view of the danger of data misuse convince us to change our promiscuity with data sharing? Aral Balkan, privacy activist and developer of the Better anti-tracking tool, doesn't think we'll smarten up and ditch Facebook. "People are still more worried that a third-party company like Cambridge Analytica used Facebook’s data instead of what they should actually be worried about: that Facebook had that data to begin with," he says

"Cambridge Analytica and Facebook have the same business model," says Balkan. "If Cambridge Analytica can sway elections and referenda with a relatively small subset of Facebook’s data, imagine what Facebook can and does do with the full set."

If that doesn't alarm you, you haven't been paying attention. Not enough of us have, but it's time to start.

Wired

You Might Also Read:

How AI Has Conquered Democracy:

Millions Of Facebook Profiles Were ‘Harvested’  In US Election Breach:

You Probably Don’t Know All the Ways Facebook Tracks You:
 

 

« About Strategic Threat Intelligence
Slingshot: Avoiding Sophisticated Cyber Espionage »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

CERT Bulgaria (CERT.BG)

CERT Bulgaria (CERT.BG)

CERT Bulfaria is the National Computer Security Incidents Response Team for Bulgaria.

National Cyber Security Directorate (DNSC) - Romania

National Cyber Security Directorate (DNSC) - Romania

DNSC (formerly CERT-RO) is the Romanian national cyber security and incident response team.

VADO Security Technologies

VADO Security Technologies

VADO Security enables the safe transfer of data between low & high security networks.

Hexatrust

Hexatrust

The HEXATRUST club was founded by a group of French SMEs that are complementary players with expertise in information security systems, cybersecurity, cloud confidence and digital trust.

Echosec Systems

Echosec Systems

Echosec Systems is a data discovery company delivering social media and dark web threat intelligence. Our web based security software delivers critical information for situational awareness.

Truly Secure

Truly Secure

Truly Secure is an IT Service Provider that ensures greater efficiency and security within a company's technological environment.

Stryve

Stryve

Stryve is a leading carbon-neutral provider of specialist cloud and cybersecurity services in Europe.

Intelligent Technical Solutions (ITS)

Intelligent Technical Solutions (ITS)

We help businesses manage their technology. Intelligent Technical Solutions provide you with the right technical solution, so you can get back to running your business.

Otto

Otto

Stop Client-Side Attacks. Plug otto into your application security suite and protect your supply chain.

InfoSec4TC

InfoSec4TC

InfoSec4tc is an online Information Security Courses, Training, and Consultancy provider.

Galvanick

Galvanick

Galvanick enables your operations and IT teams to protect your industrial systems and networks against digital threats.

ABM Technology Group

ABM Technology Group

ABM Technology Group (formerly True IT) provide business information technology services, solutions, and consulting for small to mid-sized organizations.

SecurWeave

SecurWeave

SecurWeave's Configurable Hardware Enforced Safety and Security (CHESS) platform has been designed to meet the security and safety criticality needs of the evolving digital industry.

Uptime Institute

Uptime Institute

Uptime Institute is an unbiased advisory organization focused on improving the performance, efficiency, and reliability of business critical infrastructure.

AuditBoard

AuditBoard

AuditBoard is the leading cloud-based platform transforming audit, risk, ESG, and InfoSec management.

Qodea

Qodea

Qodea (formerly Appsbroker CTS) is Europe's largest Google Premier only transformation partner.