British Watchdog Finds Cambridge Analytica and Brexit Financier Misused Private Data

LONDON — The defunct political consulting firm Cambridge Analytica violated British law when it used improperly harvested Facebook data to aid Donald Trump’s 2016 presidential campaign, and would face a significant fine if it were not already in bankruptcy, Britain’s top data protection watchdog found Tuesday.

Posted Updated

Adam Satariano
Nicholas Confessore, New York Times

LONDON — The defunct political consulting firm Cambridge Analytica violated British law when it used improperly harvested Facebook data to aid Donald Trump’s 2016 presidential campaign, and would face a significant fine if it were not already in bankruptcy, Britain’s top data protection watchdog found Tuesday.

The long-awaited report by Britain’s Information Commissioner’s Office, which has been investigating the misuse of personal data by political campaigns, also said an insurance company owned by Arron Banks, a main backer of Britain’s campaign to leave the European Union, broke British law when it used customer data to aid the Brexit effort.

According to the commissioner’s office, the company, Eldon Insurance, shared private email addresses to be sent campaign messages on behalf of Leave.EU, a pro-Brexit group, months before the 2016 referendum on Britain’s membership in the European Union.

The 112-page report underscored how modern political campaigns rely on Facebook data and other consumer information, extracted or bought by consulting firms with little oversight and few protections for consumers. An investigation in March by The New York Times, The Observer of London and The Guardian revealed how Cambridge Analytica — at the time an upstart data firm bankrolled by conservative billionaire Robert Mercer — had improperly obtained and exploited Facebook data from as many as 87 million users around the globe.

The commissioner’s investigation revealed that political campaigns in Britain had exercised little restraint in exploiting consumer data, despite the EU’s relatively strict data laws. Political groups were acting more like online businesses and internet marketing firms to target and engage voters, the report concluded.

“We have uncovered a disturbing disregard for voters’ personal privacy,” the commissioner found.

The finding also adds to legal and political scrutiny of Banks, who was the single largest donor to the Brexit campaign. His dealings with the Russian ambassador before the referendum have separately raised questions about whether the Kremlin sought to reward important backers of Britain’s exit from the EU, and prompted British election officials last week to ask for a police investigation. In Washington, the special prosecutor, Robert Mueller, has obtained records of Banks’ communications with Russian diplomats.

Now Banks’ insurance company and the Leave.EU campaign are facing total fines of 135,000 pounds (about $177,000) for the privacy breaches, which occurred in 2015, 2016 and 2017. The insurance company owned by Banks will also be audited, the report said.

But the commissioner rejected accusations that Leave.EU secretly employed Cambridge Analytica — and possibly exploited its Facebook data haul — during the Brexit campaign, potentially violating British election disclosure laws. Though Cambridge Analytica considered working with Leave.EU, and even sent one executive to appear with Leave.EU officials at a news conference, the data company never reached an agreement with the campaign, the commissioner found.

Banks, sometimes described as the “godfather of Brexit,” has denied wrongdoing and was quick to rebuff the findings of the information commissioner’s office. The investigators “find no evidence of a grand data conspiracy and find we may have accidentally sent a newsletter to customers,” Banks said on Twitter.

But investigators specifically described an improper intermingling of data between Eldon Insurance, Banks’ company, and the Leave.EU campaign he co-founded.

Investigators said more than 1 million emails sent to Leave.EU supporters over two separate periods had also included marketing for Eldon Insurance services. Eldon customers also were sent a Leave.EU newsletter, an incident the company described as a mistake in managing an email distribution system.

The two organizations were already known to have close ties, including sharing board members.

The investigation began last year to look into the potential misuse of data in the British referendum on leaving the European Union. But it took on new urgency when The Times, The Observer and The Guardian revealed in March that Cambridge had improperly harvested the personal information of tens of millions of Facebook users without their consent.

The British investigation involved 71 witnesses, 30 organizations whose data practices were reviewed and 700 terabytes of data — the equivalent of 52 billion pages.

In an earlier report, issued in July, the Information Commissioner’s Office said it had fined Facebook 500,000 pounds — the maximum under British law — for allowing Cambridge Analytica to harvest user data.

In addition to the new details about Banks, Tuesday’s report provides more information about the investigation into how Cambridge Analytica obtained Facebook user data.

The investigation found that Cambridge had nimbly evaded what few restrictions Facebook imposed by contracting with an academic researcher working at Cambridge University, who used an app to harvest the data, almost all of it without the users’ explicit consent.

The political consulting firm teamed up with the researcher, Alexander Kogan, who had created an application that collected demographic information, News Feed posts, friend lists, pages that users had liked and other data.

The information was used to create physiological profiles that could guide the targeting of political messages.

In March, officials obtained a warrant to search Cambridge Analytica’s offices, getting access to mobile phones, storage devices, computers and financial records. At one location, the authorities said, they discovered a number of physically damaged servers, from which investigators were able to recover information.

Investigators said the Information Commissioner’s Office needed more to time to review evidence, including Cambridge Analytica’s email system, to better determine who had access to data on Facebook users.

“There are several strands that will take us into the future,” said Elizabeth Denham, the information commissioner. Cambridge Analytica announced in May that it was ceasing most operations and filing for bankruptcy amid growing legal and political scrutiny of its business practices and work for the Trump campaign. The elections division of Cambridge’s British affiliate, SCL Group, was also shut down.

In its report Tuesday, the information commissioner said that had the company still existed, it would have faced “a substantial fine for very serious breaches” or Britain’s data protection laws. The company, the report added, engaged in “unfairly processing people’s personal data for political purposes, including purposes connected with the 2016 U.S. presidential campaigns.”

The report did not draw any conclusions about whether data mining techniques used by Cambridge Analytica and others had determined the outcome of elections in the United States or Britain, but the regulator called on policymakers to draft new laws to restrict how data is collected and shared for political purposes.

“We may never know whether individuals were unknowingly influenced to vote a certain way in either the U.K. EU referendum or the U.S. election campaigns,” the report said. “But we do know that personal privacy rights have been compromised by a number of players and that the digital electoral ecosystem needs reform.”

Copyright 2023 New York Times News Service. All rights reserved.