The three main political parties in B.C. collect too much information from potential voters without getting proper consent and at times use it in ways people don’t realize, the province’s privacy commissioner has found.

In particular the report found that people don’t realize the parties disclose some personal information to Facebook to find and target potential supporters with ads. “Individuals are not informed that their information is being used in this way,” it says, “and it is unlikely that parties have the consent to disclose voter information for this purpose.”

Released Wednesday, the report looks at what personal information B.C,’s three main political parties — the Green Party, the Liberals and the NDP — collect from the province’s 3.3 million registered voters and what they do with it.

Under the provincial Personal Information Protection Act (PIPA) all organizations, including political parties, can only collect, use, or disclose information about an individual if the individual has given consent. B.C. is the only province with a privacy law that applies to political parties. The Trudeau government has rejected calls for legislation to cover federak parties.

While political parties have to talk with the public, wrote commissioner Michael McEvoy, “this communication should be a fully transparent two-way street. A one-sided dialogue in which the public is kept largely in the dark about the significant amounts of personal information collected and used about them is not sustainable legally or ethically.

“In the competitive world of political campaigning it is understandable that political parties would explore technological platforms and tools to refine voter profiling and targeting. However, this cannot be without limits. Political parties [are] disclosing personal information of supporters to Facebook without consent, or processing supporters’ information to determine ethnicity demonstrate why boundaries are required.

“While these are concerning scenarios, recent developments in the U.S. and U.K. suggest they may only be the thin edge of the wedge when it comes to privacy-invasive techniques used to gain electoral advantage.”

Before receiving a voters list from Elections B.C. (which oversees votes), parties must agree to the terms of a privacy policy acceptable to the Chief Electoral Officer, McEvoy recommended.

He also suggested the parties create a voluntary code of practice governing how political parties handle personal information, including personal data analytics, online advertising, and the use of social media. The idea was raised in the U.K. last year by that country’s information commissioner.

The report comes amid heightened scrutiny of how political parties, interest groups and social media handle personal information to possibly accelerate disinformation and fake news, and how much consent individuals give to having their information used for political purposes.

Concern increased after the revelation that British firm Cambridge Analytica used data of millions of unwitting Facebook users to create profiles used to target ads in a number of political campaigns. The data was pulled from the profiles of 300,000 Facebook users who willingly participated in what they thought was a personality test created by a researcher. They didn’t realize the app also pulled in the profiles of their friends, which totalled 87 million people. The researcher who gathered the data shared it with Cambridge Analytica and another firm. Allegedly connected was Victoria, B.C.-based AggregateIQ, which according to news reports had an agreement with Cambridge Analytica.

Both the federal and B.C. privacy commissioners are investigating AggregateIQ and Cambridge Analytica.

The B.C. report issued Wednesday in part was started because during the 2017 provincial election McEvoy received several complaints about political parties improperly disclosing and failing to take adequate security measures to protect the personal information of voters. The complaints included instances of stolen equipment, lost canvassing lists, and retention of voter data after the election.

McEvoy cautioned that the report isn’t an exhaustive examination of every aspect of the political parties’ activities with respect to personal information. His staff didn’t analyze local party constituency associations or candidates that may control data, but focused on the way the three parties’ central offices treat personal information.

Organizations — including political parties — are not entitled to collect whatever information they want about a person, the report emphasisze. They can only collect the personal information that PIPA and/or the Election Act allows.

Generally the three B.C. parties investigated merge information from government-supplied voters lists with information
collected from other sources, such as door-to-door canvassing, telephone canvassing, data brokers, petitions, and social media.

Standard information is name, address and indication of party support. But, the report notes, door-to-door canvassers might also collect information on a person’s gender, ethnicity, religion and languages spoken without asking for consent  “It is highly debatable that most individuals would agree to it if they were told. In other words, it is highly unlikely – particularly as it concerns gender, ethnicity, and religion – that voters are consenting to this collection,” the report says.

If an individual speaks to a canvasser in a language other than English that may be implied consent, the report adds.

When it comes to collecting data through social media, the report says that if an individual “likes” or shares information about a political party on a social media platform, that isn’t lawful consent for the party to collect the individual’s personal information. Specifically, political parties don’t get express consent to link email addresses with social media profiles, says the report.

Perhaps one of the most significant findings McEvoy makes is that the use of personal information by a party to predict and profile a voter’s ethnicity, gender, or age is likely not authorized by PIPA without consent. “PIPA also requires that an organization ensure the personal information it collects about an individual is accurate,” says the report. “As this method of inferring personal information can be inaccurate, the compilation of this information may be in contravention of PIPA.”

“It is at the very least important that all political parties transparently disclose to voters how they are profiled and scored.”

As for social media, the report says all three parties disclose the email addresses of known supporters to companies like Facebook. Additionally, the B.C. NDP gives Facebook the first and last name of their supporters along with phone number, city of residence, and date of birth. The Liberal Party uploads its financial donor list to Facebook. All this is done so parties can target ads on social media to supporters.

But while PIPA permits political parties to disclose personal information to a social media provider to contact individuals if they  had originally contacted the political party that way, or given express consent to be contacted via social media, the privacy act doesn’t permit political parties to disclose identifying information of supporters to a social media platform for data analysis or profiling without express consent.

All political parties should only disclose email addresses to social media providers with express consent, McEvoy urged.

One other significant finding: Due to the lack of regular auditing, the Liberal Party and the BC NDP have failed to make reasonable security arrangements to prevent unauthorized access and disclosure of personal information in their custody as required by PIPA.

The report makes 17 recommendations, including that all B.C. political parties should amend privacy policies to include a comprehensive description of the personal information collected, used, and disclosed by the party, the purposes for each of those types of personal information, and how it is authorized to collect, use, or disclose that personal information under PIPA.



Related Download
Cybersecurity Conversations with your Board Sponsor: CanadianCIO
Cybersecurity Conversations with your Board – A Survival Guide
A SURVIVAL GUIDE BY CLAUDIO SILVESTRI, VICE-PRESIDENT AND CIO, NAV CANADA
Download Now