Now that Facebook has agreed to pay a US$5 billion fine for its part in the Cambridge Analytica data collection and political advertising scandal, there is one more question to be answered: What role if any was played by a Canadian company called AggregateIQ Data Services?
The Victoria, B.C. public opinion polling and audience analysis firm is under investigation by the federal and B.C. privacy commissioners for possible violation of Canadian privacy law after news broke in 2018 that there was a local angle to the story.
A quick synopsis: In 2017 a number of news agencies published stories about the links between political consulting firm Cambridge Analytica, AggregateIQ and the two groups urging the U.K. to leave the European Union.
Eventually investigations were launched by the U.K. Information Commissioner’s Office and the U.K. Parliament which led to allegations that Cambridge Analytica had deceived Facebook users by falsely claiming no personally identifiable information was collected from those who participated in a so-called online personality app quiz named “This Is Your Digital Life” between 2014 and 2015. Data on possibly as many as 87 million Facebook users and their friends were scooped up and — unknown to them — later used for targeted politically-related ads in the 2016 Brexit and U.S. federal elections.
It was these allegations that led Facebook to agree to proposed settlements with the U.S. Federal Trade Commission and the Securities and Exchange Commission.
This also triggered separate investigations by Candian privacy regulators into Facebook and AggregateIQ because the data of Canadian Facebook subscribers were involved. They are looking only at whether federal Personal Information Privacy and Electronic Documents Act (PIPEDA) and B.C.’s Personal Information Protection Act (PIPA) were violated.
In their joint report on Facebook released in April of this year, the Canadian regulators found Facebook failed to get valid and meaningful consent of users who installed the quiz app and in getting the consent of the friends of users for their data. Nor did the social media company have adequate safeguards to protect subscriber data, the report adds.
Facebook Canada rejected a number of the regulators’ recommendations for improving data protection, including ensuring it obtains meaningful and valid consent from users and their friends when third-party apps are installed. The federal privacy commissioner’s office said Wednesday that it plans to go to the Federal Court later this year to have its recommendations upheld.
This report only briefly mentions AggregateIQ: “According to the principals of Canadian analytics company AggregateIQ Data Services Ltd. (“AggregateIQ”), and others in testimony before the [Canadian] House of Commons Standing Committee on access to information, privacy and ethics and the U.K. digital, culture, media and sport committee, SCL would provide lists of individuals (based on the psychological profiles modelled by [app creator Aleksandr] Kogan and SCL) to be targeted for political advertising by AggregateIQ. This was accomplished and supported using other Facebook tools including the creation of “custom audiences”, a tool developed for businesses to build an audience of users that can then be targeted for marketing and advertisements on Facebook.”
In testimony before the Canadian parliamentary committee, AggregateIQ executives insisted the company didn’t know where the data that SCL sent to it came from. They also maintained that their company doesn’t process data. Instead, they said it does data modeling.
They said they were hired by SCL to create a political software tool, described as akin to customer relationship management software. In addition, work done by AggregateIQ for the BeLeave campaign during the 2016 Brexit referendum included placing $1 million worth of targeted online ads. Separately, the Canadian company got $5 million from the Vote Leave campaign, largely for placing online ads, including on Facebook.
While there were some allegations before the U.K. parliamentary committee last year that the walls between AggregateIQ, Cambridge Analytica and SCL Group were “porous.” Jeff Silvester, the Canadian company’s chief operating officer, insisted while it works closely with clients it had no legal or ownership connection to SCL
At one point in 2017 SCL’s web site listed an SCL Canada, with the phone number of Silvester’s partner and CEO Zach Massingham. Silvester testified he has no idea why SCL would do that. SCL admitted that was a mistake, he added.
The U.K. hearing also touched on the discovery by a researcher working for the security firm UpGuard who in 2018 discovered an AggregateIQ code repository on GitHub that included some personal information. Silvester said that was a mistake. The data, he added, was some contact information on individual voters — largely American — from some of his company’s previous clients. The incident was reported to privacy regulators in B.C. and the U.K., he said.
Silvester’s testimony ended with this exchange with a U.K. MP:
Question: “I am reflecting on your evidence this afternoon and it strikes me there are only three possibilities here. First, it has not been a problem, there is nothing to see, move along. The second two are both there is a problem, which may well be unlawful sharing of data, use of data that has been unlawfully acquired or stored, possible breaking of U.K. electoral law. Of that second one, there is either the possibility that you are an innocent techie that has been used by highly politicized people running sophisticated political campaigns and you have been caught in the middle of it. Or that you have been part of the activities as well.
“There are only those three possibilities that I can think of. Which is it?”
Silvester: “Your first is?”
MP: “There is no problem at all.”
Silvester: “There is no problem at all.”