Give Me Liberty, Or Give Me Data Protection? A Troubling Implication Of The American Voter UK Data Protection Case

from the frying-pan-to-fire dept

The Guardian had an article this past weekend about what looks like a potentially successful attempt by an American to use UK data protection law to force Cambridge Analytica to divulge what information it had collected about US voters like him. Whether the UK Information Commissioner’s Office (ICO) is truly entitled to compel Cambridge Analytica to do anything, much less on behalf of an American, is an open question. But for purposes here, let's assume that UK data protection law works this way, that it was intended to work this way, and that it's good policy for it to work this way.

The problem is, it's one thing for the ICO to force Cambridge Analytica to share with the American voter himself what personal data it had about him. But it's another thing entirely for the ICO to force Cambridge Analytica to share the personal data it has about American voters with it. Yet it looks from the article like that's what ICO may have threatened to force Cambridge Analytica to do.

The troubling passage:

The covering letter from the ICO says that if Cambridge Analytica has difficulties complying, it should hand over passwords for the servers seized during its raid on the company’s office – something that raises questions also about what it has managed to retrieve from the servers so far.

Insert record scratch noise here. The framing of the article, and a lot of reaction to it, is that ICO is the white knight here, seeking to vindicate the privacy rights of Americans whose data has been scooped by Cambridge Analytica. Maybe so, but to the extent it proposes to do this by itself scooping up Americans' data (and hopefully future reporting can be more explicit on whether this is what is truly proposed; the Guardian article did not link to the cover letter, nor does the ICO's press announcement) such a move is extremely concerning.

Because regardless of how problematic it is for a private entity like Cambridge Analytica to have access to lots of data about American voters, for all those same reasons it is even more problematic for a government to. And while it would be bad enough if it were the American government demanding it, it's even worse if it's a foreign government that now has access to all this data about American voters.

It's not a question of how much we trust that foreign government. We might see the problem more easily if it were, say, Russian regulators demanding Cambridge Analytica give it all the data it has, but the fact that it is our UK ally demanding it makes no difference. Irrespective of how well-intentioned or trust-worthy one considers the UK government of today, or its data protection authority, we still fought a war or two to keep it out of American democracy. In fact, so unhappy were we about things the UK government had done to help itself to information about American lives that we even came up with a couple of constitutional amendments to ensure the practice would not be continued.

Thus no matter how we feel about Cambridge Analytica having acquired our data without our permission, it would be a strange thing to encourage governments to return to those old ways and get to acquire our data without our permission too. Especially not governments so politically unaccountable to those whose data they would now collect.

Because while voters like Professor Carroll might not care, the apparently indiscriminate way the ICO has acquired data by copying entire servers would seem to capture the data of many more American voters than just him. Which, to put into the language of EU privacy regulators, would constitute a sort of data acquisition that not all of us affected had consented to.

Filed Under: data protection, foreign governments, ico, information commissioner's office, uk, voter info
Companies: cambridge analytica

Democratic National Committee Punishes Bernie Sanders For Their Own Technical Mistake; Sanders Threatens To Sues

from the turmoil dept

There's a bizarre story about potential computer hackery this morning, involving the Democratic National Committee and the campaigns of Bernie Sanders and Hillary Clinton -- the two front runners on the Democratic side. Apparently, the DNC was doing some sort of upgrade to its computer systems, and in the process, there was a glitch that very briefly allowed a Sanders staffer, "data director" Josh Uretsky, to access confidential data from Hillary Clinton's campaign -- specifically confidential voter information gathered by Clinton's campaign. Uretsky realized he was able to access the data and did so -- and has apparently since been "fired." In response, the DNC has completely cut off all access to its systems to the Sanders' campaign, saying it won't allow the campaign back in "until it provides an explanation as well as assurances that all Clinton data has been destroyed."

And, now the Sanders campaign is threatening to sue the party, claiming that this move could undermine his entire political campaign.

Yes, accessing a competitor's data seems questionable, but again remember that the mistake here appears to be because of the DNC itself -- or, rather, its computer system vendor NGP VAN. If there's a problem, the DNC should take it up with NGP VAN who fucked up and made the data available across campaigns. That's a pretty big mistake, given the stakes. But to blame the Sanders campaign seems pretty questionable. Yet, the DNC apparently has decided to go full bore against the Sanders campaign instead of admitting to its own error:

DNC chair Debbie Wasserman Schultz weighed in with a statement of her own.

"Once the DNC became aware that the Sanders campaign had inappropriately and systematically accessed Clinton campaign data, and in doing so violated the agreement that all the presidential campaigns have signed with the DNC, as the agreement provides, we directed NGP VAN to suspend the Sanders campaign's access to the system until the DNC is provided with a full accounting of whether or not this information was used and the way in which it was disposed," she said.

In a separate interview, Wasserman Schultz further attacked the Sanders campaign:

“The Sanders campaign doesn’t have anything other than bluster at the moment that they can put out there,” she told CNN on Friday. “It’s like if you found the front door of a house unlocked and someone decided to go into the house and take things that didn’t belong to them.”

To some extent, this sounds like the ridiculous legal fights over the CFAA, over what is and what is not "exceeds authorized access" (just wait until the DNC files CFAA claims against the Sanders campaign...). But separate from that, it really looks like the DNC is not just playing favorites with the Clinton campaign here, but so actively trying to blame its own technical failures on the Sanders campaign as to make itself look ridiculous.

Update: Well, that didn't take long. The Sanders campaign has sued the DNC alleging breach of contract (Sanders and the DNC have a contract allowing the campaign access to the system) as well as negligence for letting NGP VAN screw things up so badly.

Filed Under: access, bernie sanders, campaigns, cfaa, debbie wasserman schultz, hillary clinton, voter info
Companies: democratic national committee, dnc