Before the 2016 presidential campaign, David Carroll, a media professor at New York’s Parsons School of Design, didn’t know much, if anything, about Cambridge Analytica. Despite studying data collection and privacy, he says he had probably only heard the name of the data analytics company mentioned once or twice. But that was before the election. And it was before, of course, it became clear that the firm—partially owned by Trump mega-donor Robert Mercer and the place where former White House Chief Strategist Steve Bannon once served as vice president—would help propel Donald Trump into the White House by cultivating vast troves of information on an untold number of American voters to craft controversial and highly targeted political messages.
But even still, it wasn’t until a few months after the election that the alarm bells started going off for Carroll. Paul-Olivier Dehaye, the co-founder of PersonalData.IO, a startup that helps individuals request their data from companies like Tinder, Uber, and Facebook, Carroll says, told him he suspected that Cambridge Analytica, with offices around the world, may have processed the data of American voters in 2016 in the UK. While the company’s tactics were a complete mystery, if that were true, Carroll, an American, could request what information it had on him as allowed by British data protection laws. So in early 2017, the two set out to pull back the curtain on the data tactics of Cambridge Analytica.
“He was curious,” Carroll, a self-described “data nerd,” tells Mother Jones. “I was curious. It was purely academic curiosity.”
Just a few months later, Carroll would find himself in the midst of a landmark data privacy legal battle.
Carroll’s quest started in February, when he formally requested his personal data from Cambridge Analytica, not knowing what, if anything, the company would give him.
At that point, the practices of Cambridge Analytica and its connection to both Mercer and Bannon were only starting to come under the microscope—questions that have since expanded to include the company’s possible connection to Russia’s social-media meddling in the election and, more recently, its potential collaboration with Wikileaks. As the Daily Beast reported in late October, last year Cambridge Analytica CEO Alexander Nix offered WikiLeaks founder Julian Assange assistance in the release of 33,000 of former Secretary of State Hillary Clinton’s stolen emails. (Recently Nix said, “We did not work with Russia in this election, and moreover we would never work with a third-party state actor in another country’s campaign.”)
Just a month after filing the initial request, Carroll, to his surprise, received a letter signed by a chairman of London-based “behavioral research and strategic communication” firm SCL, the parent company to Cambridge Analytica, with a file of his personal data, including a set of political predictions about Carroll made by the firm. It rated Carroll a “very unlikely Republican” (this is true; Carroll voted for Democrats in the 2016 general and primary elections) and assigned him scores on various political issues: He scored a 3/10 on “gun importance,” a 7/10 on “national security importance,” and a 9/10 on “traditional social and moral values.” He tweeted, “I’d rank this somewhat differently but feels roughly accurate. Could be worse.”
7/ Here is CA/SCL voter issue profile/propensity model on me. I’d rank this somewhat differently but feels roughly accurate. Could be worse. pic.twitter.com/n4x3IRQrL8
— David Carroll? (@profcarroll) March 27, 2017
The results were unsettling for Carroll and also for his thousands of Twitter followers, who he had been updating on his data-request efforts. It turned out a wide expanse of personal information about Carroll’s behavior was being connected to his voter file and shared with “commercial entities,” “research partners,” “political campaigns,” and other groups, according to the letter he received. “People were kind of terrified that this information was accurate,” Carroll says. “People had a visceral reaction that their voter files aren’t being protected like they ought to be.” While some of his followers said what he got was “typical data for the industry” or “no big surprise,” others called it “scary” and “deeply disturbing.”
But what was particularly problematic for Carroll was that, he believes, the profile the company sent him wasn’t nearly comprehensive. Nix and other Cambridge Analytica executives have boasted that the company has up to a startling 5,000 data points on each of the 230 million voters in the US. What Carroll received in March, according to his tweet at the time, was about 200 data points, and, even then, it wasn’t clear how or where the company got the data or who it was shared with, beyond the vague descriptions in the letter.
What’s more, the response came from someone at a British company, SCL, which suggested to Carroll that his data, and presumably the rest of Americans’ data, was in fact processed in the UK, just as Dehaye thought. And if the data had been processed in the US, Carroll suggests, there would be little incentive for them to share it given the restrictive data laws in America.
But according to the 1998 British Data Protection Act, any company that receives a personal data request is required to provide a “description of the personal data,” state their purpose of processing it, and disclose any people and countries, outside Europe, the data were shared with.* Carroll argues that Cambridge Analytica failed to share the necessary information when he asked. To get the rest of his data—if there was in fact more, as Nix had bragged—Carroll would have to sue.
In April, Carroll and a group of an unspecified number of Americans who have remained anonymous to protect their privacy hired a British solicitor recommended by Dehaye, Ravi Naik, to launch the first-of-its-kind legal battle against the company.
This case, the group hopes, will clarify the legal requirements for British data-collecting companies—including those with information on non-European citizens. More specifically, the Data Protection Act also states that companies, in most cases,* must obtain “explicit consent” from individuals before processing sensitive personal data, including “political opinions.” Cambridge Analytica, Naik argues, failed to obtain consent from American voters in 2016. “What the European regulations on data protection make clear is that if you want to collect and process sensitive personal data here, you should get consent to do so,” Naik tells Mother Jones. “Political opinions are recognized as a class of sensitive personal data, as information deserving of higher protection.”
American laws are much less forgiving. “If a [British] company has information about you, you have the right to access it, and if you ask for it, they have to give it to you,” Carroll tells Mother Jones. “We don’t have that right in the United States.” In the US, companies don’t need consent to collect its citizens’ data and aren’t legally obligated to share it with them. In fact, Carroll wouldn’t even have a case if the company processed its data in the United States (and won’t, if that turns out to be true). As Naik told the Guardian earlier this year, “It’s this fascinating situation because when it became apparent that Cambridge Analytica had processed Americans’ data in Britain, it suddenly opened up this window of opportunity. In the US, Americans have almost no rights over their data whatsoever, but the data protection framework is set up in such a way that it doesn’t matter where people are: it matters where the data is processed.”
The result of this case could blow the lid off how private data was used to shape votes and the outcome of 2016 election—and how it might be used in the future. As University of Maryland law professor and big data expert Frank Pasquale told the Guardian, “I think [this case] will be the model for other citizens’ actions against other big corporations. I think we will look back and see it as a really significant case in terms of the future of algorithmic accountability and data protection.”
Cambridge Analytica opened its doors in 2013 and claims to use big data to predict human behavior and influence political elections, according to the company’s website. But what sets Cambridge Analytica apart from other data firms is that it claims to use what’s known as psychographics to build its voter profiles. Many political campaigns have used demographics (e.g., age, race, gender) to target political messaging, and President Obama successfully and famously used consumer data to target voters. But psychographics, in theory, go deeper, claiming to be able to predict a voter’s personality traits, such as how organized, extroverted, or quick to worry they are, by looking at a person’s online and consumer behavior. Cambridge Analytica is the only data firm, Republican or Democratic, that has publicly claimed to use psychographics in political campaigns. All this begs the question: How does Cambridge Analytica then connect up to 5,000 data points of consumer behavior with American voter files to build their profiles?
“People don’t realize that all of their consumer behavior—every time they swipe their credit card, what websites they visit, the TV shows they watch—is being re-connected to your voter file and processed internationally,” Carroll says. “And we can’t opt out of it.”
Nix, however, offered a glimpse into the company’s mysterious practices in a presentation he gave nearly two months before Election Day 2016. In it, he claims that his company had been a powerful shaper of public opinion during the 2016 Republican primary campaign, bragging that Cambridge Analytica helped Ted Cruz rise from being “one of the less-popular” candidates to being the “second-most threatening contender.” Cruz, Nix said, accomplished this in part by sending highly-targeted, personalized political messages over social media and television to voters in key states—the same controversial tactics that, after Cruz dropped out of the race, were supposedly deployed on behalf of the election’s winner.
Nix then gives an example of those tactics: “The Second Amendment might be a popular issue amongst the electorate,” he said. “For a highly neurotic and conscientious audience, you’re going to need a message that is rational, and fear-based, or emotionally based.” He said, gesturing to his presentation slides, which displayed a photograph of a gloved hand breaking a window above the text, The Second Amendment isn’t just a right. It’s an insurance policy. DEFEND THE RIGHT TO BEAR ARMS. “In this case, the threat of a burglary and the insurance policy of a gun is very persuasive.”
What’s particularly frightening about Cambridge Analytica and SCL, Molly McKew, an information warfare expert and specialist on Russia-US relations notes, is that they are operating internationally to supposedly influence elections outside of where they are operating, in the US and elsewhere.
“Nobody wants to believe that information, coming from some place they don’t really understand, could change how they think or what their decisions are, but it can—for any of us,” McKew tells Mother Jones. “Why does some company incorporated in the United Kingdom have [our data]? What the hell is that for? If it were just about selling shoes, or getting you to buy vitamins or whatever crap—ok, fine. But that’s not what it’s being used for, and they specifically say that. [SCL] is a company that’s marketing themselves as a military-grade psychological warfare and psychological operations company. That is a problem for all of us.”
To be sure, there is another way to read the secrecy shrouding Cambridge Analytica’s data collection efforts. Daniel Castleman, co-founder of progressive data firm Clarity Campaign Labs, which worked on the Obama for America campaign, tells Mother Jones that the role of psychographics in the 2016 election has almost certainly been “overplayed.” There isn’t even a consensus in the data community on if these tactics work, he notes: “While how [psychographics] are described gives the impression that they help campaigns give deep insights in the minds of voters, current implementations have questionable scientific legitimacy and often lack accuracy when constructed from available voter and consumer data.”
And since the election, even the Trump campaign has downplayed the role of Cambridge Analytica’s tactics in helping it win. “We as a campaign made the choice to rely on the voter data of the Republican National Committee to help elect President Donald J. Trump,” Trump campaign executive director, Michael Glassner, said in a statement in October. “Any claims that voter data from any other source played a key role in the victory are false.” (Though of course there could be a certain amount of self-preservation in this statement, which came a few hours after the Daily Beast reported Nix’s offer to help Assange in the release of Clinton’s stolen emails.)
To add, even Cambridge Analytica itself is sending mixed messages about the use of psychographics on the Trump campaign. Nix said in that same fall 2016 presentation, “Of the two candidates left in the election, one of them is using these technologies,” referring to Trump. Then, at a December post-election panel hosted by Google, Matt Oczkowski, Cambridge’s head of product, said “I don’t want to break your heart; but we actually didn’t really do any psychographics with the Trump campaign.”
Regardless, with the appetite for fake news on the rise, bots distorting campaigns, and foreign entities meddling in American elections, tools like psychographics in the wrong hands, says McKew, may endanger democracy itself. “This is changing how elections work,” she says. “I can’t even imagine what that means for future elections.”
Carroll plans to file a formal lawsuit against the firm early next year, and the group is currently raising funds to cover any costs in case of a loss (in the UK, if they lose, they have to pay for the other side’s legal fees).
Cambridge Analytica maintains that they haven’t broken any laws and seems ready for a fight. “Mr. Carroll’s claims are unfounded, and unfortunately, he is wasting other people’s money with this spurious legal action,” Cambridge Analytica tells Mother Jones in an email. “Cambridge Analytica abides by all relevant data protection laws and, just as importantly, the company’s core values of integrity, respect and honesty. Data privacy is a fundamental right and one that Cambridge Analytica takes very seriously.”
In response to Carroll’s specific allegations against them, Cambridge Analytica tells Mother Jones, “Given that this is a legal matter, it would not be appropriate to make any further comment.” They also note, “Cambridge Analytica is not a data miner or a data broker. We can help clients extract value from their own data, and do our own market research, before exploring to what extent other data is available.”
The group of plaintiffs meanwhile steadfastly believes that their data are possibly being used to “manipulate our democracy, without our knowledge or consent,” according to their CrowdJustice fundraising campaign. A favorable ruling for the group would not just mean access to their own data and a chance to opt-out of the company’s monitoring, but it would also provide information on how the company is targeting voters—and could target voters in future elections. Armed with this knowledge, voters would in theory be less persuadable, and could even choose to pull their data from the hands of Cambridge Analytica and its peers.
“If David wins, everyone wins,” an optimistic Naik says.
Correction: An earlier version of this article incorrectly interpreted the British Data Protection Act and cited Section 24 of the Act, which does not apply to Carroll’s claim.
Clarification: Some entities can apply for exemptions under the law.