Privatised political surveilance
Why the hell is a single website being allowed a monopoly of data about the political views of supporters of diametrically opposed parties and campaigns?
Were you phoned up by the Leave or Remain Campaigns on your ex-directory telephone number during the Referendum Campaign (probably in breach of PECR)? I was. If so, how did they get my number? How did one of the Campaigns, for example, know who was a Millwall fan so the caller from a Campaign gloated (sorry, I mean …
"It is clear that the personal data above provides a detailed profile of the data subject’s social and political views"
Of the data sources listed the only ones which would provide this information are the social media ones - i.e. those where the data subject has actually proclaimed those views. I don't see how even voting in the general and local elections could provide any significant data: the most they could tell is whether the subject supported one of the parties standing in that particular constituency and as that almost invariably includes all the main parties it's not exactly a very specific piece of information.
Nevertheless the use of a supplier in a country with such a lackadaisical (I'm being generous) approach to privacy is a major concern.
"the most they could tell is whether the subject supported one of the parties standing in that particular constituency"
Sure about that? I could have sworn that the last voting slip I used had a number on it which was copied next to my details on the electoral register by polling station staff. I was under the impression that this was routine.
>I don't see how even voting in the general and local elections could provide any significant data
There are circs where voting or not voting could be dangerous info. In N Ireland, for instance, if a referendum is being boycotted by one side or the other.
There was a ref in NI back in the 70s. I didn't vote. My parents were told I hadn't voted.
Knowing that someone voted is extremely useful to know. If they don't and never do then you don't bother to knock their door when you're canvassing.
As for the comment about the ballot paper having a number on it, that's to make sure there are no dodgy fake votes stuffing the ballot box, basically a security feature. Your name is crossed off the list when you go to vote, your ballot paper and your name are not linked.
I hate when there are stories like this that help perpetuate so many myths (even indirectly) and do little to prevent scaremongering. Fact is, if you don't want the data used then don't put it out in the public domain in the first place. No-one is forcing you. The ex directory telephone numbers are more than likely from services you forgot to tick a box on to say you didn't want details passed on. Big political parties have automatic blocks on TPS numbers being dialled, they are more likely to respect your data than the shits who ring trying to get you to claim PPI or about that accident you had in the last 3 years.
A quick Google for Social Media analytical or profiling software gets about 2 million results. So considering that most of what has been used by the Brexiteers of one flavour or another was gleaned the same way, there should be similar concerns about most of the targetted advertising that reaches most people if it is anything less than a direct result of say, using Google, Amazon or eBay.
It is about time that the notion of implied consent merely because you happen to land on a site and don't immediately close the page, should be outlawed.
Wait! Perhaps social media should be outlawed. Then we'd have the Dark Farcebook I suppose.
Since you Brits won't be using the EU privacy policies for much longer, can we have them? Sure, businesses here in the Colonies will shit themselves, but it's better than them shitting on us.
A couple of announcements:
1. Today is "Independence Day" here in the United Colonies, a loathsome and rude thing to do to people we call friends
2. Tomorrow is Good Riddance Day in Great Britain, or at least it should be.
NationBuilder is a software as a service company. There are thousands of campaigning groups that use its services. Like Google, it can be asked to provide information for police investigations, under the laws of California. But otherwise it is a site hosting the databases of each organisation using its service, like any cloud data provider. I don't think that makes it a data controller, as the data is managed by each organisation hosting there. But I am not a lawyer.
Each organisation mentioned in the article has registered under the Data Protection Act, where they list all the many things political parties need to do to campaign in elections and maintain their databases. They should explain this in their privacy policies. As we see in the article, they don't do that very well.
Several of the limitations on commercial data protection do not apply to political parties. Since voting is a civic duty, you cannot opt out of electoral communications, be it from a council or a political party. For that reason, electoral law entitles political parties to the complete register of electors. You can opt out of the edited version sold to businesses, but not from political communications. Party officers sign an agreement that they will not use the electoral roll for non-political purposes. For the same reason, you cannot opt out of political telephone calls during election periods. It is electoral law that determines what parties can do in such circumstances.
Nevertheless, all parties maintain opt-out lists. There is no point communicating with someone who is not going to vote for you. NationBuilder is designed so that every email blast includes an opt-out link. If you use it to record telephone contacts, the telephone volunteer can mark the record do not call.
NationBuilder, and some rival systems, do pull in data from Twitter and Facebook that has been made available to everyone (not just friends), starting with followers of political party accounts. A deduplication routine each night tries to find matches with people in the database: but they have to be confirmed by a human being before the records are merged.
That is the state of the art as far as most UK parties go. A lot of local parties just use spreadsheets, and have no database. The Conservative Party commissioned a special voter database that failed on polling day last year, containing details of all the voter responses to surveys, so they could deliver to each voter in marginal constituencies a letter about the issue they were most concerned about (there is an article on Conservative Home that explains this).
Nowhere in the UK have I come across the extensive data collection and analysis done in the Obama 2012 campaign, when the Democrats and Republicans purchased lots of commercial demographic data, and even went as far as commissioning psychometric tests of voters in different towns, to work out how likely they were to vote at all. (A talk at a London data science meetup explained how they could explain 90% of the variance in probability to vote through a nested decision tree trained on such data.)
In short, most political parties are using data in the ways they are registered to use it under the Data Protection Act, but are not making this clear in their privacy policies.
IANAL but it doesn't. Safe Harbour has always been utterly useless and no guarantee of anything. It was nothing more than a voluntary agreement with copious get out clauses and was never backed up by law. So in short, a UK organisation has passed our personal data to data processors/holders that do not comply with the Data Protection act.
"so you're telling me that various political parties have handed over the *complete* electoral roll to some chancers in the colonies, who've mashed it up with facebook and twitter and all of that is now subject to US law? how does that even begin to be legal?"
Simple. Just leave the EU so you don't have to worry about those troublesome data protection laws or European courts, and then when people find out what you've been doing, you can just retrospectively legalise it. Seems to be standard procedure now.
If you're going to write in the first person, signing your name would be a nice touch. "Amberhawk Training" doesn't sound like anyone I'm likely to meet in a pub.
Also, the painting of "NationBuilder" as a data controller is unconvincing. Seriously, does there exist, anywhere in the world, a company that won't "disclose customer data... if required to do so by law or subpoena”? Without a lot more detail on specifically what "customer data" may be disclosed, this is not nearly enough information to call them a "data controller".
Maybe they'll just disclose the billing contact name and address of the Leave campaign (after all, that's their customer, right?)
The article comes from Amberhawk Training's own website: the words "Amberhawk Training" in the title are a link and it's explicitly credited at the end of the article. Therefore in the original context writing in the first person is entirely appropriate. I've got no idea how it comes to be on El Reg - maybe they nicked it, maybe there's an agreement to share content.
I happen to know that it was written by Dr. Chris Pounder who is one of the UK's leading experts on UK Data Protection law. I've had the pleasure of being taught by him and of hearing him speak several times. Even if I hadn't known that it would have taken about one second to click on the title link or three seconds to Google "Amberhawk Training" and find out.
* Electoral rolls from all UK constituencies (names and address nationality)
Wander into your local library. There's the electoral roll. The only difference is that political parties have access to the unedited register.
* Whether an individual voted in 2015 (General) and 2016 (Local) Elections
Wander into your local election office within 6 months of an election, and you can examine the marked register (the register used in the polling station with voters' names crossed off as they come in and vote).
* Telephone numbers (including those ex-directory) and email addresses
Those are only known if the person in question has given that information to them. There is no such thing as an email directory in the same way as a telephone directory. The only way anybody can know what the email address of Fred Smith at 22 Acacia Avenue is if Fred Smith at 22 Acacia Avenue has made that information available.
* Siblings living at home (from electoral roll one presumes)
* Linkedin profile, Facebook profile, Twitter activity
Come on, you're complaining that content on the internet can be seen by people who have access to content on the internet?
>Come on, you're complaining that content on the internet can be seen by people who have access to content on the internet?
No. We're complaining that they're not complying with the law.
Some of this stuff has always been available on paper. It had to be, so someone could check for fraud. Simply transferring the availability to electronic media changes things significantly. It turns this data into a commercial asset. If my info is to be a commercial asset, I want my cut (or I want out).
".....Facebook.....LinkedIn....." So information that people voluntarily put up on the Web? No laws about scraping that and then writing some software to run analysis against it, or use it for any other marketing or polling exercises. It's amusing how many people simply don't realise how much of their information they give away for free.
If the idea worries you that much, the best solution would be to create fake Facebook accounts and regularly populate them with the most rediculous ideas possible to screw with the marketing/polling companies. Things like after voting Monster Raving Looney, you enjoy crochet whilst watching Millwall FC with your pet giraffe and your seventeen children, all eating Marks & Spencer's beef bourguignon ready meals. Real people will get the satire, bots will eat it up into their marketing data.
"Whether an individual voted in 2015 (General) and 2016 (Local) Elections"
Wouldn't that be against the representation of the peoples acts?
Certainly when I used to work elections, at the end of the vote the electoral registers were sealed up and transported to the count, with the boxes and then after the count secured with the voting slips to be placed in secure storage for many years. Access to any of that would require a High Court Order.
Or are they saying that they have the party's tallies from the people at the exit of the polling stations?
If it is the 2nd, many won't give that data, and postal voters just aren't in it.
And my Twitter account isn't in my name and uses an email address not associated with me in any other way.
Biting the hand that feeds IT © 1998–2018