Given the time it's take to get the warrant...
...bet they'll find little more than a pile of well used paper shredders...
Cambridge Analytica’s London offices will finally be searched by the UK's Information Commissioner’s Office, following a marathon week of arguing inside and outside court. Woolwich Crown Court, sitting in the capital's Royal Courts of Justice for the occasion, granted the warrant after a five-hour hearing. The ICO, as the UK’s …
... as a diversion from the drive dump.
I'm guessing the only way the ICO can pin this one is to go through CA's backup policy and see how reality matches up to what should be. And whether small discrepencies can underpin a court case [most likely not].
If CA has the backing of GCHQ's best spooky hackers - no chance. One part of the corporate state defeating another. But perhaps they are more honest and respectful of individual liberty than we cynics assume.
It's sit back and wait for a result time. But what will it be?
That's even if they ever brought the data onshore to the UK in the first place. Something like that could do with being kept on say an azure database hosted on Ireland (since MS is somewhat bullish over data sovereignty).
It also doesn't mention of they're looking for evidence of work that was a result of analysis of the data... it all seems a tad suspect like everyone's trying to hide some bigger issue.
This post has been deleted by its author
The seven day process to obtain a warrant and the requirement to tip off the subjects of that warrant in advance don't really provide a huge amount of reassurance that ICO has the ability to enforce the rules, do they?
Have you ever tried to get the ICO to take enforcement action against anyone, even where they have determined a breach of the Act has occurred and they can plainly see harm has resulted from it? It's all but impossible, unless you happen to be a media outlet.
The biggest problem isn't the level of power they have, its their absolute stubborn refusal to use it unless cornered like a rat in a trap and nailed to the bloody floor. Seriously WAKE UP ICO!!
" Something like that could do with being kept on say an azure database hosted on Ireland (since MS is somewhat bullish over data sovereignty)."
in the circumstances, and as long as they follow the processes properly, I'd guess their chances in an Irish court are probably fairly high ....
Any CIOs or executives/managers on the IT side from that organisation, with the experience gained from this kind of ICO / criminal investigation, would be worth their weight in gold to an organisation with something to hide. Not that I would trust them one micron in order to hire them - they'll either have been aware of all those goings on and turning a blind eye or even sanctioning the operation and therefore untrustworthy in the extreme, or they won't have been doing their job and therefore be of only limited value.
I wonder what's happened to them all? Does anyone have a list?
They absolutely should always need a warrant.
That's the only step in the process that stops bodies like this being used as weapons.
It's the business equivalent of SWATing someone (US prank calls to the police that result in heavily armed fuzz putting your door through, usually after an online fallout with someone). People have been killed like this over falling out/name calling while gaming online.
Same thing here. With no requirement for a warrant they'd get 100s of "tips" per day , about various businesses, made by a competitor.
Facebook, the court was told by barristers Christopher Coltart QC and Philip Coppel QC on behalf of CA, demanded that the slurped data be deleted...
This always pisses me off when I read it. Everyone knows you can't delete data and it is naive to assume otherwise. Any company with such a lack of ethics that they would slurp private data in the first place is going to have a backup hidden somewhere.
The only way to guarantee this doesn't happen again is criminal penalties for upper management. It's the only way.
If they are made to delete all their copies of the data and later it reappears then they have gone against the court.
So deleting is removing the company's right to hold/use/sell the data, something that I would suggest most people would agree was a minimum requirement.
> If they are made to delete all their copies of the data and later it reappears then they have gone against the court.
But the data itself doesn't appear anywhere, it's just used, and it will be very hard to prove any future mailings/whatever some future incarnation of CA sends out might be based on that dataset - given nobody knows for sure what it contains.
I'm not even sure they actually have to hide the database. One can expect to find databases in a company like that, so all they have to do is to change the label form "Facebook data" to "Current subscribers" or some such, and that's it: "Why, this is a completely different database. The one you're looking for has been deleted, and if you pretend otherwise we'll sue you for slander"...
Having used a small office paper shredder last week to delete accumulated financial statements, I wouldn't try to shred many documents in-house. It didn't work well for the STASI in 1990 either. You have to use an industrial shredder* which makes it interesting to consider why CA allegedly removed boxes of material...
* I once watched a DEC RL02 disk pack being fed into a shredder.
@DJV; "a pile of well used paper shredders"
I would *not* rely on a paper shredder alone- not even a cross-cut one- to protect me in a case as serious as this.
I'm pretty certain there must be software out there able to take arbitrary amounts of scanned pieces, figure out which bits are most likely to join together- using multiple heuristics- then reassemble most of the "destroyed" documents.
If you can scatter them far and wide enough before anyone is likely to get their hands on them, this might not be workable, but you have to get away with *that* as well.
"They suggested that the application for the warrant was flawed because, among other things, CA had offered to allow the ICO access to its offices, subject to agreeing the terms and scope of access with the regulator."
Where the "terms and scope of access" presumably included not being able to look in places CA didn't want them to.
OK i'm a thicko but my understanding so far is that CA dubiously acquired , ok nicked (NO not nicked, took an unauthorised copy of) some of Facebooks data on users and , ye gads, horror of horrors, used it for political purposes.
So what? It's not as though Facebooks data is gathered entirely ethically or lawfully in the first place. What is the ICO doing about that aspect?
On a smaller scale, a local organisation ( well, a handful of people) have gathered data about myself and, using it for political purposes, regularly post their shite through my letterbox.
Ok, they may call it a Liberal Democrat newsletter but it's still shite. Tbf, the Tories don't even bother, no point, at all.
Haven't the ICO and indeed Courts got better things to do?
@The Nazz
I've always loved the creation, care and feeding of databases; they fit right into my bent on doing the same with models. They are the model once you create your rules sets. From everything I've read, and I've been reading rather a lot, the creation of this dataset was done using Facebook's graph database and Facebook's API's. It's a bit rich for Facebook to come back and say that this was wrong. I'd put Mr. Z up against the wall especially for his comments and non-apologies.
And the worst part? Way too many people, including nation-state actors, have extracted similar datasets. Apparent acts in accordance power-conflict theory, thanks Marx, as applied to IT. Looks like we need an ethics course for all of IT, and related professional fields. Not that they seem to work as applied to lawyers or journalists.
As to the ICO, they were either complicit or willfully blind. This was all known about for years. Were they interested at what was harvested and held, they could have applied for an API key and had someone with an inkling about databases see what they could turn up. I've been able to do this, with a total lack of documentation on mainframes since I began working with computers. Way back when ISAM was king which is saying something. One tool, comes with every OS I've run into, pointed at the database itself. I guess they need to bring some database/data-scientist types with a clue.
To the best of my knowledge, the Liberal Democrats did not send out a fake Labour manifesto promising to solve the housing crisis by nationalising property and billeting homeless foreigners on anyone who can't afford the legal fees to prevent it. They did not distribute a fake conservative election promise to disband the Serious Fraud Office so business could proceed without hindrance. They did not even publish an article in the local newspaper saying that the reason for all the potholes was that 97% of council tax goes to Europe [but someone actually did and I met people who believed it].
CA/Aggregate IQ claimed to have received a clean bill of health from the electoral commission. The real conversation when something like UKEC: "Have you done anything naughty?" Aggregate IQ: "We do not have to answer your questions, we are Canadian."
CA made an effort not to be noticed. They made an effort to present their activities as either legal or beyond UK jurisdiction. Their most obvious cock-up involves possibly illegal use of Facebook data. I have a small preference for laws more specific to what CA have actually done. I have a much larger preference for teaching critical thinking in schools. Both have unpleasant consequences for current politicians, so I will just have to make do with the laws we have being enforced to the full (tiny) extent of the ICO's powers.
"One of those is the question of whether or not the court is satisfied that the evidence which is the subject of the application is in fact on the premises in question.”
So to get the warrant, you've convinced the court the evidence is there. When you execute said warrant, and the evidence is not found, by definition, in the court's eyes they must be guilty of destruction of said evidence. This seems pretty smart to me! The ICO either has the evidence or an easy conviction... (this is how it all works, right?)
My understanding from the article is that for the type of warrant being issued they need to be given seven days advanced notification of the warrant. Nothing to do with judges or the ICO - its just the law*
*Whether or not that makes sense is another matter - Im sure that there's a good reason for it.
found that app installed in my FB apps list.. and they had default access to all my profile and social network =( I dont even know how it got there in the first place and when!! Also they dont even have a way to remove your data..
Anonymous, because you never know.
Must be lots of judges and politicians with new Ukrainian girlfriends...
Utterly pathetic as it was designed to be entirely a useless watchdog paying lip service to its job. Just like Ofwat, Ofgem, and plenty of others. Its only purpose is to keep the 'little people' happy for the few seconds they actually bother wondering why they've been ripped off yet again by the neoliberal establishment. After the right wing press have been wheeled out to prove to them 'somethings being done about it by the regulator' they can return to their diet of immigrant hating, footie and tits.
Welcome to feudal Britain.
Information Commissioner Elizabeth Denham's Posse have left CA London office;
"The seven-hour search finished in the early hours of Saturday"
Looking at that article the only word that springs to mind is "circus".
Have we really seen so much fake news that we now accept this bullshit? That's what it is and to call it any other name is insulting to bulls.
How does it take seven hours to realise that there is no data on the premises and never was?
Here's the logic. You are running queries against a data set of potentially 50 million users, what server do you need for that and how much disk space is required? Do we believe they could fit it in an office in London? Lets not be stupid, it's in a cloud instance somewhere or at a proper data centre. Maybe they didn't need to collect all the data and had a deal with Facebook where they could target people directly through Facebook while paying for the privilege. That makes much more sense.
"You are running queries against a data set of potentially 50 million users, what server do you need for that and how much disk space is required? "
You are Austin Powers and I claim my (old money) five pounds
50 million records and the power to search them sounds like it would run on a web page on my phone.
"Here's the logic. You are running queries against a data set of potentially 50 million users, what server do you need for that and how much disk space is required? Do we believe they could fit it in an office in London? Lets not be stupid, it's in a cloud instance somewhere or at a proper data centre."
The actual data in question isn't the only thing that would count as evidence. There would also have been documentation related to it, whether that's in paper form (all the way down to post-it notes that could have something incriminating written on them), electronic form (emails, text messages), invoices and receipts, entries in accounting records, and so on. It's important to find as much of this as possible - even if each element on its own doesn't look like much - then put the jigsaw together.
The actual data itself would be a massive bonus. The chances of that still being there is slim to none - the chances of there being any of the above is also slim, but greater than the data in question. (The more disparate the pieces of the jigsaw, the harder it is to hide it all away/dispose of it).
"Here's the logic. You are running queries against a data set of potentially 50 million users, what server do you need for that and how much disk space is required? Do we believe they could fit it in an office in London?"
I did a repair on a server grade desktop box a few years ago at a university. The user was running queries for research on a local copy of the entire NHS patient database, over 60 million records. No network connection due to data sensitivity. The HDD looked exactly the same physical dimensions as any other 3.5" HDD. Weird that it all managed to fit in there eh?
>you can only put just under two million records in excel so that's like 25 worksheets.
Erm, Microsoft make more than one program that can handle sets of data. Access for example lets you have databases up to 2GB in size, or SQL Server, depending on the version chosen, can handle terabytes at a time.
That’s just if you stick with MS. There are plenty of other database systems out there which can handle databases way larger than a puny 50 million records.
>Looking at that article the only word that springs to mind is "circus".
Yes, it does seem to have been a bit of a circus, but look at what the ICO have achieved:
1. They have shown the powers given to the ICO by the Westminster politicians are laughable, further showing the lie to the government's commitments to data protection etc.
2. Given notice to others, if the ICO want to take a look at your organisation, no is not an acceptable answer.
3. Given their investigative team a chance to use their skills and tools in a real-world trial.
As yet we don't know if CA are another Enron et al., where the company never expected to have its offices raided and so overlooked their incriminating data archival and destruction practices...
>How does it take seven hours to realise that there is no data on the premises and never was?
I'm actually a little surprised the search only took 7 hours (8pm to 3am) on a friday night. Given how CA behaved, I would have expected the ICO to have taken at least a few weeks to complete their search...
Also the ICO were probably between a rock and a hard place. As having got the court to issue the warrant, they had to be seen to exercise it, or their failure to do so might come back to haunt them...
we have a 2 year browsing history for 1400 people. The dataset is about 1.2Tb. The sql server it sits on has a measly 4 cores and 64Gb RAM allocated to the VM. The actual physical server is a pair of R610s with dual quad cores and 192Gb ram connected to an MD3220i raid10 array using quad 1gb mpio. The same sql server also has a print manager dataset with about 400Gb and WSUS database plus sophos database giving another 300Gb or so. Response time is more than adequate.
the whole shebang is 6U high if you count the UPS and switch.
The sheer number of shell company names suggest planned malfeasance, especially Aleksandr Kogan's 'cloak and data' pseudonym Aleksandr Spectre.
An innocent company wouldn't have paid those huge legal fees to buy time, and whatever skeletons were in those crates hastily removed on Monday, shamelessly under the journalists noses, will be disappeared by now.
The delay in getting a warrant hints at corruption or complicity within the British establishment and highlights that the ICO should no longer be required to obtain a warrant.
Facebook's complicity is shown by its legal threats against The Observer before publication, but it's lack of legal action against Cambridge Analytica for reputational damage after losing many billions of dollars.
"crates hastily removed on Monday, shamelessly under the journalists noses"
Journalists who apparently didn't think to follow them.
"highlights that the ICO should no longer be required to obtain a warrant."
Do you honestly think that the reason the ICO is like this isn't by design?
The issue wasn't the need to obtain a warrant.
The issue is the legal requirement to give 7 days notice to the other party.
As previous comments have noted, the ICO should always be required to obtain a warrant. Same for any other body wanting to search premises or equipment. It's the only thing that prevents these bodies being used as a blunt instrument to squash competitors.
The laughable bit is the legally required 7 day notice period to. That's the part that shouldn't be required.
Once upon a time, in cases where there was reason to believe an offence (or offences) had been committed and there was a real risk of evidence being destroyed in the time before a search warrant could be executed, the authorities could apply for what was commonly called an "Anton Piller order".
Whatever happened to that concept? Gone? Not applicable? Inconveniently career limiting for any "lawyers for hire; no win no fee" involved in not properly protecting the corporate guilty?
This is a relatively simple example of another problem which can be fixed by the solution to Accountability Theatre.
Had the solution been in place for this instance, every data item or collection they'd ever received, together with all correspondence and recorded conversations about the project (including, for example, the internal emails from their Academic Colleaugues at Cambridge, protesting at the "get rich quick" scheme) would have been hashed on receipt or creation and those hashes committed to an immutable audit trail. Mandatory access controls would have ensured that no data could be processed (or, in appropriate cases even accessed) without confirmation that its hash was duly recorded, along with identity and proof of access.
This process would render doubts and discussion about the length of time it takes to get warrants utterly irrelevant as the audit trail would either confirm the completeness of material - or reveal which items were missing or tampered with. As I say, (Relatively) Simples.
Solving the larger problem of Facebook (et al) leeching private data from their victims is not quite so simple, by virtue of scale. But the ability to prove, indisputably, who has agreed to, or authorised or implemented or paid for (whatever) would go a long way to forcing transparency into their murky world.
How many people here are saying '"give government agencies even easier access to warrants and snooping".
Is this the same crowd that complains about that the rest of the time? Are you being played over this?
We know that despite shenanigans, they had little if any effect.
But you want to arm the government with even more power over you?
That can backfire, you know. The progressives in the US and a lazy congress handed the office of president all these extra executive powers - fine as long as it was their guy promoting the corrupt status quo, but look at 'em spin now! They are afraid (perhaps rightly, too soon to judge) that these powers will be used as corruptly against them now as they used them against us before.
Shortsighted much?
The whole thing shows the pointlessness of the Snoopers Charter; anyone who wants to hide will, the sort of legislation proposed will catch some people of course, but the type of threat we're being told it's aimed at ...
In this case, one of the Cambridge Analytic (nearly put CA, apologies to Computer Associates) "gentlemen" was on camera talking about using ProtonMail - I wonder if Amber Rudd, or her immediate predecessor, would care to go on TV and explain exactly how the Snoopers Charter would have enabled the government to take action against Cambridge Analytica the moment it became clear information obtained by irregular means was being used by a political campaign with no accountability?
Are you sure it was the progressives in the US that gave extra powers to the presidency? I think you'll find that a lot of that happened after 911 which was under W, who was considered one of the worst Presidents until Trump, unless you consider W a progressive. I do agree with you that giving governments more search and seizure rights can be short sighted. Although, the way this has played out seems odd, at the least.
"But you want to arm the government with even more power over you?"
Not over me. Or any other individual, but corporations and that changes the game totally.
I really wish I had the privilege of a court order and 7-day warning period of any search in my house as currently any police (literally) can write a warrant outside my house to himself and use that to break in, without any previous warning. Whole process takes 2 minutes.
Why any corporation is having that kind of protection when none of the individuals do?
Remove those and drop the corporations to the same level as individuals. It's obvious that those restrictions are there just to protect good buddies, who paid for that to legislator.
Cambridge Analytica (CA) sent two QCs – top barristers – to argue against the ICO’s application. They suggested that the application for the warrant was flawed because, among other things, CA had offered to allow the ICO access to its offices, subject to agreeing the terms and scope of access with the regulator.
Presumably the scope the ICO wanted was full access and CA didn't want to give it.
Interesting! I remember coming across that application not long ago (perhaps a month or two). Sadly I would have been unable to check it out, had I been so inclined, because of the privacy settings of my Facebook profile, which consist of not having a Facebook profile in the first place (and not ever having had one, cause it seemed like a dodgy idea from day zero).
Not being familiar with the legislation around ICO, I would have thought that the initial warrant would have been given ex parte so they move into to seize the assets. Then, the respondent would then be able to go court to determine whether the ICO were able to continue with the seizure, or if the ICO had to return the assets unsearched.
However, destroying all the data is problematic, since that could be construed as a contempt.
In the end, I suspect that Cambridge Analytica's defence will be simple: they did not break the law at the time of their actions and therefore should not be prosecuted.
Data Enforcers UK. A variant on the Bodycam Cops and Crime Vanquishers type of series that clog the airwaves showing dramatic scenes of vans full of police officers turning up to search houses of small time soft drug dealers in which a team move in rapidly to arrest these menacing scumbags.
Thrill as they turn up as expected armed with court documents authorisaing a search relating to the possible manipulation of democracy in the most powerful nation on Earth, bearing terrifying threats like "you must let us in in 7 days to look at your computers to check that you've not been breaking the data protection rules and therefore become liable for a fine"........
HMRC and a tax audit. One comment that struck me from the C4 clips was the Cambridge Analytica execs offering to run everything through an SPV/shell company. Depending on who their clients were, that could raise tax problems, along with possible money laundering/election spending. Hopefully that won't result in any Sarkozy moments.
BONKERS.
Obviously designed to protect "friends" of the Government?
It should be secret with NO notice.
Then normal appeals etc should apply if there was any charges.
Does it apply to suspected Child Pron, or Terrorism, or other suspected illegal computer contents?
Ain't nobody time for that!
What, when you can just pay a smallish wad to choke a Ravenous Bugblater Beast of Traal with, to the Zuckkster, and let him then pass along his Golden Key to you little Organization, to make what use of as they can.
I mean what the **** did you ruddey well think was gonna happen with this Data anyway? I'm actually still quite gobsmacked that the left, and their MSM cronies still haven't quite worked out the connection between Cambridge Analytica, and the Kremlin yet.
"warrants issued under Blighty's Data Protection Act must by law, in most circumstances, require those on the receiving end be given seven days of notice of the intended swoop in writing, and be given a chance to argue against the warrant if they so wish."
What's the point of such a law if not giving corporations all the time they need to clean the mess?
In any event, unlike virtually all other search warrants, warrants issued under Blighty's Data Protection Act must by law, in most circumstances, require those on the receiving end be given seven days of notice of the intended swoop in writing, and be given a chance to argue against the warrant if they so wish.
Brilliant! Only in the UK...
One also wonders what they could achieve in 7 hours on the premises?
Unless they took hardware with them for forensic analysis off-site?
They really are looking for evidence that the data was recently wiped. Not the actual data.
it's not like those cold-calling scumbags that file for bankruptcy, when the ground becomes hot under their feet. Move on, citizens, there's absolutely NOTHING to see, pure coincidence, companies are born and die every minute, move on, NOTHING to see, move on...
p.s. I'm sure our government would not be, in any way, involved, by means of personal links (oops!) and backhand deals, eh? NOTHING to see, move on, MOVE ON!!!!