Disinformation and fake news Interim Report by UK Government

There are many potential threats to our democracy and our values. One such threat arises from what has been coined ‘fake news’, created for profit or other gain, disseminated through state-sponsored programmes, or spread through the deliberate distortion of facts, by groups with a particular agenda, including the desire to affect political elections.
About Techcelerate Ventures

Tech Investment and Growth Advisory for Series A in the UK, operating in £150k to £5m investment market, working with #SaaS #FinTech #HealthTech #MarketPlaces and #PropTech companies.
data Facebook company tech company Cambridge Analytica social Media Interim Report fake campaign inform electors Commission user politics Committee people Disinformation Evidence Digital work politics campaign Content
House of Commons
Digital, Culture, Media and 
Sport Committee
Disinformation and 
‘fake news’: Interim 
Report
Fifth Report of Session 2017–19
Report, together with formal minutes relating 
to the report
Ordered by the House of Commons 
to be printed 24 July 2018
HC 363
Published on 29 July 2018
by authority of the House of Commons
The Digital, Culture, Media and Sport Committee
The Digital, Culture, Media and Sport Committee is appointed by the House 
of Commons to examine the expenditure, administration and policy of the 
Department for Digital, Culture, Media and Sport and its associated public bodies.
Current membership
Damian Collins MP (Conservative, Folkestone and Hythe) (Chair)
Clive Efford MP (Labour, Eltham)
Julie Elliott MP (Labour, Sunderland Central)
Paul Farrelly MP (Labour, Newcastle-under-Lyme)
Simon Hart MP (Conservative, Carmarthen West and South Pembrokeshire)
Julian Knight MP (Conservative, Solihull)
Ian C. Lucas MP (Labour, Wrexham)
Brendan O’Hara MP (Scottish National Party, Argyll and Bute)
Rebecca Pow MP (Conservative, Taunton Deane)
Jo Stevens MP (Labour, Cardiff Central)
Giles Watling MP (Conservative, Clacton)
The following Members were also members of the Committee during the inquiry
Christian Matheson MP (Labour, City of Chester)
Powers
The Committee is one of the departmental select committees, the powers of which 
are set out in House of Commons Standing Orders, principally in SO No 152. These 
are available on the internet via www.parliament.uk.
Publication
Committee reports are published on the Committee’s website at 
www.parliament.uk/dcmscom and in print by Order of the House.
Evidence relating to this report is published on the inquiry publications page of the 
Committee’s website.
Committee staff
The current staff of the Committee are Chloe Challender (Clerk), Joe Watt (Second 
Clerk), Lauren Boyer (Second Clerk), Josephine Willows (Senior Committee 
Specialist), Lois Jeary (Committee Specialist), Andy Boyd (Senior Committee 
Assistant), Keely Bishop (Committee Assistant), Lucy Dargahi (Media Officer) and 
Janet Coull Trisic (Media Officer).
Contacts
All correspondence should be addressed to the Clerk of the Digital, Culture, Media 
and Sport Committee, House of Commons, London SW1A 0AA. The telephone 
number for general enquiries is 020 7219 6188; the Committee’s email address is 
cmscom@parliament.uk
1
 Disinformation and ‘fake news’: Interim Report 
Contents
Summary 
3
1 
Introduction and background 
4
Definition of ‘fake news’ 
7
How to spot ‘fake news’ 
8
Our recommendations in this Report 
9
2 The definition, role and legal responsibilities of tech companies 
10
An unregulated sphere 
10
Regulatory architecture 
11
The Information Commissioner’s Office 
11
The Electoral Commission 
13
Platform or publisher? 
16
Transparency 
18
Bots 
19
Algorithms 
20
Privacy settings and ‘terms and conditions’ 
21
‘Free Basics’ and Burma 
22
Code of Ethics and developments 
23
Monopolies and the business models of tech companies 
24
3 The issue of data targeting, based around the Facebook, GSR and 
Cambridge Analytica allegations 
26
Cambridge Analytica and micro-targeting 
26
Global Science Research 
28
Facebook 
31
Aggregate IQ (AIQ) 
32
The links between Cambridge Analytica, SCL and AIQ 
33
4 Political campaigning 
37
What is a political advert? 
37
Electoral questions concerning the EU Referendum 
38
Co-ordinated campaigns 
38
Leave.EU and data from Eldon Insurance allegedly used for campaigning work 40
5 Russian influence in political campaigns 
43
Introduction 
43
Use of the data obtained by Aleksandr Kogan in Russia 
44
 Disinformation and ‘fake news’: Interim Report 
2
The role of social media companies in disseminating Russian disinformation 
45
Leave.EU, Arron Banks, and Russia 
47
Foreign investment in the EU Referendum 
49
Catalonia Referendum 
50
Co-ordination between UK Departments and between countries 
51
6 SCL influence in foreign elections 
53
Introduction 
53
General 
53
St Kitts and Nevis 
55
Trinidad and Tobago 
56
Argentina 
56
Malta 
56
Nigeria and Black Cube 
57
Conclusion 
58
7 Digital literacy 
60
The need for digital literacy 
60
Why people connect on social media 
60
Content on social media 
61
Data on social media 
61
A unified approach to digital literacy 
62
Young people 
62
School curriculum 
62
Conclusions and recommendations 
64
Annex 
74
Formal minutes 
77
Witnesses 
78
Published written evidence 
81
List of Reports from the Committee during the current Parliament 
87
3
 Disinformation and ‘fake news’: Interim Report 
Summary
There are many potential threats to our democracy and our values. One such threat arises 
from what has been coined ‘fake news’, created for profit or other gain, disseminated 
through state-sponsored programmes, or spread through the deliberate distortion of 
facts, by groups with a particular agenda, including the desire to affect political elections.
Such has been the impact of this agenda, the focus of our inquiry moved from 
understanding the phenomenon of ‘fake news’, distributed largely through social 
media, to issues concerning the very future of democracy. Arguably, more invasive than 
obviously false information is the relentless targeting of hyper-partisan views, which 
play to the fears and prejudices of people, in order to influence their voting plans and 
their behaviour. We are faced with a crisis concerning the use of data, the manipulation 
of our data, and the targeting of pernicious views. In particular, we heard evidence of 
Russian state-sponsored attempts to influence elections in the US and the UK through 
social media, of the efforts of private companies to do the same, and of law-breaking by 
certain Leave campaign groups in the UK’s EU Referendum in their use of social media.
In this rapidly changing digital world, our existing legal framework is no longer fit for 
purpose. This is very much an interim Report, following an extensive inquiry. A further, 
substantive Report will follow in the autumn of 2018. We have highlighted significant 
concerns, following recent revelations regarding, in particular, political manipulation 
and set we out areas where urgent action needs to be taken by the Government and other 
regulatory agencies to build resilience against misinformation and disinformation into 
our democratic system. Our democracy is at risk, and now is the time to act, to protect 
our shared values and the integrity of our democratic institutions.
 Disinformation and ‘fake news’: Interim Report 
4
1 
Introduction and background
1. 
In this inquiry, we have studied the spread of false, misleading, and persuasive 
content, and the ways in which malign players, whether automated or human, or both 
together, distort what is true in order to create influence, to intimidate, to make money, or 
to influence political elections.
2. People are increasingly finding out about what is happening in this country, in their 
local communities, and across the wider world, through social media, rather than through 
more traditional forms of communication, such as television, print media, or the radio.1 
Social media has become hugely influential in our lives.2 Research by the Reuters Institute 
for the Study of Journalism has shown that not only are huge numbers of people accessing 
news and information worldwide through Facebook, in particular, but also through social 
messaging software such as WhatsApp. When such media are used to spread rumours 
and ‘fake news’, the consequences can be devastating.3
3. Tristan Harris, Co-founder and Executive Director, at the Center for Humane 
Technology—an organisation seeking to realign technology with the best interests of its 
users—told us about the many billions of people who interact with social media: “There are 
more than 2 billion people who use Facebook, which is about the number of conventional 
followers of Christianity. There are about 1.8 billion users of YouTube, which is about the 
number of conventional followers of Islam. People check their phones about 150 times a 
day in the developed world.”4 This equates to once every 6.4 minutes in a 16-hour day. This 
is a profound change in the way in which we access information and news, one which has 
occurred without conscious appreciation by most of us.
4. This kind of evidence led us to explore the use of data analytics and psychological 
profiling to target people on social media with political content, as its political impact 
has been profound, but largely unappreciated. The inquiry was launched in January 2017 
in the previous Parliament, and then relaunched in the autumn, following the June 2017 
election. The inquiry’s Terms of Reference were as follows:
• What is ‘fake news’? Where does biased but legitimate commentary shade into 
propaganda and lies?
• What impact has fake news on public understanding of the world, and also on 
the public response to traditional journalism? If all views are equally valid, does 
objectivity and balance lose all value?
• 
Is there any difference in the way people of different ages, social backgrounds, 
genders etc use and respond to fake news?
• 
Have changes in the selling and placing of advertising encouraged the growth of 
fake news, for example by making it profitable to use fake news to attract more 
hits to websites, and thus more income from advertisers?5
1 
News consumption in the UK: 2016, Ofcom, 29 June 2017
2 
Tristan Harris, Co-founder and Executive Director, Center for Humane Technology, Q3147
3 
The seventh annual Digital News Report, by the Reuters Institute for the Study of Journalism, University of 
Oxford was based on a YouGov online survey of 74,000 people in 37 countries.
4 
Tristan Harris, Q3147
5 
Terms of reference, Fake News inquiry, DCMS Committee, 15 September 2017.
5
 Disinformation and ‘fake news’: Interim Report 
5. We will address the wider areas of our Terms of Reference, including the role of 
advertising, in our further Report this autumn. In recent months, however, our inquiry 
delved increasingly into the political use of social media, raising concerns that we wish 
to address immediately. We had asked representatives from Facebook, in February 2018, 
about Facebook developers and data harvesting.6 Then, in March 2018, Carole Cadwalladr 
of The Observer,7 together with Channel 4 News, and the New York Times, published 
allegations about Cambridge Analytica (and associated companies) and its work with 
Global Science Research (GSR), and the misuse of Facebook data.8 Those allegations 
put into question the use of data during the EU Referendum in 2016, and the extent of 
foreign interference in UK politics. Our oral evidence sessions subsequently focussed on 
those specific revelations, and we invited several people involved to give evidence. The 
allegations highlighted both the amount of data that private companies and organisations 
hold on individuals, and the ability of technology to manipulate people.
6. This transatlantic media coverage brought our Committee into close contact with 
other parliaments around the world. The US Senate Select Committee on Intelligence, the 
US House of Representatives Permanent Select Committee on Intelligence, the European 
Parliament, and the Canadian Standing Committee on Access to Information, Privacy, 
and Ethics all carried out independent investigations. We shared information, sometimes 
live, during the hearings. Representatives from other countries, including Spain, France, 
Estonia, Latvia, Lithuania, Australia, Singapore, Canada, and Uzbekistan, have visited 
London, and we have shared our evidence and thoughts. We were also told about the 
work of SCL Elections—and other SCL associates, including Cambridge Analytica—set 
up by the businessman Alexander Nix; their role in manipulating foreign elections; and 
the financial benefits they gained through those activities. What became clear is that, 
without the knowledge of most politicians and election regulators across the world, 
not to mention the wider public, a small group of individuals and businesses had been 
influencing elections across different jurisdictions in recent years.
7. We invited many witnesses to give evidence. Some came to the Committee willingly, 
others less so. We were forced to summon two witnesses: Alexander Nix, former CEO of 
Cambridge Analytica; and Dominic Cummings, Campaign Director of Vote Leave, the 
designated Leave campaign group in the EU Referendum. While Mr. Nix subsequently 
agreed to appear before the Committee, Dominic Cummings still refused. We were then 
compelled to ask the House to support a motion ordering Mr Cummings to appear before 
the Committee.9 At the time of writing he has still not complied with this Order, and the 
matter has been referred by the House to the Committee of Privileges. Mr Cummings’ 
contemptuous behaviour is unprecedented in the history of this Committee’s inquiries and 
underlines concerns about the difficulties of enforcing co-operation with Parliamentary 
scrutiny in the modern age. We will return to this issue in our Report in the autumn, and 
believe it to be an urgent matter for consideration by the Privileges Committee and by 
Parliament as a whole.
6 
Monika Bickert, Q389
7 
In June 2018, Carole Cadwalladr won the Orwell journalism prize, for her investigative work into Cambridge 
Analytica, which culminated in a series of articles from March 2018.
8 
Harry Davies had previously published the following article Ted Cruz using firm that harvested data on millions 
of unwitting Facebook users, in The Guardian, on 11 December 2015, which first revealed the harvesting of data 
from Facebook.
9 
Following the motion being passed, Dominic Cummings did not appear before the Committee. The matter was 
then referred to the Privileges Committee on 28 June 2018.
 Disinformation and ‘fake news’: Interim Report 
6
8. 
In total, we held twenty oral evidence sessions, including two informal background 
sessions, and heard from 61 witnesses, asking over 3,500 questions at these hearings. We 
received over 150 written submissions, numerous pieces of background evidence, and 
undertook substantial exchanges of correspondence with organisations and individuals. 
We held one oral evidence session in Washington D.C. (the first time a Select Committee 
has held a public, live broadcast oral evidence session abroad) and also heard from 
experts in the tech field, journalists and politicians, in private meetings, in Washington 
and New York. Most of our witnesses took the Select Committee process seriously, and 
gave considered, thoughtful evidence, specific to the context of our inquiry. We thank 
witnesses, experts, politicians, and individuals (including whistle-blowers) whom we met 
in public and in private, in this country and abroad, and who have been generous with 
their expertise, knowledge, help and ideas.10 We also thank Dr Lara Brown and her team 
at the Graduate School of Political Management at George Washington University, for 
hosting the Select Committee’s oral evidence session in the US.
9. As noted above, this is our first Report on misinformation and disinformation. 
Another Report will be published in the autumn of 2018, which will include more 
substantive recommendations, and also detailed analysis of data obtained from the 
insecure AggregateIQ website, harvested and submitted to us by Chris Vickery, Director 
of Cyber Risk Research at UpGuard.11 Aggregate IQ is one of the businesses involved most 
closely in influencing elections.
10. Since we commenced this inquiry, the Electoral Commission has reported on serious 
breaches by Vote Leave and other campaign groups during the 2016 EU Referendum; 
the Information Commissioner’s Office has found serious data breaches by Facebook 
and Cambridge Analytica, amongst others; the Department for Digital, Culture, Media 
and Sport (DDCMS) has launched the Cairncross Review into press sustainability in the 
digital age; and, following a Green Paper in May, 2018, the Government has announced 
its intention to publish a White Paper later this year into making the internet and social 
media safer. This interim Report, therefore, focuses at this stage on seven of the areas 
covered in our inquiry:
• 
Definition of fake news, and how to spot it;
• 
Definition, role and legal liabilities of social media platforms;
• 
Data misuse and targeting, focussing on the Facebook/Cambridge Analytica/
AIQ revelations;
• 
Political campaigning;
• 
Foreign players in UK elections and referenda;
• 
Co-ordination of Departments within Government;
• 
Digital literacy.
10 
Our expert adviser for the inquiry was Dr Charles Kriel, Associate Fellow at the King’s Centre for Strategic 
Communications (KCSC), King’s College London. His Declaration of Interests are: Director, Kriel.Agency, a digital 
media and social data consulting agency; Countering Violent Extremism Programme Director, Corsham Institute, 
a civil society charity; and Cofounder and shareholder, Lightful, a social media tool for charities.
11 
In the early autumn, we hope to invite Ofcom and the Advertising Standards Authority to give evidence, and 
to re-invite witnesses from the Information Commissioner’s Office and the Electoral Commission, and this oral 
evidence will also inform our substantive Report.
7
 Disinformation and ‘fake news’: Interim Report 
Definition of ‘fake news’
11. There is no agreed definition of the term ‘fake news’, which became widely used in 
2016 (although it first appeared in the US in the latter part of the 19th century).12 Claire 
Wardle, from First Draft, told us in our oral evidence session in Washington D.C. that 
“when we are talking about this huge spectrum, we cannot start thinking about regulation, 
and we cannot start talking about interventions, if we are not clear about what we mean”.13 
It has been used by some, notably the current US President Donald Trump, to describe 
content published by established news providers that they dislike or disagree with, but is 
more widely applied to various types of false information, including:
• 
Fabricated content: completely false content;
• Manipulated content: distortion of genuine information or imagery, for example 
a headline that is made more sensationalist, often popularised by ‘clickbait’;
• 
Imposter content: impersonation of genuine sources, for example by using the 
branding of an established news agency;
• Misleading content: misleading use of information, for example by presenting 
comment as fact;
• 
False context of connection: factually accurate content that is shared with false 
contextual information, for example when a headline of an article does not 
reflect the content;
• 
Satire and parody: presenting humorous but false stores as if they are true. 
Although not usually categorised as fake news, this may unintentionally fool 
readers.14
12. In addition to the above is the relentless prevalence of ‘micro-targeted messaging’, 
which may distort people’s views and opinions.15 The distortion of images is a related 
problem; evidence from MoneySavingExpert.com cited celebrities who have had their 
images used to endorse scam money-making businesses, including Martin Lewis, whose 
face has been used in adverts across Facebook and the internet for scams endorsing 
products including binary trading and energy products.16 There are also ‘deepfakes’, audio 
and videos that look and sound like a real person, saying something that that person has 
never said.17 These examples will only become more complex and harder to spot, the more 
sophisticated the software becomes.
13. There is no regulatory body that oversees social media platforms and written 
content including printed news content, online, as a whole. However, in the UK, under 
the Communications Act 2003, Ofcom sets and enforces content standards for television 
12 
Fake News: A Roadmap, NATO Strategic Centre for Strategic Communications, Riga and King’s Centre for 
Strategic Communications (KCSE), January 2018.
13 
Claire Wardle, Q573
14 
Online information and fake news, Parliamentary Office of Science and Technology, July 2017, box 4. 
Also see First Draft News, Fake news. It’s complicated, February 2017; Ben Nimmo (FNW0125); Full Fact, 
(FNW0097)
15 
Micro-targeting of messages will be explored in greater detail in Chapter 4.
16 
MoneySavingExpert.com (FKN0068)
17 
Edward Lucas, Q881
 Disinformation and ‘fake news’: Interim Report 
8
and radio broadcasters, including rules relating to accuracy and impartiality.18 On 13 
July 2018, Ofcom’s Chief Executive, Sharon White, called for greater regulation of social 
media, and announced plans to release an outline of how such regulation could work in 
the autumn of this year.19 We shall assess these plans in our further Report.
14. The term ‘fake news’ is bandied around with no clear idea of what it means, or 
agreed definition. The term has taken on a variety of meanings, including a description 
of any statement that is not liked or agreed with by the reader. We recommend that the 
Government rejects the term ‘fake news’, and instead puts forward an agreed definition 
of the words ‘misinformation’ and ‘disinformation’. With such a shared definition, and 
clear guidelines for companies, organisations, and the Government to follow, there will 
be a shared consistency of meaning across the platforms, which can be used as the basis 
of regulation and enforcement.
15. We recommend that the Government uses the rules given to Ofcom under the 
Communications Act 2003 to set and enforce content standards for television and 
radio broadcasters, including rules relating to accuracy and impartiality, as a basis 
for setting standards for online content. We look forward to hearing Ofcom’s plans for 
greater regulation of social media this autumn. We plan to comment on these in our 
further Report.
How to spot ‘fake news’
16. Standards surrounding fact-checking exist, through the International Fact-
Checking Network’s Code of Principles, signed by the majority of major fact-checkers.20 
A recent report of the independent High-Level Expert Group on Fake News and Online 
Disinformation highlighted that, while a Code of Principles exists, fact-checkers themselves 
must continually improve on their own transparency.21
17. Algorithms are being used to help address the challenges of misinformation. We 
heard evidence from Professor Kalina Bontcheva, who conceived and led the Pheme 
research project, which aims to create a system to automatically verify online rumours 
and thereby allow journalists, governments and others to check the veracity of stories 
on social media.22 Algorithms are also being developed to help to identify fake news. 
The fact-checking organisation, Full Fact, received funding from Google to develop an 
automated fact-checking tool for journalists.23 Facebook and Google have also altered 
their algorithms so that content identified as misinformation ranks lower.24 Many 
organisations are exploring ways in which content on the internet can be verified, kite-
marked, and graded according to agreed definitions.25
18. The Government should support research into the methods by which misinformation 
and disinformation are created and spread across the internet: a core part of this is fact-
18 
Ofcom (FNW0107)
19 
‘It’s time to regulate social media sites that publish news’ The Times 13 July 2018
20 
The International Fact-Checking Network website, accessed 21 June 2018.
21 
A multi-dimensional approach to disinformation, Report of the independent High Level Expert Group on Fake 
News and Online Disinformation, March 2018.
22 
Pheme website, www.pheme.eu, accessed 21 June 2018
23 
Full Fact website, fullfact.org, accessed 21 June 2018
24 
Mosseri, Facebook, “Working to stop misinformation and false news”. 6/4/2017
25 
Full Fact (FNW0097); Disinformation Index (FKN0058); HonestReporting (FKN0047); Factmata Limited, UK 
(FKN0035).
9
 Disinformation and ‘fake news’: Interim Report 
checking. We recommend that the Government initiate a working group of experts to 
create a credible annotation of standards, so that people can see, at a glance, the level 
of verification of a site. This would help people to decide on the level of importance that 
they put on those sites.
Our recommendations in this Report
19. During the course of this inquiry we have wrestled with complex, global issues, 
which cannot easily be tackled by blunt, reactive and outmoded legislative instruments. 
In this Report, we suggest principle-based recommendations which are sufficiently 
adaptive to deal with fast-moving technological developments. We look forward to 
hearing the Government’s response to these recommendations.
20. We also welcome submissions to the Committee from readers of this interim Report, 
based on these recommendations, and on specific areas where the recommendations 
can incorporate work already undertaken by others. This inquiry has grown through 
collaboration with other countries, organisations, parliamentarians, and individuals, 
in this country and abroad, and we want this co-operation to continue.
 Disinformation and ‘fake news’: Interim Report 
10
2 The definition, role and legal 
responsibilities of tech companies
21. At the centre of the argument about misinformation and disinformation is the role of 
tech companies, on whose platforms content is disseminated.26 Throughout the chapter, 
we shall use the term ‘tech companies’ to indicate the different types of social media and 
internet service providers, such as Facebook, Twitter, and Google. It is important to note 
that a series of mergers and acquisitions mean that a handful of tech companies own the 
major platforms. For example, Facebook owns Instagram and WhatsApp; Alphabet owns 
both Google and YouTube.
22. The word ‘platform’ suggests that these companies act in a passive way, posting 
information they receive, and not themselves influencing what we see, or what we do not 
see. However, this is a misleading term; tech companies do control what we see, by their 
very business model. They want to engage us from the moment we log onto their sites and 
into their apps, in order to generate revenue from the adverts that we see. In this chapter, 
we will explore: the definitions surrounding tech companies; the companies’ power in 
choosing and disseminating content to users; and the role of the Government and the 
tech companies themselves in ensuring that those companies carry out their business in 
a transparent, accountable way.
An unregulated sphere
23. Tristan Harris of the Center for Humane Technology27 provided a persuasive 
narrative of the development and role of social media platforms, telling us that engagement 
of the user is an integral part both of tech companies’ business model and of their growth 
strategy:
They set the dial; they don’t want to admit that they set the dial, and instead 
they keep claiming, “We’re a neutral platform,” or, “We’re a neutral tool,” but 
in fact every choice they make is a choice architecture. They are designing 
how compelling the thing that shows up next on the news feed is, and their 
admission that they can already change the news feeds so that people spend 
less time [on it] shows that they do have control of that.28
24. Mr Harris told us that, while we think that we are in control of what we look at when 
we check our phones (on average, around 150 times a day), our mind is being hijacked, as 
if we were playing a slot machine:
Every time you scroll, you might as well be playing a slot machine, because 
you are not sure what is going to come up next on the page. A slot machine 
is a very simple, powerful technique that causes people to want to check in 
all the time. Facebook and Twitter, by being social products—by using your 
26 
As of February 2018, 79% of the UK population had Facebook accounts, 79% used YouTube, and 47% used 
Twitter, https://weareflint.co.uk/press-release-social-media-demographics-2018
27 
The Center for Humane Technology website, accessed 27 June 2018
28 
Tristan Harris, Q3149
11
 Disinformation and ‘fake news’: Interim Report 
social network—have an infinite supply of new information that they could 
show you. There are literally thousands of things that they could populate 
that news feed with, which turns it into that random-reward slot machine.29
25. Coupled with this is the relentless feed of information that we receive on our phones, 
which is driven by tech engineers “who know a lot more about how your mind works than 
you do. They play all these different tricks every single day and update those tricks to keep 
people hooked”.30
Regulatory architecture
The Information Commissioner’s Office
26. The Information Commissioner is a non-departmental public body, with statutory 
responsibility “for regulating the processing of personal data” in the United Kingdom,31 
including the enforcement of the new Data Protection Act 2018 and the General Data 
Protection Regulation (GDPR).32 The ICO’s written evidence describes the Commission’s 
role as “one of the sheriffs of the internet”.33
27. The Commissioner, Elizabeth Denham, highlighted the “behind the scenes 
algorithms, analysis, data matching and profiling” which mean that people’s data is being 
used in new ways to target them with information.34 She sees her role as showing the public 
how personal data is collected, used and shared through advertising and through the 
micro-targeting of messages delivered through social media.”35 She has a range of powers 
to ensure that personal data is processed within the legislative framework, including the 
serving of an information notice, requiring specified information to be provided within a 
defined timeframe.
28. The 2018 Act extends the Commissioner’s powers to conduct a full audit where 
she suspects that data protection legislation has, or is being, contravened and to order 
a company to stop processing data. Elizabeth Denham told us that these would be 
“powerful” measures.36 The recent legislative changes also increased the maximum fine 
that the Commissioner can levy, from £500,000 to £17 million or 4% of global turnover, 
whichever is greater, and set out her responsibilities for international co-operation on the 
enforcement of data protection legislation.37
29. The Data Protection Act 2018 created a new definition, called “Applied GDPR”, to 
describe an amended version of the GDPR, when European Union law does not apply 
(when the UK leaves the EU). Data controllers would still need to assess whether they are 
subject to EU law, in order to decide whether to follow the GDPR or the Applied GDPR. 
29 
Q3147
30 
Tristan Harris, Q3147
31 
Elizabeth Denham, Information Commissioner (FKN0051)
32 
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and is a regulation under 
EU law on data protection and privacy for all individuals within the European Union (EU) and the European 
Economic Area (EEA). It forms part of the data protection regime in the UK, together with the new Data 
Protection Act 2018 (DPA 2018).
33 
Elizabeth Denham, Information Commissioner (FKN0051)
34 
Elizabeth Denham, Information Commissioner (FKN0051)
35 
Elizabeth Denham, Information Commissioner (FKN0051)
36 
Q907
37 
Guide to the GDPR, ICO website, accessed 21 July 2018
 Disinformation and ‘fake news’: Interim Report 
12
Apart from the exceptions laid down in the GDPR, all personal data processed in the 
United Kingdom comes within the scope of European Union law, until EU law no longer 
applies to the United Kingdom. However, when the United Kingdom leaves the EU, social 
media companies could “process personal data of people in the UK from bases in the 
US without any coverage of data protection law. Organisations that emulate Cambridge 
Analytica could set up in offshore locations and profile individuals in the UK without 
being subject to any rules on processing personal data”, according to Robert Madge, CEO 
of the Swiss data management company Xifrat Daten.38
30. The Data Protection Act 2018 gives greater protection to people’s data than did 
its predecessor, the 1998 Data Protection Act, and follows the law set out in the GDPR. 
However, when the UK leaves the EU, social media companies will be able to process 
personal data of people in the UK from bases in the US, without any coverage of data 
protection law. We urge the Government to clarify this loophole in a White Paper this 
autumn.
Investigation into the use of data analytics for political purposes
31. In May 2017, the ICO announced a formal investigation into the use of data analytics 
for political purposes. The investigation has two strands: explaining how personal data 
is used in the context of political messaging; and taking enforcement action against 
any found breaches of data protection legislation.39 The investigation has involved 30 
organisations, including Facebook and Cambridge Analytica. Elizabeth Denham said of 
the investigation:
For the public, we need to be able to understand why an individual sees a 
certain ad. Why does an individual see a message in their newsfeed that 
somebody else does not see? We are really the data cops here. We are doing 
a data audit to be able to understand and to pull back the curtain on the 
advertising model around political campaigning and elections.40
32. In response to our request for the ICO to provide an update on the investigation into 
data analytics in political campaigning, the Commissioner duly published this update on 
11 July 2018.41 We are grateful to the Commissioner for providing such a useful, detailed 
update on her investigations, and we look forward to receiving her final report in due 
course.
33. The ICO has been given extra responsibilities, but with those responsibilities should 
come extra resources. Christopher Wylie, a whistle-blower and ex-SCL employee, has had 
regular contact with the ICO, and he explained that the organisation has limited resources 
to deal with its responsibilities: “A lot of the investigators do not have a robust technical 
background. […] They are in charge of regulating data, which means that they should 
have a lot of people who understand how databases work”.42
34. Paul-Olivier Dehaye, founder of PersonalDataIO, told us that he had sent a letter to the 
ICO in August 2016, asking them if they were investigating Cambridge Analytica, because 
38 
Brexit risk to UK personal data, Robert Madge, Medium, 22 June 2018
39 
Q895
40 
Q899
41 
Investigation into the use of data analytics in political campaigns: investigation update, ICO, July 2018.
42 
Q1460
13
 Disinformation and ‘fake news’: Interim Report 
of the information about the company that was publicly available at that time. He told us 
that “if the right of access was made much more efficient, because of increased staffing at 
the ICO, this right would be adopted by [...] educators, journalists, activists, academics, as 
a tool to connect civil society with the commercial world and to help document what is 
happening”.43 Data scientists at the ICO need to be able to cope with new technologies that 
are not even in existence at the moment and, therefore, the ICO needs to be as technically 
expert, if not more so, than the experts in private tech companies.
35. The Commissioner told us that the Government had given the ICO pay flexibility 
to retain and recruit more expert staff: “We need forensic investigators, we need senior 
counsel and lawyers, we need access to the best, and maybe outside counsel, to be able to 
help us with some of these really big files”.44 We are unconvinced that pay flexibility will 
be enough to retain and recruit technical experts.
36. We welcome the increased powers that the Information Commissioner has been 
given as a result of the Data Protection Act 2018, and the ability to be able to look behind 
the curtain of tech companies, and to examine the data for themselves. However, to be 
a sheriff in the wild west of the internet, which is how the Information Commissioner 
has described her office, the ICO needs to have the same if not more technical expert 
knowledge as those organisations under scrutiny. The ICO needs to attract and employ 
more technically-skilled engineers who not only can analyse current technologies, but 
have the capacity to predict future technologies. We acknowledge the fact that the 
Government has given the ICO pay flexibility to retain and recruit more expert staff, but 
it is uncertain whether pay flexibility will be enough to retain and attract the expertise 
that the ICO needs. We recommend that the White Paper explores the possibility of 
major investment in the ICO and the way in which that money should be raised. One 
possible route could be a levy on tech companies operating in the UK, to help pay for the 
expanded work of the ICO, in a similar vein to the way in which the banking sector pays 
for the upkeep of the Financial Conduct Authority.
The Electoral Commission
37. The Electoral Commission is responsible for regulating and enforcing the rules 
that govern political campaign finance in the UK. Their priority is to ensure appropriate 
transparency and voter confidence in the system.45 However, concerns have been expressed 
about the relevance of that legislation in an age of social media and online campaigning. 
Claire Bassett, the Electoral Commission’s Chief Executive, told us that, “It is no great 
secret that our electoral law is old and fragmented. It has developed over the years, and we 
struggle with the complexity created by that, right across the work that we do.”46
38. The use of social media in political campaigning has had major consequences for 
the Electoral Commission’s work.47 As a financial regulator, the Electoral Commission 
regulates “by looking at how campaigners and parties receive income, and how they 
spend that.”48 While that is primarily achieved through the spending returns submitted 
43 
Q1460
44 
Q923
45 
Electoral Commission (FNW0048)
46 
Q2617
47 
The Electoral Commission’s remit covers the UK only and it has no power to intervene or to stop someone acting 
if they are outside the UK (Claire Bassett, Q2655)
48 
Q2617
 Disinformation and ‘fake news’: Interim Report 
14
by registered campaigners, the Commission also conducts real-time monitoring of 
campaign activities, including on social media, that it can then compare the facts with 
what it is being told.49 Where the Electoral Commission suspects or identifies that rules 
have been breached it has the power to conduct investigations, refer matters to the police, 
and issue sanctions, including fines.
39. At present, campaign spending is declared under broad categories such as ‘advertising’ 
and ‘unsolicited material to electors’, with no specific category for digital campaigning, 
not to mention the many subcategories covered by paid and organic campaigning, and 
combinations thereof. Bob Posner, the Electoral Commission’s Director of Political 
Finance and Regulation and Legal Counsel, told us that “A more detailed category of 
spending would be helpful to understand what is spent on services, advertising, leaflets, 
posters or whatever it might be, so anyone can interrogate and question it.”50 The Electoral 
Commission has since recommended that legislation be amended so that spending returns 
clearly detail digital campaigning.51
40. Spending on election or referendum campaigns by foreign organisations or 
individuals is not allowed. We shall be exploring issues surrounding the donation to Leave.
EU by Arron Banks in Chapter 4, but another example involving Cambridge Analytica 
was brought to our attention by Arron Banks himself. A document from Cambridge 
Analytica’s presentation pitch to Leave.EU stated that “We will co-ordinate a programme 
of targeted solicitation, using digital advertising and other media as appropriate to raise 
funds for Leave.EU in the UK, the USA, and in other countries.”52 In response to a question 
asking whether he had taken legal advice on this proposal, Alexander Nix, the then CEO 
of Cambridge Analytica, replied, “We took a considerable amount of legal advice and, 
at the time, it was suggested by our counsel that we could target British nationals living 
abroad for donations. I believe […] that there is still some lack of clarity about whether 
this is true or not.53
41. When giving evidence, the Electoral Commission repeated a recommendation first 
made in 2003 that online campaign material should legally be required to carry a digital 
imprint, identifying the source. While the Electoral Commission’s remit does not cover 
the content of campaign material, and it is “not in a position to monitor the truthfulness 
of campaign claims, online or otherwise”, it holds that digital imprints “will help voters 
to assess the credibility of campaign messages.”54 A recent paper from Upturn, Leveling 
the platform: real transparency for paid messages on Facebook, highlighted the fact that 
“ads can be shared widely, and live beyond indication that their distribution was once 
subsidized. And they can be targeted with remarkable precision”.55 For this reason, we 
believe digital imprints should be clear and make it easy for users to identify what is in 
adverts and who the advertiser is.
49 
Q2717
50 
Q2668
51 
Digital campaigning: increasing transparency for voters, Electoral Commission, 25 June 2018, p12
52 
Arron Banks (FKN0056)
53 
Q3331
54 
Digital campaigning: increasing transparency for voters, Electoral Commission, 25 June 2018, p9
55 
Levelling the platform: real transparency for paid messages on Facebook, Upturn, May 2018
15
 Disinformation and ‘fake news’: Interim Report 
42. The Electoral Commission published a report on 26 June 2018, calling for the law to 
be strengthened around digital advertising and campaigning, including:
• 
A change in the law to require all digital political campaign material to state 
who paid for it, bringing online adverts in line with physical leaflets and adverts;
• 
New legislation to make it clear that spending in UK elections and referenda by 
foreign organisations and individuals is not allowed;
• 
An increase in the maximum fine, currently £20,000 per offence, that the 
Electoral Commission can impose on organisations and individuals who break 
the rules;
• 
Tougher requirements for political campaigns to declare their spending soon 
after or during a campaign, rather than months later;
• 
A requirement for all campaigners to provide more detailed paperwork on how 
they spent money online.56
43. Claire Bassett told us that the current maximum fine that the Electoral Commission 
can impose on wrongdoings in political campaigning is £20,000, which she said is described 
as “the cost of doing business” for some individuals and organisations. Ms Bassett said 
that this amount was too low and should be increased, in line with other regulators that 
can impose more significant fines.57 She also commented on how she would like a change 
to the regulated periods, particularly in reference to referenda:
One of the challenges we have as regulator is that we are a financial 
regulator, and we regulate the parties and campaigners, usually during just 
that regulated period or the extended period that is set out. That does create 
challenges in a referendum setting. We think there is value in looking at 
those campaign regulated periods and thinking about how they work.58
We are aware that the Report of the Independent Commission on Referendums made 
similar recommendations in its report of July 2018.59
44. The globalised nature of social media creates challenges for regulators. In evidence 
Facebook did not accept their responsibilities to identify or prevent illegal election 
campaign activity from overseas jurisdictions. In the context of outside interference in 
elections, this position is unsustainable and Facebook, and other platforms, must begin 
to take responsibility for the way in which their platforms are used.
45. Electoral law in this country is not fit for purpose for the digital age, and needs 
to be amended to reflect new technologies. We support the Electoral Commission’s 
suggestion that all electronic campaigning should have easily accessible digital imprint 
requirements, including information on the publishing organisation and who is legally 
responsible for the spending, so that it is obvious at a glance who has sponsored that 
campaigning material, thereby bringing all online advertisements and messages into 
line with physically published leaflets, circulars and advertisements. We note that a 
56 
Digital campaigning: increasing transparency for voters, Electoral Commission, 25 June 2018
57 
Q2618
58 
Claire Bassett, Q2617
59 
Report of the Independent Commission on Referendums UCL Constitution Unit, July 2018
 Disinformation and ‘fake news’: Interim Report 
16
similar recommendation was made by the Committee on Standards in Public Life, and 
urge the Government to study the practicalities of giving the Electoral Commission this 
power in its White Paper.
46. As well as having digital imprints, the Government should consider the feasibility 
of clear, persistent banners on all paid-for political adverts and videos, indicating 
the source and making it easy for users to identify what is in the adverts, and who the 
advertiser is.
47. The Electoral Commission’s current maximum fine limit of £20,000 should be 
changed to a larger fine based on a fixed percentage of turnover, such as has been 
granted recently to the Information Commissioner’s Office in the Data Protection Act 
2018. Furthermore, the Electoral Commission should have the ability to refer matters to 
the Crown Prosecution Service, before their investigations have been completed.
48. Electoral law needs to be updated to reflect changes in campaigning techniques, 
and the move from physical leaflets and billboards to online, micro-targeted political 
campaigning, as well as the many digital subcategories covered by paid and organic 
campaigning. The Government must carry out a comprehensive review of the current 
rules and regulations surrounding political work during elections and referenda, 
including: increasing the length of the regulated period; definitions of what constitutes 
political campaigning; absolute transparency of online political campaigning; a category 
introduced for digital spending on campaigns; reducing the time for spending returns to 
be sent to the Electoral Commission (the current time for large political organisations is 
six months); and increasing the fine for not complying with the electoral law.
49. The Government should consider giving the Electoral Commission the power to 
compel organisations that it does not specifically regulate, including tech companies and 
individuals, to provide information relevant to their inquiries, subject to due process.
50. The Electoral Commission should also establish a code for advertising through 
social media during election periods, giving consideration to whether such activity 
should be restricted during the regulated period, to political organisations or campaigns 
that have registered with the Commission. Both the Electoral Commission and the ICO 
should consider the ethics of Facebook or other relevant social media companies selling 
lookalike political audiences to advertisers during the regulated period, where they are 
using the data they hold on their customers to guess whether their political interests 
are similar to those profiles held in target audiences already collected by a political 
campaign. In particular, we would ask them to consider whether users of Facebook 
or other relevant social media companies should have the right to opt out from being 
included in such lookalike audiences.
Platform or publisher?
51. How should tech companies be defined—as a platform, a publisher, or something 
in between? The definition of ‘publisher’ gives the impression that tech companies have 
the potential to limit freedom of speech, by choosing what to publish and what not to 
publish. Monika Bickert, Head of Global Policy Management, Facebook, told us that 
“our community would not want us, a private company, to be the arbiter of truth”.60 The 
60 
Q431
17
 Disinformation and ‘fake news’: Interim Report 
definition of ‘platform’ gives the impression that these companies do not create or control 
the content themselves, but are merely the channel through which content is made available. 
Yet Facebook is continually altering what we see, as is shown by its decision to prioritise 
content from friends and family, which then feeds into users’ newsfeed algorithm.61
52. Frank Sesno, Director of the School of Media and Public Affairs, George Washington 
University, told us in Washington D.C. that “they have this very strange, powerful, hybrid 
identity as media companies that do not create any of the content but should and must—to 
their own inadequate levels—accept some responsibility for promulgating it. What they 
fear most is regulation—a requirement to turn over their data”.62
53. At both our evidence session and at a separate speech in March 2018, the then 
Secretary of State for DCMS, Rt Hon Matt Hancock MP, noted the complexity of 
making any legislative changes to tech companies’ liabilities, putting his weight behind 
“a new definition” that was “more subtle” than the binary choice between platform and 
publisher.63 He told us that the Government has launched the Cairncross Review to look 
(within the broader context of the future of the press in the UK) at the role of the digital 
advertising supply chain, at how fair and transparent it is, and whether it “incentivises 
the proliferation of inaccurate and/or misleading news.” The review is also examining 
the role and impact of digital search engines and social media companies including an 
assessment of regulation “or further collaboration between the platforms and publishers.” 
The consultation closes in September 2018.64
54. In Germany, tech companies were asked to remove hate speech within 24 hours. This 
self-regulation did not work, so the German Government passed the Network Enforcement 
Act, commonly known as NetzDG, which became law in January 2018. This legislation 
forces tech companies to remove hate speech from their sites within 24 hours, and fines 
them 20 million Euros if it is not removed.65
55. Some say that the NetzDG regulation is a blunt instrument, which could be seen to 
tamper with free speech, and is specific to one country, when the extent of the content spans 
many countries. Monika Bickert, from Facebook, told us that “sometimes regulations can 
take us to a place—you have probably seen some of the commentary about the NetzDG 
law in Germany—where there will be broader societal concerns about content that we are 
removing and whether that line is in the right place”.66 The then Secretary of State was also 
wary of the German legislation because “when a regulator gets to the position where they 
are policing the publication of politicians then you are into tricky territory”.67 However, 
as a result of this law, one in six of Facebook’s moderators now works in Germany, which 
is practical evidence that legislation can work.68
56. Within social media, there is little or no regulation. Hugely important and 
influential subjects that affect us—political opinions, mental health, advertising, 
61 
Monika Bickert, Q434
62 
Frank Sesno, Q583
63 
Matt Hancock MP on ‘The Future of the Media’ at the Oxford Media Convention, Monday 12 March 2018 and 
Q977
64 
Terms of reference, Cairncross Review, DCMS, 12 March 2018.
65 
Germany start enforcing hate speech law, BBC, 1 January 2018
66 
Q386
67 
Q973
68 
Professor Lewandowsky, Q233
 Disinformation and ‘fake news’: Interim Report 
18
data privacy—are being raised, directly or indirectly, in these tech spaces. People’s 
behaviour is being modified and changed as a result of social media companies. There 
is currently no sign of this stopping.
57. Social media companies cannot hide behind the claim of being merely a ‘platform’, 
claiming that they are tech companies and have no role themselves in regulating the 
content of their sites. That is not the case; they continually change what is and is not 
seen on their sites, based on algorithms and human intervention. However, they are also 
significantly different from the traditional model of a ‘publisher’, which commissions, 
pays for, edits and takes responsibility for the content it disseminates.
58. We recommend that a new category of tech company is formulated, which 
tightens tech companies’ liabilities, and which is not necessarily either a ‘platform’ or 
a ‘publisher’. We anticipate that the Government will put forward these proposals in 
its White Paper later this year and hope that sufficient time will be built in for our 
Committee to comment on new policies and possible legislation.
59. We support the launch of the Government’s Cairncross Review, which has been 
charged with studying the role of the digital advertising supply chain, and whether 
its model incentivises the proliferation of inaccurate or misleading news. We propose 
that this Report is taken into account as a submission to the Cairncross Review. We 
recommend that the possibility of the Advertising Standards Agency regulating digital 
advertising be considered as part of the Review. We ourselves plan to take evidence on 
this question this autumn, from the ASA themselves, and as part of wider discussions 
with DCMS and Ofcom.
60. It is our recommendation that this process should establish clear legal liability for 
the tech companies to act against harmful and illegal content on their platforms. This 
should include both content that has been referred to them for takedown by their users, 
and other content that should have been easy for the tech companies to identify for 
themselves. In these cases, failure to act on behalf of the tech companies could leave them 
open to legal proceedings launched either by a public regulator, and/or by individuals or 
organisations who have suffered as a result of this content being freely disseminated on 
a social media platform.
Transparency
61. What we found, time and again, during the course of our inquiry, was the failure 
on occasions of Facebook and other tech companies, to provide us with the information 
that we sought. We undertook fifteen exchanges of correspondence with Facebook, and 
two oral evidence sessions, in an attempt to elicit some of the information that they held, 
including information regarding users’ data, foreign interference and details of the so-
called ‘dark ads’ that had reached Facebook users.69 Facebook consistently responded 
to questions by giving the minimal amount of information possible, and routinely 
failed to offer information relevant to the inquiry, unless it had been expressly asked 
for. It provided witnesses who have been unwilling or unable to give full answers to the 
69 
Oral evidence session, 8 February 2018; oral evidence session, 26 April 2018; exchanges of correspondence 
between the Chair of the DCMS Committee and Facebook representatives, between 24 October and 8 June 
2018, can be found on the DCMS Committee’s inquiry page.
19
 Disinformation and ‘fake news’: Interim Report 
Committee’s questions. This is the reason why the Committee has continued to press for 
Mark Zuckerberg to appear as a witness as, by his own admission, he is the person who 
decides what happens at Facebook.
62. We ask, once more, for Mr Zuckerberg to come to the Committee to answer the 
many outstanding questions to which Facebook has not responded adequately to date. 
Edward Lucas, a writer and security policy expert, rightly told us that Facebook should 
not be in a position of marking its own homework: “They have a duty as a platform to have 
transparent rules that can be discussed with the outside world and we should be able to 
check stuff. […] We cannot just trust Facebook to go after the event and say, ‘Nothing to 
see here, move along’. We should be able to see in real time who is advertising”.70
63. As the then Secretary of State, Rt Hon Matthew Hancock MP, pointed out when he 
gave evidence to us, the Defamation Act 2013 contains provisions stating that, if a user is 
defamed on social media, and the offending individual cannot be identified, the liability 
rests with the platform.71
64. Tech companies are not passive platforms on which users input content; they 
reward what is most engaging, because engagement is part of their business model and 
their growth strategy. They have profited greatly by using this model. This manipulation 
of the sites by tech companies must be made more transparent. Facebook has all of the 
information. Those outside of the company have none of it, unless Facebook chooses 
to release it. Facebook was reluctant to share information with the Committee, which 
does not bode well for future transparency. We ask, once more, for Mr Zuckerberg to 
come to the Committee to answer the many outstanding questions to which Facebook 
has not responded adequately, to date.
65. Facebook and other social media companies should not be in a position of ‘marking 
their own homework’. As part of its White Paper this Autumn, the Government need to 
carry out proactive work to find practical solutions to issues surrounding transparency 
that will work for both users, the Government, and the tech companies.
66. Facebook and other social media companies have a duty to publish and to follow 
transparent rules. The Defamation Act 2013 contains provisions stating that, if a user is 
defamed on social media, and the offending individual cannot be identified, the liability 
rests with the platform. We urge the Government to examine the effectiveness of these 
provisions, and to monitor tech companies to ensure they are complying with court 
orders in the UK and to provide details of the source of disputed content—including 
advertisements—to ensure that they are operating in accordance with the law, or any 
future industry Codes of Ethics or Conduct. Tech companies also have a responsibility 
to ensure full disclosure of the source of any political advertising they carry.
Bots
67. Bots are algorithmically-driven computer programmes designed to carry out specific 
tasks online, such as analysing and scraping data. Some are created for political purposes, 
such as automatically posting content, increasing follower numbers, supporting political 
campaigns, or for spreading misinformation and disinformation. Samantha Bradshaw, 
70 
Q855
71 
Section 5, ‘Operators’, Defamation Act 2013
 Disinformation and ‘fake news’: Interim Report 
20
from the Oxford Internet Institute, University of Oxford, described the different types of 
bots, with some being completely automated and some with real people who engage with 
the automated bots, described as ‘cyborgs’: “Those accounts are a lot harder to detect for 
researchers, because they feel a lot more genuine. Instead of just automating a bunch of 
tweets, so that something retweets different accounts 100 times a day, bots might actually 
post comments and talk with other users—real people—on the accounts”.72
68. When she gave evidence in February 2018, Monika Bickert, Head of Global Policy 
Management at Facebook, would not confirm whether there were around 50,000 bot 
accounts during the US presidential election of 2016.73 However, when Mike Schroepfer, 
CTO of Facebook, gave evidence in April 2018, after the Cambridge Analytica events had 
unfolded, he was more forthcoming about the problem of bots:
The key thing here is people trying to create inauthentic identities on 
Facebook, claiming they are someone other than who they are. To give 
you a sense of the scale of that problem and the means, while we are in 
this testimony today it is likely we will be blocking hundreds of thousands 
of attempts by people around the world to create fake accounts through 
automated systems. This is literally a day-to-day fight to make sure that 
people who are trying to abuse the platform are kept off it and to make sure 
that people use Facebook for what we want it for, which is to share it with 
our friends.74
69. Mike Schroepfer also said that removal of such bots can be difficult, and was evasive 
about how many fake accounts had been removed, telling us: “We are purging fake accounts 
all the time and dealing with fraudulent ads and we do not tend to report each specific 
instance. I know we report aggregate statistics on a regular basis, but it is not something 
we are reporting here or there, so I don’t know.75 The problem with removing such bots 
without a systematic appraisal of their composition means that valuable information is 
then lost. Such information would prove invaluable to researchers involved in making 
connections, in order to prevent future attacks by malign players.
Algorithms
70. Both social media companies and search engines use algorithms, or sequences 
of instructions, to personalise news and other content for users. The algorithms select 
content based on factors such as a user’s past online activity, social connections, and 
their location. Samantha Bradshaw, from the Oxford Internet Institute, told us about the 
power of Facebook to manipulate people’s emotions by showing different types of stories 
to them: “If you showed them more negative stories, they would feel more negatively. If 
you showed them positive stories, they would feel more positive”.76 The tech companies’ 
business models rely on revenue coming from the sale of adverts and, because the bottom 
line is profit, negative emotions (which appear more quickly than positive emotions) will 
always be prioritised. This makes it possible for negative stories to spread.
72 
Q18
73 
Q465
74 
Q2126
75 
Q2293
76 
Q29
21
 Disinformation and ‘fake news’: Interim Report 
71. Information about algorithms that dictate what users see on their News Feed is not 
publicly available. But just as information about the tech companies themselves needs to 
be more transparent, so does information about the algorithms themselves. These can 
carry inherent biases, such as those involving gender and race, as a result of algorithms 
development by engineers; these biases are then replicated, spread, and reinforced. Monika 
Bickert, from Facebook, admitted that Facebook was concerned about “any type of bias, 
whether gender bias, racial bias or other forms of bias that could affect the way that work 
is done at our company. That includes working on algorithms”. She went on to describe 
ways in which they were attempting to address this problem, including “initiatives 
ongoing, right now, to try to develop talent in under-represented communities”.77 In 
our opinion, Facebook should be taking a more active and urgent role in tackling such 
inherent biases in algorithm development by engineers, to prevent these biases being 
replicated and reinforced. Claire Wardle, Executive Director of First Draft News, told us 
of the importance to get behind the ‘black box’ of the working of algorithms, in order to 
understand the rules and motivations of the tech companies:
What are the questions to ask a platform about why it was created? What 
are the metrics for that particular algorithm? How can we have more insight 
into that algorithm? How can we think about frameworks of algorithms? 
Irrespective of the platform, how can we set up that framework so that 
platforms have to be not just transparent but transparent across particular 
aspects and elements?78
72. Just as the finances of companies are audited and scrutinised, the same type of 
auditing and scrutinising should be carried out on the non-financial aspects of technology 
companies, including their security mechanisms and algorithms, to ensure they are 
operating responsibly. The Government should provide the appropriate body with the 
power to audit these companies, including algorithmic auditing, and we reiterate the 
point that the ICO’s powers should be substantially strengthened in these respects.
73. If companies like Facebook and Twitter fail to act against fake accounts, and 
properly account for the estimated total of fake accounts on their sites at any one time, 
this could not only damage the user experience, but potentially defraud advertisers who 
could be buying target audiences on the basis that the user profiles are connected to real 
people. We ask the Competition and Markets Authority to consider conducting an audit 
of the operation of the advertising market on social media.
Privacy settings and ‘terms and conditions’
74. Facebook and other tech companies make it hard for users to protect their own data. 
A report by the Norwegian Consumer Council, ‘Deceived by Design’, published in June 
2018, highlighted the fact that Facebook, Google and Microsoft direct users away from 
privacy-friendly options on their services in an “unethical” way, while giving users “an 
illusion of control”.79 Users’ privacy rights are usually hidden in tech companies’ ‘terms 
77 
Q441
78 
Q582
79 
Deceived by design, Norwegian Consumer Council, 26 June 2018.
 Disinformation and ‘fake news’: Interim Report 
22
and conditions’ policies, which themselves are complicated, and do not follow their own 
terms of conditions in ensuring that they are age appropriate and that age ratification 
takes place.80
75. Social media companies have a legal duty to inform users of their privacy rights. 
Companies give users the illusion of users having freedom over how they control their 
data, but they make it extremely difficult, in practice, for users to protect their data. 
Complicated and lengthy terms and conditions, small buttons to protect our data and 
large buttons to share our data mean that, although in principle we have the ability 
to practise our rights over our data—through for example the GDPR and the Data 
Protection Act—in practice it is made hard for us.
76. The UK Government should consider establishing a digital Atlantic Charter 
as a new mechanism to reassure users that their digital rights are guaranteed. This 
innovation would demonstrate the UK’s commitment to protecting and supporting users, 
and establish a formal basis for collaboration with the US on this issue. The Charter 
would be voluntary, but would be underpinned by a framework setting out clearly the 
respective legal obligations in signatory countries. This would help ensure alignment, if 
not in law, then in what users can expect in terms of liability and protections.
‘Free Basics’ and Burma
77. One of Facebook’s unofficial company mottoes was to “move quickly and break 
things”; to take risks, to not consider the consequences. Sandy Parakilas, an ex-Facebook 
employee, told us that most of the goals of the company were centred around growth, 
in terms of the number of people using the service and the subsequent revenue.81 But 
with growth comes unintended consequences, if that growth happens unchecked. This 
unchecked growth of Facebook is continuing. ‘Free Basics’ is a Facebook service that 
provides people in developing countries with mobile phone access to various services 
without data charges. This content includes news, employment, health, information and 
local information. Free Basics is available in 63 countries around the world.82
78. Out of a 50 million population in Burma, there are 30 million monthly active 
users on Facebook.83 While Free Basics gives internet access for the majority of people 
in Burma, at the same time it severely limits the information available to users, making 
Facebook virtually the only source of information online for the majority of people in 
Burma.84 The United Nations accused Facebook of playing a determining role in stirring 
up hatred against the Rohingya Muslim minority in Rakhine State. In March 2018, the 
UN Myanmar investigator Yanghee Lee said that the platform had morphed into a ‘beast’ 
that helped to spread vitriol against Rohingya Muslins.85
79. When Mike Schroepfer, the CTO at Facebook, gave evidence in April 2018, he 
described the situation in Burma as “awful”, and that “we need to and are trying to do a 
lot more to get hate speech and all this kind of vile content off the platform”,86 but he could 
80 
The then Secretary of State, Rt Hon Matt Hancock MP Q968
81 
Q1208
82 
internet.org by Facebook, accessed 21 July 2018.
83 
Myanmar group blasts Zuckerberg claim on Facebook hate speech prevention, Techcrunch, 6 April, 2018
84 
Unliked: How Facebook is playing a part in the Rohingya genocide, The Conversation, 2 January 2018.
85 
UN: Facebook has turned into a beast in Myanmar, BBC, 13 March 2018.
86 
Q2490
23
 Disinformation and ‘fake news’: Interim Report 
not tell us when Facebook had started work on limiting hate speech, he could not tell us 
how many fake accounts had been identified and removed from Burma, and he could not 
tell us how much revenue Facebook was making from Facebook users in Burma.87
80. Mr. Schroepfer promised to submit supplementary evidence to give us that 
information. However, Facebook’s supplementary evidence stated: “We do not break down 
the removal of fake accounts by country. […] Myanmar [Burma] is a small market for 
Facebook. We do not publish country advertising revenue figures”.88 We sent yet another 
letter, asking why Facebook does not break down the removal of fake accounts by country, 
which seems a serious lapse in demonstrating how it takes responsibility when problems 
with fake accounts arise.89 To date, we have not received an answer.
81. UK aid to Burma is planned at £100 million for 2018.90 The Department for 
International Development told the International Development Committee that “for our 
programme to be successful, Burma must work towards the implementation of inclusive 
peace agreements, a new political settlement; and the military serving, rather than ruling, 
Burma”.91 To date, the UK’s total support for the crisis since August 2017 is £129 million.
82. The United Nations has named Facebook as being responsible for inciting hatred 
against the Rohingya Muslim minority in Burma, through its ‘Free Basics’ service. It 
provides people free mobile phone access without data charges, but is also responsible 
for the spread disinformation and propaganda. The CTO of Facebook, Mike Schroepfer 
described the situation in Burma as “awful”, yet Facebook cannot show us that it has 
done anything to stop the spread of disinformation against the Rohingya minority.
83. The hate speech against the Rohingya—built up on Facebook, much of which is 
disseminated through fake accounts—and subsequent ethnic cleansing, has potentially 
resulted in the success of DFID’s aid programmes being greatly reduced, based on the 
qualifications they set for success. The activity of Facebook undermines international aid 
to Burma, including the UK Government’s work. Facebook is releasing a product that is 
dangerous to consumers and deeply unethical. We urge the Government to demonstrate 
how seriously it takes Facebook’s apparent collusion in spreading disinformation in 
Burma, at the earliest opportunity. This is a further example of Facebook failing to take 
responsibility for the misuse of its platform.
Code of Ethics and developments
84. Facebook has hampered our efforts to get information about their company 
throughout this inquiry. It is as if it thinks that the problem will go away if it does not 
share information about the problem, and reacts only when it is pressed. Time and again 
we heard from Facebook about mistakes being made and then (sometimes) rectified, 
rather than designing the product ethically from the beginning of the process. Facebook 
has a ‘Code of Conduct’, which highlights the principles by which Facebook staff carry 
87 
Qq 2493 to 2496
88 
Facebook letter from Rebecca Stimson, Head of Public Policy, to Damian Collins, 14 May 2018.
89 
Letter from Damian Collins to Rebecca Stimson, 21 May 2018
90 
Bangladesh, Burma and the Rohingya crisis, International Development Committee, fourth report of session 
2017–19, HC 1054, para 11
91 
Ibid.
 Disinformation and ‘fake news’: Interim Report 
24
out their work, and states that employees are expected to “act lawfully, honestly, ethically, 
and in the best interests of the company while performing duties on behalf of Facebook”.92 
Facebook has fallen well below this standard in Burma.
85. The then Secretary of State, Rt Hon Matt Hancock MP, talked about the need for tech 
companies to move from a libertarian attitude—“the foundation of the internet”—to one 
of “liberal values on the internet, which is supporting and cherishing the freedom but not 
the freedom to harm others”.93 He warned that tech company leaders have a responsibility, 
otherwise responsibility will be imposed on them: “I do not, for a moment, buy this idea 
that just because the internet is global therefore nation states do not have a say in it. We 
are responsible. We collectively, Parliament is responsible, for the statutory rules where 
our society lives”.94
Monopolies and the business models of tech companies
86. The dominance of a handful of powerful tech companies, such as Facebook, Twitter 
and Google, has resulted in their behaving as if they were monopolies in their specific 
area. Traditionally, the basis of competition policy with regard to monopolies has been 
the issue of consumer detriment, such as the risk of overcharging. However, in the tech 
world, consumer detriment is harder to quantify. In the digital sphere, many of these 
services have marginal running costs, are free to the consumer at the point of use, and 
have the potential of benefiting the consumer from being monopolistic—the sharing of 
information is the point of these companies and improves the accuracy of services such as 
Google Maps. As the Secretary of State told us, “The whole question of the concept of how 
we run competition policy in an era where many goods and many other new innovations 
have zero marginal costs and are free is intellectually difficult.”95
87. With the free access of services must come the means of funding the businesses; tech 
companies’ business models rely on the data of users for advertisers to utilise, in order 
to maximise their revenue. Facebook and Google have 60% of US digital ad spend and 
20% of total global spend, as of February 2018.96 Therefore, consumer protection in the 
modern world is not only about goods, it is about the protection of data. Tech companies’ 
business models have extolled the fact that they are offering innovations that are free to 
use, but in doing so the users become the product of the companies, and this is where 
issues of mistrust and misuse arise. The new measures in GDPR allow users to see what 
data the companies hold about them, and users can request their data to be removed or 
transferred to other tech companies, but in order for this to be effective, users must have 
knowledge of and utilise these rights.97
88. Professor Bakir, from Bangor University, talked of how technology continually 
changes, with people adapting to that technology in unpredictable ways.98 She suggested 
the establishment of a working group, to monitor what is being developed in the area of 
misinformation and disinformation because “what is around the corner may be much 
92 
Code of Conduct, Facebook, 31 May 2018
93 
Q954
94 
Q954
95 
Q979
96 
Ian Lucas MP, Q619
97 
Guide to the GDPR, ICO website
98 
Q233
25
 Disinformation and ‘fake news’: Interim Report 
more worrying than what we have experienced to date”.99 As technology develops so 
quickly, regulation needs to be based not on specifics, but on principles, and adaptive 
enough to withstand technological developments.
89. A professional global Code of Ethics should be developed by tech companies, in 
collaboration with this and other governments, academics, and interested parties, 
including the World Summit on Information Society, to set down in writing what is and 
what is not acceptable by users on social media, with possible liabilities for companies 
and for individuals working for those companies, including those technical engineers 
involved in creating the software for the companies. New products should be tested to 
ensure that products are fit-for-purpose and do not constitute dangers to the users, or 
to society.
90. The Code of Ethics should be the backbone of tech companies’ work, and should be 
continually referred to when developing new technologies and algorithms. If companies 
fail to adhere to their own Code of Ethics, the UK Government should introduce 
regulation to make such ethical rules compulsory.
91. The dominance of a handful of powerful tech companies, such as Facebook, Twitter 
and Google, has resulted in their behaving as if they were monopolies in their specific 
area. While this portrayal of tech companies does not appreciate the benefits of a shared 
service, where people can communicate freely, there are considerations around the data 
on which those services are based, and how these companies are using the vast amount 
of data they hold on users. In its White Paper, the Government must set out why the 
issue of monopolies is different in the tech world, and the measures needed to protect 
users’ data.
99 
Q233
 Disinformation and ‘fake news’: Interim Report 
26
3 The issue of data targeting, based 
around the Facebook, GSR and 
Cambridge Analytica allegations
92. Arguably more invasive than obviously false information is the relentless targeting of 
hyper-partisan views, which play to the fears and the prejudices of people, in order to alter 
their voting plans. This targeting formed the basis of the revelations of March 2018, which 
brought to the general public’s attention the facts about how much of their own personal 
data is in the public domain, unprotected, and available for use by different players. Some 
of the events surrounding Cambridge Analytica and its use of Facebook data had been 
revealed at the end of 2015, when Harry Davies published an article in The Guardian, 
following investigations lasting around a year, and wrote: “a little known data company 
[Cambridge Analytica] […] paid researchers at Cambridge University to gather detailed 
psychological profiles about the US electorate using a massive pool of mainly unwitting 
US Facebook users built with an online survey”.100
93. Based on our knowledge of this article, we had explored the general issues 
surrounding the manipulation of data when we questioned Facebook in February 2018. 
However, it was in March 2018 when facts about this case became better known across 
the world, including how people’s data was used to influence election campaigning, in the 
US and the UK, through the work of Carole Cadwalladr, at The Observer, and the whistle-
blower Christopher Wylie, a former employee of SCL Group, and Cambridge Analytica. 
Shortly after going public with his allegations, Christopher Wylie gave evidence to the 
Committee.101 This chapter will focus on the events that highlighted the extent of the 
misuse of data, involving various organisations including Facebook, Global Science 
Research (GSR), Cambridge Analytica, and Aggregate IQ (AIQ), and the alleged sharing 
of data in the EU Referendum. We received written and oral evidence from many of those 
intimately involved in these revelations. Issues relating to these companies and political 
campaigning are further examined in Chapter 4, as well as evidence regarding SCL’s 
involvement in overseas elections in Chapter 6.
Cambridge Analytica and micro-targeting
94. Cambridge Analytica was founded in 2012, with backing from the US hedge 
fund billionaire and Donald Trump donor, Robert Mercer, who became the majority 
shareholder.102 He was the largest donor to the super political action committee (PAC) 
that supported the presidential campaigns of Ted Cruz and Donald Trump in the 2016 
presidential election.103 Christopher Wylie argued that the funding of Cambridge 
Analytica enabled Mr Mercer to benefit from political campaigns that he supported, 
without directly spending money on them, thereby bypassing electoral finance laws: 
100 Paul-Olivier Dehaye, Q1342, referring to Ted Cruz using firm that harvested data on millions of unwitting 
Facebook users, Harry Davies, The Guardian, 11 December 2015.
101 
The DCMS Committee’s oral evidence session with Christopher Wylie and Paul-Olivier Dehaye, 27 March 2018, 
was described by Mark D’Arcy, parliamentary correspondent at the BBC, as “by a distance, the most astounding 
thing I’ve seen in Parliament”. Tweet, 17 March 2018, Mark D’Arcy.
102 Christopher Wylie, Q1273
103 Contributors, 2016 cycle, OpenSecrets.org
27
 Disinformation and ‘fake news’: Interim Report 
“[Robert Mercer] can put in $15 million to create something and then only charge $50,000 
for it. It would have been physically impossible to get the same value and level of service 
and data for that amount of money in any other way”.104
95. Cambridge Analytica was born out of the already established SCL consultancy, which 
had engaged in political campaigns around the world, using specialist communications 
techniques previously developed by the military to combat terror organisations, 
and to disrupt enemy intelligence and to give on the ground support in war zones. 
Cambridge Analytica’s primary purpose would instead be to focus on data targeting and 
communications campaigns for carefully selected Republican Party candidates in the 
United States of America.
96. Steve Bannon served as White House chief strategist at the start of President Donald 
Trump’s term, having previously been chief executive of President Trump’s general election 
campaign. He was the executive chairman of Breitbart News, a website he described as ‘the 
platform of the alt-right,’105 and was the former Vice President of Cambridge Analytica. 
A Cambridge Analytica invoice to UKIP was billed to the same address as Steve Bannon’s 
company, Glittering Steel.106 The Committee was also told that Steve Bannon introduced 
Cambridge Analytica to Arron Banks and to Leave.EU.107
97. We heard evidence from Alexander Nix, in February 2018, before the Observer and 
Guardian revelations in March 2018, and before the company and its associated company 
had gone into administration.108 Alexander Nix described the micro-targeting business 
of Cambridge Analytica:
We are trying to make sure that voters receive messages on the issues and 
policies that they care most about, and we are trying to make sure that they 
are not bombarded with irrelevant materials. That can only be good. That 
can only be good for politics, it can only be good for democracy and it can 
be good in the wider realms of communication and advertising.109
98. The use of data analytics, based on the psychological profile of the audience, was at 
the heart of the work of Cambridge Analytica, “presenting a fact that is underpinned by an 
emotion”, as described by Mr. Nix.110 In order to match the right type of message to voters, 
Cambridge Analytica needed information about voters, such as what merchandise they 
bought, what media they read, what cars they drove.111 Mr. Nix told us that “we are able to 
match these data with first-party research, being large, quantitative research instruments, 
not dissimilar to a poll. We can go out and ask audiences about their preferences […] 
indeed we can also start to probe questions about personality and other drivers that might 
be relevant to understanding their behaviour and purchasing decisions”.112 Cambridge 
Analytica used ‘OCEAN psychological analysis’ to identify issues people might support 
and how to position the arguments to them. OCEAN categorises people based on their 
104 Christopher Wylie, Qq 1410 and 1411
105 A brief history of Breitbart news, Business Insider UK, November 2016
106 Brittany Kaiser, Qq 1682–1684
107 Q1506
108 Cambridge Analytica and the SCL Group started insolvency proceedings in the US and the UK on 2 May 2018.
109 Q657
110 Q662
111 Alexander Nix, Q679
112 Q675
 Disinformation and ‘fake news’: Interim Report 
28
‘Openness’, ‘Conscientiousness’, ‘Extraversion’, ‘Agreeableness’ and ‘Neuroticism’.113 As 
Alexander Nix explained in his talk at the 2016 Concordia Annual Summit, entitled 
‘The Power of Big Data and Psychographics’, this approach helps you, for example, to 
decide how to persuade American voters on the importance of protection of the second 
amendment, which guarantees the right to keep and bear arms. In the example Mr Nix 
showed, you might play on the fears of someone who could be frightened into believing 
that they needed the right to have a gun to protect their home from intruders.114
99. When asked where the data used by Cambridge Analytica came from, Alexander 
Nix told us: “We do not work with Facebook data, and we do not have Facebook data. 
We do use Facebook as a platform to advertise, as do all brands and most agencies, or all 
agencies, I should say. We use Facebook as a means to gather data. We roll out surveys 
on Facebook that the public can engage with if they elect to”.115 When asked whether 
Cambridge Analytica was able to use information on users’ Facebook profile when they 
complete surveys, Mr. Nix replied, “No, absolutely not. Absolutely not”.116
100. Professor David Carroll, a US citizen, made a Subject Access Request (SAR) to 
Cambridge Analytica in January 2017, under the Data Protection Act 1998, because he 
believed that his data was being processed in the UK. He told us “there was no indication 
of where they obtained the data. […] We should be able to know where they got the data, 
how they processed it, what they used it for, who they shared it with and also whether we 
have a right to opt out of it and have them delete the data and stop processing it in the 
future”.117 The ICO’s investigation update of 11 July 2018 described Professor Carroll’s 
case as “a specific example of Cambridge Analytica/SCL’s poor practice with regard to 
data protection law”.118
101. The ICO served an Enforcement Notice on SCL Elections Ltd on 4 May 2018, ordering 
it to comply with the terms of the SAR, by providing copies of all personal information 
that SCL held on Professor Carroll. However, the terms of the Enforcement Notice were 
not complied with by the deadline of 3 June 2018, and the ICO is now considering criminal 
action against Cambridge Analytica and SCL Elections Ltd.119
Global Science Research
102. The Facebook data breach in 2014, and the role of Cambridge Analytica in acquiring 
this data, has been the subject of intense scrutiny. Ultimately the data breach originated 
at the source of the data, at Facebook. ‘Friends permissions’ were a set of permissions on 
Facebook between 2010 and 2014, and allowed developers to access data related to users’ 
friends, without the knowledge or express consent of those friends.120 One such developer, 
Aleksandr Kogan, an American citizen who had been born in the former Soviet Union, 
was a Research Associate and University Lecturer at the University of Cambridge in the 
113 Alexander Nix, Q679
114 Q783
115 Q682
116 Q704
117 Q571
118 
Investigation into data analytics for political purposes: investigation update, ICO, 11 July 2018
119 
Investigation into data analytics for political purposes: investigation update, ICO, 11 July 2018
120 
Sandy Parakilas, Q1202
29
 Disinformation and ‘fake news’: Interim Report 
Department of Psychology. Kogan began collaborating “directly” with Facebook in 2013, 
and he told us that they “provided me with several macro-level datasets on friendship 
connections and emoticon usage.”121
103. Professor Kogan set up his own business, Global Science Research (GSR), in the spring 
of 2014, and developed an App, called the GSR App, which collected data from users, at 
an individual level.122 It was at around this time as well that Dr Kogan was in discussions 
about working on some projects with SCL Elections and Cambridge Analytica, to see 
whether his data collection and analysis methods could help the audience targeting of 
digital campaigns. Professor Kogan explained that he did not sell the GSR App itself as 
“it is not technically challenging in any way. Facebook explains how to do it, so there is 
great documentation on this”.123 What was valuable was the data. The aim was to recruit 
around 200,000 people who could earn money by completing an online survey. Recruits 
had to download the App before they could collect payment. The App would download 
some information about the user and their friends. Each person was paid $3 or $4, which 
totalled $600,000 to $800,000 across all participants. In this case SCL paid that amount, 
and then returned to get predictions about people’s personalities, for which they paid GSR 
£230,000.124 In the latter part of 2014, after the GSR App data collection was complete, 
Professor Kogan revised the application to become an interactive personality “quiz” and 
renamed the App “thisisyourdigitallife.”125
104. The exact nature of Dr Kogan’s work on this project is set out in the contract he 
signed with SCL, on 4 June 2014, along with his business partner, Joseph Chancellor, who 
was later hired to work for Facebook.126 Alexander Nix also signed this contract on behalf 
of SCL Elections. In the ‘Project and Specification’ schedule of the contract it states that 
‘After data is collected, models are built using psychometric techniques (e.g. factor analysis, 
dimensional scaling etc) which uses Facebook likes to predict people’s personality scores. 
These models are validity tested on users who were not part of the training sample. Trait 
predictions based on Facebook likes are at near test-retest levels and have been compared 
to the predictions that romantic partners, family members and friends make about their 
traits. In all previous cases the computer-generated scores performed the best. Thus, the 
computer-generated scores can be more accurate than even the knowledge of very close 
friends and family members.’127
105. Furthermore, Dr Kogan and SCL knew that ‘scraping’ Facebook user data in this 
way was in breach of the company’s then recently revised terms of service. Instead the 
work was carried out under the terms of an agreement GSR has with Facebook which 
predated this change. It is stated in the contract that, “GSR’s method relies on a pre-
existing application functioning under Facebook’s old terms of service. New applications 
are not able to access friend networks and no other psychometric profiling applications 
exist under the old Facebook terms.”128
121 Q1770
122 Aleksandr Kogan, Q1796
123 Q1809
124 Q1809
125 Aleksandr Kogan (FKN0077)
126 Background papers submitted by Christopher Wylie, p67
127 Background papers submitted by Christopher Wylie, p84
128 Background paper submitted by Christopher Wylie, p.84
 Disinformation and ‘fake news’: Interim Report 
30
106. The purpose of the project, however, was not to carry out this testing as part of an 
experiment into the predictive nature of understanding the insights about an individual 
that are provided by Facebook likes. Rather, data would be scraped to order to support 
political campaigns. Cambridge Analytica was involved with in eleven states in the USA in 
2014. These were Arkansas, Colorado, Florida, Iowa, Louisiana, Nevada, New Hampshire, 
North Carolina, Oregon, South Carolina and West Virginia.129 Dr Kogan and his team 
were required under the contract to provide SCL with data sets that matched predictive 
personality scores, including someone’s likely political interests, to named individuals on 
the electoral register in those states.
107. When Dr Kogan gave evidence to us, he stated that he believed using Facebook likes 
to predict someone’s personality and interests was not particularly accurate. However, 
from the contract he signed with SCL in June 2014, he certainly thought it was at the 
time. Furthermore, Dr Kogan’s colleague at the Cambridge Psychometrics Centre, Michal 
Kosinski, co-authored an academic paper called ‘Tracking the Digital Footprints of 
Personality’, published in December 2014, where he re-states the case or the effectiveness 
of assessing personality from Facebook likes.130 This article claims that “Facebook likes 
are highly predictive of personality and number[s] of other psychodemographic traits, 
such as age, gender, intelligence, political and religious views, and sexual orientation”. The 
article goes on, rightly, to raise the ethical concerns that should exist in relation to this 
approach, stating that:
The results presented here may have considerable negative implications 
because it can easily be applied to large numbers of people without 
obtaining their individual consent and without them noticing. Commercial 
companies, governmental institutions, or even one’s Facebook friends could 
use software to infer personality (and other attributes, such as intelligence 
or sexual orientation) that an individual may not have intended to share. 
There is a risk that the growing awareness of such digital exposure may 
decrease their trust in digital technologies, or even completely deter them 
from them.131
108. When Alexander Nix first gave evidence to us in February 2018, he denied that Dr 
Kogan and GSR had supplied Cambridge Analytica with any data or information, and that 
his datasets were not based on information received from GSR.132 We received evidence 
from both Dr Kogan and Mr Wylie that conflicted with Mr Nix’s evidence; indeed, Mr 
Wylie described the data obtained from Dr Kogan’s GSR App as the foundation dataset of 
the company, which collected data on up to 87 million users, over 1 million of whom were 
based in the UK.133 We believe that Dr Kogan also knew perfectly well what he was doing, 
and that he was in breach of Facebook’s own codes of conduct (which he told us he did not 
consider to be operative in practice, as they were never enforced).
109. During his second appearance, Mr Nix admitted that “I accept that some of my 
answers could have been clearer, but I assure you that I did not intend to mislead you”. He 
went on to explain that Cambridge Analytica had not at that time been in possession of 
129 Background paper submitted by Christopher Wylie, pp.84–85
130 Tracking the digital footprints of personality, Michal Kosinski, proceedings of the IEEE,Vol 102, no 12, December 
2014
131 
Ibid.
132 Qq 730 to 731
133 Q1281
31
 Disinformation and ‘fake news’: Interim Report 
data from GSR, due to the fact that they had “deleted all such data licensed in good faith 
from GSR under that research contract”.134 This suggests that Mr. Nix, who by his own 
admission to the Committee tells lies, was not telling the whole truth when he gave us his 
previous version of events, in February 2018.
110. In August 2014 Dr Kogan worked with SCL to provide data on individual voters to 
support US candidates being promoted by the John Bolton Super Pac in the mid-term 
elections in November of that year. Psychographic profiling was used to micro-target 
adverts at voters across five distinct personality groups. After the campaign, according 
to an SCL presentation document seen by the Committee, the company claimed that 
there was a 39% increase in awareness of the issues featured in the campaign’s advertising 
amongst those who had received targeted messages.135 In September 2014, SCL also signed 
a contract to work with the American Conservative advocacy organisation, ‘For America’. 
Again, they used behavioural micro-targeting to support their campaign messages ahead 
of the mid-term elections that year. SCL would later claim that the 1.5million advertising 
impressions they generated through their campaign led to a 30% uplift in voter turnout, 
against the predicted turnout, for the targeted groups.
Facebook
111. Sandy Parakilas worked for Facebook for 16 months in 2011 and 2012, and told us 
that “once the data passed from Facebook servers to the developer, Facebook lost insight 
into what was being done with the data and lost control over the data”.136 There was no 
proper audit trail of where the data went and during Mr Parakilas’ 16 months of working 
there, he did not remember one audit of a developer’s storage.137 This is a fundamental 
flaw in Facebook’s model of holding data; Facebook cannot assure its users that its data is 
not being used by third parties and of the reasons for which that data may be being used.
112. Once the data had left Facebook, that data, or its derivatives, could be copied multiple 
times. Chris Vickery, Director of Cyber Risk Research at UpGuard, described to us the 
‘sticky’ nature of data: “In this type of industry, data does not just go away. It does not just 
disappear. It is sticky. It gathers up. The good stuff stays. Even the bad stuff stays, but it is 
not used. It is held in an archive somewhere. Nothing disappears”.138
113. Furthermore, that data was specific and personal to each person with a Facebook 
account, including their names, their email addresses, and could even include private 
messages.139 Tristan Harris, from the Center for Humane Technology, told us that the 
entire premise of Facebook’s App platform was exactly this—to enable third-party 
developers to have access to people’s friends’ data: “The premise of the app platform was 
to enable as many developers as possible to use that data in creative ways, to build creative 
new social applications on behalf of Facebook”.140
114. Facebook claimed that Dr Kogan had violated his agreement to use the data solely 
for academic purposes. On Friday 16 March 2018, Facebook suspended Kogan from the 
134 Q3288
135 Background papers submitted by Christopher Wylie
136 Q1188
137 Q1188
138 Q2534
139 
Sandy Parakilas, Q1206
140 Q3168
 Disinformation and ‘fake news’: Interim Report 
32
platform, issued a statement saying that he “lied” to the company, and characterised his 
activities as “a scam—and a fraud”.141 Facebook also suspended Christopher Wylie at the 
same time. On Wednesday 21 March 2018, Mark Zuckerberg called Dr Kogan’s actions a 
“breach of trust”.142 However, when Facebook gave evidence to us in February 2018, they 
failed to disclose the existence of this “breach of trust” and its implications.
115. In its commitment to update our Committee on its ongoing investigation, the ICO 
decided to publish a Notice of Intent to issue a monetary penalty to Facebook of £500,000, 
“for lack of transparency and security issues relating to the harvesting of data constituting 
breaches of the first and seventh data protection principles”, under the Data Protection 
Act 1998.143 It should be noted that, if the new Data Protection Act 2018 had been in place 
when the ICO started its investigation into Facebook, the ICO’s Notice of Intent to impose 
4% of its annual turnover of $7.87 billion, which would have totalled £315 million.
116. As recently as 20 July 2018, Facebook suspended another company that it believes 
harvested data from its site. Crimson Hexagon is based in Boston, US. Facebook is 
investigating whether this analytics firm’s contracts with the US government and a Russian 
not-for-profit organisation with ties to the Kremlin violated Facebook’s policies. For 
Crimson Hexagon to share such data with government agencies would be incredibly useful 
to those agencies, as it would show how large groups of people were feeling at a particular 
time, and could be used during political campaigns.6 Again, the same opportunities 
given by Facebook to, unwittingly, share their users’ data with Cambridge Analytica, via 
GSR, were being given, up until a few days ago, to Crimson Hexagon, despite Facebook’s 
reassurances that they were tightening their policies.
Aggregate IQ (AIQ)
117. Jeff Silvester is one of the owners of the Canadian digital advertising web and software 
development company, Aggregate IQ (AIQ), which was incorporated in 2013. Mr Silvester 
gave evidence to us in May 2018 and explained that their first work for SCL was to “create 
a political customer relationship management software tool” for the Trinidad and Tobago 
election campaigning, in 2014.144 From that work, AIQ then started developing the Ripon 
tool, software that was commissioned and would be owned by SCL:145
The Ripon tool has been described in a lot of different ways. The part that we 
have done was a political customer relationship management tool focused 
on the US market. This was software that would help with people going 
door to door. There was a tool in there that you could do phone banking so 
you could call people and get their opinions on things and keep track of all 
that sort of information.146
118. Christopher Wylie gave us a different version of Ripon: “A lot of the papers that 
eventually became the foundation of the methods that were used on the Ripon project 
came out of research that was being done at the University of Cambridge, some of which 
141 
Suspending Cambridge Analytica and SCL Group from Facebook, Facebook statement, 16 March 2018; Facebook 
gave data about 57 billion friendships to academic, The Guardian, 22 March 2018
142 Zuckerberg on data debacle: ‘It was a breach of trust’, CNN interview with Mark Zuckerberg, 22 March 2018
143 
Investigation into data analytics for political purposes: investigation update, ICO, July 2018
144 Q2770 and 2771
145 Q2779
146 Q2776