House of Commons
Digital, Culture, Media and Sport Committee

Disinformation and ‘fake news’: Interim Report

Fifth Report of Session 2017–19

Report, together with formal minutes relating to the report

Ordered by the House of Commons to be printed 24 July 2018

HC 363
Published on 29 July 2018 by authority of the House of Commons

The Digital, Culture, Media and Sport Committee

The Digital, Culture, Media and Sport Committee is appointed by the House of Commons to examine the expenditure, administration and policy of the Department for Digital, Culture, Media and Sport and its associated public bodies.

Current membership

Damian Collins MP (Conservative, Folkestone and Hythe) (Chair)
Clive Efford MP (Labour, Eltham)
Julie Elliott MP (Labour, Sunderland Central)
Paul Farrelly MP (Labour, Newcastle-under-Lyme)
Simon Hart MP (Conservative, Carmarthen West and South Pembrokeshire)
Julian Knight MP (Conservative, Solihull)
Ian C. Lucas MP (Labour, Wrexham)
Brendan O’Hara MP (Scottish National Party, Argyll and Bute)
Rebecca Pow MP (Conservative, Taunton Deane)
Jo Stevens MP (Labour, Cardiff Central)
Giles Watling MP (Conservative, Clacton)

The following Members were also members of the Committee during the inquiry

Christian Matheson MP (Labour, City of Chester)

Powers

The Committee is one of the departmental select committees, the powers of which are set out in House of Commons Standing Orders, principally in SO No 152. These are available on the internet via www.parliament.uk.

Publication

Committee reports are published on the Committee’s website at www.parliament.uk/dcmscom and in print by Order of the House. Evidence relating to this report is published on the inquiry publications page of the Committee’s website.
Committee staff

The current staff of the Committee are Chloe Challender (Clerk), Joe Watt (Second Clerk), Lauren Boyer (Second Clerk), Josephine Willows (Senior Committee Specialist), Lois Jeary (Committee Specialist), Andy Boyd (Senior Committee Assistant), Keely Bishop (Committee Assistant), Lucy Dargahi (Media Officer) and Janet Coull Trisic (Media Officer).

Contacts

All correspondence should be addressed to the Clerk of the Digital, Culture, Media and Sport Committee, House of Commons, London SW1A 0AA. The telephone number for general enquiries is 020 7219 6188; the Committee’s email address is cmscom@parliament.uk

Contents

Summary
1 Introduction and background
  Definition of ‘fake news’
  How to spot ‘fake news’
  Our recommendations in this Report
2 The definition, role and legal responsibilities of tech companies
  An unregulated sphere
  Regulatory architecture
  The Information Commissioner’s Office
  The Electoral Commission
  Platform or publisher?
  Transparency
  Bots
  Algorithms
  Privacy settings and ‘terms and conditions’
  ‘Free Basics’ and Burma
  Code of Ethics and developments
  Monopolies and the business models of tech companies
3 The issue of data targeting, based around the Facebook, GSR and Cambridge Analytica allegations
  Cambridge Analytica and micro-targeting
  Global Science Research
  Facebook
  Aggregate IQ (AIQ)
  The links between Cambridge Analytica, SCL and AIQ
4 Political campaigning
  What is a political advert?
  Electoral questions concerning the EU Referendum
  Co-ordinated campaigns
  Leave.EU and data from Eldon Insurance allegedly used for campaigning work
5 Russian influence in political campaigns
  Introduction
  Use of the data obtained by Aleksandr Kogan in Russia
  The role of social media companies in disseminating Russian disinformation
  Leave.EU, Arron Banks, and Russia
  Foreign investment in the EU Referendum
  Catalonia Referendum
  Co-ordination between UK Departments and between countries
6 SCL influence in foreign elections
  Introduction
  General
  St Kitts and Nevis
  Trinidad and Tobago
  Argentina
  Malta
  Nigeria and Black Cube
  Conclusion
7 Digital literacy
  The need for digital literacy
  Why people connect on social media
  Content on social media
  Data on social media
  A unified approach to digital literacy
  Young people
  School curriculum
Conclusions and recommendations
Annex
Formal minutes
Witnesses
Published written evidence
List of Reports from the Committee during the current Parliament

Summary

There are many potential threats to our democracy and our values. One such threat arises from what has been coined ‘fake news’, created for profit or other gain, disseminated through state-sponsored programmes, or spread through the deliberate distortion of facts, by groups with a particular agenda, including the desire to affect political elections. Such has been the impact of this agenda, the focus of our inquiry moved from understanding the phenomenon of ‘fake news’, distributed largely through social media, to issues concerning the very future of democracy. Arguably, more invasive than obviously false information is the relentless targeting of hyper-partisan views, which play to the fears and prejudices of people, in order to influence their voting plans and their behaviour.
We are faced with a crisis concerning the use of data, the manipulation of our data, and the targeting of pernicious views. In particular, we heard evidence of Russian state-sponsored attempts to influence elections in the US and the UK through social media, of the efforts of private companies to do the same, and of law-breaking by certain Leave campaign groups in the UK’s EU Referendum in their use of social media. In this rapidly changing digital world, our existing legal framework is no longer fit for purpose.

This is very much an interim Report, following an extensive inquiry. A further, substantive Report will follow in the autumn of 2018. We have highlighted significant concerns, following recent revelations regarding, in particular, political manipulation and we set out areas where urgent action needs to be taken by the Government and other regulatory agencies to build resilience against misinformation and disinformation into our democratic system. Our democracy is at risk, and now is the time to act, to protect our shared values and the integrity of our democratic institutions.

1 Introduction and background

1. In this inquiry, we have studied the spread of false, misleading, and persuasive content, and the ways in which malign players, whether automated or human, or both together, distort what is true in order to create influence, to intimidate, to make money, or to influence political elections.

2.
People are increasingly finding out about what is happening in this country, in their local communities, and across the wider world, through social media, rather than through more traditional forms of communication, such as television, print media, or the radio.1 Social media has become hugely influential in our lives.2 Research by the Reuters Institute for the Study of Journalism has shown that not only are huge numbers of people accessing news and information worldwide through Facebook, in particular, but also through social messaging software such as WhatsApp. When such media are used to spread rumours and ‘fake news’, the consequences can be devastating.3

3. Tristan Harris, Co-founder and Executive Director, at the Center for Humane Technology—an organisation seeking to realign technology with the best interests of its users—told us about the many billions of people who interact with social media: “There are more than 2 billion people who use Facebook, which is about the number of conventional followers of Christianity. There are about 1.8 billion users of YouTube, which is about the number of conventional followers of Islam. People check their phones about 150 times a day in the developed world.”4 This equates to once every 6.4 minutes in a 16-hour day. This is a profound change in the way in which we access information and news, one which has occurred without conscious appreciation by most of us.

4. This kind of evidence led us to explore the use of data analytics and psychological profiling to target people on social media with political content, as its political impact has been profound, but largely unappreciated. The inquiry was launched in January 2017 in the previous Parliament, and then relaunched in the autumn, following the June 2017 election. The inquiry’s Terms of Reference were as follows:

• What is ‘fake news’? Where does biased but legitimate commentary shade into propaganda and lies?
• What impact has fake news on public understanding of the world, and also on the public response to traditional journalism? If all views are equally valid, does objectivity and balance lose all value?
• Is there any difference in the way people of different ages, social backgrounds, genders etc use and respond to fake news?
• Have changes in the selling and placing of advertising encouraged the growth of fake news, for example by making it profitable to use fake news to attract more hits to websites, and thus more income from advertisers?5

1 News consumption in the UK: 2016, Ofcom, 29 June 2017
2 Tristan Harris, Co-founder and Executive Director, Center for Humane Technology, Q3147
3 The seventh annual Digital News Report, by the Reuters Institute for the Study of Journalism, University of Oxford was based on a YouGov online survey of 74,000 people in 37 countries.
4 Tristan Harris, Q3147
5 Terms of reference, Fake News inquiry, DCMS Committee, 15 September 2017.

5. We will address the wider areas of our Terms of Reference, including the role of advertising, in our further Report this autumn. In recent months, however, our inquiry delved increasingly into the political use of social media, raising concerns that we wish to address immediately. We had asked representatives from Facebook, in February 2018, about Facebook developers and data harvesting.6 Then, in March 2018, Carole Cadwalladr of The Observer,7 together with Channel 4 News, and the New York Times, published allegations about Cambridge Analytica (and associated companies) and its work with Global Science Research (GSR), and the misuse of Facebook data.8 Those allegations put into question the use of data during the EU Referendum in 2016, and the extent of foreign interference in UK politics. Our oral evidence sessions subsequently focussed on those specific revelations, and we invited several people involved to give evidence.
The allegations highlighted both the amount of data that private companies and organisations hold on individuals, and the ability of technology to manipulate people.

6. This transatlantic media coverage brought our Committee into close contact with other parliaments around the world. The US Senate Select Committee on Intelligence, the US House of Representatives Permanent Select Committee on Intelligence, the European Parliament, and the Canadian Standing Committee on Access to Information, Privacy, and Ethics all carried out independent investigations. We shared information, sometimes live, during the hearings. Representatives from other countries, including Spain, France, Estonia, Latvia, Lithuania, Australia, Singapore, Canada, and Uzbekistan, have visited London, and we have shared our evidence and thoughts. We were also told about the work of SCL Elections—and other SCL associates, including Cambridge Analytica—set up by the businessman Alexander Nix; their role in manipulating foreign elections; and the financial benefits they gained through those activities. What became clear is that, without the knowledge of most politicians and election regulators across the world, not to mention the wider public, a small group of individuals and businesses had been influencing elections across different jurisdictions in recent years.

7. We invited many witnesses to give evidence. Some came to the Committee willingly, others less so. We were forced to summon two witnesses: Alexander Nix, former CEO of Cambridge Analytica; and Dominic Cummings, Campaign Director of Vote Leave, the designated Leave campaign group in the EU Referendum. While Mr. Nix subsequently agreed to appear before the Committee, Dominic Cummings still refused.
We were then compelled to ask the House to support a motion ordering Mr Cummings to appear before the Committee.9 At the time of writing he has still not complied with this Order, and the matter has been referred by the House to the Committee of Privileges. Mr Cummings’ contemptuous behaviour is unprecedented in the history of this Committee’s inquiries and underlines concerns about the difficulties of enforcing co-operation with Parliamentary scrutiny in the modern age. We will return to this issue in our Report in the autumn, and believe it to be an urgent matter for consideration by the Privileges Committee and by Parliament as a whole.

6 Monika Bickert, Q389
7 In June 2018, Carole Cadwalladr won the Orwell journalism prize, for her investigative work into Cambridge Analytica, which culminated in a series of articles from March 2018.
8 Harry Davies had previously published the following article Ted Cruz using firm that harvested data on millions of unwitting Facebook users, in The Guardian, on 11 December 2015, which first revealed the harvesting of data from Facebook.
9 Following the motion being passed, Dominic Cummings did not appear before the Committee. The matter was then referred to the Privileges Committee on 28 June 2018.

8. In total, we held twenty oral evidence sessions, including two informal background sessions, and heard from 61 witnesses, asking over 3,500 questions at these hearings. We received over 150 written submissions, numerous pieces of background evidence, and undertook substantial exchanges of correspondence with organisations and individuals. We held one oral evidence session in Washington D.C. (the first time a Select Committee has held a public, live broadcast oral evidence session abroad) and also heard from experts in the tech field, journalists and politicians, in private meetings, in Washington and New York.
Most of our witnesses took the Select Committee process seriously, and gave considered, thoughtful evidence, specific to the context of our inquiry. We thank witnesses, experts, politicians, and individuals (including whistle-blowers) whom we met in public and in private, in this country and abroad, and who have been generous with their expertise, knowledge, help and ideas.10 We also thank Dr Lara Brown and her team at the Graduate School of Political Management at George Washington University, for hosting the Select Committee’s oral evidence session in the US.

9. As noted above, this is our first Report on misinformation and disinformation. Another Report will be published in the autumn of 2018, which will include more substantive recommendations, and also detailed analysis of data obtained from the insecure AggregateIQ website, harvested and submitted to us by Chris Vickery, Director of Cyber Risk Research at UpGuard.11 Aggregate IQ is one of the businesses involved most closely in influencing elections.

10. Since we commenced this inquiry, the Electoral Commission has reported on serious breaches by Vote Leave and other campaign groups during the 2016 EU Referendum; the Information Commissioner’s Office has found serious data breaches by Facebook and Cambridge Analytica, amongst others; the Department for Digital, Culture, Media and Sport (DDCMS) has launched the Cairncross Review into press sustainability in the digital age; and, following a Green Paper in May, 2018, the Government has announced its intention to publish a White Paper later this year into making the internet and social media safer.
This interim Report, therefore, focuses at this stage on seven of the areas covered in our inquiry:

• Definition of fake news, and how to spot it;
• Definition, role and legal liabilities of social media platforms;
• Data misuse and targeting, focussing on the Facebook/Cambridge Analytica/AIQ revelations;
• Political campaigning;
• Foreign players in UK elections and referenda;
• Co-ordination of Departments within Government;
• Digital literacy.

10 Our expert adviser for the inquiry was Dr Charles Kriel, Associate Fellow at the King’s Centre for Strategic Communications (KCSC), King’s College London. His Declaration of Interests are: Director, Kriel.Agency, a digital media and social data consulting agency; Countering Violent Extremism Programme Director, Corsham Institute, a civil society charity; and Cofounder and shareholder, Lightful, a social media tool for charities.
11 In the early autumn, we hope to invite Ofcom and the Advertising Standards Authority to give evidence, and to re-invite witnesses from the Information Commissioner’s Office and the Electoral Commission, and this oral evidence will also inform our substantive Report.

Definition of ‘fake news’

11. There is no agreed definition of the term ‘fake news’, which became widely used in 2016 (although it first appeared in the US in the latter part of the 19th century).12 Claire Wardle, from First Draft, told us in our oral evidence session in Washington D.C.
that “when we are talking about this huge spectrum, we cannot start thinking about regulation, and we cannot start talking about interventions, if we are not clear about what we mean”.13 It has been used by some, notably the current US President Donald Trump, to describe content published by established news providers that they dislike or disagree with, but is more widely applied to various types of false information, including:

• Fabricated content: completely false content;
• Manipulated content: distortion of genuine information or imagery, for example a headline that is made more sensationalist, often popularised by ‘clickbait’;
• Imposter content: impersonation of genuine sources, for example by using the branding of an established news agency;
• Misleading content: misleading use of information, for example by presenting comment as fact;
• False context of connection: factually accurate content that is shared with false contextual information, for example when a headline of an article does not reflect the content;
• Satire and parody: presenting humorous but false stories as if they are true. Although not usually categorised as fake news, this may unintentionally fool readers.14

12. In addition to the above is the relentless prevalence of ‘micro-targeted messaging’, which may distort people’s views and opinions.15 The distortion of images is a related problem; evidence from MoneySavingExpert.com cited celebrities who have had their images used to endorse scam money-making businesses, including Martin Lewis, whose face has been used in adverts across Facebook and the internet for scams endorsing products including binary trading and energy products.16 There are also ‘deepfakes’, audio and videos that look and sound like a real person, saying something that that person has never said.17 These examples will only become more complex and harder to spot, the more sophisticated the software becomes.

13.
There is no regulatory body that oversees social media platforms and written content including printed news content, online, as a whole. However, in the UK, under the Communications Act 2003, Ofcom sets and enforces content standards for television and radio broadcasters, including rules relating to accuracy and impartiality.18 On 13 July 2018, Ofcom’s Chief Executive, Sharon White, called for greater regulation of social media, and announced plans to release an outline of how such regulation could work in the autumn of this year.19 We shall assess these plans in our further Report.

12 Fake News: A Roadmap, NATO Strategic Centre for Strategic Communications, Riga and King’s Centre for Strategic Communications (KCSC), January 2018.
13 Claire Wardle, Q573
14 Online information and fake news, Parliamentary Office of Science and Technology, July 2017, box 4. Also see First Draft News, Fake news. It’s complicated, February 2017; Ben Nimmo (FNW0125); Full Fact, (FNW0097)
15 Micro-targeting of messages will be explored in greater detail in Chapter 4.
16 MoneySavingExpert.com (FKN0068)
17 Edward Lucas, Q881

14. The term ‘fake news’ is bandied around with no clear idea of what it means, or agreed definition. The term has taken on a variety of meanings, including a description of any statement that is not liked or agreed with by the reader. We recommend that the Government rejects the term ‘fake news’, and instead puts forward an agreed definition of the words ‘misinformation’ and ‘disinformation’. With such a shared definition, and clear guidelines for companies, organisations, and the Government to follow, there will be a shared consistency of meaning across the platforms, which can be used as the basis of regulation and enforcement.

15.
We recommend that the Government uses the rules given to Ofcom under the Communications Act 2003 to set and enforce content standards for television and radio broadcasters, including rules relating to accuracy and impartiality, as a basis for setting standards for online content. We look forward to hearing Ofcom’s plans for greater regulation of social media this autumn. We plan to comment on these in our further Report.

How to spot ‘fake news’

16. Standards surrounding fact-checking exist, through the International Fact-Checking Network’s Code of Principles, signed by the majority of major fact-checkers.20 A recent report of the independent High-Level Expert Group on Fake News and Online Disinformation highlighted that, while a Code of Principles exists, fact-checkers themselves must continually improve on their own transparency.21

17. Algorithms are being used to help address the challenges of misinformation. We heard evidence from Professor Kalina Bontcheva, who conceived and led the Pheme research project, which aims to create a system to automatically verify online rumours and thereby allow journalists, governments and others to check the veracity of stories on social media.22 Algorithms are also being developed to help to identify fake news. The fact-checking organisation, Full Fact, received funding from Google to develop an automated fact-checking tool for journalists.23 Facebook and Google have also altered their algorithms so that content identified as misinformation ranks lower.24 Many organisations are exploring ways in which content on the internet can be verified, kite-marked, and graded according to agreed definitions.25

18.
The Government should support research into the methods by which misinformation and disinformation are created and spread across the internet: a core part of this is fact-checking. We recommend that the Government initiate a working group of experts to create a credible annotation of standards, so that people can see, at a glance, the level of verification of a site. This would help people to decide on the level of importance that they put on those sites.

18 Ofcom (FNW0107)
19 ‘It’s time to regulate social media sites that publish news’ The Times 13 July 2018
20 The International Fact-Checking Network website, accessed 21 June 2018.
21 A multi-dimensional approach to disinformation, Report of the independent High Level Expert Group on Fake News and Online Disinformation, March 2018.
22 Pheme website, www.pheme.eu, accessed 21 June 2018
23 Full Fact website, fullfact.org, accessed 21 June 2018
24 Mosseri, Facebook, “Working to stop misinformation and false news”. 6/4/2017
25 Full Fact (FNW0097); Disinformation Index (FKN0058); HonestReporting (FKN0047); Factmata Limited, UK (FKN0035).

Our recommendations in this Report

19. During the course of this inquiry we have wrestled with complex, global issues, which cannot easily be tackled by blunt, reactive and outmoded legislative instruments. In this Report, we suggest principle-based recommendations which are sufficiently adaptive to deal with fast-moving technological developments. We look forward to hearing the Government’s response to these recommendations.

20. We also welcome submissions to the Committee from readers of this interim Report, based on these recommendations, and on specific areas where the recommendations can incorporate work already undertaken by others. This inquiry has grown through collaboration with other countries, organisations, parliamentarians, and individuals, in this country and abroad, and we want this co-operation to continue.
2 The definition, role and legal responsibilities of tech companies

21. At the centre of the argument about misinformation and disinformation is the role of tech companies, on whose platforms content is disseminated.26 Throughout the chapter, we shall use the term ‘tech companies’ to indicate the different types of social media and internet service providers, such as Facebook, Twitter, and Google. It is important to note that a series of mergers and acquisitions mean that a handful of tech companies own the major platforms. For example, Facebook owns Instagram and WhatsApp; Alphabet owns both Google and YouTube.

22. The word ‘platform’ suggests that these companies act in a passive way, posting information they receive, and not themselves influencing what we see, or what we do not see. However, this is a misleading term; tech companies do control what we see, by their very business model. They want to engage us from the moment we log onto their sites and into their apps, in order to generate revenue from the adverts that we see. In this chapter, we will explore: the definitions surrounding tech companies; the companies’ power in choosing and disseminating content to users; and the role of the Government and the tech companies themselves in ensuring that those companies carry out their business in a transparent, accountable way.

An unregulated sphere

23. Tristan Harris of the Center for Humane Technology27 provided a persuasive narrative of the development and role of social media platforms, telling us that engagement of the user is an integral part both of tech companies’ business model and of their growth strategy:

They set the dial; they don’t want to admit that they set the dial, and instead they keep claiming, “We’re a neutral platform,” or, “We’re a neutral tool,” but in fact every choice they make is a choice architecture.
They are designing how compelling the thing that shows up next on the news feed is, and their admission that they can already change the news feeds so that people spend less time [on it] shows that they do have control of that.28

24. Mr Harris told us that, while we think that we are in control of what we look at when we check our phones (on average, around 150 times a day), our mind is being hijacked, as if we were playing a slot machine:

Every time you scroll, you might as well be playing a slot machine, because you are not sure what is going to come up next on the page. A slot machine is a very simple, powerful technique that causes people to want to check in all the time. Facebook and Twitter, by being social products—by using your social network—have an infinite supply of new information that they could show you. There are literally thousands of things that they could populate that news feed with, which turns it into that random-reward slot machine.29

26 As of February 2018, 79% of the UK population had Facebook accounts, 79% used YouTube, and 47% used Twitter, https://weareflint.co.uk/press-release-social-media-demographics-2018
27 The Center for Humane Technology website, accessed 27 June 2018
28 Tristan Harris, Q3149

25. Coupled with this is the relentless feed of information that we receive on our phones, which is driven by tech engineers “who know a lot more about how your mind works than you do. They play all these different tricks every single day and update those tricks to keep people hooked”.30

Regulatory architecture

The Information Commissioner’s Office

26.
The Information Commissioner is a non-departmental public body, with statutory responsibility “for regulating the processing of personal data” in the United Kingdom,31 including the enforcement of the new Data Protection Act 2018 and the General Data Protection Regulation (GDPR).32 The ICO’s written evidence describes the Commission’s role as “one of the sheriffs of the internet”.33

27. The Commissioner, Elizabeth Denham, highlighted the “behind the scenes algorithms, analysis, data matching and profiling” which mean that people’s data is being used in new ways to target them with information.34 She sees her role as showing the public how personal data is collected, used and shared through advertising and through the micro-targeting of messages delivered through social media.35 She has a range of powers to ensure that personal data is processed within the legislative framework, including the serving of an information notice, requiring specified information to be provided within a defined timeframe.

28. The 2018 Act extends the Commissioner’s powers to conduct a full audit where she suspects that data protection legislation has, or is being, contravened and to order a company to stop processing data. Elizabeth Denham told us that these would be “powerful” measures.36 The recent legislative changes also increased the maximum fine that the Commissioner can levy, from £500,000 to £17 million or 4% of global turnover, whichever is greater, and set out her responsibilities for international co-operation on the enforcement of data protection legislation.37

29. The Data Protection Act 2018 created a new definition, called “Applied GDPR”, to describe an amended version of the GDPR, when European Union law does not apply (when the UK leaves the EU). Data controllers would still need to assess whether they are subject to EU law, in order to decide whether to follow the GDPR or the Applied GDPR.
29 Q3147
30 Tristan Harris, Q3147
31 Elizabeth Denham, Information Commissioner (FKN0051)
32 The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and is a regulation under EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018).
33 Elizabeth Denham, Information Commissioner (FKN0051)
34 Elizabeth Denham, Information Commissioner (FKN0051)
35 Elizabeth Denham, Information Commissioner (FKN0051)
36 Q907
37 Guide to the GDPR, ICO website, accessed 21 July 2018

Apart from the exceptions laid down in the GDPR, all personal data processed in the United Kingdom comes within the scope of European Union law, until EU law no longer applies to the United Kingdom. However, when the United Kingdom leaves the EU, social media companies could “process personal data of people in the UK from bases in the US without any coverage of data protection law. Organisations that emulate Cambridge Analytica could set up in offshore locations and profile individuals in the UK without being subject to any rules on processing personal data”, according to Robert Madge, CEO of the Swiss data management company Xifrat Daten.38

30. The Data Protection Act 2018 gives greater protection to people’s data than did its predecessor, the 1998 Data Protection Act, and follows the law set out in the GDPR. However, when the UK leaves the EU, social media companies will be able to process personal data of people in the UK from bases in the US, without any coverage of data protection law. We urge the Government to clarify this loophole in a White Paper this autumn.

Investigation into the use of data analytics for political purposes

31. In May 2017, the ICO announced a formal investigation into the use of data analytics for political purposes.
The investigation has two strands: explaining how personal data is used in the context of political messaging; and taking enforcement action against any found breaches of data protection legislation.39 The investigation has involved 30 organisations, including Facebook and Cambridge Analytica. Elizabeth Denham said of the investigation:

For the public, we need to be able to understand why an individual sees a certain ad. Why does an individual see a message in their newsfeed that somebody else does not see? We are really the data cops here. We are doing a data audit to be able to understand and to pull back the curtain on the advertising model around political campaigning and elections.40

32. In response to our request for the ICO to provide an update on the investigation into data analytics in political campaigning, the Commissioner duly published this update on 11 July 2018.41 We are grateful to the Commissioner for providing such a useful, detailed update on her investigations, and we look forward to receiving her final report in due course.

33. The ICO has been given extra responsibilities, but with those responsibilities should come extra resources. Christopher Wylie, a whistle-blower and ex-SCL employee, has had regular contact with the ICO, and he explained that the organisation has limited resources to deal with its responsibilities: “A lot of the investigators do not have a robust technical background. […] They are in charge of regulating data, which means that they should have a lot of people who understand how databases work”.42

34. Paul-Olivier Dehaye, founder of PersonalDataIO, told us that he had sent a letter to the ICO in August 2016, asking them if they were investigating Cambridge Analytica, because of the information about the company that was publicly available at that time. He told us that “if the right of access was made much more efficient, because of increased staffing at the ICO, this right would be adopted by [...] educators, journalists, activists, academics, as a tool to connect civil society with the commercial world and to help document what is happening”.43 Data scientists at the ICO need to be able to cope with new technologies that are not even in existence at the moment and, therefore, the ICO needs to be as technically expert, if not more so, than the experts in private tech companies.

38 Brexit risk to UK personal data, Robert Madge, Medium, 22 June 2018
39 Q895
40 Q899
41 Investigation into the use of data analytics in political campaigns: investigation update, ICO, July 2018.
42 Q1460

35. The Commissioner told us that the Government had given the ICO pay flexibility to retain and recruit more expert staff: “We need forensic investigators, we need senior counsel and lawyers, we need access to the best, and maybe outside counsel, to be able to help us with some of these really big files”.44 We are unconvinced that pay flexibility will be enough to retain and recruit technical experts.

36. We welcome the increased powers that the Information Commissioner has been given as a result of the Data Protection Act 2018, and the ability to be able to look behind the curtain of tech companies, and to examine the data for themselves. However, to be a sheriff in the wild west of the internet, which is how the Information Commissioner has described her office, the ICO needs to have the same if not more technical expert knowledge as those organisations under scrutiny. The ICO needs to attract and employ more technically-skilled engineers who not only can analyse current technologies, but have the capacity to predict future technologies. We acknowledge the fact that the Government has given the ICO pay flexibility to retain and recruit more expert staff, but it is uncertain whether pay flexibility will be enough to retain and attract the expertise that the ICO needs.
We recommend that the White Paper explores the possibility of major investment in the ICO and the way in which that money should be raised. One possible route could be a levy on tech companies operating in the UK, to help pay for the expanded work of the ICO, in a similar vein to the way in which the banking sector pays for the upkeep of the Financial Conduct Authority.

The Electoral Commission

37. The Electoral Commission is responsible for regulating and enforcing the rules that govern political campaign finance in the UK. Their priority is to ensure appropriate transparency and voter confidence in the system.45 However, concerns have been expressed about the relevance of that legislation in an age of social media and online campaigning. Claire Bassett, the Electoral Commission’s Chief Executive, told us that, “It is no great secret that our electoral law is old and fragmented. It has developed over the years, and we struggle with the complexity created by that, right across the work that we do.”46

38.
The use of social media in political campaigning has had major consequences for the Electoral Commission’s work.47 As a financial regulator, the Electoral Commission regulates “by looking at how campaigners and parties receive income, and how they spend that.”48 While that is primarily achieved through the spending returns submitted by registered campaigners, the Commission also conducts real-time monitoring of campaign activities, including on social media, so that it can then compare the facts with what it is being told.49 Where the Electoral Commission suspects or identifies that rules have been breached it has the power to conduct investigations, refer matters to the police, and issue sanctions, including fines.

43 Q1460
44 Q923
45 Electoral Commission (FNW0048)
46 Q2617
47 The Electoral Commission’s remit covers the UK only and it has no power to intervene or to stop someone acting if they are outside the UK (Claire Bassett, Q2655)
48 Q2617

39. At present, campaign spending is declared under broad categories such as ‘advertising’ and ‘unsolicited material to electors’, with no specific category for digital campaigning, not to mention the many subcategories covered by paid and organic campaigning, and combinations thereof. Bob Posner, the Electoral Commission’s Director of Political Finance and Regulation and Legal Counsel, told us that “A more detailed category of spending would be helpful to understand what is spent on services, advertising, leaflets, posters or whatever it might be, so anyone can interrogate and question it.”50 The Electoral Commission has since recommended that legislation be amended so that spending returns clearly detail digital campaigning.51

40. Spending on election or referendum campaigns by foreign organisations or individuals is not allowed. We shall be exploring issues surrounding the donation to Leave.EU by Arron Banks in Chapter 4, but another example involving Cambridge Analytica was brought to our attention by Arron Banks himself. A document from Cambridge Analytica’s presentation pitch to Leave.EU stated that “We will co-ordinate a programme of targeted solicitation, using digital advertising and other media as appropriate to raise funds for Leave.EU in the UK, the USA, and in other countries.”52 In response to a question asking whether he had taken legal advice on this proposal, Alexander Nix, the then CEO of Cambridge Analytica, replied, “We took a considerable amount of legal advice and, at the time, it was suggested by our counsel that we could target British nationals living abroad for donations. I believe […] that there is still some lack of clarity about whether this is true or not.”53

41. When giving evidence, the Electoral Commission repeated a recommendation first made in 2003 that online campaign material should legally be required to carry a digital imprint, identifying the source. While the Electoral Commission’s remit does not cover the content of campaign material, and it is “not in a position to monitor the truthfulness of campaign claims, online or otherwise”, it holds that digital imprints “will help voters to assess the credibility of campaign messages.”54 A recent paper from Upturn, Leveling the platform: real transparency for paid messages on Facebook, highlighted the fact that “ads can be shared widely, and live beyond indication that their distribution was once subsidized. And they can be targeted with remarkable precision”.55 For this reason, we believe digital imprints should be clear and make it easy for users to identify what is in adverts and who the advertiser is.
49 Q2717
50 Q2668
51 Digital campaigning: increasing transparency for voters, Electoral Commission, 25 June 2018, p12
52 Arron Banks (FKN0056)
53 Q3331
54 Digital campaigning: increasing transparency for voters, Electoral Commission, 25 June 2018, p9
55 Leveling the platform: real transparency for paid messages on Facebook, Upturn, May 2018

42. The Electoral Commission published a report on 26 June 2018, calling for the law to be strengthened around digital advertising and campaigning, including:

• A change in the law to require all digital political campaign material to state who paid for it, bringing online adverts in line with physical leaflets and adverts;
• New legislation to make it clear that spending in UK elections and referenda by foreign organisations and individuals is not allowed;
• An increase in the maximum fine, currently £20,000 per offence, that the Electoral Commission can impose on organisations and individuals who break the rules;
• Tougher requirements for political campaigns to declare their spending soon after or during a campaign, rather than months later;
• A requirement for all campaigners to provide more detailed paperwork on how they spent money online.56

43. Claire Bassett told us that the current maximum fine that the Electoral Commission can impose on wrongdoings in political campaigning is £20,000, which she said is described as “the cost of doing business” for some individuals and organisations. Ms Bassett said that this amount was too low and should be increased, in line with other regulators that can impose more significant fines.57 She also commented on how she would like a change to the regulated periods, particularly in reference to referenda:

One of the challenges we have as regulator is that we are a financial regulator, and we regulate the parties and campaigners, usually during just that regulated period or the extended period that is set out.
That does create challenges in a referendum setting. We think there is value in looking at those campaign regulated periods and thinking about how they work.58

We are aware that the Report of the Independent Commission on Referendums made similar recommendations in its report of July 2018.59

44. The globalised nature of social media creates challenges for regulators. In evidence Facebook did not accept their responsibilities to identify or prevent illegal election campaign activity from overseas jurisdictions. In the context of outside interference in elections, this position is unsustainable and Facebook, and other platforms, must begin to take responsibility for the way in which their platforms are used.

45. Electoral law in this country is not fit for purpose for the digital age, and needs to be amended to reflect new technologies. We support the Electoral Commission’s suggestion that all electronic campaigning should have easily accessible digital imprint requirements, including information on the publishing organisation and who is legally responsible for the spending, so that it is obvious at a glance who has sponsored that campaigning material, thereby bringing all online advertisements and messages into line with physically published leaflets, circulars and advertisements. We note that a similar recommendation was made by the Committee on Standards in Public Life, and urge the Government to study the practicalities of giving the Electoral Commission this power in its White Paper.

56 Digital campaigning: increasing transparency for voters, Electoral Commission, 25 June 2018
57 Q2618
58 Claire Bassett, Q2617
59 Report of the Independent Commission on Referendums, UCL Constitution Unit, July 2018

46.
As well as having digital imprints, the Government should consider the feasibility of clear, persistent banners on all paid-for political adverts and videos, indicating the source and making it easy for users to identify what is in the adverts, and who the advertiser is.

47. The Electoral Commission’s current maximum fine limit of £20,000 should be changed to a larger fine based on a fixed percentage of turnover, such as has been granted recently to the Information Commissioner’s Office in the Data Protection Act 2018. Furthermore, the Electoral Commission should have the ability to refer matters to the Crown Prosecution Service, before their investigations have been completed.

48. Electoral law needs to be updated to reflect changes in campaigning techniques, and the move from physical leaflets and billboards to online, micro-targeted political campaigning, as well as the many digital subcategories covered by paid and organic campaigning. The Government must carry out a comprehensive review of the current rules and regulations surrounding political work during elections and referenda, including: increasing the length of the regulated period; definitions of what constitutes political campaigning; absolute transparency of online political campaigning; a category introduced for digital spending on campaigns; reducing the time for spending returns to be sent to the Electoral Commission (the current time for large political organisations is six months); and increasing the fine for not complying with the electoral law.

49. The Government should consider giving the Electoral Commission the power to compel organisations that it does not specifically regulate, including tech companies and individuals, to provide information relevant to their inquiries, subject to due process.

50.
The Electoral Commission should also establish a code for advertising through social media during election periods, giving consideration to whether such activity should be restricted during the regulated period, to political organisations or campaigns that have registered with the Commission. Both the Electoral Commission and the ICO should consider the ethics of Facebook or other relevant social media companies selling lookalike political audiences to advertisers during the regulated period, where they are using the data they hold on their customers to guess whether their political interests are similar to those profiles held in target audiences already collected by a political campaign. In particular, we would ask them to consider whether users of Facebook or other relevant social media companies should have the right to opt out from being included in such lookalike audiences.

Platform or publisher?

51. How should tech companies be defined—as a platform, a publisher, or something in between? The definition of ‘publisher’ gives the impression that tech companies have the potential to limit freedom of speech, by choosing what to publish and what not to publish. Monika Bickert, Head of Global Policy Management, Facebook, told us that “our community would not want us, a private company, to be the arbiter of truth”.60 The definition of ‘platform’ gives the impression that these companies do not create or control the content themselves, but are merely the channel through which content is made available. Yet Facebook is continually altering what we see, as is shown by its decision to prioritise content from friends and family, which then feeds into users’ newsfeed algorithm.61

60 Q431

52. Frank Sesno, Director of the School of Media and Public Affairs, George Washington University, told us in Washington D.C.
that “they have this very strange, powerful, hybrid identity as media companies that do not create any of the content but should and must—to their own inadequate levels—accept some responsibility for promulgating it. What they fear most is regulation—a requirement to turn over their data”.62

53. At both our evidence session and at a separate speech in March 2018, the then Secretary of State for DCMS, Rt Hon Matt Hancock MP, noted the complexity of making any legislative changes to tech companies’ liabilities, putting his weight behind “a new definition” that was “more subtle” than the binary choice between platform and publisher.63 He told us that the Government has launched the Cairncross Review to look (within the broader context of the future of the press in the UK) at the role of the digital advertising supply chain, at how fair and transparent it is, and whether it “incentivises the proliferation of inaccurate and/or misleading news.” The review is also examining the role and impact of digital search engines and social media companies including an assessment of regulation “or further collaboration between the platforms and publishers.” The consultation closes in September 2018.64

54. In Germany, tech companies were asked to remove hate speech within 24 hours. This self-regulation did not work, so the German Government passed the Network Enforcement Act, commonly known as NetzDG, which became law in January 2018. This legislation forces tech companies to remove hate speech from their sites within 24 hours, and fines them 20 million Euros if it is not removed.65

55. Some say that the NetzDG regulation is a blunt instrument, which could be seen to tamper with free speech, and is specific to one country, when the extent of the content spans many countries.
Monika Bickert, from Facebook, told us that “sometimes regulations can take us to a place—you have probably seen some of the commentary about the NetzDG law in Germany—where there will be broader societal concerns about content that we are removing and whether that line is in the right place”.66 The then Secretary of State was also wary of the German legislation because “when a regulator gets to the position where they are policing the publication of politicians then you are into tricky territory”.67 However, as a result of this law, one in six of Facebook’s moderators now works in Germany, which is practical evidence that legislation can work.68

56. Within social media, there is little or no regulation. Hugely important and influential subjects that affect us—political opinions, mental health, advertising, data privacy—are being raised, directly or indirectly, in these tech spaces. People’s behaviour is being modified and changed as a result of social media companies. There is currently no sign of this stopping.

61 Monika Bickert, Q434
62 Frank Sesno, Q583
63 Matt Hancock MP on ‘The Future of the Media’ at the Oxford Media Convention, Monday 12 March 2018 and Q977
64 Terms of reference, Cairncross Review, DCMS, 12 March 2018.
65 Germany starts enforcing hate speech law, BBC, 1 January 2018
66 Q386
67 Q973
68 Professor Lewandowsky, Q233

57. Social media companies cannot hide behind the claim of being merely a ‘platform’, claiming that they are tech companies and have no role themselves in regulating the content of their sites. That is not the case; they continually change what is and is not seen on their sites, based on algorithms and human intervention. However, they are also significantly different from the traditional model of a ‘publisher’, which commissions, pays for, edits and takes responsibility for the content it disseminates.

58.
We recommend that a new category of tech company is formulated, which tightens tech companies’ liabilities, and which is not necessarily either a ‘platform’ or a ‘publisher’. We anticipate that the Government will put forward these proposals in its White Paper later this year and hope that sufficient time will be built in for our Committee to comment on new policies and possible legislation.

59. We support the launch of the Government’s Cairncross Review, which has been charged with studying the role of the digital advertising supply chain, and whether its model incentivises the proliferation of inaccurate or misleading news. We propose that this Report is taken into account as a submission to the Cairncross Review. We recommend that the possibility of the Advertising Standards Agency regulating digital advertising be considered as part of the Review. We ourselves plan to take evidence on this question this autumn, from the ASA themselves, and as part of wider discussions with DCMS and Ofcom.

60. It is our recommendation that this process should establish clear legal liability for the tech companies to act against harmful and illegal content on their platforms. This should include both content that has been referred to them for takedown by their users, and other content that should have been easy for the tech companies to identify for themselves. In these cases, failure to act on behalf of the tech companies could leave them open to legal proceedings launched either by a public regulator, and/or by individuals or organisations who have suffered as a result of this content being freely disseminated on a social media platform.

Transparency

61. What we found, time and again, during the course of our inquiry, was the failure on occasions of Facebook and other tech companies, to provide us with the information that we sought.
We undertook fifteen exchanges of correspondence with Facebook, and two oral evidence sessions, in an attempt to elicit some of the information that they held, including information regarding users’ data, foreign interference and details of the so-called ‘dark ads’ that had reached Facebook users.69 Facebook consistently responded to questions by giving the minimal amount of information possible, and routinely failed to offer information relevant to the inquiry, unless it had been expressly asked for. It provided witnesses who have been unwilling or unable to give full answers to the Committee’s questions. This is the reason why the Committee has continued to press for Mark Zuckerberg to appear as a witness as, by his own admission, he is the person who decides what happens at Facebook.

69 Oral evidence session, 8 February 2018; oral evidence session, 26 April 2018; exchanges of correspondence between the Chair of the DCMS Committee and Facebook representatives, between 24 October and 8 June 2018, can be found on the DCMS Committee’s inquiry page.

62. We ask, once more, for Mr Zuckerberg to come to the Committee to answer the many outstanding questions to which Facebook has not responded adequately to date. Edward Lucas, a writer and security policy expert, rightly told us that Facebook should not be in a position of marking its own homework: “They have a duty as a platform to have transparent rules that can be discussed with the outside world and we should be able to check stuff. […] We cannot just trust Facebook to go after the event and say, ‘Nothing to see here, move along’. We should be able to see in real time who is advertising”.70

63.
As the then Secretary of State, Rt Hon Matthew Hancock MP, pointed out when he gave evidence to us, the Defamation Act 2013 contains provisions stating that, if a user is defamed on social media, and the offending individual cannot be identified, the liability rests with the platform.71

64. Tech companies are not passive platforms on which users input content; they reward what is most engaging, because engagement is part of their business model and their growth strategy. They have profited greatly by using this model. This manipulation of the sites by tech companies must be made more transparent. Facebook has all of the information. Those outside of the company have none of it, unless Facebook chooses to release it. Facebook was reluctant to share information with the Committee, which does not bode well for future transparency. We ask, once more, for Mr Zuckerberg to come to the Committee to answer the many outstanding questions to which Facebook has not responded adequately, to date.

65. Facebook and other social media companies should not be in a position of ‘marking their own homework’. As part of its White Paper this Autumn, the Government need to carry out proactive work to find practical solutions to issues surrounding transparency that will work for both users, the Government, and the tech companies.

66. Facebook and other social media companies have a duty to publish and to follow transparent rules. The Defamation Act 2013 contains provisions stating that, if a user is defamed on social media, and the offending individual cannot be identified, the liability rests with the platform. We urge the Government to examine the effectiveness of these provisions, and to monitor tech companies to ensure they are complying with court orders in the UK and to provide details of the source of disputed content—including advertisements—to ensure that they are operating in accordance with the law, or any future industry Codes of Ethics or Conduct.
Tech companies also have a responsibility to ensure full disclosure of the source of any political advertising they carry.

Bots

67. Bots are algorithmically-driven computer programmes designed to carry out specific tasks online, such as analysing and scraping data. Some are created for political purposes, such as automatically posting content, increasing follower numbers, supporting political campaigns, or for spreading misinformation and disinformation. Samantha Bradshaw, from the Oxford Internet Institute, University of Oxford, described the different types of bots, with some being completely automated and some with real people who engage with the automated bots, described as ‘cyborgs’: “Those accounts are a lot harder to detect for researchers, because they feel a lot more genuine. Instead of just automating a bunch of tweets, so that something retweets different accounts 100 times a day, bots might actually post comments and talk with other users—real people—on the accounts”.72

70 Q855
71 Section 5, ‘Operators’, Defamation Act 2013

68. When she gave evidence in February 2018, Monika Bickert, Head of Global Policy Management at Facebook, would not confirm whether there were around 50,000 bot accounts during the US presidential election of 2016.73 However, when Mike Schroepfer, CTO of Facebook, gave evidence in April 2018, after the Cambridge Analytica events had unfolded, he was more forthcoming about the problem of bots:

The key thing here is people trying to create inauthentic identities on Facebook, claiming they are someone other than who they are. To give you a sense of the scale of that problem and the means, while we are in this testimony today it is likely we will be blocking hundreds of thousands of attempts by people around the world to create fake accounts through automated systems.
This is literally a day-to-day fight to make sure that people who are trying to abuse the platform are kept off it and to make sure that people use Facebook for what we want it for, which is to share it with our friends.74

69. Mike Schroepfer also said that removal of such bots can be difficult, and was evasive about how many fake accounts had been removed, telling us: “We are purging fake accounts all the time and dealing with fraudulent ads and we do not tend to report each specific instance. I know we report aggregate statistics on a regular basis, but it is not something we are reporting here or there, so I don’t know.”75 The problem with removing such bots without a systematic appraisal of their composition means that valuable information is then lost. Such information would prove invaluable to researchers involved in making connections, in order to prevent future attacks by malign players.

Algorithms

70. Both social media companies and search engines use algorithms, or sequences of instructions, to personalise news and other content for users. The algorithms select content based on factors such as a user’s past online activity, social connections, and their location. Samantha Bradshaw, from the Oxford Internet Institute, told us about the power of Facebook to manipulate people’s emotions by showing different types of stories to them: “If you showed them more negative stories, they would feel more negatively. If you showed them positive stories, they would feel more positive”.76 The tech companies’ business models rely on revenue coming from the sale of adverts and, because the bottom line is profit, negative emotions (which appear more quickly than positive emotions) will always be prioritised. This makes it possible for negative stories to spread.

72 Q18
73 Q465
74 Q2126
75 Q2293
76 Q29

71. Information about algorithms that dictate what users see on their News Feed is not publicly available.
But just as information about the tech companies themselves needs to be more transparent, so does information about the algorithms themselves. These can carry inherent biases, such as those involving gender and race, as a result of algorithm development by engineers; these biases are then replicated, spread, and reinforced. Monika Bickert, from Facebook, admitted that Facebook was concerned about “any type of bias, whether gender bias, racial bias or other forms of bias that could affect the way that work is done at our company. That includes working on algorithms”. She went on to describe ways in which they were attempting to address this problem, including “initiatives ongoing, right now, to try to develop talent in under-represented communities”.77 In our opinion, Facebook should be taking a more active and urgent role in tackling such inherent biases in algorithm development by engineers, to prevent these biases being replicated and reinforced. Claire Wardle, Executive Director of First Draft News, told us of the importance of getting behind the ‘black box’ of the working of algorithms, in order to understand the rules and motivations of the tech companies:

What are the questions to ask a platform about why it was created? What are the metrics for that particular algorithm? How can we have more insight into that algorithm? How can we think about frameworks of algorithms? Irrespective of the platform, how can we set up that framework so that platforms have to be not just transparent but transparent across particular aspects and elements?78

72. Just as the finances of companies are audited and scrutinised, the same type of auditing and scrutinising should be carried out on the non-financial aspects of technology companies, including their security mechanisms and algorithms, to ensure they are operating responsibly.
The Government should provide the appropriate body with the power to audit these companies, including algorithmic auditing, and we reiterate the point that the ICO’s powers should be substantially strengthened in these respects.

73. If companies like Facebook and Twitter fail to act against fake accounts, and properly account for the estimated total of fake accounts on their sites at any one time, this could not only damage the user experience, but potentially defraud advertisers who could be buying target audiences on the basis that the user profiles are connected to real people. We ask the Competition and Markets Authority to consider conducting an audit of the operation of the advertising market on social media.

Privacy settings and ‘terms and conditions’

74. Facebook and other tech companies make it hard for users to protect their own data. A report by the Norwegian Consumer Council, ‘Deceived by Design’, published in June 2018, highlighted the fact that Facebook, Google and Microsoft direct users away from privacy-friendly options on their services in an “unethical” way, while giving users “an illusion of control”.79 Users’ privacy rights are usually hidden in tech companies’ ‘terms and conditions’ policies, which themselves are complicated, and do not follow their own terms and conditions in ensuring that they are age appropriate and that age ratification takes place.80

77 Q441
78 Q582
79 Deceived by design, Norwegian Consumer Council, 26 June 2018.

75. Social media companies have a legal duty to inform users of their privacy rights. Companies give users the illusion of users having freedom over how they control their data, but they make it extremely difficult, in practice, for users to protect their data.
Complicated and lengthy terms and conditions, small buttons to protect our data and large buttons to share our data mean that, although in principle we have the ability to practise our rights over our data—through for example the GDPR and the Data Protection Act—in practice it is made hard for us.

76. The UK Government should consider establishing a digital Atlantic Charter as a new mechanism to reassure users that their digital rights are guaranteed. This innovation would demonstrate the UK’s commitment to protecting and supporting users, and establish a formal basis for collaboration with the US on this issue. The Charter would be voluntary, but would be underpinned by a framework setting out clearly the respective legal obligations in signatory countries. This would help ensure alignment, if not in law, then in what users can expect in terms of liability and protections.

‘Free Basics’ and Burma

77. One of Facebook’s unofficial company mottoes was to “move quickly and break things”; to take risks, to not consider the consequences. Sandy Parakilas, an ex-Facebook employee, told us that most of the goals of the company were centred around growth, in terms of the number of people using the service and the subsequent revenue.81 But with growth comes unintended consequences, if that growth happens unchecked. This unchecked growth of Facebook is continuing. ‘Free Basics’ is a Facebook service that provides people in developing countries with mobile phone access to various services without data charges. This content includes news, employment, health, information and local information. Free Basics is available in 63 countries around the world.82

78.
Out of a 50 million population in Burma, there are 30 million monthly active users on Facebook.83 While Free Basics gives internet access for the majority of people in Burma, at the same time it severely limits the information available to users, making Facebook virtually the only source of information online for the majority of people in Burma.84 The United Nations accused Facebook of playing a determining role in stirring up hatred against the Rohingya Muslim minority in Rakhine State. In March 2018, the UN Myanmar investigator Yanghee Lee said that the platform had morphed into a ‘beast’ that helped to spread vitriol against Rohingya Muslims.85

79. When Mike Schroepfer, the CTO at Facebook, gave evidence in April 2018, he described the situation in Burma as “awful”, and said that “we need to and are trying to do a lot more to get hate speech and all this kind of vile content off the platform”,86 but he could not tell us when Facebook had started work on limiting hate speech, he could not tell us how many fake accounts had been identified and removed from Burma, and he could not tell us how much revenue Facebook was making from Facebook users in Burma.87

80 The then Secretary of State, Rt Hon Matt Hancock MP Q968
81 Q1208
82 internet.org by Facebook, accessed 21 July 2018.
83 Myanmar group blasts Zuckerberg claim on Facebook hate speech prevention, Techcrunch, 6 April, 2018
84 Unliked: How Facebook is playing a part in the Rohingya genocide, The Conversation, 2 January 2018.
85 UN: Facebook has turned into a beast in Myanmar, BBC, 13 March 2018.
86 Q2490

80. Mr. Schroepfer promised to submit supplementary evidence to give us that information. However, Facebook’s supplementary evidence stated: “We do not break down the removal of fake accounts by country. […] Myanmar [Burma] is a small market for Facebook.
We do not publish country advertising revenue figures”.88 We sent yet another letter, asking why Facebook does not break down the removal of fake accounts by country, which seems a serious lapse in demonstrating how it takes responsibility when problems with fake accounts arise.89 To date, we have not received an answer.

81. UK aid to Burma is planned at £100 million for 2018.90 The Department for International Development told the International Development Committee that “for our programme to be successful, Burma must work towards the implementation of inclusive peace agreements, a new political settlement; and the military serving, rather than ruling, Burma”.91 To date, the UK’s total support for the crisis since August 2017 is £129 million.

82. The United Nations has named Facebook as being responsible for inciting hatred against the Rohingya Muslim minority in Burma, through its ‘Free Basics’ service. It provides people free mobile phone access without data charges, but is also responsible for the spread of disinformation and propaganda. The CTO of Facebook, Mike Schroepfer, described the situation in Burma as “awful”, yet Facebook cannot show us that it has done anything to stop the spread of disinformation against the Rohingya minority.

83. The hate speech against the Rohingya—built up on Facebook, much of which is disseminated through fake accounts—and subsequent ethnic cleansing, has potentially resulted in the success of DFID’s aid programmes being greatly reduced, based on the qualifications they set for success. The activity of Facebook undermines international aid to Burma, including the UK Government’s work. Facebook is releasing a product that is dangerous to consumers and deeply unethical. We urge the Government to demonstrate how seriously it takes Facebook’s apparent collusion in spreading disinformation in Burma, at the earliest opportunity. This is a further example of Facebook failing to take responsibility for the misuse of its platform.
Code of Ethics and developments

84. Facebook has hampered our efforts to get information about their company throughout this inquiry. It is as if it thinks that the problem will go away if it does not share information about the problem, and reacts only when it is pressed. Time and again we heard from Facebook about mistakes being made and then (sometimes) rectified, rather than designing the product ethically from the beginning of the process. Facebook has a ‘Code of Conduct’, which highlights the principles by which Facebook staff carry out their work, and states that employees are expected to “act lawfully, honestly, ethically, and in the best interests of the company while performing duties on behalf of Facebook”.92 Facebook has fallen well below this standard in Burma.

87 Qq 2493 to 2496
88 Facebook letter from Rebecca Stimson, Head of Public Policy, to Damian Collins, 14 May 2018.
89 Letter from Damian Collins to Rebecca Stimson, 21 May 2018
90 Bangladesh, Burma and the Rohingya crisis, International Development Committee, fourth report of session 2017–19, HC 1054, para 11
91 Ibid.

85. The then Secretary of State, Rt Hon Matt Hancock MP, talked about the need for tech companies to move from a libertarian attitude—“the foundation of the internet”—to one of “liberal values on the internet, which is supporting and cherishing the freedom but not the freedom to harm others”.93 He warned that tech company leaders have a responsibility, otherwise responsibility will be imposed on them: “I do not, for a moment, buy this idea that just because the internet is global therefore nation states do not have a say in it. We are responsible. We collectively, Parliament is responsible, for the statutory rules where our society lives”.94

Monopolies and the business models of tech companies

86.
The dominance of a handful of powerful tech companies, such as Facebook, Twitter and Google, has resulted in their behaving as if they were monopolies in their specific area. Traditionally, the basis of competition policy with regard to monopolies has been the issue of consumer detriment, such as the risk of overcharging. However, in the tech world, consumer detriment is harder to quantify. In the digital sphere, many of these services have marginal running costs, are free to the consumer at the point of use, and have the potential of benefiting the consumer from being monopolistic—the sharing of information is the point of these companies and improves the accuracy of services such as Google Maps. As the Secretary of State told us, “The whole question of the concept of how we run competition policy in an era where many goods and many other new innovations have zero marginal costs and are free is intellectually difficult.”95

87. With the free access of services must come the means of funding the businesses; tech companies’ business models rely on the data of users for advertisers to utilise, in order to maximise their revenue. Facebook and Google have 60% of US digital ad spend and 20% of total global spend, as of February 2018.96 Therefore, consumer protection in the modern world is not only about goods, it is about the protection of data. Tech companies’ business models have extolled the fact that they are offering innovations that are free to use, but in doing so the users become the product of the companies, and this is where issues of mistrust and misuse arise. The new measures in GDPR allow users to see what data the companies hold about them, and users can request their data to be removed or transferred to other tech companies, but in order for this to be effective, users must have knowledge of and utilise these rights.97

88.
Professor Bakir, from Bangor University, talked of how technology continually changes, with people adapting to that technology in unpredictable ways.98 She suggested the establishment of a working group, to monitor what is being developed in the area of misinformation and disinformation because “what is around the corner may be much more worrying than what we have experienced to date”.99 As technology develops so quickly, regulation needs to be based not on specifics, but on principles, and adaptive enough to withstand technological developments.

92 Code of Conduct, Facebook, 31 May 2018
93 Q954
94 Q954
95 Q979
96 Ian Lucas MP, Q619
97 Guide to the GDPR, ICO website
98 Q233

89. A professional global Code of Ethics should be developed by tech companies, in collaboration with this and other governments, academics, and interested parties, including the World Summit on Information Society, to set down in writing what is and what is not acceptable by users on social media, with possible liabilities for companies and for individuals working for those companies, including those technical engineers involved in creating the software for the companies. New products should be tested to ensure that products are fit-for-purpose and do not constitute dangers to the users, or to society.

90. The Code of Ethics should be the backbone of tech companies’ work, and should be continually referred to when developing new technologies and algorithms. If companies fail to adhere to their own Code of Ethics, the UK Government should introduce regulation to make such ethical rules compulsory.

91. The dominance of a handful of powerful tech companies, such as Facebook, Twitter and Google, has resulted in their behaving as if they were monopolies in their specific area.
While this portrayal of tech companies does not appreciate the benefits of a shared service, where people can communicate freely, there are considerations around the data on which those services are based, and how these companies are using the vast amount of data they hold on users. In its White Paper, the Government must set out why the issue of monopolies is different in the tech world, and the measures needed to protect users’ data.

99 Q233

3 The issue of data targeting, based around the Facebook, GSR and Cambridge Analytica allegations

92. Arguably more invasive than obviously false information is the relentless targeting of hyper-partisan views, which play to the fears and the prejudices of people, in order to alter their voting plans. This targeting formed the basis of the revelations of March 2018, which brought to the general public’s attention the facts about how much of their own personal data is in the public domain, unprotected, and available for use by different players. Some of the events surrounding Cambridge Analytica and its use of Facebook data had been revealed at the end of 2015, when Harry Davies published an article in The Guardian, following investigations lasting around a year, and wrote: “a little known data company [Cambridge Analytica] […] paid researchers at Cambridge University to gather detailed psychological profiles about the US electorate using a massive pool of mainly unwitting US Facebook users built with an online survey”.100

93. Based on our knowledge of this article, we had explored the general issues surrounding the manipulation of data when we questioned Facebook in February 2018.
However, it was in March 2018 when facts about this case became better known across the world, including how people’s data was used to influence election campaigning, in the US and the UK, through the work of Carole Cadwalladr, at The Observer, and the whistle-blower Christopher Wylie, a former employee of SCL Group, and Cambridge Analytica. Shortly after going public with his allegations, Christopher Wylie gave evidence to the Committee.101 This chapter will focus on the events that highlighted the extent of the misuse of data, involving various organisations including Facebook, Global Science Research (GSR), Cambridge Analytica, and Aggregate IQ (AIQ), and the alleged sharing of data in the EU Referendum. We received written and oral evidence from many of those intimately involved in these revelations. Issues relating to these companies and political campaigning are further examined in Chapter 4, as well as evidence regarding SCL’s involvement in overseas elections in Chapter 6.

Cambridge Analytica and micro-targeting

94. Cambridge Analytica was founded in 2012, with backing from the US hedge fund billionaire and Donald Trump donor, Robert Mercer, who became the majority shareholder.102 He was the largest donor to the super political action committee (PAC) that supported the presidential campaigns of Ted Cruz and Donald Trump in the 2016 presidential election.103 Christopher Wylie argued that the funding of Cambridge Analytica enabled Mr Mercer to benefit from political campaigns that he supported, without directly spending money on them, thereby bypassing electoral finance laws:

100 Paul-Olivier Dehaye, Q1342, referring to Ted Cruz using firm that harvested data on millions of unwitting Facebook users, Harry Davies, The Guardian, 11 December 2015.
101 The DCMS Committee’s oral evidence session with Christopher Wylie and Paul-Olivier Dehaye, 27 March 2018, was described by Mark D’Arcy, parliamentary correspondent at the BBC, as “by a distance, the most astounding thing I’ve seen in Parliament”. Tweet, 17 March 2018, Mark D’Arcy.
102 Christopher Wylie, Q1273
103 Contributors, 2016 cycle, OpenSecrets.org

“[Robert Mercer] can put in $15 million to create something and then only charge $50,000 for it. It would have been physically impossible to get the same value and level of service and data for that amount of money in any other way”.104

95. Cambridge Analytica was born out of the already established SCL consultancy, which had engaged in political campaigns around the world, using specialist communications techniques previously developed by the military to combat terror organisations, and to disrupt enemy intelligence and to give on the ground support in war zones. Cambridge Analytica’s primary purpose would instead be to focus on data targeting and communications campaigns for carefully selected Republican Party candidates in the United States of America.

96. Steve Bannon served as White House chief strategist at the start of President Donald Trump’s term, having previously been chief executive of President Trump’s general election campaign. He was the executive chairman of Breitbart News, a website he described as ‘the platform of the alt-right,’105 and was the former Vice President of Cambridge Analytica. A Cambridge Analytica invoice to UKIP was billed to the same address as Steve Bannon’s company, Glittering Steel.106 The Committee was also told that Steve Bannon introduced Cambridge Analytica to Arron Banks and to Leave.EU.107

97.
We heard evidence from Alexander Nix, in February 2018, before the Observer and Guardian revelations in March 2018, and before the company and its associated company had gone into administration.108 Alexander Nix described the micro-targeting business of Cambridge Analytica:

We are trying to make sure that voters receive messages on the issues and policies that they care most about, and we are trying to make sure that they are not bombarded with irrelevant materials. That can only be good. That can only be good for politics, it can only be good for democracy and it can be good in the wider realms of communication and advertising.109

98. The use of data analytics, based on the psychological profile of the audience, was at the heart of the work of Cambridge Analytica, “presenting a fact that is underpinned by an emotion”, as described by Mr. Nix.110 In order to match the right type of message to voters, Cambridge Analytica needed information about voters, such as what merchandise they bought, what media they read, what cars they drove.111 Mr. Nix told us that “we are able to match these data with first-party research, being large, quantitative research instruments, not dissimilar to a poll. We can go out and ask audiences about their preferences […] indeed we can also start to probe questions about personality and other drivers that might be relevant to understanding their behaviour and purchasing decisions”.112 Cambridge Analytica used ‘OCEAN psychological analysis’ to identify issues people might support and how to position the arguments to them. OCEAN categorises people based on their ‘Openness’, ‘Conscientiousness’, ‘Extraversion’, ‘Agreeableness’ and ‘Neuroticism’.113 As Alexander Nix explained in his talk at the 2016 Concordia Annual Summit, entitled ‘The Power of Big Data and Psychographics’, this approach helps you, for example, to decide how to persuade American voters on the importance of protection of the second amendment, which guarantees the right to keep and bear arms. In the example Mr Nix showed, you might play on the fears of someone who could be frightened into believing that they needed the right to have a gun to protect their home from intruders.114

104 Christopher Wylie, Qq 1410 and 1411
105 A brief history of Breitbart news, Business Insider UK, November 2016
106 Brittany Kaiser, Qq 1682–1684
107 Q1506
108 Cambridge Analytica and the SCL Group started insolvency proceedings in the US and the UK on 2 May 2018.
109 Q657
110 Q662
111 Alexander Nix, Q679
112 Q675

99. When asked where the data used by Cambridge Analytica came from, Alexander Nix told us: “We do not work with Facebook data, and we do not have Facebook data. We do use Facebook as a platform to advertise, as do all brands and most agencies, or all agencies, I should say. We use Facebook as a means to gather data. We roll out surveys on Facebook that the public can engage with if they elect to”.115 When asked whether Cambridge Analytica was able to use information on users’ Facebook profile when they complete surveys, Mr. Nix replied, “No, absolutely not. Absolutely not”.116

100. Professor David Carroll, a US citizen, made a Subject Access Request (SAR) to Cambridge Analytica in January 2017, under the Data Protection Act 1998, because he believed that his data was being processed in the UK. He told us “there was no indication of where they obtained the data.
[…] We should be able to know where they got the data, how they processed it, what they used it for, who they shared it with and also whether we have a right to opt out of it and have them delete the data and stop processing it in the future”.117 The ICO’s investigation update of 11 July 2018 described Professor Carroll’s case as “a specific example of Cambridge Analytica/SCL’s poor practice with regard to data protection law”.118

101. The ICO served an Enforcement Notice on SCL Elections Ltd on 4 May 2018, ordering it to comply with the terms of the SAR, by providing copies of all personal information that SCL held on Professor Carroll. However, the terms of the Enforcement Notice were not complied with by the deadline of 3 June 2018, and the ICO is now considering criminal action against Cambridge Analytica and SCL Elections Ltd.119

113 Alexander Nix, Q679
114 Q783
115 Q682
116 Q704
117 Q571
118 Investigation into data analytics for political purposes: investigation update, ICO, 11 July 2018
119 Investigation into data analytics for political purposes: investigation update, ICO, 11 July 2018
120 Sandy Parakilas, Q1202

Global Science Research

102. The Facebook data breach in 2014, and the role of Cambridge Analytica in acquiring this data, has been the subject of intense scrutiny. Ultimately the data breach originated at the source of the data, at Facebook. ‘Friends permissions’ were a set of permissions on Facebook between 2010 and 2014, and allowed developers to access data related to users’ friends, without the knowledge or express consent of those friends.120 One such developer, Aleksandr Kogan, an American citizen who had been born in the former Soviet Union, was a Research Associate and University Lecturer at the University of Cambridge in the Department of Psychology.
Kogan began collaborating “directly” with Facebook in 2013, and he told us that they “provided me with several macro-level datasets on friendship connections and emoticon usage.”121

103. Professor Kogan set up his own business, Global Science Research (GSR), in the spring of 2014, and developed an App, called the GSR App, which collected data from users, at an individual level.122 It was at around this time as well that Dr Kogan was in discussions about working on some projects with SCL Elections and Cambridge Analytica, to see whether his data collection and analysis methods could help the audience targeting of digital campaigns. Professor Kogan explained that he did not sell the GSR App itself as “it is not technically challenging in any way. Facebook explains how to do it, so there is great documentation on this”.123 What was valuable was the data. The aim was to recruit around 200,000 people who could earn money by completing an online survey. Recruits had to download the App before they could collect payment. The App would download some information about the user and their friends. Each person was paid $3 or $4, which totalled $600,000 to $800,000 across all participants. In this case SCL paid that amount, and then returned to get predictions about people’s personalities, for which they paid GSR £230,000.124 In the latter part of 2014, after the GSR App data collection was complete, Professor Kogan revised the application to become an interactive personality “quiz” and renamed the App “thisisyourdigitallife.”125

104. The exact nature of Dr Kogan’s work on this project is set out in the contract he signed with SCL, on 4 June 2014, along with his business partner, Joseph Chancellor, who was later hired to work for Facebook.126 Alexander Nix also signed this contract on behalf of SCL Elections. In the ‘Project and Specification’ schedule of the contract it states that ‘After data is collected, models are built using psychometric techniques (e.g.
factor analysis, dimensional scaling etc) which uses Facebook likes to predict people’s personality scores. These models are validity tested on users who were not part of the training sample. Trait predictions based on Facebook likes are at near test-retest levels and have been compared to the predictions that romantic partners, family members and friends make about their traits. In all previous cases the computer-generated scores performed the best. Thus, the computer-generated scores can be more accurate than even the knowledge of very close friends and family members.’127

105. Furthermore, Dr Kogan and SCL knew that ‘scraping’ Facebook user data in this way was in breach of the company’s then recently revised terms of service. Instead the work was carried out under the terms of an agreement GSR has with Facebook which predated this change. It is stated in the contract that, “GSR’s method relies on a pre-existing application functioning under Facebook’s old terms of service. New applications are not able to access friend networks and no other psychometric profiling applications exist under the old Facebook terms.”128

121 Q1770
122 Aleksandr Kogan, Q1796
123 Q1809
124 Q1809
125 Aleksandr Kogan (FKN0077)
126 Background papers submitted by Christopher Wylie, p67
127 Background papers submitted by Christopher Wylie, p84
128 Background paper submitted by Christopher Wylie, p.84

106. The purpose of the project, however, was not to carry out this testing as part of an experiment into the predictive nature of understanding the insights about an individual that are provided by Facebook likes. Rather, data would be scraped to order to support political campaigns. Cambridge Analytica was involved in eleven states in the USA in 2014.
These were Arkansas, Colorado, Florida, Iowa, Louisiana, Nevada, New Hampshire, North Carolina, Oregon, South Carolina and West Virginia.129 Dr Kogan and his team were required under the contract to provide SCL with data sets that matched predictive personality scores, including someone’s likely political interests, to named individuals on the electoral register in those states.

107. When Dr Kogan gave evidence to us, he stated that he believed using Facebook likes to predict someone’s personality and interests was not particularly accurate. However, from the contract he signed with SCL in June 2014, he certainly thought it was at the time. Furthermore, Dr Kogan’s colleague at the Cambridge Psychometrics Centre, Michal Kosinski, co-authored an academic paper called ‘Tracking the Digital Footprints of Personality’, published in December 2014, where he re-states the case for the effectiveness of assessing personality from Facebook likes.130 This article claims that “Facebook likes are highly predictive of personality and number[s] of other psychodemographic traits, such as age, gender, intelligence, political and religious views, and sexual orientation”. The article goes on, rightly, to raise the ethical concerns that should exist in relation to this approach, stating that:

The results presented here may have considerable negative implications because it can easily be applied to large numbers of people without obtaining their individual consent and without them noticing. Commercial companies, governmental institutions, or even one’s Facebook friends could use software to infer personality (and other attributes, such as intelligence or sexual orientation) that an individual may not have intended to share. There is a risk that the growing awareness of such digital exposure may decrease their trust in digital technologies, or even completely deter them from them.131

108.
When Alexander Nix first gave evidence to us in February 2018, he denied that Dr Kogan and GSR had supplied Cambridge Analytica with any data or information, and said that his datasets were not based on information received from GSR.132 We received evidence from both Dr Kogan and Mr Wylie that conflicted with Mr Nix’s evidence; indeed, Mr Wylie described the data obtained from Dr Kogan’s GSR App as the foundation dataset of the company, which collected data on up to 87 million users, over 1 million of whom were based in the UK.133 We believe that Dr Kogan also knew perfectly well what he was doing, and that he was in breach of Facebook’s own codes of conduct (which he told us he did not consider to be operative in practice, as they were never enforced).

109. During his second appearance, Mr Nix admitted that “I accept that some of my answers could have been clearer, but I assure you that I did not intend to mislead you”. He went on to explain that Cambridge Analytica had not at that time been in possession of data from GSR, due to the fact that they had “deleted all such data licensed in good faith from GSR under that research contract”.134 This suggests that Mr. Nix, who by his own admission to the Committee tells lies, was not telling the whole truth when he gave us his previous version of events, in February 2018.

129 Background paper submitted by Christopher Wylie, pp.84–85
130 Tracking the digital footprints of personality, Michal Kosinski, Proceedings of the IEEE, Vol 102, no 12, December 2014
131 Ibid.
132 Qq 730 to 731
133 Q1281

110. In August 2014 Dr Kogan worked with SCL to provide data on individual voters to support US candidates being promoted by the John Bolton Super Pac in the mid-term elections in November of that year. Psychographic profiling was used to micro-target adverts at voters across five distinct personality groups.
After the campaign, according to an SCL presentation document seen by the Committee, the company claimed that there was a 39% increase in awareness of the issues featured in the campaign’s advertising amongst those who had received targeted messages.135 In September 2014, SCL also signed a contract to work with the American Conservative advocacy organisation, ‘For America’. Again, they used behavioural micro-targeting to support their campaign messages ahead of the mid-term elections that year. SCL would later claim that the 1.5 million advertising impressions they generated through their campaign led to a 30% uplift in voter turnout, against the predicted turnout, for the targeted groups.

Facebook

111. Sandy Parakilas worked for Facebook for 16 months in 2011 and 2012, and told us that “once the data passed from Facebook servers to the developer, Facebook lost insight into what was being done with the data and lost control over the data”.136 There was no proper audit trail of where the data went and during Mr Parakilas’ 16 months of working there, he did not remember one audit of a developer’s storage.137 This is a fundamental flaw in Facebook’s model of holding data; Facebook cannot assure its users that its data is not being used by third parties and of the reasons for which that data may be being used.

112. Once the data had left Facebook, that data, or its derivatives, could be copied multiple times. Chris Vickery, Director of Cyber Risk Research at UpGuard, described to us the ‘sticky’ nature of data: “In this type of industry, data does not just go away. It does not just disappear. It is sticky. It gathers up. The good stuff stays. Even the bad stuff stays, but it is not used. It is held in an archive somewhere. Nothing disappears”.138

113.
Furthermore, that data was specific and personal to each person with a Facebook account, including their names, their email addresses, and could even include private messages.139 Tristan Harris, from the Center for Humane Technology, told us that the entire premise of Facebook’s App platform was exactly this—to enable third-party developers to have access to people’s friends’ data: “The premise of the app platform was to enable as many developers as possible to use that data in creative ways, to build creative new social applications on behalf of Facebook”.140

114. Facebook claimed that Dr Kogan had violated his agreement to use the data solely for academic purposes. On Friday 16 March 2018, Facebook suspended Kogan from the platform, issued a statement saying that he “lied” to the company, and characterised his activities as “a scam—and a fraud”.141 Facebook also suspended Christopher Wylie at the same time. On Wednesday 21 March 2018, Mark Zuckerberg called Dr Kogan’s actions a “breach of trust”.142 However, when Facebook gave evidence to us in February 2018, they failed to disclose the existence of this “breach of trust” and its implications.

134 Q3288
135 Background papers submitted by Christopher Wylie
136 Q1188
137 Q1188
138 Q2534
139 Sandy Parakilas, Q1206
140 Q3168

115. In its commitment to update our Committee on its ongoing investigation, the ICO decided to publish a Notice of Intent to issue a monetary penalty to Facebook of £500,000, “for lack of transparency and security issues relating to the harvesting of data constituting breaches of the first and seventh data protection principles”, under the Data Protection Act 1998.143 It should be noted that, if the new Data Protection Act 2018 had been in place when the ICO started its investigation into Facebook, the ICO’s Notice of Intent to impose 4% of its annual turnover of $7.87 billion, which would have totalled £315 million.

116.
As recently as 20 July 2018, Facebook suspended another company that it believes harvested data from its site. Crimson Hexagon is based in Boston, US. Facebook is investigating whether this analytics firm’s contracts with the US government and a Russian not-for-profit organisation with ties to the Kremlin violated Facebook’s policies. For Crimson Hexagon to share such data with government agencies would be incredibly useful to those agencies, as it would show how large groups of people were feeling at a particular time, and could be used during political campaigns.6 Again, the same opportunities given by Facebook to, unwittingly, share their users’ data with Cambridge Analytica, via GSR, were being given, up until a few days ago, to Crimson Hexagon, despite Facebook’s reassurances that they were tightening their policies. Aggregate IQ (AIQ) 117. Jeff Silvester is one of the owners of the Canadian digital advertising web and software development company, Aggregate IQ (AIQ), which was incorporated in 2013. Mr Silvester gave evidence to us in May 2018 and explained that their first work for SCL was to “create a political customer relationship management software tool” for the Trinidad and Tobago election campaigning, in 2014.144 From that work, AIQ then started developing the Ripon tool, software that was commissioned and would be owned by SCL:145 The Ripon tool has been described in a lot of different ways. The part that we have done was a political customer relationship management tool focused on the US market. This was software that would help with people going door to door. There was a tool in there that you could do phone banking so you could call people and get their opinions on things and keep track of all that sort of information.146 118. 
Christopher Wylie gave us a different version of Ripon: “A lot of the papers that eventually became the foundation of the methods that were used on the Ripon project came out of research that was being done at the University of Cambridge, some of which 141 Suspending Cambridge Analytica and SCL Group from Facebook, Facebook statement, 16 March 2018; Facebook gave data about 57 billion friendships to academic, The Guardian, 22 March 2018 142 Zuckerberg on data debacle: ‘It was a breach of trust’, CNN interview with Mark Zuckerberg, 22 March 2018 143 Investigation into data analytics for political purposes: investigation update, ICO, July 2018 144 Q2770 and 2771 145 Q2779 146 Q2776