House of Commons
Digital, Culture, Media and
Sport Committee
Disinformation and
‘fake news’: Interim
Report
Fifth Report of Session 2017–19
Report, together with formal minutes relating
to the report
Ordered by the House of Commons
to be printed 24 July 2018
HC 363
Published on 29 July 2018
by authority of the House of Commons
The Digital, Culture, Media and Sport Committee
The Digital, Culture, Media and Sport Committee is appointed by the House
of Commons to examine the expenditure, administration and policy of the
Department for Digital, Culture, Media and Sport and its associated public bodies.
Current membership
Damian Collins MP (Conservative, Folkestone and Hythe) (Chair)
Clive Efford MP (Labour, Eltham)
Julie Elliott MP (Labour, Sunderland Central)
Paul Farrelly MP (Labour, Newcastle-under-Lyme)
Simon Hart MP (Conservative, Carmarthen West and South Pembrokeshire)
Julian Knight MP (Conservative, Solihull)
Ian C. Lucas MP (Labour, Wrexham)
Brendan O’Hara MP (Scottish National Party, Argyll and Bute)
Rebecca Pow MP (Conservative, Taunton Deane)
Jo Stevens MP (Labour, Cardiff Central)
Giles Watling MP (Conservative, Clacton)
The following Members were also members of the Committee during the inquiry
Christian Matheson MP (Labour, City of Chester)
Powers
The Committee is one of the departmental select committees, the powers of which
are set out in House of Commons Standing Orders, principally in SO No 152. These
are available on the internet via www.parliament.uk.
Publication
Committee reports are published on the Committee’s website at
www.parliament.uk/dcmscom and in print by Order of the House.
Evidence relating to this report is published on the inquiry publications page of the
Committee’s website.
Committee staff
The current staff of the Committee are Chloe Challender (Clerk), Joe Watt (Second
Clerk), Lauren Boyer (Second Clerk), Josephine Willows (Senior Committee
Specialist), Lois Jeary (Committee Specialist), Andy Boyd (Senior Committee
Assistant), Keely Bishop (Committee Assistant), Lucy Dargahi (Media Officer) and
Janet Coull Trisic (Media Officer).
Contacts
All correspondence should be addressed to the Clerk of the Digital, Culture, Media
and Sport Committee, House of Commons, London SW1A 0AA. The telephone
number for general enquiries is 020 7219 6188; the Committee’s email address is
cmscom@parliament.uk
1
Disinformation and ‘fake news’: Interim Report
Contents
Summary
3
1
Introduction and background
4
Definition of ‘fake news’
7
How to spot ‘fake news’
8
Our recommendations in this Report
9
2 The definition, role and legal responsibilities of tech companies
10
An unregulated sphere
10
Regulatory architecture
11
The Information Commissioner’s Office
11
The Electoral Commission
13
Platform or publisher?
16
Transparency
18
Bots
19
Algorithms
20
Privacy settings and ‘terms and conditions’
21
‘Free Basics’ and Burma
22
Code of Ethics and developments
23
Monopolies and the business models of tech companies
24
3 The issue of data targeting, based around the Facebook, GSR and
Cambridge Analytica allegations
26
Cambridge Analytica and micro-targeting
26
Global Science Research
28
Facebook
31
Aggregate IQ (AIQ)
32
The links between Cambridge Analytica, SCL and AIQ
33
4 Political campaigning
37
What is a political advert?
37
Electoral questions concerning the EU Referendum
38
Co-ordinated campaigns
38
Leave.EU and data from Eldon Insurance allegedly used for campaigning work 40
5 Russian influence in political campaigns
43
Introduction
43
Use of the data obtained by Aleksandr Kogan in Russia
44
Disinformation and ‘fake news’: Interim Report
2
The role of social media companies in disseminating Russian disinformation
45
Leave.EU, Arron Banks, and Russia
47
Foreign investment in the EU Referendum
49
Catalonia Referendum
50
Co-ordination between UK Departments and between countries
51
6 SCL influence in foreign elections
53
Introduction
53
General
53
St Kitts and Nevis
55
Trinidad and Tobago
56
Argentina
56
Malta
56
Nigeria and Black Cube
57
Conclusion
58
7 Digital literacy
60
The need for digital literacy
60
Why people connect on social media
60
Content on social media
61
Data on social media
61
A unified approach to digital literacy
62
Young people
62
School curriculum
62
Conclusions and recommendations
64
Annex
74
Formal minutes
77
Witnesses
78
Published written evidence
81
List of Reports from the Committee during the current Parliament
87
3
Disinformation and ‘fake news’: Interim Report
Summary
There are many potential threats to our democracy and our values. One such threat arises
from what has been coined ‘fake news’, created for profit or other gain, disseminated
through state-sponsored programmes, or spread through the deliberate distortion of
facts, by groups with a particular agenda, including the desire to affect political elections.
Such has been the impact of this agenda, the focus of our inquiry moved from
understanding the phenomenon of ‘fake news’, distributed largely through social
media, to issues concerning the very future of democracy. Arguably, more invasive than
obviously false information is the relentless targeting of hyper-partisan views, which
play to the fears and prejudices of people, in order to influence their voting plans and
their behaviour. We are faced with a crisis concerning the use of data, the manipulation
of our data, and the targeting of pernicious views. In particular, we heard evidence of
Russian state-sponsored attempts to influence elections in the US and the UK through
social media, of the efforts of private companies to do the same, and of law-breaking by
certain Leave campaign groups in the UK’s EU Referendum in their use of social media.
In this rapidly changing digital world, our existing legal framework is no longer fit for
purpose. This is very much an interim Report, following an extensive inquiry. A further,
substantive Report will follow in the autumn of 2018. We have highlighted significant
concerns, following recent revelations regarding, in particular, political manipulation
and set we out areas where urgent action needs to be taken by the Government and other
regulatory agencies to build resilience against misinformation and disinformation into
our democratic system. Our democracy is at risk, and now is the time to act, to protect
our shared values and the integrity of our democratic institutions.
Disinformation and ‘fake news’: Interim Report
4
1
Introduction and background
1.
In this inquiry, we have studied the spread of false, misleading, and persuasive
content, and the ways in which malign players, whether automated or human, or both
together, distort what is true in order to create influence, to intimidate, to make money, or
to influence political elections.
2. People are increasingly finding out about what is happening in this country, in their
local communities, and across the wider world, through social media, rather than through
more traditional forms of communication, such as television, print media, or the radio.1
Social media has become hugely influential in our lives.2 Research by the Reuters Institute
for the Study of Journalism has shown that not only are huge numbers of people accessing
news and information worldwide through Facebook, in particular, but also through social
messaging software such as WhatsApp. When such media are used to spread rumours
and ‘fake news’, the consequences can be devastating.3
3. Tristan Harris, Co-founder and Executive Director, at the Center for Humane
Technology—an organisation seeking to realign technology with the best interests of its
users—told us about the many billions of people who interact with social media: “There are
more than 2 billion people who use Facebook, which is about the number of conventional
followers of Christianity. There are about 1.8 billion users of YouTube, which is about the
number of conventional followers of Islam. People check their phones about 150 times a
day in the developed world.”4 This equates to once every 6.4 minutes in a 16-hour day. This
is a profound change in the way in which we access information and news, one which has
occurred without conscious appreciation by most of us.
4. This kind of evidence led us to explore the use of data analytics and psychological
profiling to target people on social media with political content, as its political impact
has been profound, but largely unappreciated. The inquiry was launched in January 2017
in the previous Parliament, and then relaunched in the autumn, following the June 2017
election. The inquiry’s Terms of Reference were as follows:
• What is ‘fake news’? Where does biased but legitimate commentary shade into
propaganda and lies?
• What impact has fake news on public understanding of the world, and also on
the public response to traditional journalism? If all views are equally valid, does
objectivity and balance lose all value?
•
Is there any difference in the way people of different ages, social backgrounds,
genders etc use and respond to fake news?
•
Have changes in the selling and placing of advertising encouraged the growth of
fake news, for example by making it profitable to use fake news to attract more
hits to websites, and thus more income from advertisers?5
1
News consumption in the UK: 2016, Ofcom, 29 June 2017
2
Tristan Harris, Co-founder and Executive Director, Center for Humane Technology, Q3147
3
The seventh annual Digital News Report, by the Reuters Institute for the Study of Journalism, University of
Oxford was based on a YouGov online survey of 74,000 people in 37 countries.
4
Tristan Harris, Q3147
5
Terms of reference, Fake News inquiry, DCMS Committee, 15 September 2017.
5
Disinformation and ‘fake news’: Interim Report
5. We will address the wider areas of our Terms of Reference, including the role of
advertising, in our further Report this autumn. In recent months, however, our inquiry
delved increasingly into the political use of social media, raising concerns that we wish
to address immediately. We had asked representatives from Facebook, in February 2018,
about Facebook developers and data harvesting.6 Then, in March 2018, Carole Cadwalladr
of The Observer,7 together with Channel 4 News, and the New York Times, published
allegations about Cambridge Analytica (and associated companies) and its work with
Global Science Research (GSR), and the misuse of Facebook data.8 Those allegations
put into question the use of data during the EU Referendum in 2016, and the extent of
foreign interference in UK politics. Our oral evidence sessions subsequently focussed on
those specific revelations, and we invited several people involved to give evidence. The
allegations highlighted both the amount of data that private companies and organisations
hold on individuals, and the ability of technology to manipulate people.
6. This transatlantic media coverage brought our Committee into close contact with
other parliaments around the world. The US Senate Select Committee on Intelligence, the
US House of Representatives Permanent Select Committee on Intelligence, the European
Parliament, and the Canadian Standing Committee on Access to Information, Privacy,
and Ethics all carried out independent investigations. We shared information, sometimes
live, during the hearings. Representatives from other countries, including Spain, France,
Estonia, Latvia, Lithuania, Australia, Singapore, Canada, and Uzbekistan, have visited
London, and we have shared our evidence and thoughts. We were also told about the
work of SCL Elections—and other SCL associates, including Cambridge Analytica—set
up by the businessman Alexander Nix; their role in manipulating foreign elections; and
the financial benefits they gained through those activities. What became clear is that,
without the knowledge of most politicians and election regulators across the world,
not to mention the wider public, a small group of individuals and businesses had been
influencing elections across different jurisdictions in recent years.
7. We invited many witnesses to give evidence. Some came to the Committee willingly,
others less so. We were forced to summon two witnesses: Alexander Nix, former CEO of
Cambridge Analytica; and Dominic Cummings, Campaign Director of Vote Leave, the
designated Leave campaign group in the EU Referendum. While Mr. Nix subsequently
agreed to appear before the Committee, Dominic Cummings still refused. We were then
compelled to ask the House to support a motion ordering Mr Cummings to appear before
the Committee.9 At the time of writing he has still not complied with this Order, and the
matter has been referred by the House to the Committee of Privileges. Mr Cummings’
contemptuous behaviour is unprecedented in the history of this Committee’s inquiries and
underlines concerns about the difficulties of enforcing co-operation with Parliamentary
scrutiny in the modern age. We will return to this issue in our Report in the autumn, and
believe it to be an urgent matter for consideration by the Privileges Committee and by
Parliament as a whole.
6
Monika Bickert, Q389
7
In June 2018, Carole Cadwalladr won the Orwell journalism prize, for her investigative work into Cambridge
Analytica, which culminated in a series of articles from March 2018.
8
Harry Davies had previously published the following article Ted Cruz using firm that harvested data on millions
of unwitting Facebook users, in The Guardian, on 11 December 2015, which first revealed the harvesting of data
from Facebook.
9
Following the motion being passed, Dominic Cummings did not appear before the Committee. The matter was
then referred to the Privileges Committee on 28 June 2018.
Disinformation and ‘fake news’: Interim Report
6
8.
In total, we held twenty oral evidence sessions, including two informal background
sessions, and heard from 61 witnesses, asking over 3,500 questions at these hearings. We
received over 150 written submissions, numerous pieces of background evidence, and
undertook substantial exchanges of correspondence with organisations and individuals.
We held one oral evidence session in Washington D.C. (the first time a Select Committee
has held a public, live broadcast oral evidence session abroad) and also heard from
experts in the tech field, journalists and politicians, in private meetings, in Washington
and New York. Most of our witnesses took the Select Committee process seriously, and
gave considered, thoughtful evidence, specific to the context of our inquiry. We thank
witnesses, experts, politicians, and individuals (including whistle-blowers) whom we met
in public and in private, in this country and abroad, and who have been generous with
their expertise, knowledge, help and ideas.10 We also thank Dr Lara Brown and her team
at the Graduate School of Political Management at George Washington University, for
hosting the Select Committee’s oral evidence session in the US.
9. As noted above, this is our first Report on misinformation and disinformation.
Another Report will be published in the autumn of 2018, which will include more
substantive recommendations, and also detailed analysis of data obtained from the
insecure AggregateIQ website, harvested and submitted to us by Chris Vickery, Director
of Cyber Risk Research at UpGuard.11 Aggregate IQ is one of the businesses involved most
closely in influencing elections.
10. Since we commenced this inquiry, the Electoral Commission has reported on serious
breaches by Vote Leave and other campaign groups during the 2016 EU Referendum;
the Information Commissioner’s Office has found serious data breaches by Facebook
and Cambridge Analytica, amongst others; the Department for Digital, Culture, Media
and Sport (DDCMS) has launched the Cairncross Review into press sustainability in the
digital age; and, following a Green Paper in May, 2018, the Government has announced
its intention to publish a White Paper later this year into making the internet and social
media safer. This interim Report, therefore, focuses at this stage on seven of the areas
covered in our inquiry:
•
Definition of fake news, and how to spot it;
•
Definition, role and legal liabilities of social media platforms;
•
Data misuse and targeting, focussing on the Facebook/Cambridge Analytica/
AIQ revelations;
•
Political campaigning;
•
Foreign players in UK elections and referenda;
•
Co-ordination of Departments within Government;
•
Digital literacy.
10
Our expert adviser for the inquiry was Dr Charles Kriel, Associate Fellow at the King’s Centre for Strategic
Communications (KCSC), King’s College London. His Declaration of Interests are: Director, Kriel.Agency, a digital
media and social data consulting agency; Countering Violent Extremism Programme Director, Corsham Institute,
a civil society charity; and Cofounder and shareholder, Lightful, a social media tool for charities.
11
In the early autumn, we hope to invite Ofcom and the Advertising Standards Authority to give evidence, and
to re-invite witnesses from the Information Commissioner’s Office and the Electoral Commission, and this oral
evidence will also inform our substantive Report.
7
Disinformation and ‘fake news’: Interim Report
Definition of ‘fake news’
11. There is no agreed definition of the term ‘fake news’, which became widely used in
2016 (although it first appeared in the US in the latter part of the 19th century).12 Claire
Wardle, from First Draft, told us in our oral evidence session in Washington D.C. that
“when we are talking about this huge spectrum, we cannot start thinking about regulation,
and we cannot start talking about interventions, if we are not clear about what we mean”.13
It has been used by some, notably the current US President Donald Trump, to describe
content published by established news providers that they dislike or disagree with, but is
more widely applied to various types of false information, including:
•
Fabricated content: completely false content;
• Manipulated content: distortion of genuine information or imagery, for example
a headline that is made more sensationalist, often popularised by ‘clickbait’;
•
Imposter content: impersonation of genuine sources, for example by using the
branding of an established news agency;
• Misleading content: misleading use of information, for example by presenting
comment as fact;
•
False context of connection: factually accurate content that is shared with false
contextual information, for example when a headline of an article does not
reflect the content;
•
Satire and parody: presenting humorous but false stores as if they are true.
Although not usually categorised as fake news, this may unintentionally fool
readers.14
12. In addition to the above is the relentless prevalence of ‘micro-targeted messaging’,
which may distort people’s views and opinions.15 The distortion of images is a related
problem; evidence from MoneySavingExpert.com cited celebrities who have had their
images used to endorse scam money-making businesses, including Martin Lewis, whose
face has been used in adverts across Facebook and the internet for scams endorsing
products including binary trading and energy products.16 There are also ‘deepfakes’, audio
and videos that look and sound like a real person, saying something that that person has
never said.17 These examples will only become more complex and harder to spot, the more
sophisticated the software becomes.
13. There is no regulatory body that oversees social media platforms and written
content including printed news content, online, as a whole. However, in the UK, under
the Communications Act 2003, Ofcom sets and enforces content standards for television
12
Fake News: A Roadmap, NATO Strategic Centre for Strategic Communications, Riga and King’s Centre for
Strategic Communications (KCSE), January 2018.
13
Claire Wardle, Q573
14
Online information and fake news, Parliamentary Office of Science and Technology, July 2017, box 4.
Also see First Draft News, Fake news. It’s complicated, February 2017; Ben Nimmo (FNW0125); Full Fact,
(FNW0097)
15
Micro-targeting of messages will be explored in greater detail in Chapter 4.
16
MoneySavingExpert.com (FKN0068)
17
Edward Lucas, Q881
Disinformation and ‘fake news’: Interim Report
8
and radio broadcasters, including rules relating to accuracy and impartiality.18 On 13
July 2018, Ofcom’s Chief Executive, Sharon White, called for greater regulation of social
media, and announced plans to release an outline of how such regulation could work in
the autumn of this year.19 We shall assess these plans in our further Report.
14. The term ‘fake news’ is bandied around with no clear idea of what it means, or
agreed definition. The term has taken on a variety of meanings, including a description
of any statement that is not liked or agreed with by the reader. We recommend that the
Government rejects the term ‘fake news’, and instead puts forward an agreed definition
of the words ‘misinformation’ and ‘disinformation’. With such a shared definition, and
clear guidelines for companies, organisations, and the Government to follow, there will
be a shared consistency of meaning across the platforms, which can be used as the basis
of regulation and enforcement.
15. We recommend that the Government uses the rules given to Ofcom under the
Communications Act 2003 to set and enforce content standards for television and
radio broadcasters, including rules relating to accuracy and impartiality, as a basis
for setting standards for online content. We look forward to hearing Ofcom’s plans for
greater regulation of social media this autumn. We plan to comment on these in our
further Report.
How to spot ‘fake news’
16. Standards surrounding fact-checking exist, through the International Fact-
Checking Network’s Code of Principles, signed by the majority of major fact-checkers.20
A recent report of the independent High-Level Expert Group on Fake News and Online
Disinformation highlighted that, while a Code of Principles exists, fact-checkers themselves
must continually improve on their own transparency.21
17. Algorithms are being used to help address the challenges of misinformation. We
heard evidence from Professor Kalina Bontcheva, who conceived and led the Pheme
research project, which aims to create a system to automatically verify online rumours
and thereby allow journalists, governments and others to check the veracity of stories
on social media.22 Algorithms are also being developed to help to identify fake news.
The fact-checking organisation, Full Fact, received funding from Google to develop an
automated fact-checking tool for journalists.23 Facebook and Google have also altered
their algorithms so that content identified as misinformation ranks lower.24 Many
organisations are exploring ways in which content on the internet can be verified, kite-
marked, and graded according to agreed definitions.25
18. The Government should support research into the methods by which misinformation
and disinformation are created and spread across the internet: a core part of this is fact-
18
Ofcom (FNW0107)
19
‘It’s time to regulate social media sites that publish news’ The Times 13 July 2018
20
The International Fact-Checking Network website, accessed 21 June 2018.
21
A multi-dimensional approach to disinformation, Report of the independent High Level Expert Group on Fake
News and Online Disinformation, March 2018.
22
Pheme website, www.pheme.eu, accessed 21 June 2018
23
Full Fact website, fullfact.org, accessed 21 June 2018
24
Mosseri, Facebook, “Working to stop misinformation and false news”. 6/4/2017
25
Full Fact (FNW0097); Disinformation Index (FKN0058); HonestReporting (FKN0047); Factmata Limited, UK
(FKN0035).
9
Disinformation and ‘fake news’: Interim Report
checking. We recommend that the Government initiate a working group of experts to
create a credible annotation of standards, so that people can see, at a glance, the level
of verification of a site. This would help people to decide on the level of importance that
they put on those sites.
Our recommendations in this Report
19. During the course of this inquiry we have wrestled with complex, global issues,
which cannot easily be tackled by blunt, reactive and outmoded legislative instruments.
In this Report, we suggest principle-based recommendations which are sufficiently
adaptive to deal with fast-moving technological developments. We look forward to
hearing the Government’s response to these recommendations.
20. We also welcome submissions to the Committee from readers of this interim Report,
based on these recommendations, and on specific areas where the recommendations
can incorporate work already undertaken by others. This inquiry has grown through
collaboration with other countries, organisations, parliamentarians, and individuals,
in this country and abroad, and we want this co-operation to continue.
Disinformation and ‘fake news’: Interim Report
10
2 The definition, role and legal
responsibilities of tech companies
21. At the centre of the argument about misinformation and disinformation is the role of
tech companies, on whose platforms content is disseminated.26 Throughout the chapter,
we shall use the term ‘tech companies’ to indicate the different types of social media and
internet service providers, such as Facebook, Twitter, and Google. It is important to note
that a series of mergers and acquisitions mean that a handful of tech companies own the
major platforms. For example, Facebook owns Instagram and WhatsApp; Alphabet owns
both Google and YouTube.
22. The word ‘platform’ suggests that these companies act in a passive way, posting
information they receive, and not themselves influencing what we see, or what we do not
see. However, this is a misleading term; tech companies do control what we see, by their
very business model. They want to engage us from the moment we log onto their sites and
into their apps, in order to generate revenue from the adverts that we see. In this chapter,
we will explore: the definitions surrounding tech companies; the companies’ power in
choosing and disseminating content to users; and the role of the Government and the
tech companies themselves in ensuring that those companies carry out their business in
a transparent, accountable way.
An unregulated sphere
23. Tristan Harris of the Center for Humane Technology27 provided a persuasive
narrative of the development and role of social media platforms, telling us that engagement
of the user is an integral part both of tech companies’ business model and of their growth
strategy:
They set the dial; they don’t want to admit that they set the dial, and instead
they keep claiming, “We’re a neutral platform,” or, “We’re a neutral tool,” but
in fact every choice they make is a choice architecture. They are designing
how compelling the thing that shows up next on the news feed is, and their
admission that they can already change the news feeds so that people spend
less time [on it] shows that they do have control of that.28
24. Mr Harris told us that, while we think that we are in control of what we look at when
we check our phones (on average, around 150 times a day), our mind is being hijacked, as
if we were playing a slot machine:
Every time you scroll, you might as well be playing a slot machine, because
you are not sure what is going to come up next on the page. A slot machine
is a very simple, powerful technique that causes people to want to check in
all the time. Facebook and Twitter, by being social products—by using your
26
As of February 2018, 79% of the UK population had Facebook accounts, 79% used YouTube, and 47% used
Twitter, https://weareflint.co.uk/press-release-social-media-demographics-2018
27
The Center for Humane Technology website, accessed 27 June 2018
28
Tristan Harris, Q3149
11
Disinformation and ‘fake news’: Interim Report
social network—have an infinite supply of new information that they could
show you. There are literally thousands of things that they could populate
that news feed with, which turns it into that random-reward slot machine.29
25. Coupled with this is the relentless feed of information that we receive on our phones,
which is driven by tech engineers “who know a lot more about how your mind works than
you do. They play all these different tricks every single day and update those tricks to keep
people hooked”.30
Regulatory architecture
The Information Commissioner’s Office
26. The Information Commissioner is a non-departmental public body, with statutory
responsibility “for regulating the processing of personal data” in the United Kingdom,31
including the enforcement of the new Data Protection Act 2018 and the General Data
Protection Regulation (GDPR).32 The ICO’s written evidence describes the Commission’s
role as “one of the sheriffs of the internet”.33
27. The Commissioner, Elizabeth Denham, highlighted the “behind the scenes
algorithms, analysis, data matching and profiling” which mean that people’s data is being
used in new ways to target them with information.34 She sees her role as showing the public
how personal data is collected, used and shared through advertising and through the
micro-targeting of messages delivered through social media.”35 She has a range of powers
to ensure that personal data is processed within the legislative framework, including the
serving of an information notice, requiring specified information to be provided within a
defined timeframe.
28. The 2018 Act extends the Commissioner’s powers to conduct a full audit where
she suspects that data protection legislation has, or is being, contravened and to order
a company to stop processing data. Elizabeth Denham told us that these would be
“powerful” measures.36 The recent legislative changes also increased the maximum fine
that the Commissioner can levy, from £500,000 to £17 million or 4% of global turnover,
whichever is greater, and set out her responsibilities for international co-operation on the
enforcement of data protection legislation.37
29. The Data Protection Act 2018 created a new definition, called “Applied GDPR”, to
describe an amended version of the GDPR, when European Union law does not apply
(when the UK leaves the EU). Data controllers would still need to assess whether they are
subject to EU law, in order to decide whether to follow the GDPR or the Applied GDPR.
29
Q3147
30
Tristan Harris, Q3147
31
Elizabeth Denham, Information Commissioner (FKN0051)
32
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and is a regulation under
EU law on data protection and privacy for all individuals within the European Union (EU) and the European
Economic Area (EEA). It forms part of the data protection regime in the UK, together with the new Data
Protection Act 2018 (DPA 2018).
33
Elizabeth Denham, Information Commissioner (FKN0051)
34
Elizabeth Denham, Information Commissioner (FKN0051)
35
Elizabeth Denham, Information Commissioner (FKN0051)
36
Q907
37
Guide to the GDPR, ICO website, accessed 21 July 2018
Disinformation and ‘fake news’: Interim Report
12
Apart from the exceptions laid down in the GDPR, all personal data processed in the
United Kingdom comes within the scope of European Union law, until EU law no longer
applies to the United Kingdom. However, when the United Kingdom leaves the EU, social
media companies could “process personal data of people in the UK from bases in the
US without any coverage of data protection law. Organisations that emulate Cambridge
Analytica could set up in offshore locations and profile individuals in the UK without
being subject to any rules on processing personal data”, according to Robert Madge, CEO
of the Swiss data management company Xifrat Daten.38
30. The Data Protection Act 2018 gives greater protection to people’s data than did
its predecessor, the 1998 Data Protection Act, and follows the law set out in the GDPR.
However, when the UK leaves the EU, social media companies will be able to process
personal data of people in the UK from bases in the US, without any coverage of data
protection law. We urge the Government to clarify this loophole in a White Paper this
autumn.
Investigation into the use of data analytics for political purposes
31. In May 2017, the ICO announced a formal investigation into the use of data analytics
for political purposes. The investigation has two strands: explaining how personal data
is used in the context of political messaging; and taking enforcement action against
any found breaches of data protection legislation.39 The investigation has involved 30
organisations, including Facebook and Cambridge Analytica. Elizabeth Denham said of
the investigation:
For the public, we need to be able to understand why an individual sees a
certain ad. Why does an individual see a message in their newsfeed that
somebody else does not see? We are really the data cops here. We are doing
a data audit to be able to understand and to pull back the curtain on the
advertising model around political campaigning and elections.40
32. In response to our request for the ICO to provide an update on the investigation into
data analytics in political campaigning, the Commissioner duly published this update on
11 July 2018.41 We are grateful to the Commissioner for providing such a useful, detailed
update on her investigations, and we look forward to receiving her final report in due
course.
33. The ICO has been given extra responsibilities, but with those responsibilities should
come extra resources. Christopher Wylie, a whistle-blower and ex-SCL employee, has had
regular contact with the ICO, and he explained that the organisation has limited resources
to deal with its responsibilities: “A lot of the investigators do not have a robust technical
background. […] They are in charge of regulating data, which means that they should
have a lot of people who understand how databases work”.42
34. Paul-Olivier Dehaye, founder of PersonalDataIO, told us that he had sent a letter to the
ICO in August 2016, asking them if they were investigating Cambridge Analytica, because
38
Brexit risk to UK personal data, Robert Madge, Medium, 22 June 2018
39
Q895
40
Q899
41
Investigation into the use of data analytics in political campaigns: investigation update, ICO, July 2018.
42
Q1460
13
Disinformation and ‘fake news’: Interim Report
of the information about the company that was publicly available at that time. He told us
that “if the right of access was made much more efficient, because of increased staffing at
the ICO, this right would be adopted by [...] educators, journalists, activists, academics, as
a tool to connect civil society with the commercial world and to help document what is
happening”.43 Data scientists at the ICO need to be able to cope with new technologies that
are not even in existence at the moment and, therefore, the ICO needs to be as technically
expert, if not more so, than the experts in private tech companies.
35. The Commissioner told us that the Government had given the ICO pay flexibility
to retain and recruit more expert staff: “We need forensic investigators, we need senior
counsel and lawyers, we need access to the best, and maybe outside counsel, to be able to
help us with some of these really big files”.44 We are unconvinced that pay flexibility will
be enough to retain and recruit technical experts.
36. We welcome the increased powers that the Information Commissioner has been
given as a result of the Data Protection Act 2018, and the ability to be able to look behind
the curtain of tech companies, and to examine the data for themselves. However, to be
a sheriff in the wild west of the internet, which is how the Information Commissioner
has described her office, the ICO needs to have the same if not more technical expert
knowledge as those organisations under scrutiny. The ICO needs to attract and employ
more technically-skilled engineers who not only can analyse current technologies, but
have the capacity to predict future technologies. We acknowledge the fact that the
Government has given the ICO pay flexibility to retain and recruit more expert staff, but
it is uncertain whether pay flexibility will be enough to retain and attract the expertise
that the ICO needs. We recommend that the White Paper explores the possibility of
major investment in the ICO and the way in which that money should be raised. One
possible route could be a levy on tech companies operating in the UK, to help pay for the
expanded work of the ICO, in a similar vein to the way in which the banking sector pays
for the upkeep of the Financial Conduct Authority.
The Electoral Commission
37. The Electoral Commission is responsible for regulating and enforcing the rules
that govern political campaign finance in the UK. Their priority is to ensure appropriate
transparency and voter confidence in the system.45 However, concerns have been expressed
about the relevance of that legislation in an age of social media and online campaigning.
Claire Bassett, the Electoral Commission’s Chief Executive, told us that, “It is no great
secret that our electoral law is old and fragmented. It has developed over the years, and we
struggle with the complexity created by that, right across the work that we do.”46
38. The use of social media in political campaigning has had major consequences for
the Electoral Commission’s work.47 As a financial regulator, the Electoral Commission
regulates “by looking at how campaigners and parties receive income, and how they
spend that.”48 While that is primarily achieved through the spending returns submitted
43
Q1460
44
Q923
45
Electoral Commission (FNW0048)
46
Q2617
47
The Electoral Commission’s remit covers the UK only and it has no power to intervene or to stop someone acting
if they are outside the UK (Claire Bassett, Q2655)
48
Q2617
Disinformation and ‘fake news’: Interim Report
14
by registered campaigners, the Commission also conducts real-time monitoring of
campaign activities, including on social media, that it can then compare the facts with
what it is being told.49 Where the Electoral Commission suspects or identifies that rules
have been breached it has the power to conduct investigations, refer matters to the police,
and issue sanctions, including fines.
39. At present, campaign spending is declared under broad categories such as ‘advertising’
and ‘unsolicited material to electors’, with no specific category for digital campaigning,
not to mention the many subcategories covered by paid and organic campaigning, and
combinations thereof. Bob Posner, the Electoral Commission’s Director of Political
Finance and Regulation and Legal Counsel, told us that “A more detailed category of
spending would be helpful to understand what is spent on services, advertising, leaflets,
posters or whatever it might be, so anyone can interrogate and question it.”50 The Electoral
Commission has since recommended that legislation be amended so that spending returns
clearly detail digital campaigning.51
40. Spending on election or referendum campaigns by foreign organisations or
individuals is not allowed. We shall be exploring issues surrounding the donation to Leave.
EU by Arron Banks in Chapter 4, but another example involving Cambridge Analytica
was brought to our attention by Arron Banks himself. A document from Cambridge
Analytica’s presentation pitch to Leave.EU stated that “We will co-ordinate a programme
of targeted solicitation, using digital advertising and other media as appropriate to raise
funds for Leave.EU in the UK, the USA, and in other countries.”52 In response to a question
asking whether he had taken legal advice on this proposal, Alexander Nix, the then CEO
of Cambridge Analytica, replied, “We took a considerable amount of legal advice and,
at the time, it was suggested by our counsel that we could target British nationals living
abroad for donations. I believe […] that there is still some lack of clarity about whether
this is true or not.53
41. When giving evidence, the Electoral Commission repeated a recommendation first
made in 2003 that online campaign material should legally be required to carry a digital
imprint, identifying the source. While the Electoral Commission’s remit does not cover
the content of campaign material, and it is “not in a position to monitor the truthfulness
of campaign claims, online or otherwise”, it holds that digital imprints “will help voters
to assess the credibility of campaign messages.”54 A recent paper from Upturn, Leveling
the platform: real transparency for paid messages on Facebook, highlighted the fact that
“ads can be shared widely, and live beyond indication that their distribution was once
subsidized. And they can be targeted with remarkable precision”.55 For this reason, we
believe digital imprints should be clear and make it easy for users to identify what is in
adverts and who the advertiser is.
49
Q2717
50
Q2668
51
Digital campaigning: increasing transparency for voters, Electoral Commission, 25 June 2018, p12
52
Arron Banks (FKN0056)
53
Q3331
54
Digital campaigning: increasing transparency for voters, Electoral Commission, 25 June 2018, p9
55
Levelling the platform: real transparency for paid messages on Facebook, Upturn, May 2018
15
Disinformation and ‘fake news’: Interim Report
42. The Electoral Commission published a report on 26 June 2018, calling for the law to
be strengthened around digital advertising and campaigning, including:
•
A change in the law to require all digital political campaign material to state
who paid for it, bringing online adverts in line with physical leaflets and adverts;
•
New legislation to make it clear that spending in UK elections and referenda by
foreign organisations and individuals is not allowed;
•
An increase in the maximum fine, currently £20,000 per offence, that the
Electoral Commission can impose on organisations and individuals who break
the rules;
•
Tougher requirements for political campaigns to declare their spending soon
after or during a campaign, rather than months later;
•
A requirement for all campaigners to provide more detailed paperwork on how
they spent money online.56
43. Claire Bassett told us that the current maximum fine that the Electoral Commission
can impose on wrongdoings in political campaigning is £20,000, which she said is described
as “the cost of doing business” for some individuals and organisations. Ms Bassett said
that this amount was too low and should be increased, in line with other regulators that
can impose more significant fines.57 She also commented on how she would like a change
to the regulated periods, particularly in reference to referenda:
One of the challenges we have as regulator is that we are a financial
regulator, and we regulate the parties and campaigners, usually during just
that regulated period or the extended period that is set out. That does create
challenges in a referendum setting. We think there is value in looking at
those campaign regulated periods and thinking about how they work.58
We are aware that the Report of the Independent Commission on Referendums made
similar recommendations in its report of July 2018.59
44. The globalised nature of social media creates challenges for regulators. In evidence
Facebook did not accept their responsibilities to identify or prevent illegal election
campaign activity from overseas jurisdictions. In the context of outside interference in
elections, this position is unsustainable and Facebook, and other platforms, must begin
to take responsibility for the way in which their platforms are used.
45. Electoral law in this country is not fit for purpose for the digital age, and needs
to be amended to reflect new technologies. We support the Electoral Commission’s
suggestion that all electronic campaigning should have easily accessible digital imprint
requirements, including information on the publishing organisation and who is legally
responsible for the spending, so that it is obvious at a glance who has sponsored that
campaigning material, thereby bringing all online advertisements and messages into
line with physically published leaflets, circulars and advertisements. We note that a
56
Digital campaigning: increasing transparency for voters, Electoral Commission, 25 June 2018
57
Q2618
58
Claire Bassett, Q2617
59
Report of the Independent Commission on Referendums UCL Constitution Unit, July 2018
Disinformation and ‘fake news’: Interim Report
16
similar recommendation was made by the Committee on Standards in Public Life, and
urge the Government to study the practicalities of giving the Electoral Commission this
power in its White Paper.
46. As well as having digital imprints, the Government should consider the feasibility
of clear, persistent banners on all paid-for political adverts and videos, indicating
the source and making it easy for users to identify what is in the adverts, and who the
advertiser is.
47. The Electoral Commission’s current maximum fine limit of £20,000 should be
changed to a larger fine based on a fixed percentage of turnover, such as has been
granted recently to the Information Commissioner’s Office in the Data Protection Act
2018. Furthermore, the Electoral Commission should have the ability to refer matters to
the Crown Prosecution Service, before their investigations have been completed.
48. Electoral law needs to be updated to reflect changes in campaigning techniques,
and the move from physical leaflets and billboards to online, micro-targeted political
campaigning, as well as the many digital subcategories covered by paid and organic
campaigning. The Government must carry out a comprehensive review of the current
rules and regulations surrounding political work during elections and referenda,
including: increasing the length of the regulated period; definitions of what constitutes
political campaigning; absolute transparency of online political campaigning; a category
introduced for digital spending on campaigns; reducing the time for spending returns to
be sent to the Electoral Commission (the current time for large political organisations is
six months); and increasing the fine for not complying with the electoral law.
49. The Government should consider giving the Electoral Commission the power to
compel organisations that it does not specifically regulate, including tech companies and
individuals, to provide information relevant to their inquiries, subject to due process.
50. The Electoral Commission should also establish a code for advertising through
social media during election periods, giving consideration to whether such activity
should be restricted during the regulated period, to political organisations or campaigns
that have registered with the Commission. Both the Electoral Commission and the ICO
should consider the ethics of Facebook or other relevant social media companies selling
lookalike political audiences to advertisers during the regulated period, where they are
using the data they hold on their customers to guess whether their political interests
are similar to those profiles held in target audiences already collected by a political
campaign. In particular, we would ask them to consider whether users of Facebook
or other relevant social media companies should have the right to opt out from being
included in such lookalike audiences.
Platform or publisher?
51. How should tech companies be defined—as a platform, a publisher, or something
in between? The definition of ‘publisher’ gives the impression that tech companies have
the potential to limit freedom of speech, by choosing what to publish and what not to
publish. Monika Bickert, Head of Global Policy Management, Facebook, told us that
“our community would not want us, a private company, to be the arbiter of truth”.60 The
60
Q431
17
Disinformation and ‘fake news’: Interim Report
definition of ‘platform’ gives the impression that these companies do not create or control
the content themselves, but are merely the channel through which content is made available.
Yet Facebook is continually altering what we see, as is shown by its decision to prioritise
content from friends and family, which then feeds into users’ newsfeed algorithm.61
52. Frank Sesno, Director of the School of Media and Public Affairs, George Washington
University, told us in Washington D.C. that “they have this very strange, powerful, hybrid
identity as media companies that do not create any of the content but should and must—to
their own inadequate levels—accept some responsibility for promulgating it. What they
fear most is regulation—a requirement to turn over their data”.62
53. At both our evidence session and at a separate speech in March 2018, the then
Secretary of State for DCMS, Rt Hon Matt Hancock MP, noted the complexity of
making any legislative changes to tech companies’ liabilities, putting his weight behind
“a new definition” that was “more subtle” than the binary choice between platform and
publisher.63 He told us that the Government has launched the Cairncross Review to look
(within the broader context of the future of the press in the UK) at the role of the digital
advertising supply chain, at how fair and transparent it is, and whether it “incentivises
the proliferation of inaccurate and/or misleading news.” The review is also examining
the role and impact of digital search engines and social media companies including an
assessment of regulation “or further collaboration between the platforms and publishers.”
The consultation closes in September 2018.64
54. In Germany, tech companies were asked to remove hate speech within 24 hours. This
self-regulation did not work, so the German Government passed the Network Enforcement
Act, commonly known as NetzDG, which became law in January 2018. This legislation
forces tech companies to remove hate speech from their sites within 24 hours, and fines
them 20 million Euros if it is not removed.65
55. Some say that the NetzDG regulation is a blunt instrument, which could be seen to
tamper with free speech, and is specific to one country, when the extent of the content spans
many countries. Monika Bickert, from Facebook, told us that “sometimes regulations can
take us to a place—you have probably seen some of the commentary about the NetzDG
law in Germany—where there will be broader societal concerns about content that we are
removing and whether that line is in the right place”.66 The then Secretary of State was also
wary of the German legislation because “when a regulator gets to the position where they
are policing the publication of politicians then you are into tricky territory”.67 However,
as a result of this law, one in six of Facebook’s moderators now works in Germany, which
is practical evidence that legislation can work.68
56. Within social media, there is little or no regulation. Hugely important and
influential subjects that affect us—political opinions, mental health, advertising,
61
Monika Bickert, Q434
62
Frank Sesno, Q583
63
Matt Hancock MP on ‘The Future of the Media’ at the Oxford Media Convention, Monday 12 March 2018 and
Q977
64
Terms of reference, Cairncross Review, DCMS, 12 March 2018.
65
Germany start enforcing hate speech law, BBC, 1 January 2018
66
Q386
67
Q973
68
Professor Lewandowsky, Q233
Disinformation and ‘fake news’: Interim Report
18
data privacy—are being raised, directly or indirectly, in these tech spaces. People’s
behaviour is being modified and changed as a result of social media companies. There
is currently no sign of this stopping.
57. Social media companies cannot hide behind the claim of being merely a ‘platform’,
claiming that they are tech companies and have no role themselves in regulating the
content of their sites. That is not the case; they continually change what is and is not
seen on their sites, based on algorithms and human intervention. However, they are also
significantly different from the traditional model of a ‘publisher’, which commissions,
pays for, edits and takes responsibility for the content it disseminates.
58. We recommend that a new category of tech company is formulated, which
tightens tech companies’ liabilities, and which is not necessarily either a ‘platform’ or
a ‘publisher’. We anticipate that the Government will put forward these proposals in
its White Paper later this year and hope that sufficient time will be built in for our
Committee to comment on new policies and possible legislation.
59. We support the launch of the Government’s Cairncross Review, which has been
charged with studying the role of the digital advertising supply chain, and whether
its model incentivises the proliferation of inaccurate or misleading news. We propose
that this Report is taken into account as a submission to the Cairncross Review. We
recommend that the possibility of the Advertising Standards Agency regulating digital
advertising be considered as part of the Review. We ourselves plan to take evidence on
this question this autumn, from the ASA themselves, and as part of wider discussions
with DCMS and Ofcom.
60. It is our recommendation that this process should establish clear legal liability for
the tech companies to act against harmful and illegal content on their platforms. This
should include both content that has been referred to them for takedown by their users,
and other content that should have been easy for the tech companies to identify for
themselves. In these cases, failure to act on behalf of the tech companies could leave them
open to legal proceedings launched either by a public regulator, and/or by individuals or
organisations who have suffered as a result of this content being freely disseminated on
a social media platform.
Transparency
61. What we found, time and again, during the course of our inquiry, was the failure
on occasions of Facebook and other tech companies, to provide us with the information
that we sought. We undertook fifteen exchanges of correspondence with Facebook, and
two oral evidence sessions, in an attempt to elicit some of the information that they held,
including information regarding users’ data, foreign interference and details of the so-
called ‘dark ads’ that had reached Facebook users.69 Facebook consistently responded
to questions by giving the minimal amount of information possible, and routinely
failed to offer information relevant to the inquiry, unless it had been expressly asked
for. It provided witnesses who have been unwilling or unable to give full answers to the
69
Oral evidence session, 8 February 2018; oral evidence session, 26 April 2018; exchanges of correspondence
between the Chair of the DCMS Committee and Facebook representatives, between 24 October and 8 June
2018, can be found on the DCMS Committee’s inquiry page.
19
Disinformation and ‘fake news’: Interim Report
Committee’s questions. This is the reason why the Committee has continued to press for
Mark Zuckerberg to appear as a witness as, by his own admission, he is the person who
decides what happens at Facebook.
62. We ask, once more, for Mr Zuckerberg to come to the Committee to answer the
many outstanding questions to which Facebook has not responded adequately to date.
Edward Lucas, a writer and security policy expert, rightly told us that Facebook should
not be in a position of marking its own homework: “They have a duty as a platform to have
transparent rules that can be discussed with the outside world and we should be able to
check stuff. […] We cannot just trust Facebook to go after the event and say, ‘Nothing to
see here, move along’. We should be able to see in real time who is advertising”.70
63. As the then Secretary of State, Rt Hon Matthew Hancock MP, pointed out when he
gave evidence to us, the Defamation Act 2013 contains provisions stating that, if a user is
defamed on social media, and the offending individual cannot be identified, the liability
rests with the platform.71
64. Tech companies are not passive platforms on which users input content; they
reward what is most engaging, because engagement is part of their business model and
their growth strategy. They have profited greatly by using this model. This manipulation
of the sites by tech companies must be made more transparent. Facebook has all of the
information. Those outside of the company have none of it, unless Facebook chooses
to release it. Facebook was reluctant to share information with the Committee, which
does not bode well for future transparency. We ask, once more, for Mr Zuckerberg to
come to the Committee to answer the many outstanding questions to which Facebook
has not responded adequately, to date.
65. Facebook and other social media companies should not be in a position of ‘marking
their own homework’. As part of its White Paper this Autumn, the Government need to
carry out proactive work to find practical solutions to issues surrounding transparency
that will work for both users, the Government, and the tech companies.
66. Facebook and other social media companies have a duty to publish and to follow
transparent rules. The Defamation Act 2013 contains provisions stating that, if a user is
defamed on social media, and the offending individual cannot be identified, the liability
rests with the platform. We urge the Government to examine the effectiveness of these
provisions, and to monitor tech companies to ensure they are complying with court
orders in the UK and to provide details of the source of disputed content—including
advertisements—to ensure that they are operating in accordance with the law, or any
future industry Codes of Ethics or Conduct. Tech companies also have a responsibility
to ensure full disclosure of the source of any political advertising they carry.
Bots
67. Bots are algorithmically-driven computer programmes designed to carry out specific
tasks online, such as analysing and scraping data. Some are created for political purposes,
such as automatically posting content, increasing follower numbers, supporting political
campaigns, or for spreading misinformation and disinformation. Samantha Bradshaw,
70
Q855
71
Section 5, ‘Operators’, Defamation Act 2013
Disinformation and ‘fake news’: Interim Report
20
from the Oxford Internet Institute, University of Oxford, described the different types of
bots, with some being completely automated and some with real people who engage with
the automated bots, described as ‘cyborgs’: “Those accounts are a lot harder to detect for
researchers, because they feel a lot more genuine. Instead of just automating a bunch of
tweets, so that something retweets different accounts 100 times a day, bots might actually
post comments and talk with other users—real people—on the accounts”.72
68. When she gave evidence in February 2018, Monika Bickert, Head of Global Policy
Management at Facebook, would not confirm whether there were around 50,000 bot
accounts during the US presidential election of 2016.73 However, when Mike Schroepfer,
CTO of Facebook, gave evidence in April 2018, after the Cambridge Analytica events had
unfolded, he was more forthcoming about the problem of bots:
The key thing here is people trying to create inauthentic identities on
Facebook, claiming they are someone other than who they are. To give
you a sense of the scale of that problem and the means, while we are in
this testimony today it is likely we will be blocking hundreds of thousands
of attempts by people around the world to create fake accounts through
automated systems. This is literally a day-to-day fight to make sure that
people who are trying to abuse the platform are kept off it and to make sure
that people use Facebook for what we want it for, which is to share it with
our friends.74
69. Mike Schroepfer also said that removal of such bots can be difficult, and was evasive
about how many fake accounts had been removed, telling us: “We are purging fake accounts
all the time and dealing with fraudulent ads and we do not tend to report each specific
instance. I know we report aggregate statistics on a regular basis, but it is not something
we are reporting here or there, so I don’t know.75 The problem with removing such bots
without a systematic appraisal of their composition means that valuable information is
then lost. Such information would prove invaluable to researchers involved in making
connections, in order to prevent future attacks by malign players.
Algorithms
70. Both social media companies and search engines use algorithms, or sequences
of instructions, to personalise news and other content for users. The algorithms select
content based on factors such as a user’s past online activity, social connections, and
their location. Samantha Bradshaw, from the Oxford Internet Institute, told us about the
power of Facebook to manipulate people’s emotions by showing different types of stories
to them: “If you showed them more negative stories, they would feel more negatively. If
you showed them positive stories, they would feel more positive”.76 The tech companies’
business models rely on revenue coming from the sale of adverts and, because the bottom
line is profit, negative emotions (which appear more quickly than positive emotions) will
always be prioritised. This makes it possible for negative stories to spread.
72
Q18
73
Q465
74
Q2126
75
Q2293
76
Q29
21
Disinformation and ‘fake news’: Interim Report
71. Information about algorithms that dictate what users see on their News Feed is not
publicly available. But just as information about the tech companies themselves needs to
be more transparent, so does information about the algorithms themselves. These can
carry inherent biases, such as those involving gender and race, as a result of algorithms
development by engineers; these biases are then replicated, spread, and reinforced. Monika
Bickert, from Facebook, admitted that Facebook was concerned about “any type of bias,
whether gender bias, racial bias or other forms of bias that could affect the way that work
is done at our company. That includes working on algorithms”. She went on to describe
ways in which they were attempting to address this problem, including “initiatives
ongoing, right now, to try to develop talent in under-represented communities”.77 In
our opinion, Facebook should be taking a more active and urgent role in tackling such
inherent biases in algorithm development by engineers, to prevent these biases being
replicated and reinforced. Claire Wardle, Executive Director of First Draft News, told us
of the importance to get behind the ‘black box’ of the working of algorithms, in order to
understand the rules and motivations of the tech companies:
What are the questions to ask a platform about why it was created? What
are the metrics for that particular algorithm? How can we have more insight
into that algorithm? How can we think about frameworks of algorithms?
Irrespective of the platform, how can we set up that framework so that
platforms have to be not just transparent but transparent across particular
aspects and elements?78
72. Just as the finances of companies are audited and scrutinised, the same type of
auditing and scrutinising should be carried out on the non-financial aspects of technology
companies, including their security mechanisms and algorithms, to ensure they are
operating responsibly. The Government should provide the appropriate body with the
power to audit these companies, including algorithmic auditing, and we reiterate the
point that the ICO’s powers should be substantially strengthened in these respects.
73. If companies like Facebook and Twitter fail to act against fake accounts, and
properly account for the estimated total of fake accounts on their sites at any one time,
this could not only damage the user experience, but potentially defraud advertisers who
could be buying target audiences on the basis that the user profiles are connected to real
people. We ask the Competition and Markets Authority to consider conducting an audit
of the operation of the advertising market on social media.
Privacy settings and ‘terms and conditions’
74. Facebook and other tech companies make it hard for users to protect their own data.
A report by the Norwegian Consumer Council, ‘Deceived by Design’, published in June
2018, highlighted the fact that Facebook, Google and Microsoft direct users away from
privacy-friendly options on their services in an “unethical” way, while giving users “an
illusion of control”.79 Users’ privacy rights are usually hidden in tech companies’ ‘terms
77
Q441
78
Q582
79
Deceived by design, Norwegian Consumer Council, 26 June 2018.
Disinformation and ‘fake news’: Interim Report
22
and conditions’ policies, which themselves are complicated, and do not follow their own
terms of conditions in ensuring that they are age appropriate and that age ratification
takes place.80
75. Social media companies have a legal duty to inform users of their privacy rights.
Companies give users the illusion of users having freedom over how they control their
data, but they make it extremely difficult, in practice, for users to protect their data.
Complicated and lengthy terms and conditions, small buttons to protect our data and
large buttons to share our data mean that, although in principle we have the ability
to practise our rights over our data—through for example the GDPR and the Data
Protection Act—in practice it is made hard for us.
76. The UK Government should consider establishing a digital Atlantic Charter
as a new mechanism to reassure users that their digital rights are guaranteed. This
innovation would demonstrate the UK’s commitment to protecting and supporting users,
and establish a formal basis for collaboration with the US on this issue. The Charter
would be voluntary, but would be underpinned by a framework setting out clearly the
respective legal obligations in signatory countries. This would help ensure alignment, if
not in law, then in what users can expect in terms of liability and protections.
‘Free Basics’ and Burma
77. One of Facebook’s unofficial company mottoes was to “move quickly and break
things”; to take risks, to not consider the consequences. Sandy Parakilas, an ex-Facebook
employee, told us that most of the goals of the company were centred around growth,
in terms of the number of people using the service and the subsequent revenue.81 But
with growth comes unintended consequences, if that growth happens unchecked. This
unchecked growth of Facebook is continuing. ‘Free Basics’ is a Facebook service that
provides people in developing countries with mobile phone access to various services
without data charges. This content includes news, employment, health, information and
local information. Free Basics is available in 63 countries around the world.82
78. Out of a 50 million population in Burma, there are 30 million monthly active
users on Facebook.83 While Free Basics gives internet access for the majority of people
in Burma, at the same time it severely limits the information available to users, making
Facebook virtually the only source of information online for the majority of people in
Burma.84 The United Nations accused Facebook of playing a determining role in stirring
up hatred against the Rohingya Muslim minority in Rakhine State. In March 2018, the
UN Myanmar investigator Yanghee Lee said that the platform had morphed into a ‘beast’
that helped to spread vitriol against Rohingya Muslins.85
79. When Mike Schroepfer, the CTO at Facebook, gave evidence in April 2018, he
described the situation in Burma as “awful”, and that “we need to and are trying to do a
lot more to get hate speech and all this kind of vile content off the platform”,86 but he could
80
The then Secretary of State, Rt Hon Matt Hancock MP Q968
81
Q1208
82
internet.org by Facebook, accessed 21 July 2018.
83
Myanmar group blasts Zuckerberg claim on Facebook hate speech prevention, Techcrunch, 6 April, 2018
84
Unliked: How Facebook is playing a part in the Rohingya genocide, The Conversation, 2 January 2018.
85
UN: Facebook has turned into a beast in Myanmar, BBC, 13 March 2018.
86
Q2490
23
Disinformation and ‘fake news’: Interim Report
not tell us when Facebook had started work on limiting hate speech, he could not tell us
how many fake accounts had been identified and removed from Burma, and he could not
tell us how much revenue Facebook was making from Facebook users in Burma.87
80. Mr. Schroepfer promised to submit supplementary evidence to give us that
information. However, Facebook’s supplementary evidence stated: “We do not break down
the removal of fake accounts by country. […] Myanmar [Burma] is a small market for
Facebook. We do not publish country advertising revenue figures”.88 We sent yet another
letter, asking why Facebook does not break down the removal of fake accounts by country,
which seems a serious lapse in demonstrating how it takes responsibility when problems
with fake accounts arise.89 To date, we have not received an answer.
81. UK aid to Burma is planned at £100 million for 2018.90 The Department for
International Development told the International Development Committee that “for our
programme to be successful, Burma must work towards the implementation of inclusive
peace agreements, a new political settlement; and the military serving, rather than ruling,
Burma”.91 To date, the UK’s total support for the crisis since August 2017 is £129 million.
82. The United Nations has named Facebook as being responsible for inciting hatred
against the Rohingya Muslim minority in Burma, through its ‘Free Basics’ service. It
provides people free mobile phone access without data charges, but is also responsible
for the spread disinformation and propaganda. The CTO of Facebook, Mike Schroepfer
described the situation in Burma as “awful”, yet Facebook cannot show us that it has
done anything to stop the spread of disinformation against the Rohingya minority.
83. The hate speech against the Rohingya—built up on Facebook, much of which is
disseminated through fake accounts—and subsequent ethnic cleansing, has potentially
resulted in the success of DFID’s aid programmes being greatly reduced, based on the
qualifications they set for success. The activity of Facebook undermines international aid
to Burma, including the UK Government’s work. Facebook is releasing a product that is
dangerous to consumers and deeply unethical. We urge the Government to demonstrate
how seriously it takes Facebook’s apparent collusion in spreading disinformation in
Burma, at the earliest opportunity. This is a further example of Facebook failing to take
responsibility for the misuse of its platform.
Code of Ethics and developments
84. Facebook has hampered our efforts to get information about their company
throughout this inquiry. It is as if it thinks that the problem will go away if it does not
share information about the problem, and reacts only when it is pressed. Time and again
we heard from Facebook about mistakes being made and then (sometimes) rectified,
rather than designing the product ethically from the beginning of the process. Facebook
has a ‘Code of Conduct’, which highlights the principles by which Facebook staff carry
87
Qq 2493 to 2496
88
Facebook letter from Rebecca Stimson, Head of Public Policy, to Damian Collins, 14 May 2018.
89
Letter from Damian Collins to Rebecca Stimson, 21 May 2018
90
Bangladesh, Burma and the Rohingya crisis, International Development Committee, fourth report of session
2017–19, HC 1054, para 11
91
Ibid.
Disinformation and ‘fake news’: Interim Report
24
out their work, and states that employees are expected to “act lawfully, honestly, ethically,
and in the best interests of the company while performing duties on behalf of Facebook”.92
Facebook has fallen well below this standard in Burma.
85. The then Secretary of State, Rt Hon Matt Hancock MP, talked about the need for tech
companies to move from a libertarian attitude—“the foundation of the internet”—to one
of “liberal values on the internet, which is supporting and cherishing the freedom but not
the freedom to harm others”.93 He warned that tech company leaders have a responsibility,
otherwise responsibility will be imposed on them: “I do not, for a moment, buy this idea
that just because the internet is global therefore nation states do not have a say in it. We
are responsible. We collectively, Parliament is responsible, for the statutory rules where
our society lives”.94
Monopolies and the business models of tech companies
86. The dominance of a handful of powerful tech companies, such as Facebook, Twitter
and Google, has resulted in their behaving as if they were monopolies in their specific
area. Traditionally, the basis of competition policy with regard to monopolies has been
the issue of consumer detriment, such as the risk of overcharging. However, in the tech
world, consumer detriment is harder to quantify. In the digital sphere, many of these
services have marginal running costs, are free to the consumer at the point of use, and
have the potential of benefiting the consumer from being monopolistic—the sharing of
information is the point of these companies and improves the accuracy of services such as
Google Maps. As the Secretary of State told us, “The whole question of the concept of how
we run competition policy in an era where many goods and many other new innovations
have zero marginal costs and are free is intellectually difficult.”95
87. With the free access of services must come the means of funding the businesses; tech
companies’ business models rely on the data of users for advertisers to utilise, in order
to maximise their revenue. Facebook and Google have 60% of US digital ad spend and
20% of total global spend, as of February 2018.96 Therefore, consumer protection in the
modern world is not only about goods, it is about the protection of data. Tech companies’
business models have extolled the fact that they are offering innovations that are free to
use, but in doing so the users become the product of the companies, and this is where
issues of mistrust and misuse arise. The new measures in GDPR allow users to see what
data the companies hold about them, and users can request their data to be removed or
transferred to other tech companies, but in order for this to be effective, users must have
knowledge of and utilise these rights.97
88. Professor Bakir, from Bangor University, talked of how technology continually
changes, with people adapting to that technology in unpredictable ways.98 She suggested
the establishment of a working group, to monitor what is being developed in the area of
misinformation and disinformation because “what is around the corner may be much
92
Code of Conduct, Facebook, 31 May 2018
93
Q954
94
Q954
95
Q979
96
Ian Lucas MP, Q619
97
Guide to the GDPR, ICO website
98
Q233
25
Disinformation and ‘fake news’: Interim Report
more worrying than what we have experienced to date”.99 As technology develops so
quickly, regulation needs to be based not on specifics, but on principles, and adaptive
enough to withstand technological developments.
89. A professional global Code of Ethics should be developed by tech companies, in
collaboration with this and other governments, academics, and interested parties,
including the World Summit on Information Society, to set down in writing what is and
what is not acceptable by users on social media, with possible liabilities for companies
and for individuals working for those companies, including those technical engineers
involved in creating the software for the companies. New products should be tested to
ensure that products are fit-for-purpose and do not constitute dangers to the users, or
to society.
90. The Code of Ethics should be the backbone of tech companies’ work, and should be
continually referred to when developing new technologies and algorithms. If companies
fail to adhere to their own Code of Ethics, the UK Government should introduce
regulation to make such ethical rules compulsory.
91. The dominance of a handful of powerful tech companies, such as Facebook, Twitter
and Google, has resulted in their behaving as if they were monopolies in their specific
area. While this portrayal of tech companies does not appreciate the benefits of a shared
service, where people can communicate freely, there are considerations around the data
on which those services are based, and how these companies are using the vast amount
of data they hold on users. In its White Paper, the Government must set out why the
issue of monopolies is different in the tech world, and the measures needed to protect
users’ data.
99
Q233
Disinformation and ‘fake news’: Interim Report
26
3 The issue of data targeting, based
around the Facebook, GSR and
Cambridge Analytica allegations
92. Arguably more invasive than obviously false information is the relentless targeting of
hyper-partisan views, which play to the fears and the prejudices of people, in order to alter
their voting plans. This targeting formed the basis of the revelations of March 2018, which
brought to the general public’s attention the facts about how much of their own personal
data is in the public domain, unprotected, and available for use by different players. Some
of the events surrounding Cambridge Analytica and its use of Facebook data had been
revealed at the end of 2015, when Harry Davies published an article in The Guardian,
following investigations lasting around a year, and wrote: “a little known data company
[Cambridge Analytica] […] paid researchers at Cambridge University to gather detailed
psychological profiles about the US electorate using a massive pool of mainly unwitting
US Facebook users built with an online survey”.100
93. Based on our knowledge of this article, we had explored the general issues
surrounding the manipulation of data when we questioned Facebook in February 2018.
However, it was in March 2018 when facts about this case became better known across
the world, including how people’s data was used to influence election campaigning, in the
US and the UK, through the work of Carole Cadwalladr, at The Observer, and the whistle-
blower Christopher Wylie, a former employee of SCL Group, and Cambridge Analytica.
Shortly after going public with his allegations, Christopher Wylie gave evidence to the
Committee.101 This chapter will focus on the events that highlighted the extent of the
misuse of data, involving various organisations including Facebook, Global Science
Research (GSR), Cambridge Analytica, and Aggregate IQ (AIQ), and the alleged sharing
of data in the EU Referendum. We received written and oral evidence from many of those
intimately involved in these revelations. Issues relating to these companies and political
campaigning are further examined in Chapter 4, as well as evidence regarding SCL’s
involvement in overseas elections in Chapter 6.
Cambridge Analytica and micro-targeting
94. Cambridge Analytica was founded in 2012, with backing from the US hedge
fund billionaire and Donald Trump donor, Robert Mercer, who became the majority
shareholder.102 He was the largest donor to the super political action committee (PAC)
that supported the presidential campaigns of Ted Cruz and Donald Trump in the 2016
presidential election.103 Christopher Wylie argued that the funding of Cambridge
Analytica enabled Mr Mercer to benefit from political campaigns that he supported,
without directly spending money on them, thereby bypassing electoral finance laws:
100 Paul-Olivier Dehaye, Q1342, referring to Ted Cruz using firm that harvested data on millions of unwitting
Facebook users, Harry Davies, The Guardian, 11 December 2015.
101
The DCMS Committee’s oral evidence session with Christopher Wylie and Paul-Olivier Dehaye, 27 March 2018,
was described by Mark D’Arcy, parliamentary correspondent at the BBC, as “by a distance, the most astounding
thing I’ve seen in Parliament”. Tweet, 17 March 2018, Mark D’Arcy.
102 Christopher Wylie, Q1273
103 Contributors, 2016 cycle, OpenSecrets.org
27
Disinformation and ‘fake news’: Interim Report
“[Robert Mercer] can put in $15 million to create something and then only charge $50,000
for it. It would have been physically impossible to get the same value and level of service
and data for that amount of money in any other way”.104
95. Cambridge Analytica was born out of the already established SCL consultancy, which
had engaged in political campaigns around the world, using specialist communications
techniques previously developed by the military to combat terror organisations,
and to disrupt enemy intelligence and to give on the ground support in war zones.
Cambridge Analytica’s primary purpose would instead be to focus on data targeting and
communications campaigns for carefully selected Republican Party candidates in the
United States of America.
96. Steve Bannon served as White House chief strategist at the start of President Donald
Trump’s term, having previously been chief executive of President Trump’s general election
campaign. He was the executive chairman of Breitbart News, a website he described as ‘the
platform of the alt-right,’105 and was the former Vice President of Cambridge Analytica.
A Cambridge Analytica invoice to UKIP was billed to the same address as Steve Bannon’s
company, Glittering Steel.106 The Committee was also told that Steve Bannon introduced
Cambridge Analytica to Arron Banks and to Leave.EU.107
97. We heard evidence from Alexander Nix, in February 2018, before the Observer and
Guardian revelations in March 2018, and before the company and its associated company
had gone into administration.108 Alexander Nix described the micro-targeting business
of Cambridge Analytica:
We are trying to make sure that voters receive messages on the issues and
policies that they care most about, and we are trying to make sure that they
are not bombarded with irrelevant materials. That can only be good. That
can only be good for politics, it can only be good for democracy and it can
be good in the wider realms of communication and advertising.109
98. The use of data analytics, based on the psychological profile of the audience, was at
the heart of the work of Cambridge Analytica, “presenting a fact that is underpinned by an
emotion”, as described by Mr. Nix.110 In order to match the right type of message to voters,
Cambridge Analytica needed information about voters, such as what merchandise they
bought, what media they read, what cars they drove.111 Mr. Nix told us that “we are able to
match these data with first-party research, being large, quantitative research instruments,
not dissimilar to a poll. We can go out and ask audiences about their preferences […]
indeed we can also start to probe questions about personality and other drivers that might
be relevant to understanding their behaviour and purchasing decisions”.112 Cambridge
Analytica used ‘OCEAN psychological analysis’ to identify issues people might support
and how to position the arguments to them. OCEAN categorises people based on their
104 Christopher Wylie, Qq 1410 and 1411
105 A brief history of Breitbart news, Business Insider UK, November 2016
106 Brittany Kaiser, Qq 1682–1684
107 Q1506
108 Cambridge Analytica and the SCL Group started insolvency proceedings in the US and the UK on 2 May 2018.
109 Q657
110 Q662
111 Alexander Nix, Q679
112 Q675
Disinformation and ‘fake news’: Interim Report
28
‘Openness’, ‘Conscientiousness’, ‘Extraversion’, ‘Agreeableness’ and ‘Neuroticism’.113 As
Alexander Nix explained in his talk at the 2016 Concordia Annual Summit, entitled
‘The Power of Big Data and Psychographics’, this approach helps you, for example, to
decide how to persuade American voters on the importance of protection of the second
amendment, which guarantees the right to keep and bear arms. In the example Mr Nix
showed, you might play on the fears of someone who could be frightened into believing
that they needed the right to have a gun to protect their home from intruders.114
99. When asked where the data used by Cambridge Analytica came from, Alexander
Nix told us: “We do not work with Facebook data, and we do not have Facebook data.
We do use Facebook as a platform to advertise, as do all brands and most agencies, or all
agencies, I should say. We use Facebook as a means to gather data. We roll out surveys
on Facebook that the public can engage with if they elect to”.115 When asked whether
Cambridge Analytica was able to use information on users’ Facebook profile when they
complete surveys, Mr. Nix replied, “No, absolutely not. Absolutely not”.116
100. Professor David Carroll, a US citizen, made a Subject Access Request (SAR) to
Cambridge Analytica in January 2017, under the Data Protection Act 1998, because he
believed that his data was being processed in the UK. He told us “there was no indication
of where they obtained the data. […] We should be able to know where they got the data,
how they processed it, what they used it for, who they shared it with and also whether we
have a right to opt out of it and have them delete the data and stop processing it in the
future”.117 The ICO’s investigation update of 11 July 2018 described Professor Carroll’s
case as “a specific example of Cambridge Analytica/SCL’s poor practice with regard to
data protection law”.118
101. The ICO served an Enforcement Notice on SCL Elections Ltd on 4 May 2018, ordering
it to comply with the terms of the SAR, by providing copies of all personal information
that SCL held on Professor Carroll. However, the terms of the Enforcement Notice were
not complied with by the deadline of 3 June 2018, and the ICO is now considering criminal
action against Cambridge Analytica and SCL Elections Ltd.119
Global Science Research
102. The Facebook data breach in 2014, and the role of Cambridge Analytica in acquiring
this data, has been the subject of intense scrutiny. Ultimately the data breach originated
at the source of the data, at Facebook. ‘Friends permissions’ were a set of permissions on
Facebook between 2010 and 2014, and allowed developers to access data related to users’
friends, without the knowledge or express consent of those friends.120 One such developer,
Aleksandr Kogan, an American citizen who had been born in the former Soviet Union,
was a Research Associate and University Lecturer at the University of Cambridge in the
113 Alexander Nix, Q679
114 Q783
115 Q682
116 Q704
117 Q571
118
Investigation into data analytics for political purposes: investigation update, ICO, 11 July 2018
119
Investigation into data analytics for political purposes: investigation update, ICO, 11 July 2018
120
Sandy Parakilas, Q1202
29
Disinformation and ‘fake news’: Interim Report
Department of Psychology. Kogan began collaborating “directly” with Facebook in 2013,
and he told us that they “provided me with several macro-level datasets on friendship
connections and emoticon usage.”121
103. Professor Kogan set up his own business, Global Science Research (GSR), in the spring
of 2014, and developed an App, called the GSR App, which collected data from users, at
an individual level.122 It was at around this time as well that Dr Kogan was in discussions
about working on some projects with SCL Elections and Cambridge Analytica, to see
whether his data collection and analysis methods could help the audience targeting of
digital campaigns. Professor Kogan explained that he did not sell the GSR App itself as
“it is not technically challenging in any way. Facebook explains how to do it, so there is
great documentation on this”.123 What was valuable was the data. The aim was to recruit
around 200,000 people who could earn money by completing an online survey. Recruits
had to download the App before they could collect payment. The App would download
some information about the user and their friends. Each person was paid $3 or $4, which
totalled $600,000 to $800,000 across all participants. In this case SCL paid that amount,
and then returned to get predictions about people’s personalities, for which they paid GSR
£230,000.124 In the latter part of 2014, after the GSR App data collection was complete,
Professor Kogan revised the application to become an interactive personality “quiz” and
renamed the App “thisisyourdigitallife.”125
104. The exact nature of Dr Kogan’s work on this project is set out in the contract he
signed with SCL, on 4 June 2014, along with his business partner, Joseph Chancellor, who
was later hired to work for Facebook.126 Alexander Nix also signed this contract on behalf
of SCL Elections. In the ‘Project and Specification’ schedule of the contract it states that
‘After data is collected, models are built using psychometric techniques (e.g. factor analysis,
dimensional scaling etc) which uses Facebook likes to predict people’s personality scores.
These models are validity tested on users who were not part of the training sample. Trait
predictions based on Facebook likes are at near test-retest levels and have been compared
to the predictions that romantic partners, family members and friends make about their
traits. In all previous cases the computer-generated scores performed the best. Thus, the
computer-generated scores can be more accurate than even the knowledge of very close
friends and family members.’127
105. Furthermore, Dr Kogan and SCL knew that ‘scraping’ Facebook user data in this
way was in breach of the company’s then recently revised terms of service. Instead the
work was carried out under the terms of an agreement GSR has with Facebook which
predated this change. It is stated in the contract that, “GSR’s method relies on a pre-
existing application functioning under Facebook’s old terms of service. New applications
are not able to access friend networks and no other psychometric profiling applications
exist under the old Facebook terms.”128
121 Q1770
122 Aleksandr Kogan, Q1796
123 Q1809
124 Q1809
125 Aleksandr Kogan (FKN0077)
126 Background papers submitted by Christopher Wylie, p67
127 Background papers submitted by Christopher Wylie, p84
128 Background paper submitted by Christopher Wylie, p.84
Disinformation and ‘fake news’: Interim Report
30
106. The purpose of the project, however, was not to carry out this testing as part of an
experiment into the predictive nature of understanding the insights about an individual
that are provided by Facebook likes. Rather, data would be scraped to order to support
political campaigns. Cambridge Analytica was involved with in eleven states in the USA in
2014. These were Arkansas, Colorado, Florida, Iowa, Louisiana, Nevada, New Hampshire,
North Carolina, Oregon, South Carolina and West Virginia.129 Dr Kogan and his team
were required under the contract to provide SCL with data sets that matched predictive
personality scores, including someone’s likely political interests, to named individuals on
the electoral register in those states.
107. When Dr Kogan gave evidence to us, he stated that he believed using Facebook likes
to predict someone’s personality and interests was not particularly accurate. However,
from the contract he signed with SCL in June 2014, he certainly thought it was at the
time. Furthermore, Dr Kogan’s colleague at the Cambridge Psychometrics Centre, Michal
Kosinski, co-authored an academic paper called ‘Tracking the Digital Footprints of
Personality’, published in December 2014, where he re-states the case or the effectiveness
of assessing personality from Facebook likes.130 This article claims that “Facebook likes
are highly predictive of personality and number[s] of other psychodemographic traits,
such as age, gender, intelligence, political and religious views, and sexual orientation”. The
article goes on, rightly, to raise the ethical concerns that should exist in relation to this
approach, stating that:
The results presented here may have considerable negative implications
because it can easily be applied to large numbers of people without
obtaining their individual consent and without them noticing. Commercial
companies, governmental institutions, or even one’s Facebook friends could
use software to infer personality (and other attributes, such as intelligence
or sexual orientation) that an individual may not have intended to share.
There is a risk that the growing awareness of such digital exposure may
decrease their trust in digital technologies, or even completely deter them
from them.131
108. When Alexander Nix first gave evidence to us in February 2018, he denied that Dr
Kogan and GSR had supplied Cambridge Analytica with any data or information, and that
his datasets were not based on information received from GSR.132 We received evidence
from both Dr Kogan and Mr Wylie that conflicted with Mr Nix’s evidence; indeed, Mr
Wylie described the data obtained from Dr Kogan’s GSR App as the foundation dataset of
the company, which collected data on up to 87 million users, over 1 million of whom were
based in the UK.133 We believe that Dr Kogan also knew perfectly well what he was doing,
and that he was in breach of Facebook’s own codes of conduct (which he told us he did not
consider to be operative in practice, as they were never enforced).
109. During his second appearance, Mr Nix admitted that “I accept that some of my
answers could have been clearer, but I assure you that I did not intend to mislead you”. He
went on to explain that Cambridge Analytica had not at that time been in possession of
129 Background paper submitted by Christopher Wylie, pp.84–85
130 Tracking the digital footprints of personality, Michal Kosinski, proceedings of the IEEE,Vol 102, no 12, December
2014
131
Ibid.
132 Qq 730 to 731
133 Q1281
31
Disinformation and ‘fake news’: Interim Report
data from GSR, due to the fact that they had “deleted all such data licensed in good faith
from GSR under that research contract”.134 This suggests that Mr. Nix, who by his own
admission to the Committee tells lies, was not telling the whole truth when he gave us his
previous version of events, in February 2018.
110. In August 2014 Dr Kogan worked with SCL to provide data on individual voters to
support US candidates being promoted by the John Bolton Super Pac in the mid-term
elections in November of that year. Psychographic profiling was used to micro-target
adverts at voters across five distinct personality groups. After the campaign, according
to an SCL presentation document seen by the Committee, the company claimed that
there was a 39% increase in awareness of the issues featured in the campaign’s advertising
amongst those who had received targeted messages.135 In September 2014, SCL also signed
a contract to work with the American Conservative advocacy organisation, ‘For America’.
Again, they used behavioural micro-targeting to support their campaign messages ahead
of the mid-term elections that year. SCL would later claim that the 1.5million advertising
impressions they generated through their campaign led to a 30% uplift in voter turnout,
against the predicted turnout, for the targeted groups.
Facebook
111. Sandy Parakilas worked for Facebook for 16 months in 2011 and 2012, and told us
that “once the data passed from Facebook servers to the developer, Facebook lost insight
into what was being done with the data and lost control over the data”.136 There was no
proper audit trail of where the data went and during Mr Parakilas’ 16 months of working
there, he did not remember one audit of a developer’s storage.137 This is a fundamental
flaw in Facebook’s model of holding data; Facebook cannot assure its users that its data is
not being used by third parties and of the reasons for which that data may be being used.
112. Once the data had left Facebook, that data, or its derivatives, could be copied multiple
times. Chris Vickery, Director of Cyber Risk Research at UpGuard, described to us the
‘sticky’ nature of data: “In this type of industry, data does not just go away. It does not just
disappear. It is sticky. It gathers up. The good stuff stays. Even the bad stuff stays, but it is
not used. It is held in an archive somewhere. Nothing disappears”.138
113. Furthermore, that data was specific and personal to each person with a Facebook
account, including their names, their email addresses, and could even include private
messages.139 Tristan Harris, from the Center for Humane Technology, told us that the
entire premise of Facebook’s App platform was exactly this—to enable third-party
developers to have access to people’s friends’ data: “The premise of the app platform was
to enable as many developers as possible to use that data in creative ways, to build creative
new social applications on behalf of Facebook”.140
114. Facebook claimed that Dr Kogan had violated his agreement to use the data solely
for academic purposes. On Friday 16 March 2018, Facebook suspended Kogan from the
134 Q3288
135 Background papers submitted by Christopher Wylie
136 Q1188
137 Q1188
138 Q2534
139
Sandy Parakilas, Q1206
140 Q3168
Disinformation and ‘fake news’: Interim Report
32
platform, issued a statement saying that he “lied” to the company, and characterised his
activities as “a scam—and a fraud”.141 Facebook also suspended Christopher Wylie at the
same time. On Wednesday 21 March 2018, Mark Zuckerberg called Dr Kogan’s actions a
“breach of trust”.142 However, when Facebook gave evidence to us in February 2018, they
failed to disclose the existence of this “breach of trust” and its implications.
115. In its commitment to update our Committee on its ongoing investigation, the ICO
decided to publish a Notice of Intent to issue a monetary penalty to Facebook of £500,000,
“for lack of transparency and security issues relating to the harvesting of data constituting
breaches of the first and seventh data protection principles”, under the Data Protection
Act 1998.143 It should be noted that, if the new Data Protection Act 2018 had been in place
when the ICO started its investigation into Facebook, the ICO’s Notice of Intent to impose
4% of its annual turnover of $7.87 billion, which would have totalled £315 million.
116. As recently as 20 July 2018, Facebook suspended another company that it believes
harvested data from its site. Crimson Hexagon is based in Boston, US. Facebook is
investigating whether this analytics firm’s contracts with the US government and a Russian
not-for-profit organisation with ties to the Kremlin violated Facebook’s policies. For
Crimson Hexagon to share such data with government agencies would be incredibly useful
to those agencies, as it would show how large groups of people were feeling at a particular
time, and could be used during political campaigns.6 Again, the same opportunities
given by Facebook to, unwittingly, share their users’ data with Cambridge Analytica, via
GSR, were being given, up until a few days ago, to Crimson Hexagon, despite Facebook’s
reassurances that they were tightening their policies.
Aggregate IQ (AIQ)
117. Jeff Silvester is one of the owners of the Canadian digital advertising web and software
development company, Aggregate IQ (AIQ), which was incorporated in 2013. Mr Silvester
gave evidence to us in May 2018 and explained that their first work for SCL was to “create
a political customer relationship management software tool” for the Trinidad and Tobago
election campaigning, in 2014.144 From that work, AIQ then started developing the Ripon
tool, software that was commissioned and would be owned by SCL:145
The Ripon tool has been described in a lot of different ways. The part that we
have done was a political customer relationship management tool focused
on the US market. This was software that would help with people going
door to door. There was a tool in there that you could do phone banking so
you could call people and get their opinions on things and keep track of all
that sort of information.146
118. Christopher Wylie gave us a different version of Ripon: “A lot of the papers that
eventually became the foundation of the methods that were used on the Ripon project
came out of research that was being done at the University of Cambridge, some of which
141
Suspending Cambridge Analytica and SCL Group from Facebook, Facebook statement, 16 March 2018; Facebook
gave data about 57 billion friendships to academic, The Guardian, 22 March 2018
142 Zuckerberg on data debacle: ‘It was a breach of trust’, CNN interview with Mark Zuckerberg, 22 March 2018
143
Investigation into data analytics for political purposes: investigation update, ICO, July 2018
144 Q2770 and 2771
145 Q2779
146 Q2776