The digital firm AggregateIQ based in Victoria has been found to have breached Canadian privacy laws.
The Office of the Information and Privacy Commissioner for British Columbia and for Canada found the breach when the firm used and disclosed the personal information of millions of voters in B.C., the United States, and the United Kingdom.
They say AIQ:
- failed to ensure appropriate consent for its use and disclosure of the personal information of voters.
- did not take reasonable steps to ensure that consent obtained by its international clients was valid for its practices in Canada.
- did not take reasonable security measures to protect personal information, leading to a privacy breach in 2018.
Officials say the company provides election-related software and political advertising services, and was linked to Cambridge Analytica – a company caught up in a global scandal involving the micro-targeting of voters in various political campaigns.
They also say the firm worked with SCL Elections Ltd. on various U.S. political campaigns between 2014 and 2016 — including midterm elections and a presidential primary campaign.
SCL was a British behavioural research and strategic communication company.
AggregateIQ’s COO Jeff Silvester sent a statement to CHEK News following the report.
He says they were “happy to cooperate fully with the Commissioners, including many meetings and telephone calls with their investigators and responding openly and completely to every single request for information they made.”
Silvester also says they are glad the commissioners were finally completed their work, and released a report. “as the report confirms, and as we told the Commissioners long ago, we have already implemented all of the recommendations,” he said in the statement.
It went on to say “while this investigation imposed a tremendous burden on a small company, and took a very long time to complete, the privacy issues engaged by a new and internationally-connected economy are important. This is why we have been sharing our experience of navigating the complexities of cross jurisdictional information and privacy laws with other organizations through private meetings and public speaking opportunities.”
Officals recommended that AIQ implement measures to ensure the company obtains valid consent in the future and that it delete all personal information that is no longer necessary for legal or business purposes — and the firm agreed.
They also found inadequate safeguards, that resulted in unauthorized access to U.S. voter information and left vulnerable the personal information of around 35 million people — the safeguard failure was in contravention of Canadian privacy laws.
Back in March 2018 the firm denied involvement in Cambridge Analytica’s gathering and use of data about Facebook users.
AIQ said in a post on their website that “[They have] never managed, nor did we ever have access to, any Facebook data or database allegedly obtained improperly by Cambridge Analytica.”
In a news conference, officials said that while AIQ may not have directly obtained Facebook data improperly, they were given data that likely was collected from Facebook improperly.
The most shocking thing to officials was the amount of in-depth data they had used, like ethnicity and psychological profiles of voters.
They also said officials had to use legal powers to have the firm answer questions, and that AIQ is looking to implement the recommendations.
The United Kingdom’s news outlet The Guardian reported that the digital firm was found to have played a role in the U.K.’s official Vote Leave campaign in 2016, and has undisclosed links to the political consulting firm Cambridge Analytica.
Christopher Wylie, a former employee of Cambridge Analytica, blew the whistle on Cambridge Analytica, accusing it of misusing the personal information from millions of Facebook users to manipulate voters during the 2016 U.S. election.
Wylie is a former Victoria resident, and the Guardian said he was a central figure in setting up AIQ — which allegedly accounted for 40 per cent of Vote Leave’s campaign budget.
A post on AIQ’s website also said that Chris Wylie had never been employed by them.
Officals went on to say AIQ was found to have created a political customer relationship management tool for SCL called Ripon. It was used to collect and store vast amounts of voter data and to provide lists of voters to various campaigns for targeting.
The personal information given from SCL to AIQ included psychographic profiles, ethnicity and religion, political donation history, birthdates, email addresses, magazine subscriptions, association memberships, inferred incomes, home ownership information, and vehicle ownership details.
The privacy commissioners also raised concerns about how they were unable to impose penalties like fines limiting their impact, but that this has likely hurt AIQ.
They also said no laws in the U.S. protected their citizens against collecting this kind of data.
In cases in B.C. officials say the only data of concern used was personal emails.
AIQ is now asked to insure all information gathered has proper consent, as they are subject to provincial and federal privacy laws.
B.C. officials will continue to participate in a application to have Facebook appear in court.
They will follow up with AIQ in the coming months to confirm if they have implemented their recommendations.
Julian Kolsut
