Brexit looks set to further sink the already battered reputation of tracking cookies after a Buzzfeed report yesterday revealed what appears to be a plan by the UK’s minority government to use official government websites to harvest personal data on UK citizens for targeting purposes.
According to leaked government documents obtained by the news site, the prime minister has instructed government departments to share website usage data that’s collected via gov.uk websites with ministers on a cabinet committee tasked with preparing for a ‘no deal’ Brexit.
It’s not clear how linking up citizens use of essential government portals could further ‘no deal’ prep.
Rather the suspicion is it’s a massive, consent-less voter data grab by party political forces preparing for an inevitable general election in which the current Tory PM plans to campaign on a pro-Brexit message.
The instruction to pool gov.uk usage data as a “top priority” is also being justified internally in instructions to civil servants as necessary to accelerate plans for a digital revolution in public services — an odd ASAP to be claiming at a time of national, Brexit-induced crisis when there are plenty more pressing priorities (given the October 31 EU exit date looming).
A government spokesperson nonetheless told Buzzfeed the data is being collected to improve service delivery. They also claimed it’s “anonymized” data.
“Individual government departments currently collect anonymised user data when people use gov.uk. The Government Digital Service is working on a project to bring this anonymous data together to make sure people can access all the services they need as easily as possible,” the spokesperson said, further claiming: “No personal data is collected at any point during the process, and all activity is fully compliant with our legal and ethical obligations.”
However privacy experts quickly pointed out the nonsense of trying to pretend that joined up user data given a shared identifier is in any way anonymous.
So the "it's anonymised" is a lie. You cannot combine individual visits into a single journey without having a shared user identifier. Even a shared pseudonymisation method is a million miles away from "anonymised". https://t.co/TSv7TGLrK6
— Eerke Boiten (@EerkeBoiten) September 10, 2019
For those struggling to keep up with the blistering pace of UK political developments engendered by Brexit, this is a government led by a new (and unelected) prime minister, Boris ‘Brexit: Do or Die’ Johnson, and his special advisor, digital guru Dominic Cummings, of election law-breaking Vote Leave campaign fame.
Back in 2015 and 2016, Cummings, then the director of the official Vote Leave campaign, masterminded a plan to win the EU referendum by using social media data to profile voters — blitzing them with millions of targeted ads in final days of the Brexit campaign.
Vote Leave was later found to have channelled money to Cambridge Analytica-linked Canadian data firm Aggregate IQ to target pro-Brexit ads via Facebook’s platform. Many of which were subsequently revealed to have used blatantly xenophobic messaging to push racist anti-EU messaging when Facebook finally handed over the ad data.
Setting aside the use of xenophobic dark ads to whip up racist sentiment to sell Brexit to voters, and ongoing questions about exactly how Vote Leave acquired data on UK voters for targeting them with political ads (including ethical questions about the use of a football quiz touting a £50M prize run on social media as a mass voter data-harvesting exercise), last year the UK’s Electoral Commission found Vote Leave had breached campaign spending limits through undeclared joint working with another pro-Brexit campaign — via which almost half a million pounds was illegally channeled into Facebook ads.
The Vote Leave campaign was fined £61k by the Electoral Commission, and referred to the police. (An investigation is possibly ongoing.)
Cummings, the ‘huge brain’ behind Vote Leave’s digital strategy, did not suffer a dent in his career as a consequence of all this — on the contrary, he was appointed by Johnson as senior advisor this summer, after Johnson won the Conservative leader contest and so became the third UK PM since the 2016 vote for Brexit.
With Cummings at his side, it’s been full steam ahead for Johnson on social media ads and data grabs, as we reported last month — paving the way for a hoped for general election campaign, fuelled by ‘no holds barred’ data science. Democratic ethics? Not in this digitally disruptive administration!
The Johnson-Cummings pact ignores entirely the loud misgivings sounded by the UK’s information commissioner — which a year ago warned that political microtargeting risks undermining trust in democracy. The ICO called then for an ethical pause. Instead Johnson stuck up a proverbial finger by installing Cummings in No.10.
The UK’s Digital, Culture, Media and Sport parliamentary committee, which tried and failed to get Cummings to testify before it last year as part of a wide-ranging enquiry into online disinformation (a snub for which Cummings was later found in contempt of parliament), also urged the government to update election law as a priority last summer — saying it was essential to act to defend democracy against data-fuelled misinformation and disinformation. A call that was met with cold water.
This means the same old laws that failed to prevent ethically dubious voter data-harvesting during the EU referendum campaign, and failed to prevent social media ad platforms and online payment platforms (hi, Paypal!) from being the conduit for illegal foreign donations into UK campaigns, are now apparently incapable of responding to another voter data heist trick, this time cooked up at the heart of government on the umbrella pretext of ‘preparing for Brexit’.
The repurposing of government departments under Johnson-Cummings for pro-Brexit propaganda messaging also looks decidedly whiffy…
Duty-free shopping with the EU is coming back, if we leave without a deal.
People travelling to EU countries will be able to buy beer, spirits, wine and tobacco without duty being applied in the UK.
— HM Treasury (@hmtreasury) September 10, 2019
Given Cummings' focus on data science in the Vote Leave campaign the sudden urgent need for big data collection is extremely concerning. We need immediate clarity about how citizens' data will be protected and won’t be misused for party political purposes.https://t.co/1qtyI6fUJ4
— Tom Watson (@tom_watson) September 10, 2019
Asked about the legality of the data pooling gov.uk plan as reported by Buzzfeed, an ICO spokesperson told us: “People should be able to make informed choices about the way their data is used. That’s why organisations have to ensure that they process personal information fairly, legally and transparently. When that doesn’t happen, the ICO can take action.”
Can — but hasn’t yet.
It’s also not clear what action the ICO could end up taking to purge UK voter data that’s already been (or is in the process of being) sucked out of the Internet to be repurposed for party political purposes — including, judging by the Vote Leave playbook, for microtargeted ads that promote a no holds barred ‘no deal’ Brexit agenda.
One thing is clear: Any action would need to be swiftly enacted and robustly enforced if it were to have a meaningful chance of defending democracy from ethics-free data-targeting.
Sadly, the ICO has yet to show an appetite for swift and robust action where political parties are concerned.
Likely because a report it put out last fall essentially called out all UK political parties for misusing people’s data. It followed up saying it would audit the political parties starting early this year — but has yet to publish its findings.
Concerned opposition MPs are left tweeting into the regulatory abyss — decrying the ‘coup’ and forlornly pressing for action… Though if the political boot were on the other foot it might well be a different story.
Among the cookies used on gov.uk sites are Google Analytics cookies which store information on how visitors got to the site; the pages visited and length of time spent on them; and items clicked on. Which could certainly enable rich profiles to be attached to single visitors IDs.
Visitors to gov.uk properties can switch off Google Analytics measurement cookies, as well as denying gov.uk communications and marketing cookies, and cookies that store preferences — with only “strictly necessary” cookies (which remember form progress and serve notifications) lacking a user toggle.
What should concerned UK citizens to do to defend democracy against the data science folks we’re told are being thrown at the Johnson-Cummings GSD data pooling project? Practice good privacy hygiene.
Clear your cookies. Indeed, switch off gov.uk cookies. Deny access wherever and whenever possible.
It’s probably also a good idea to use a fresh (incognito) browser session each time you need to visit a government website and close the session (with cookies set to clear) immediately you’re done. And use a good tracker blocker.
When the laws have so spectacularly failed to keep up with the data processors, limiting how your information is gathered online is the only way to be sure. Though as we’ve written before it’s not easy.
Privacy is personal and unfortunately, with the laws lagging, the personal is now trivially cheap and easy to weaponize for political dark arts that treat democracy as a game of PR, debasing the entire system in the process.
If you want to make it more difficult for Dominic Cummings and The Charlatan to scrape data from Government sources to help them turn our democracy into a Turkey-on-the-Thames can I suggest you turn off cookies here? https://t.co/czXnmNtTaj
— Jo Maugham QC (@JolyonMaugham) September 11, 2019