Data Firms Team Up to Prevent the Next Cambridge Analytica Scandal

WIRED: A bipartisan group of political data firms are drafting a set of industry standards that they hope will prevent voter data from being misused as it was in 2016. The guidelines cover transparency, foreign influence in elections, responsible data sourcing and storage, and other measures meant to root out bad actors in the industry and help fend off security threats.

The conversations, which are being organized by Georgetown University's Institute of Politics and Public Service, come at a time when data collection more broadly faces increased scrutiny from lawmakers and consumers. Ever since news broke this spring that the political firm Cambridge Analytica used an app to hoover up data on tens of millions of Americans and exploited it for political purposes, Facebook and other Silicon Valley tech giants have had to answer to Congress and their customers about their mass data-collection operations. But the Georgetown group focuses specifically on the responsibilities of the companies that undergird some of the country's biggest political campaigns. Among the firms participating in these discussions are Republican shops like DeepRoot Analytics, WPA Intelligence, and Targeted Victory, as well as Democratic firms such as Bully Pulpit Interactive, NGP VAN, and DSPolitical.

"These are the firms that power all of the elections in America, and so my hope was if you can get them in a room and get them to understand the importance of the data they’re using and to self-regulate, you could achieve a dramatic improvement on behalf of voters," says Tim Sparapani, a fellow at the Georgetown Institute who is overseeing the group.

Sparapani served as Facebook's first director of public policy from 2009 until 2011, after spending several years at the American Civil Liberties Union. A self-proclaimed privacy advocate, he has warned about the need for stricter oversight of data brokers for years. These are companies that collect, store, and analyze data about consumers for a variety of purposes. In the political world, that data can include basic information about how many times a person has voted, their party registration, and their donation record, but it can also include social media and commercial data that can help campaigns better understand who a given person is and target them with political advertising.

The data broker industry remains largely unregulated, both inside and outside politics. The Federal Trade Commission has urged Congress to regulate data brokers since at least 2012, but nothing has come of it so far. In June, Vermont became the first state to pass a data broker law, which goes into effect in January.

The Georgetown group first met last fall, months before Cambridge Analytica began making headlines. At the time, the industry's primary concern was the risk of a data breach or a hack at the hands of a foreign threat: In the summer of 2017, a cybersecurity firm discovered that DeepRoot Analytics' entire trove of 198 million voter records was exposed in a misconfigured database, constituting the largest known voter data leak in history. Brent McGoldrick, CEO of DeepRoot, says the leak was a shock to the system.

"You just have a different mindset coming out of something like that, where you start to think differently about everything from security to privacy to the data you have and the perceptions of it," he says.

Coupled with the intelligence community warnings about Russia and other foreign actors' continued attacks on the American electoral system, McGoldrick says, it seemed well past time for his company and its competitors on both sides of the aisle to talk about protecting themselves and the people whose data they hold.

McGoldrick brought up the idea with Mo Elleithee, a former Democratic National Committee spokesperson who founded Georgetown's Institute of Politics and Public Service in 2015. Together, they tapped Sparapani to oversee the effort. "We understand that in order to move the ball forward on privacy and security issues, we’re going to have to hear from people who, maybe we don't like hearing what they have to say," McGoldrick says. When the Cambridge Analytica story broke months later, he says, it only underscored the need for this kind of work.

The group, which has yet to be named, has begun circulating a set of guiding principles among data privacy advocates and the companies themselves to see what the participants are willing to agree to. While the final list is still being ironed out, Sparapani described a number of commitments for which there is broad-based support. One proposal would require the companies involved to alert one another and the proper government officials of any attempts by a foreign actor to influence the election. Another would have the companies vow to only use their tools to support people's right to vote, not to suppress it. The group is working on a standard that would guarantee some transparency for consumers and educate them about how their data is being used. They're also working on security standards around data storage, as well as language that they would commit to include in any contract with a potential client.

"It would make contractually binding not only their practices, but their clients'," Sparapani says.

The hope is that these guidelines would act as a sort of seal of approval for political campaigns. "If firms have publicly stated they're following these guidelines, hopefully candidates, committees, and causes will look for this when they’re trying to hire someone," says Mark Jablonowski, DSPolitical's chief technology officer, who has been involved in the initiative since its early days.

Of course, getting dozens of political opponents and business competitors who have never been regulated before to agree to any set of standard practices is no easy task. "Everyone’s got to have everything vetted through their lawyers," McGoldrick says. "The last thing a lawyer likes is you voluntarily saying something you don't have to say."

"Sadly over the last few cycles there have been bad actors on both sides working in multiple campaigns," says Chris Wilson, CEO of WPA Intelligence, which worked briefly with Cambridge Analytica during US senator Ted Cruz's 2016 presidential campaign. "I believe all in our industry, WPAi included, are hopeful that a set of standards will allow us, and the public, to be cognizant of the origins of data and its ultimate use."

Until the details are finalized, it's impossible to assess the effectiveness of this collaborative effort. As with any discussion around data privacy, it's the fine print that matters. In California, where the governor recently signed a landmark privacy bill, lobbying groups have already begun picking apart nearly every sentence to better align with their interests.

Still, it is worth asking how much good this kind of work can ever do. These are well-known, well-regarded players in the industry committing themselves to a certain set of values. But what about everyone else? What about the people who are intending to deceive? Without substantive regulation, there's nothing stopping anyone from harvesting data for nefarious purposes with impunity.

Then there's the fact that these proposed guidelines don't give consumers any real power. While other data privacy laws, like the one that passed in California or Europe's General Data Protection Regulation, give people the ability to control what data is collected and see who it's shared with, these proposed guidelines can't promise the same.

Elleithee stresses that this is just the first step. Once the companies have all agreed to a set of standards, the institute plans to convene a larger group from the broader tech and privacy communities. "As the conversation progresses, we want to bring more voices in," he says.

Whatever the group eventually proposes, Sparapani says he fully expects pushback from privacy advocates. Even he has concerns. "If it were me, and I was critiquing this document, I could point out a dozen things I'd have the companies commit to," he says. "In the room, they get an earful from me every time we meet, where I find this to be insufficient."

But he also believes that waiting on the perfect solution that satisfies all parties will take more time than the country can afford. "Is it a fulsome commitment that I have been pushing for as an advocate? No. But does it begin to push companies to raise their standards to meet government and consumer expectations? Yes. And that’s a good thing."

Max Magid