A loophole that led to a political data firm using unauthorised information collected from Facebook users in Donald Trump’s campaign was raised with an Irish regulator in 2011 but not closed for three years.
In his complaint about Facebook to Ireland’s Data Protection Commissioner in August 2011, Austrian privacy campaigner Max Schrems flagged the loophole that allowed apps installed by users of the social media network to “harvest” data from their friends without their direct knowledge or explicit consent.
The same loophole was used to collect information on millions of Facebook users in the US in early 2014 that was passed on to Cambridge Analytica, a firm that worked on Trump’s campaign and the Leave side in the Brexit referendum, to create a system to target voters with personalised political advertisements.
Whistleblower Christopher Wylie, who worked with a Cambridge University academic to obtain the data, disclosed in reports published by The Observer and New York Times over the weekend how users’ personal information was used to build models “to exploit what we knew about them and target their inner demons”.
The newspaper reports detailed how Academic Aleksandr Kogan through his company Global Science Research, in collaboration with Cambridge Analytica, paid hundreds of thousands of Facebook users to take a personality test and agree to have their data collected through an app called thisisyourdigitallife.
The Observer and Times claimed that details from 50 million profiles were gathered without the knowledge of users as the app was able to collect data from the Facebook friends of the paid users.
Facebook’s “platform policy” permitted the collection of friends’ data only to improve the app and prohibited it from being sold on or used for advertising.
Mr Wylie worked closely with Steve Bannon, Trump’s campaign manager, and hedge fund billionaire Robert Mercer, a donor to the US Republican Party, to develop the voter-targeting system.
Instead of closing the loophole, Mr Schrems said the Irish commissioner ordered only cosmetic changes from Facebook. The loophole was a key concern of his 2011 complaint, he said.
“We flagged it in 2011. Now it emerges that in 2014 Cambridge Analytica started doing precisely what we warned about three years earlier,” he told The Irish Times.
A spokesman for the commissioner said it recommended that Facebook make changes after a 2011 audit and a 2012 re-audit, but the company did not update to its platform until April 2014.
As Facebook’s EU-wide regulator given its European base in Ireland, the commissioner is being kept informed by the company of an investigation by the British Information Commissioner’s Office into the use of data analytics for political purposes, particularly in the run-up to the Brexit referendum.
A spokeswoman for Facebook Ireland was unable to say if the data of any Irish users was affected.
Data protection consultant Daragh O’Brien warned legislation before the Oireachtas would create a “free-for-all” for firms such as Cambridge to set up in Ireland and influence voters anywhere in the world.
Section 43 of the Data Protection Bill 2018, which aims to give effect to the EU’s new General Data Protection Regulation, creates an exemption from a prohibition on processing data relating to political opinions.
Simon McGarr, a solicitor and data protection consultant, said the section would make it lawful for anyone to process specially-protected data during an election as long as it is for any candidate or political party. This would not be limited to Irish elections, candidates or political parties, he said.
“The result would make Ireland a haven for profiling and non-transparent voter analysis in every election in the EU, driving a coach and four through the protections given to this sort of data in EU law and leaving Ireland open to significant fines if the commission fines us for failing to comply with EU law,” he said.