Victoria-based data company broke privacy laws in work for pro-Brexit campaign, report says

Victoria-based AggregateIQ Data Services broke Canadian and B.C. privacy laws in work it carried out on behalf of the 2016 pro-Brexit Vote Leave campaign, as well as political campaigns in the U.S. and Canada, according to findings by the B.C. and federal privacy commissioners.

According to the report, AIQ failed to obtain adequate consent for use and disclosure of the personal information of voters, which was used to produce microtargeted political ads.

It also said that AIQ "failed to take reasonable security measures" to protect personal information it collected in a database containing the names and contact information of 35 million people.

At a news conference, B.C. Information and Privacy Commissioner Michael McEvoy and Privacy Commissioner of Canada Daniel Therrien said even though AIQ works globally, it still must follow Canadian and B.C. privacy laws.

"Canadian companies operating globally must know the rules at home and abroad," said McEvoy.

Jeff Silvester, co-founder of AggregateIQ, said the company has been co-operating with the investigation since December of 2017.

Speaking from Victoria, Silvester said he believed AIQ was in compliance with domestic privacy laws at the time of the campaigns. 

"Both laws, the Canadian and B.C. laws, allow for companies here to rely on the proper consent obtained by our clients abroad. And that's what we did," he said. "Everything our clients did was allowed in their jurisdiction, but the [privacy commissioners] are saying we didn't have enough consent to do it on their behalf."

Silvester said he had been unaware that some data supplied to AIQ had been illegally scraped from Facebook by third parties, including Cambridge Analytica parent company SCL.

"Some of the processed data came to us in the form of a list of people, for example, to go door knock or to send an email to," he said. "We were aware that they had used social data but we weren't aware of how they got all of it."

The report appears to lean on the work of cyber risk researcher Chris Vickery, who sounded the alarm on AggregateIQ after gaining online access to the company's software development lab, source codes and access credentials.

Speaking from Santa Rosa, Calif., Vickery called AggregateIQ's handling of data "abhorrent, and an affront to privacy and security." 

Vickery said people need to take privacy and personal data use issues seriously.

"There are widespread manipulations and alteration attempts on elections and democracies worldwide," he said. "We can fix this, but this is clearly a beacon to let people know that there are problems that need to be addressed."

The commissioners' report makes two recommendations, which it says AIQ has already complied with.

Therrien said Canadian privacy laws have fallen behind technological advances that allow companies and campaigns to amass vast amounts of voter data, which can be used to influence elections.

"We urge the government to move quickly ... and amend the laws to protect Canadians' privacy," he said. "Canadians expect and deserve to have their privacy respected as they exercise their democratic rights."

According to financial disclosures, AggregateIQ was paid $5.4 million to do work for the Vote Leave campaign.

The company came to prominence when former Cambridge Analytica employee and Victoria native Christopher Wylie blew the whistle on shady dealings within the pro-Brexit campaign.