#Snowman Series 4 – The Big Data Wash

This investigation has already uncovered broad, international data laundering, being used to manipulate geopolitics and the financial markets with the state backing of Russia, and has found the first clear example of the complex machinery in practice while investigating crime and immigration in Sweden.

The figures, companies, and groups involved in the UK arm of this operation – which relies on hacking, psychometric targeting, propaganda, and disinformation – are left exposed by the same thing they are using as a weapon: big data.

Extraordinarily, those involved have received an unveiled warning from the Information Commissioner’s office ahead of next month’s general election.

The findings of this piece of investigative work have been referred to the Electoral Commission – as Leave.EU may have further undeclared donations of services within their complex company structure, taking them well beyond permissible campaign limits – and to the ICO due to the complex issue of ‘sugging’ across multiple companies.

The Information Commissioner’s Office, known as the ICO, is the UK’s independent body set up to ensure information rights in the public interest. They keep a national register of data controllers – people authorised to handle our data – and uphold the laws set out in the Data Protection legislation. Their powers are similar to the Electoral Commission in terms of demanding compliance through orders and agreements, issuing substantial fines, or instigating prosecutions.

The data protection regulations are set to change next year and, though this enhancement is an EU initiative, the current government has committed to implementing the new framework. The General Data Protection Regulation is the title of the new law, which will replace the Data Protection Act 1998 on the 25th of May 2018.

The ICO holds information on all companies handling controlled data in the UK and, in the wake of revelations about the use of ‘big data’, has issued starkly worded guidance for political parties ahead of the general election 2017.

The ICO were initially approached with three specific questions arising from this investigation:

1) Was Vote Leave (not Leave.EU) ever fined or reported over spam messages sent by US company UCampaign via their app?

2) Is there an official, ongoing inquiry into Cambridge Analytica / SCL Elections and, if so, what is the official comment?

3) Where one company is restricted to transfers of data within the European Economic Area (EEA) and they transfer data to a non-restricted company (who can transfer data anywhere in the world), is it legal?

The ICO replied with an unprecedented press release, headed “Information Commissioner warns political groups to campaign within the law,” which confirms just how serious the situation really is as we approach a contentious, snap general election.

The ICO has written to all major political parties reminding them of their obligations when contacting potential supporters during the election campaign. Extraordinarily, the Commissioner’s Office has invited every party to a briefing session, to hear details of the “updated guidance on the use of personal data in political campaigning,” which includes “data analytics and associated technologies.”

The ICO briefing for political parties is scheduled for tomorrow, the 4th of May, the same day as local elections across the United Kingdom.

Elizabeth Denham was appointed UK Information Commissioner in July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada and Assistant Privacy Commissioner of Canada. In her statement, she said “engagement with the electorate is vital to the democratic process. But, if a party or campaign group fails to comply with the law, it may face enforcement action as well as reputational damage to its campaign. People have a right to expect that their information will be used in line with the law and my office is there to uphold that right.”

The ICO make clear the new guidance was issued in response to an “increase in complaints from members of the public about the promotion of political parties, their candidates, and their views during political campaigns.”

The Commissioner’s Office has received complaints about “the use of surveys to gain support for campaigns now or in the future” and also “concerns that their personal information has been shared between national and local organisations.”

The employment of surveys is broadly cited by controversial company Cambridge Analytica, who use the data gathered to form psychometric profiles which guide targeted messaging and were successfully deployed in both the Brexit and Trump campaigns. Both campaigns are linked to Russia, hacking, and the use of disinformation to drive voter behaviour.

The ICO guidance explicitly covers ‘viral’ marketing, stating that it must comply with the same rules as direct marketing and cannot get around the need for consent to the use of data by simply asking people to pass it on.

Leave.EU, the campaign of Arron Banks fronted by Nigel Farage, trading under the name Better For The Country Limited, was fined £50,000 by the ICO for sending 500,000 unsolicited text messages asking people to support Brexit between May and October 2015 – a year before the referendum.

The ICO, though specifically asked, have made no comment on the official Vote Leave campaign’s use of American app provider UCampaign, which used phone book access via the application to send unsolicited messages to the relatives of hundreds of thousands of voters. The ICO database shows no registrations for UCampaign, the company behind it, Political Social Media LLC, Vote Leave, Vote Leave Limited, or Get Change Limited.

Both of these activities would fall well within the definition of viral marketing set out in the guidance.

In terms of the survey data gathering, such as that deployed by Cambridge Analytica, the ICO specifically define this practice as “sugging.” They make clear that using surveys to collect data (whether it is ultimately used by the company conducting the survey, or sold on to others, or intended to gather the information for use in marketing) falls within direct marketing.

Even open source data, they say, requires adherence to data protection legislation and this would include your social media likes and posts. There is no access to, collection of, or retention of this data which escapes the legal protections.

Leave.EU and Cambridge Analytica worked together during the Brexit campaign, though comments have been made attempting to distance themselves from this.

This investigation has already exclusively uncovered that the Electoral Commission are investigating Leave.EU for undeclared and potentially illegal donations of services by Cambridge Analytica, also known in the UK as SCL Elections, during the Brexit campaign.

The documents seen point out that “the market rate for a donation of this kind could amount to hundreds of thousands of pounds, based on the previous experience of referendum campaigns and political parties for such analytical tools. Yet Leave.eu have not declared this donation-in-kind at any point in their returns to the Electoral Commission.”

Though the ICO have refused to confirm whether they are investigating these companies in tandem with the Electoral Commission, with this investigation revealing a broader picture of Russian-linked data laundering, the ICO’s public access database holds valuable information on both companies.

It appears both are structurally designed to engage in ‘sugging’ and facilitate transfers of data within and outside of the EEA.

The ICO state that ‘sugging’ “attracts a maximum fine of £500,000” as it is a “breach of the Privacy and Electronic Communications Regulations (PECR).”

Leave.EU, the company behind the unofficial Brexit campaign, registered with the ICO on the 29th of February 2016 and this expires in 2018. They give their headline reason for processing data as being to “enable us to promote our goods & services” and state they hold “personal, family, lifestyle, social circumstances, and financial details.”

In the sensitive class of information, they are registered to hold “political interests and racial/ethnic origin” data and the company is authorised to share what it holds with affiliate groups, central government, suppliers and service providers, financial organisations, and the Electoral Commission.

Despite being a company established specifically to support the domestic Brexit campaign, the register for Leave.EU shows that “personal information is traded as a primary business function” and adds the information may be shared with “business associates, advisers, associates” and “traders in personal data.”

The UK based company entry also states “it may sometimes be necessary to transfer personal information overseas” though this is restricted to within the EEA.

Cambridge Analytica is slightly different.

The company was first registered in November 2015, and the registration expires this year. The address listed is at the Corporation Trust Center, Wilmington, Delaware, though it also gives a UK representative, Jordanna Zetter, based in London. She is an Operations Executive at SCL Group.

Listed as a “data analytics” company, they state they carry out marketing, advertising, and PR functions, as well as undertaking research. They hold the same classes of primary data as Leave.EU but the sensitive information is much deeper.

Cambridge Analytica holds information on people’s physical and mental health, racial and ethnic origin, religious or “other similar” beliefs, trade union memberships and “political opinions.”

The other differences from Leave.EU are that the US company includes retained data from survey respondents, and can transfer the data they hold to territories and countries around the world.

One of their primary functions is to acquire data through surveys – a method first developed by a Cambridge academic and which bears similarities to aspects of Cambridge Analytica’s psychometric profiling.

But Cambridge Analytica is not the principal trading name for the organisation in the United Kingdom; in fact, it is the US brand which became famous as a result of the Trump campaign. In the UK the primary business is SCL Elections Limited, and its registration strengthens the depth of connection to Leave.EU and the businesses (and people) behind it.

SCL Elections Limited registered in November 2015, the same month as Cambridge Analytica but trades at a separate London address in E14. The sensitive data classes held are the same as CA but the headline data is expanded to include “memberships, employment, and education” information.

Again the transfer of data is worldwide, not EEA restricted, and the company can share data with business associates. Working with Leave.EU, whose primary business function is the trade of data, this means a legitimate transfer from the UK could reach America or another worldwide territory without the law technically being broken.

This also means Leave.EU, via its connection with CA/SCL, could buy in databases created outside of the EEA area where data is regulated, or simply buy ‘sugged’ databases created through CA/SCL surveys hosted outside of the EEA.

As this investigation has previously highlighted, Steve Bannon has defined links to Cambridge Analytica by way of his former seat on the board, and the company’s owner, Robert Mercer, was a key donor to Trump’s campaign.

In January 2017, Trump signed an executive order exempting non-US citizens from the privacy shield – an EU-US law which defined what data could be shared between businesses on both sides of the Atlantic ocean and how that data can be used. It was designed so data protection laws can be upheld between the EU’s member states and the US.

Wired reported at the time that “the Privacy Shield was developed by EU and US negotiators in 2015 after the previous data sharing agreement between the two groups was struck down by Europe’s highest court. In October 2015, the European Court of Justice ruled the Safe Harbour framework was invalid as data being sent out of the EU was not being properly protected.”

Both the EU and the US were aware of the capabilities of data exploitation in circumstances exactly matching the Leave.EU and CA/SCL scenario, and it appears Trump has interfered in enhanced protections while being directly connected to parties benefitting from the arrangement.

The data laundering trade, also highlighted by this investigation, involves reportedly legitimate purchases of hacked data in exchange for Bitcoin.

The arrangements of international transfer available to CA/SCL provide a direct channel for the use of laundered data in the UK.

When Leave.EU received its £50,000 fine for the 2015 spam campaign, they claimed they obtained the lists from a third-party supplier.

In much the same way, the official Vote Leave campaign would have avoided data protections – they were not registered themselves and nor was the app provider, UCampaign, who would have retained the data captured by the app in the US.

The data wash is clear: whether it is legally or illegally sourced it can enter the country and leave it freely.

Looking behind Leave.EU, the mirror of SCL’s registration is much clearer. Better For The Country Limited registered in August 2015 at the same address as Leave.EU but included transfers to countries and territories throughout the world.

The company connections are labyrinthine, but finally provide the direct connections which have been missing.

While Leave.EU has not yet posted accounts, Better For The Country Limited last filed showing £1.295 million in shareholder funds. The company was registered with Companies House in May 2015, listing its nature as “other information services.”

The current directorships show Andrew Wigmore (prominent Leave.EU figure), Maria Ming, Alison Marshall, Elizabeth Bilney, Arron Banks (well-known UKIP Donor), Ranja Abbot, and Dawn Williams.

Bilney is interesting, also being listed as a director at Banks’ flagship alternative media outlet Westmonster, and a new venture ‘Big Data Dolphins’ alongside Alison Marshall.

Big Data Dolphins is an unknown quantity but was only registered with Companies House in December 2016 giving its nature as “business and domestic software development” and “data processing, hosting and related activities.”

The ICO registration is a mirror of SCL’s but is shown as having data transfers restricted to the EEA. The shareholders also link to Rock Services, Banks’ insurance company, though the majority share (91%) shows as being owned by Deep DD Limited which returns no trace on any company searches.

Also registered at Lysander House, a development in Bristol and the home of most of Banks’ businesses, Bilney is listed as an active director of Chartwell Political Limited, a company set up in June 2014 to carry out “market research and public opinion polling.”

The company currently shows as owing £339,000.

The second director, Bridget Rowe, is listed on the company website underneath a picture of the back of Banks talking to journalists, and alongside the name James Pryor. Rowe worked in print news, including alongside Rupert Murdoch, and previously worked as the director of communications for UKIP. Pryor has worked on elections all over the world, for the Conservatives at Downing Street, and as a campaign director for UKIP.

They claim to be uniquely able to “identify the range of threats that can emerge to destabilise political and election campaigns” and go on to say “it is well known that ‘best intelligence’ wins wars, especially Information Wars. The battle for hearts and minds hinges, crucially, on securing, shaping, re-shaping and controlling the Message.”

Bilney is also a director of Westmonster, the ‘Breitbart’ styled news agency launched by Arron Banks, which was incorporated in January 2017 and lists a major shareholder as Better For The Country Limited. The second major shareholder and director is Michael Heaver, previously the communications officer of MEP Nigel Farage and former chair of UKIP’s youth arm, Young Independence.

In 2014, Heaver was actively writing for Breitbart, the right-wing alternative news outlet then run by Steven Bannon and funded by Robert Mercer. Bannon launched the site in the UK at that time specifically to further his “cultural war” and influence the 2015 general election.

While Banks and Farage were openly in each other’s company while in the US, supporting the Trump campaign, Heaver provides a prior connection between Farage, his official office, and Bannon.

The background information is of such a complex nature, it’s easy to understand how difficult it has been for media agencies to reduce the available evidence to the short, sharp punches needed for headline-led reporting.

For example, both Mercer and Trump have now been linked to Russia’s 12th richest businessman, Dmitry Rybolovlev. Mercer’s yacht was docked near the oligarch in March 2017, and Trump’s plane was seen next to his prior to the US election – though they are also linked by a $95 million property deal in Florida.

Rybolovlev has a controversial history, associating with criminals in the 1990s before becoming embroiled in a murder trial relating to a business partner. During his divorce – the most expensive settlement in history – he was implicated in the April 2016 Panama Papers, with reports saying his use of offshore companies in the British Virgin Islands was deemed a “textbook example of the lengths rich people (in most cases men) go to protect their considerable wealth in case of a marital breakup.”

He was also implicated in the Football Leaks scandal which revealed he and football agent Jorge Mendes set up a secret system to illegally buy players’ shares. Using a Cyprus-based offshore investment fund named Browsefish Limited, Rybolovlev illegally manipulated the price of his own players through third-party ownerships.

Arron Banks was also named in the Panama Papers as a shareholder of PRI Holdings Limited, which Panamanian-based Mossack Fonseca set up as an offshore company in 2013. The British Virgin Islands (BVI) is a UK offshore territory and international tax haven which snubbed an anti-corruption summit held in London by the then prime minister, David Cameron. Another shareholder of PRI was Elizabeth Bilney.

Banks is also more directly linked to Russia.

In his own account of the Brexit campaign, Banks describes meeting “a shady character called Oleg” while at UKIP’s annual conference in September 2015. “He was introduced to us as the First Secretary of the embassy – in other words, the KGB’s man in London,” wrote the UKIP donor, who went on to say he was invited to a private meeting with the Russian ambassador Alexander Yakovenko.

“Our host wanted the inside track on the Brexit campaign and grilled us on the potential implications,” Banks wrote in his memoir.

Banks’ own directorships at Companies House are relatively straightforward. He’s an active director at Avista Awards (a food award scheme), Parsons Jewellers, Old Down event catering, Rock Services (his insurance company) and Precision Risk Services – an insurance investigator.

However, a variant of the Precision Risk company name featured in Banks’ Panama Papers listings under the PRI Holdings umbrella, and was linked back to Gibraltar-based STM Fidecs Management Ltd, which acted as secretary to Banks’s PRI Holdings Limited. The Observer reported at the time that STM Fidecs Ltd was the first to register Leave.EU as a wholly owned subsidiary before its ownership passed to Banks.

The international link between the alt-right and far-right parties has already been established. The interference of Russia in western democracy and the substantial and genuine security threat it poses has also been confirmed. The conjoined use and extent of disinformation and propaganda has also been proven.

On reviewing the ICO statement and the Electoral Commission documents, it is clear that our own independent bodies are deeply concerned about interference in democracy during the general election, and are alive to the specific risks we face.

There is a web of companies, both national and international, linked directly to Arron Banks and these include agencies which are specifically geared towards tailored political messaging and the collection, use, and sale of intricate personal data.

Our personal data is being harvested both here and abroad and is bought and sold as a commodity, potentially illegally, while also being used for political purposes – which additionally relies on alternative media outlets to drive specific messages, including from parties directly serving in public offices. The parties who control the alternative media outlets also control the data (and its use) and are indisputably linked to each other on both sides of the Atlantic.

Robert Mercer, Donald Trump, Nigel Farage, Arron Banks, Steve Bannon, Michael Heaver and Elizabeth Bilney are now indisputably connected to one another.

Whether by data acquisition, personal association or through other linear exposure, all of these parties are linked to Russia – a country which is directly implicated, at a state-sponsored level, in interfering with elections across the western world.

Cambridge Analytica has openly sourced data from survey operations too, using it to build psychometric profiles of electorates. This data has either, in part or in full, been sold on or transferred and subsequently used in the direct viral marketing of political messages. Leave.EU has used this data, working with Cambridge Analytica, and it appears this falls within the ICO definition of ‘sugging’ which is against the law.

SCL have been contacted, asking:

If they or Cambridge Analytica have ever been investigated by the ICO for data breaches, or if they are currently under investigation;

What their official comment on the Electoral Commission investigation into the Leave.EU campaign is;

Whether they are aware of the ‘sugging’ definition and if they are continuing the practice;

And whether they buy (or have bought) data from, or sell (or have sold) data to, Leave.EU, Better For The Country Ltd, or Big Data Dolphins.

As yet, they have not responded.

The international data wash is now exposed and the question now is: who else is involved…

*This article was updated on the 4th of May 2017.