In the aftermath of a lively Alberta election, the the midst of a closely-watched PEI election campaign, and the run-up to a late-fall Canadian federal election, it’s worth taking a moment to make some observations about how privacy concerns and digital marketing tools have forever-altered the landscape of Canadian political campaigns.
You may have seen some media coverage related to this issue last last year, when the Office of the Privacy Commissioner recommended that Canada’s political parties be brought under coverage of privacy laws. Though people are annoyed by unsolicited calls and text messages from political parties (including the recent provincial campaign in Alberta), I suspect that most Canadians do not know how they become targets for political campaigning, or that political parties can essentially do whatever they want with data they collect on you… however they collect it.
At the heart, all of this is because political parties aren’t government institutions: Canada’s Privacy Act does not apply to them. And though the Personal Information Protection and Electronic Documents Act (PIPEDA) covers non-governmental entities, it only applies to organizations engaged in commercial activity. As a result, parties are off the hook there, too.
The government is not totally blind to this problem, but it’s not being very proactive about it either. Recent changes to the Elections Act have resulted in registered parties being required to implement privacy policies, but the requirements do not include having to disclose to you what data they have collected. These changes were implemented as part of Bill C-76, which received royal assent in December 2018. Despite a poll showing that 72% of Canadians want political parties to fall under the jurisdiction of privacy laws, and despite recommendations from international experts in the light of the Cambridge Analytica affair, where personal data was mined to help target American campaign advertising, the government moved ahead without taking extra steps to protect your data (or your access to it). In fact, one Liberal Party legal advisor told the Privacy Commissioner that forcing adherence to privacy laws would create a chill and hinder political involvement.
To diverge briefly for the sake of rounding out this picture: political parties are also not subject to the Access to Information Act, since the law only applies to information that is controlled by government institutions. And while most jurisdictions in Canada require disclosure of financial information (see Elections Canada’s open data site as an example), the specific work that lobbyists and policy advocates are doing with parties is not at all transparent.
All of these conditions render the work of political parties in Canada partly-opaque to members of the public. This has sobering implications for your personal data privacy and the methods used to shape and target messaging for political campaigns.
Here are some points to ponder:
- Political parties are bad at securing data, and it’s not just because they use tools that are bad at securing data. The BC Privacy Commissioner’s recent report (see section 4.8.1; also, note that this is the only formal, regulatory investigation into how Canadian political parties use personal data) found that all three major parties in that province had disclosed personal voter information to Facebook in the course of running their campaigns. Facebook, as we know, has a poor data privacy record. And though there have been no major breaches of confidential voter data in Canada, there are many examples in other countries (see pages 28-33 of this Tactical Tech report on political persuasion). Frankly, it’s just a matter of time. The problem isn’t necessarily hacking; it can be carelessness, as illustrated in the 2018 RNC breach that exposed personal details for almost 200 million US voters (one of only two major breaches in that year).
- Parties collect everything they can about you, because there are no rules for data collection. According to the same BC Privacy Commissioner report, campaigners would look for religious symbols when going door-to-door and record that information, along with thoughts on “perceived ethnicity.” Registered political parties already have access to voter lists containing location and contact information, so observations like these just augment data that political parties already have about your likely voting preferences.
- Elections Canada doesn’t know if parties break the rules. Though they provide guidelines for the use of voter data, Elections Canada admitted last year that they have no way of knowing whether or not parties follow them. The guidelines state that recipients of voter lists should take reasonable precautions to protect data security and confidentiality (emphasis mine) but there is no formal requirement. Having worked as a volunteer for election campaigns, I can tell you that getting access to voter lists containing detailed personal information (for example, as part of the work of making phone calls to voters, or going door-to-door) is trivial.
- Parties purchase additional data from data brokers. Data collection goes beyond the tactic of door-to-door observations. A report by Colin J Bennett and Robin M Bayley (p. 10-11) notes that political parties are terrific customers for data brokers. Companies like Info Canada compile personal information based on 100 different sources including utility bills, tax assessments, behavioural information and more; an Environics system classifies people into 68 different lifestyles. The Bennett/Bayley report notes that Environics data is already in use by the Conservatives and the NDP.
- All of the federal parties already use advanced data analytics tools, created in partnership with commercial vendors. The Liberals have Liberalist, which is a modified form of the VoteBuilder platform used by the Obama campaign in 2008. The Conservative Party has CIMS, which is based on software used by the US Republican Party. The New Democrats have POPULUS, which may be connected to their association with 270 Strategies. These systems are used to compile and analyze data about you, to trace your connection to and relationship with political parties, to “score” your likelihood of support, and ultimately to target you with specific forms of campaign material aimed at securing your vote.
It should frighten all of us that political parties are ravenously interested in the same marketing tools used by corporations to profile, persuade and target you. This effort has had light cast on it by Tactical Tech’s data and politics project, which looked at practices in 13 different countries. The effort located and profiled a wide range of organizations that target political parties as customers by claiming to “power democracy” and “win elections with social intelligence.” This visual gallery of some their findings is difficult to watch, no matter what your political affiliation may be:
As has becoming increasingly clear in recent years, the issue is not one of privacy—though privacy rights are critical in and of themselves—but of understanding and taking ownership of the means by which organizations collect and mobilize behavioural data for the purposes of persuasion and manipulation (consistent with my recent pattern, this is a nod to Shoshana Zuboff’s work). We are already deeply creeped out by the ways games and media brazenly manipulate us; we should be even more concerned that political parties and campaigns are actively embracing the same tools. Examination of Chile’s 2017 election reveals an example of how far this work can go. In my opinion, the threat to democracy has never been limited to Russia meddling in elections: rather, it encompasses that and the wide dispersion of powerful tools for data collection and for election-related manipulation in general.
A critical first step to understanding the domestic effect of these systems is subjecting Canadian political parties to the (outdated) privacy laws that we use to hold the government to account. This should be a federal election issue in 2019.