National Post

The global war against the world’s data pirates

‘VERY BIG INDUSTRY’ AND ‘VERY BIG PROBLEM’

- Stuart Thomson

One night in March from his home in Santa Rosa, Calif., Chris Vickery watched a television news report on the scandal engulfing Cambridge Analytica and got the urge to start poking around.

Vickery is the director of cyber risk research for the U.S. security firm UpGuard with a long record of discovering data breaches and, if he had a slightly darker heart, he could have easily scooped up the data he has found over the years and sold it for enough money to fund an early retirement.

He hasn’t, though.

As a rule, Vickery always notifies the companies about any breach and lets them clean up the mess before any harm can be done. It’s been that way since he started doing this work as a hobby and didn’t change when he took on the role at UpGuard.

But he broke his rule the night he went sleuthing around Cambridge Analytica, because he was dismayed by what he found.

Vickery began by searching GitHub, a public source code repository that allows coders to share their work and solicit advice and collaborators.

After a few minutes of searching, Vickery found the profile of an engineer who worked for Strategic Communication Laboratories, the parent company of Cambridge Analytica, and he combed through the developer’s code. Buried in the comments of one project was a reference to Aggregate IQ, the Canadian company that the pink-haired whistleblower Chris Wylie said functioned almost like an affiliate of Cambridge Analytica.

In that code was a reference to a company server; Vickery followed the digital breadcrumbs until he came to a registration page inviting him to sign up for the website. In effect, the company had accidentally invited the public to look at the contents of its private server.

“I created an account, logged in and it hit me, ‘Oh my God. This is the repository of where these tools are that Aggregate IQ and, it looks like, Cambridge Analytica and SCL, are using,’ ” he said, describing the moment last month to a British House of Commons committee investigating the companies.

“I immediately understood the gravity of the situation and thought, ‘I need to document this and download what’s here because a lot of people are going to be very interested in seeing this,’ ” he said.

There was no trove of personal data on the server, but all the tools to get it were there.

“It’s my contention that if I were a malicious actor I could have gotten into everything that Aggregate IQ has their hands in,” said Vickery. He didn’t, out of ethical concerns, and because he was worried about the legal peril it could put him and his employer in.

Vickery downloaded the contents of the server and shut down for the night. Cambridge Analytica had thrived thanks to unethically procured information from 87 million Facebook profiles and it was both unnerving and ironic to find the company so careless with its own data.

Normally, at this point, Vickery would inform the company about the breach and allow them to patch it up and notify their users. But what he’d seen on the Aggregate IQ server gave him pause.

“It seems weird for me to notify people that I suspect may be committing criminal acts that their criminal acts are being exposed to the world,” he said.

So, he tipped off a journalist, who made an inquiry to Aggregate IQ about the server’s contents. Eleven minutes later, the server was locked down.

Vickery is an important part of the story, but he’s just one player in the massive global effort to make sense of the sprawling controversy around Cambridge Analytica. The Canadian House of Commons ethics committee held one raucous meeting with the men who founded Aggregate IQ, while their committee counterparts in the United Kingdom — and Vickery himself — watched on a livestream.

It was at that meeting that the committee members found themselves in the middle of something resembling global intrigue. At one point, Toronto Liberal MP Nathaniel Erskine-Smith received texts from the information commissioner in the United Kingdom contradicting testimony being given by the witnesses from Aggregate IQ in real time. After the meeting, infuriated MPs looked into ways to sanction the witnesses, such as holding them in contempt or even pursuing criminal perjury charges.

When Vickery appeared at a U.K. committee hearing, he exchanged a rueful laugh with its members about the Aggregate IQ testimony they’d all watched.

While Aggregate IQ faces questions in the U.K. about its behaviour during the Brexit referendum and whether it was aware of a potential scheme to breach spending limits, it continues to deny any tangible connection to Cambridge Analytica.

That has left MPs on both sides of the Atlantic incredulous. Wylie, the whistleblower, said Aggregate IQ grew out of a larger recruitment effort and was set up because some new hires from British Columbia didn’t want to move to London.

The complicated mix of companies, some publicly known, others hidden, was also part of a broader strategy. Alexander Nix, the Cambridge Analytica CEO, told undercover reporters from Britain’s Channel 4 that they are “used to operating through different vehicles, in the shadows.”

The companies worked on elections around the world, promising a “secret sauce” created with a massive brew of data. Nix claimed his “psychographic profiles” could determine voters’ personalities and give clues on how to persuade them. It was a sales pitch almost too tempting for marketers and political spin doctors.

Cambridge Analytica worked on the presidential campaign of Texas Senator Ted Cruz and, after Cruz dropped out, the campaign of Donald Trump.

The company’s globetrotting efforts may have allowed it to skip town whenever the cries of “snake oil” got too loud. Republican strategists were deeply skeptical of the company’s methods by the time votes were counted in the 2016 election, the news organization Mother Jones reported.

Cambridge Analytica went on to Brazil, Germany, India and Australia. Aggregate IQ has worked in the United Kingdom, Trinidad and Tobago and for Goodluck Jonathan in Nigeria, among others.

Vickery’s discovery shows how deeply intertwined the companies are. In the Aggregate IQ repository, he found references to “the Kogan data,” which refers to the original Cambridge researcher who developed a quiz that sucked up the information of Facebook users and their friends. That data was the catalyst for the scandal that consumed Cambridge Analytica and ultimately led to the company shutting down this month.

Vickery also found code for an application called Ripon, which was sold by Cambridge Analytica to the Cruz campaign to more accurately target voters. Cruz’s team paid the company for use of the application, only to find out that it was funding the actual development of it.

At the committee meeting in the United Kingdom, Vickery said Cambridge Analytica had subcontracted the app’s development to Aggregate IQ, without the knowledge of the Cruz campaign.

Ripon creates a batch of new logins for each state and two of those accounts are called “AIQ” and “SCL,” showing that, at least when it came to the source code, Aggregate IQ was embedded deeply within Cambridge Analytica.

As Cambridge Analytica announced to the world it was shutting down, officials from UpGuard sent an urgent letter to the Canadian committee investigating the controversy, pleading with the MPs to take action.

The letter was so urgent, in fact, that it arrived around 11 p.m. and there was no time for a French translation before the early morning committee. Ontario NDP MP Charlie Angus apologized sincerely and promised to get it translated as soon as the committee finished for the day.

“The news that Cambridge Analytica and SCL are being dissolved raises serious questions. Is there more data out there hosted on services such as Amazon Web Services that would be relevant to inquiries in Canada, the U.S. and the U.K.?” the letter read. UpGuard urged the governments to seek data preservation orders as soon as possible.

The question — “is there more data out there?” — is easily answered.

Of course there is. Cambridge Analytica may be in the spotlight now, but it most certainly wasn’t the only company to exploit Facebook’s loose handling of user data.

There are companies dealing in big data — legally — whose work would make most people squeamish. Vickery even found his own name and home address in a spreadsheet of “online activists” on the unsecured server. Aggregate IQ knew about him before he knew about them.

“I think it’s a very big industry out there. I think it’s a very big problem. I think it’s a much bigger problem than people realize,” said Vickery in an interview.

For anyone looking to get off the grid, there is some good news. Taking action now and limiting the amount of information you give to companies like Facebook can be effective.

“These people do need fresh data, they need a continuous stream and if you don’t share as much and watch who you’re spilling all your personal details to, you will become less valuable to these companies,” he said.

JOSH EDELSON / AFP / GETTY IMAGES Cambridge Analytica is in the spotlight now but it certainly wasn’t the only company to take advantage of Facebook’s loose handling of user data, an expert says.

MATTHEW CHATTLE / BARCROFT IMAGES / BARCROFT MEDIA VIA GETTY IMAGES Chief executive of Cambridge Analytica Alexander Nix arrives at the office near Holborn, England earlier this year.
