The Great Hack: How a subject access request exposed Cambridge Analytica

–– 26 Jul 2019

It was the scandal which finally exposed the dark side of the big data economy. The inside story of how one company, Cambridge Analytica (CA), misused personal Facebook data to micro-target and manipulate swing voters in the US election, is told in “The Great Hack”, a new documentary that was released this week. 

The Great Hack presents this scandal by directly affected persons: Cambridge Analytica insider and whistle-blower, Britney Kaiser, journalist Carol Cadwalladr, and David Carroll, an American professor who sued CA following an inadequate response to a data subject access request.

But how did a lone subject access request, one of the eight rights under the General Data Protection Regulation (GDPR), expose Cambridge Analytica? And what does The Great Hack tell us about data rights and protection?

A dark data world

As the former CEO of the now-defunct Cambridge Analytica, Alexander Nix tells the film-makers, this is “not just about one company”. 

Quite rightly. The Great Hack goes further in opening our eyes to the way we’re constantly being monitored – and controlled through technology. It goes into the very core of how business models have been made to seep into our lives and monetise us. And it’s much bigger than just Facebook and CA.

In an engaging way, the film shows how data harvesting models have become core to the data economy, and underpins a complex ecosystem of tech companies, data brokers, advertisers and even academics.

The Great Hack also shows how the model’s pioneers Google and Facebook have access to tracking and monetising our lives, by controlling the primary gateways – outside China – to the online world (between them Google Search, Chrome, Android, YouTube, Instagram and WhatsApp).

However, harvesting the data is just the start of the story. It’s how companies use sophisticated analytics powered by machine learning to profile people and influence their behaviour. Facebook’s own profiling practices largely escaped scrutiny. And yet the company has explored personality profiling, how to manipulate emotions, and target people based on psychological vulnerabilities such as when they felt “worthless” or “insecure”. 

But how was Cambridge Analytica finally exposed? And what role did a subject access request play? 

The power of the subject access request

Having been interested in data privacy issues for some time, it wasn’t until Trump was elected that professor David Carroll took an interest in CA. In an interview with Privsec, Carroll describes the lead up to the subject access request. He was told by data protection expert Paul-Olivier Dehaye to submit a DSAR to Cambridge Analytica in January 2017. Once David got the response he posted it on Twitter.

“The response I posted on Twitter got attention from British data protection experts and academics who suggested the response contained unlawful elements, and my solicitor agreed there were serious breaches of the Data Protection Act [2018].”

After filing complaints to the Information Commissioner’s Office (ICO), David filed a legal claim in the High Court and Cambridge Analytica served on March 16th 2018. This was the day that Facebook suspended the company. Once the press got a whiff of it, the issue became a global phenomenon.

But as David quite rightly points out in that interview…

“If Cambridge Analytica had not exported voter data to Britain, where citizens’ rights are vigorously supported by the ICO, we would have had no recourse to even do a DSAR and they could have lawfully ignored the request.”

Are we back to business as usual?

Despite regulations and data rights, it’s not clear everyone has learned their lesson. Not only that but it looks like most efforts don’t seem to be tackling the root causes of the problem. Two weeks ago, US regulators approved a record $5bn settlement against Facebook over Cambridge Analytica. But after news about it broke, Facebook’s share price went up.

It looks like the company and its investors would be happy for this to remain an isolated incident. They seem happy to pay $5bn which is a measly sum compared with their  $22bn in pure profit a year. Patching up a few improvements to their privacy protections, it looks like Facebook are going back to business as usual. 

Not to mention they’re planning on rolling out a cryptocurrency Libra, a currency project that could give them further ability to track and analyse the spending of millions of citizens. Creepy, eh?

Data rights to break into the mainstream

In a positive way, The Great Hack does a great way of showing why regulations like GDPR and data rights are fundamental in our modern-day society. We hope this publicity will help bring data protection and rights into mainstream conversations.

Rights & regulations

The Great Hack shows how data rights are a powerful tool for people to use in order to find out the truth about data practices at organisations. It’s rights like this that make it difficult for organisations to hide, helping transparency and better data ethics.

As David Carroll points out… 

“[The subject access request] taught me how much the United States badly needs to grant its citizens the equivalent data protection rights to those that Europeans enjoy.”

It’s our hope that rights will continue to roll out across the world, such as the Californian Consumer Privacy Act, due to go live in six months. Data rights will play a vital role in the future and protection of citizens around the world.

Subscribe to the Tapmydata newsletter.

    Media coverage
    and partners.

    Find out what’s being said about Tapmydata and discover our personal privacy partners.

    Download press kit