Saturday, 3 October 2015

EU Referendum, Data Mining And Hong Kong

Designation for the leave campaign means receiving official funding capped at £7million, a considerable sum which allows for more than a few contracts for friends. Designation also means that a large database, called Metis, consisting of millions of the electorate's details can be constructed in a national campaign as Mr Brexit notes. This database will have a lucrative market domestically particularly with the Conservative party and "Elliott's Four" have no qualms in spelling this out.

The AV referendum appears to have been acting as a dry run. During the campaign we can see the Action Centre section of the now defunct website (via Wayback Machine), where widgets could be added to blogs, Facebook and websites. Supportive tweets could be sent directly via the website and donations could be made which required names and addresses. All this information helping to build a database of supporters. Is it a coincidence that subsequently Metis began life in 2013 covering already 500,000 people?

What's interesting is this section of the Privacy Policy on the NotoAV website, (my emphasis): 
We may provide other third parties with information about our users, where this is likely to contribute to a successful outcome in the referendum for our campaign. Where you have not indicated that you agree to such sharing we will only provide third parties with statistical information cannot be used to identify you.

We may engage a third party to help us carry out any of our activities and these third parties may be located in countries that do not provide the same level of protection as is provided in the United Kingdom. We will ensure that these third parties have an obligation to protect your information in the same way that we protect your information.
Curiously one of Matthew Elliott's other business ventures Business for Britain does not have such an explicit "overseas third party" clause.

That NotoAV did begins to make more sense when we consider that Strateusis submitted a number of invoices to the AV campaign including this one below for £7,000 providing Search and Facebook marketing services:
Strateusis is, as we have noted before, registered in Hong Kong. Providing Facebook marketing services would strongly suggest it needs access to the database being accumulated, meaning that a copy of the data would be offshored.

If so this raises further concerns. Hong Kong data protection laws "are miles away" from developments internationally particularly within the EU. The main privacy law is the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance). But crucially Section 33 of the Ordinance which prohibits the transfer of data overseas has never been enacted, meaning there currently is no effective legal restriction on cross-border data transfers in Hong Kong (Guidance on Section 33 published by the Privacy Commissioner is voluntary and not binding).

NotoAV does try to reassure us that they "will ensure that these [offshore] third parties have an obligation to protect your information in the same way that we protect your information". But given the very suspicious way the campaign was constructed, how can we be so sure?

No comments:

Post a Comment