Cyber Security and Emerging Threats

They know all your secrets: Political data mining in Canada

The Liberals know where you are. So do the Conservatives and the NDP. Most people do not realize the amount of information that political parties have about the public. They know where you have lived, where you went to school, when you graduated, and who you have dated. Anything and everything you have put on Facebook or any other social media platform is floating around in party databases somewhere, being used by party operatives to micro-target and guide their interactions with you. In Canada, political parties can pretty much collect as much data as they want about you, and you do not have the right to know what it is, where they collected it from, how they are using it, and what they are doing to protect it. 

Background: Politicians decide if the laws apply to them

The idea of data security and surveillance has been at the heart of political debate in Canada and the House of Commons for the past number of years. In 2019 for example, the Liberal government introduced the “Digital Charter” which was meant to guide principles of digital life in Canada. Amongst the guiding principles of the Charter was the idea that Canadians would have to provide consent for the collection and use of their data. However, self-interest appears to have shaped the application of this charter, as political parties are not mentioned and are thus exempt from these principles. 

The parties have argued that the collection of data is necessary for the success of democracy and allows them to have more meaningful connections with the public. Using this data, they are able to better understand citizens and their concerns. However, the depth of the information they collect is often hidden from the public, and even from oversight bodies. For example, in a Federal Committee hearing on the issue, the political parties mentioned the collection of names, addresses, and phone number as being at the core of their data collection. But when the parties are pressed, more concerning information comes out. In the Committee hearing, the Speaker for the conservative party admitted to also collecting dates of birth and credit card information. Likewise, hidden on the Liberal webpage under Privacy, the Liberals admit to logging and tracking IP addresses. This allows the Liberals to see all other webpages that visitors go to and is a sizeable data contribution to their databanks. 

Why should we care?

There are several concerns at the heart of this issue. The first is around security.  It should be noted that this area is difficult to fully access as the political parties have been extremely secretive about how the data is stored and by whom. In regard to the massive data collection process, perhaps the most concerning element is the use of apps by all the major parties. The Conservative privacy policy surrounding their app specifically mentions that they cannot fully control who can access your information within their app, and that they cannot be held responsible for possible third-party data usage. This is especially troubling in the Conservative case, as their app was made by an American developer and little information has been released about the Developer’s access to information and disclosure to American political entities. 

All of the political parties have attempted to address some concerns about possible data access by making their apps multilevel. This allows them to limit the information certain users, such as volunteers can access. This in theory means that staff, volunteers and officials only have access to relevant information for their specific role within the party. However, this is all based on the idea that training their users and their personal policies surrounding data collection and usage are upheld by party officials. If a volunteer or constituency worker chose to go into the database and misuse the information, there is little to prevent them from doing so. This was supported by the Privacy Commissioner who held that all the major parties failed to appropriately explain how they protected their databases from misuse.

There are more threats than just misuse though. All of the major political parties have been incredibly vague about how the data is stored and protected from possible hacks, security breaches and espionage. The Liberals have disclosed that they do use a cloud-based server for their emails, but have not disclosed with which provider or if any special security measures such as double encryption have been employed. The NDP also use a cloud-based server, trying to depart from holding hard copy and electrical data themselves. However, they continue to remain quite vague when discussing further security protocols. Beyond the storage of data and the use of IT teams to test security and limit access, very little detail has been disclosed about concrete efforts to secure Canadians’ sensitive data. It should also be noted that as the existing legislation does not apply to political parties, they do not need to disclose data breaches and their magnitude. This means that your credit, personal, and political information might have been stolen and you would not even know about it. 

The governments’ Digital Charter specifically indicates that Canadians should know what organizations know about them, and that they should have control over the data. However, when examining the political parties’ privacy policies, it is evident that this is not the case. For example, the Conservative, the Liberals and the NDP privacy policies ignore the idea of limiting or erasing the data the parties have collected on you, only allowing Canadians to update their information. Moreover, the parties refuse to tell the public how long they plan to keep the collected data, likely because they have no plan to destroy it.  

What should be done?

Currently, pressure has been building for the government to expand existing legislation around cyber security. The current Privacy Commissioner has strongly recommended the application of existing laws to political parties, and that explicit laws be created to regulate the usage of data by political parties.  He has also criticized the government for failing to apply these recommendations. The Centre for Digital Rights (CDR) has also filed five complaints in different jurisdictions questioning the legality of these actions. However, in order for any real change to finally take place, Canadians need to understand what is happening and tell politicians they do not have the right to special rules or exemptions. These policies are putting Canadians at risk – it is up to Canadians to let them know that this is unacceptable.

Photo: Big Data Analytics Service Provider, Fragma Data via flickr

Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.

Nicole Dougherty
Nicole is is currently working on her Masters in political communications and marketing. She has an Honours BA in Political Science and History from the University of Guelph, where she focused on Canadian political development, propaganda and Quebec nationalism. She has a keen interest in intellectual property security, cyber security and Women in Security. Part of her interest in these areas dates back to her childhood obsession with science-fiction, notably Star Trek, which she believes has always demonstrated what can be accomplished when people from different cultures, regions and beliefs work together in the pursuit of common goals and interests. Contact Nicole at doughertynicole1@gmail.com
http://natoassociation.ca/nicole-dougherty/