New report: Voter data privacy concerns over apps used by political parties

• Open Rights Group’s investigation raises concerns about privacy and security of political parties’ canvassing apps.

• Our report illustrates how provisions in the Data Use and Access Bill could be exploited by an incumbent government for political advantage in elections.

• Questions also raised about whether the public’s data is being unlawfully shared with commerical organisations.

Moral Hazard

A new report, Moral Hazard: Voter Data Privacy and Politics in Election Canvassing Apps, raises concerns about the privacy and security of canvassing apps used by political parties. The report also found that there is a lack of transparency over how data is used, which also raised the question of whether voters’ data is being used unlawfully.

Open Rights Group is calling for clear and consistent rules to govern how our data is used by political parties, and for political parties to be transparent about the companies they work with, the financial arrangements they have with them, and the processes they are using to protect the public’s privacy.

The report analysed apps used by the Conservative, Labour and Liberal Democrat parties. The findings included:

• An analysis of Labour’s web-based Reach, Doorstep and Contact Creator apps found these apps were integrated with infrastructure owned by credit referencing agency Experian. It is not obvious how data was shared between Labour and Experian and the report calls for the ICO to investigate this.

• Static Application Security Testing analysis of the Liberal Democrat’s MiniVan App found that it was deployed with infrastructure with a history of security vulnerabilities.

• The Conservatives’ Share2Win app also presented security vulnerabilities and access to data that would raise privacy concerns, such as location tracking.

• All parties appear to be reliant on international commercial entities to run their digital campaigning infrastructure.

Data Use and Access (DUA) Bill threatens electoral integrity

Electoral integrity could be undermined by a new data protection bill, the Data Use and Access (DUA) Bill, which is currently progressing through the UK parliament. The Bill includes provisions to give the Secretary of State to change the rules around how data can be used without parliamentary scrutiny. It opens up the possibility of a government minister using these ‘Henry VIII’ powers’ close to a General Election, in ways that could favour the political party in power.

James Baker, Platform Power Programme Manager at Open Rights Group said:

“With trust in our democratic systems is at an all time low, the government should be working to improve the public’s confidence in electoral processes.

“Our report highlights that there is a data arms race to the bottom, pushing parties to make short cuts in safety and privacy. The answer to this is fair and robust rules and enforcement.

“Instead, the government is doing nothing to make the ICO keener to act. The new data bill proposes to give ministers the power to make arbitrary rules about our political parties can use our data, potentially timed to favour their own party in an election.

“This will further undermine public trust. We need transparency and a fair set of rules agreed by Parliament and enforced by an independent ICO and Electoral Commission.”