Data and Democracy
Moral Hazard: Voter Data Privacy and Politics in Election Canvassing Apps
In this report we analyse the technical architecture, and associated privacy policies, of the canvassing apps used by the Liberal Democrat, Conservative, and Labour parties during the 2024 general election.
The legal and ethical use of such canvassing data is critical for protecting the integrity of elections, and by extension democracy.
Data Arms Race
The UK’s political parties are seemingly caught in a data arms race, where the stakes and pace of electoral politics may be driving them to cut governance corners. A lack of transparency around how people’s sensitive data is used poses the risk of creating a chilling effect on voters. Private companies may claim grounds on which they can monetise voter data which is willingly handed over by canvassers of UK political parties, in return for perceived competitive advantage.
Our analysis of apps shows that concerns around privacy and security are already very significant. Our Static Application Security Testing analysis of the Liberal Democrat’s MiniVan App found that it was deployed with infrastructure with a history of security vulnerabilities. An analysis of Labour’s web-based Reach, Doorstep and Contact Creator apps found these apps were integrated with infrastructure owned by Experian. The Conservatives’ Share2Win app also presented security vulnerabilities and access to data that would raise privacy concerns, such as location tracking. All parties – including the Conservatives through their Share2Win and VoteSource App – appear to be reliant on international commercial entities to run their digital campaigning infrastructure.
Who Do They Think We Are?
Open Rights Group’s 2020 Who Do They Think We Are? research found the UK’s major political parties engaged in extensive problematic profiling of the electorate, enabled by questionable relationships with major data brokers such as Experian. Similar themes echo throughout this report, where our analysis raises questions around how secure these apps are, and if the public’s data is being unlawfully shared with commercial organisations. Power asymmetries between parties and providers potentially make it harder for parties to assert control over how apps are designed. Limited resources and curtailed delivery schedules also increase privacy and security risks, by paying less regard than necessary to data protection law.
Data Use and Access Bill
This report comes at a point where the current Data (Use and Access) Bill has removed proposals to extend the use of data for political campaigning purposes which were contained in the previous changes proposed by the Conservative administration. This is very welcome, but is undermined by the ease with which a future secretary of state could reintroduce wide use of data through Statutory Instrument, known as “Henry VIII powers”.
The ability of a secretary of state to change the rules around electoral data creates the possibility that new uses of data could be legitimised shortly before an election, changing the electoral game with short timescales to adapt technologies to take advantage: both a moral hazard for any future government, and a security and privacy nightmare.
Recommendations
To address this uncertainty around problematic canvassing app data sharing, and build much-needed trust in electoral processes, we recommend:
RECOMMENDATION ONE
Political parties must urgently publish in the full list of organisations they share canvassing data with. Our research suggests some parties only refer to generic organisation types (e.g. “commercial partners”), whilst others do not appear to have listed the organisations our technical analysis suggests are involved in supporting canvassing apps.
RECOMMENDATION TWO
Political parties should collectively agree to publish financial details of agreements with commercial providers to provide canvassing infrastructure. This would help to highlight any deals where data assets implicitly form part of the value of a commercial agreement (for example where data brokers provide free access to infrastructure in exchange for data access).
RECOMMENDATION THREE
Political parties should proactively publicly publish canvassing data protection policies to maintain trust – for example publishing DPIAs for canvassing apps, specific data sharing agreements with third parties, and privacy consent forms provided to voters. Our research team could find no public evidence of such materials, beyond general privacy policies and some partial information within app user manuals.
RECOMMENDATION FOUR
The ICO and Electoral Commission develop new “anticipatory” regulatory assurance programmes that ensure political campaigning is lawful before and during elections – not retrospectively after they have concluded and damage is already done. This could include the ICO delivering a regulatory sandbox scheme or committing to proactive assurance audits for all major political parties’ canvassing apps.
RECOMMENDATION FIVE
The current Labour government should introduce new measures to strengthen governance of political canvassing and opinion data under the DUA Bill and election reform agenda. This will deliver on their commitment in the King’s Speech to “strengthen the integrity of elections”. Reforms should include mandatory public publication of political opinion data sharing agreements, and outlawing the use of canvassing data for commercial benefit.
RECOMMENDATION SIX
The ICO investigates if and how data has been shared between Labour and Experian throughout the 2024 election period. This is critical given the various potential data protection compliance issues and risks raised by our investigation, and the history of regulatory activity focused on Experian and political campaigning.
RECOMMENDATION SEVEN
The ICO should provide explicit guidance that sharing of election canvassing data with third parties constitutes “large-scale” processing of special category data – meaning it is high risk processing under the UK GDPR, and heightened safeguards and DPIAs are required. This should remain the case even where data is pseudonymised.
RECOMMENDATION EIGHT
The government’s proposed Integrity and Ethics Commission should investigate the relationships between data brokers and elected officials as a priority – recognising that transfer of data to third parties is essentially transfer of money given the significant value of these datasets, and should therefore be held to the same public standards and levels of scrutiny as financial interests.
