On February 18th 2019, the UK Parliament’s DCMS (Digital, Culture, Media and Sport) Committee published the final report detailing their 18-month investigation into the emerging field of online disinformation as well as the privacy practices of platforms such as Facebook.
The report pulls no punches. The quote from Damian Collins, committee chairman, sums it up: “Democracy is at risk from the malicious and relentless targeting of citizens with disinformation and personalised ‘dark adverts’ from unidentifiable sources, delivered through the major social media platforms we use every day.”
UpGuard’s head of Cyber Risk Research, Chris Vickery, has been a key witness to the investigation since his original discovery of the AggregateIQ files in March 2018.
Chapter 4 of the published report explores the AggregateIQ breach discovered by Chris, focusing on:
- Relationships between key entities (AIQ, SCL and Cambridge Analytica)
- Work that AIQ carried out for the EU referendum
- Capabilities available to AIQ, as indicated by the types of tools that were exposed in the repository.
The AggregateIQ Breach
It was with some astonishment that the residents of picturesque Victoria, British Columbia, saw AggregateIQ, a small data firm of “about half a dozen employees,” headquartered on the city’s Market Square, emerge as a central player in an international news story stretching from London to Silicon Valley. With more evidence emerging of its close ties to Cambridge Analytica, the political analytics company has been under investigation for its harvesting of data from over 87 million Facebook user accounts. Facebook, under congressional fire, suspended the company from its platform, citing AIQ’s documented ties to Cambridge Analytica and its parent company, Strategic Communication Laboratories (SCL).
This was a significant discovery and took some time to process. As such, we split the story into four distinct parts.
Part One - How a Political Engineering Firm Exposed Their Code Base
In our first story, we discussed the initial discovery of an exposed GitLab repository owned by AggregateIQ. Inside the repository we found the Ripon application, described by AggregateIQ co-owner Jeff Silvester as “a political customer relationship management tool focused on the US market”.
The story of the Ripon application, and its intersection with the presidential aspirations of Ted Cruz, Cambridge Analytica, and AggregateIQ, turned out to be one element in a greater story.
Part Two - The Brexit Connection
In the second part, we examined more closely a particularly important category of AggregateIQ’s data set: code from several websites, each concerning a British political organization, party, or pressure group.
The repositories named for Vote Leave, the DUP, Gove 2016, Change Britain, and Veterans for Britain provided a detailed look into web assets produced by AggregateIQ on behalf of a wide array of pro-Brexit groups and figures. These repositories were rife with exposed credentials, tokens, and passwords.
Part Three - A Monarch, A Peasant, and a Saga
The third part of the disclosure of the AggregateIQ breach covered the remainder of the tools found in their exposed GitLab repository. With names like “Monarch” and “Saga”, these tools helped AIQ optimize their political advertising campaigns, which is, in and of itself, uncontroversial.
However, we also uncovered the “Database of Truth”, a massive repository which includes US voter registration lists from every state that have been enhanced and scored via predictive behavioural analysis and advanced correlation methods. By combining the tools with the data, AIQ and Cambridge Analytica were able to scale and target voters at a level never seen before.
Part Four - NorthWest Passage
In part four, we returned to examine data revealed in the exposure showing AIQ’s involvement in political efforts closer to its home base of Victoria, British Columbia. While AIQ’s work on behalf of a number of Canadian politicians was already known, the data provided clear insight into what specific assets were built and possessed by AIQ for their clients, along with previously unreported information, including information about exposed credentials and passwords.
Where to from here?
“Companies like Facebook should not be allowed to behave like ‘digital gangsters’ in the online world, considering themselves to be ahead of and beyond the law.”
The DCMS report is a fascinating read, covering political campaigning, digital advertising and outright manipulation via online misinformation. Ultimately, the report concludes that companies such as Facebook should be brought under regulatory control, arguing “social media companies cannot hide behind the claim of being merely a ‘platform’ and maintain that they have no responsibility themselves in regulating the content of their sites”. Facebook has claimed that it is evolving, and is not the same company it was even a year ago.
It seems that the fight between social media giants and regulators may just be beginning.