The recent Office of the Director of National Intelligence (ODNI) report on Russia’s efforts to “undermine public faith in the US democratic process” through “an influence campaign in 2016 aimed at the US presidential election” also warns that similar influence operations could be waged against US allies, including France (where I’m from) and Germany. Both countries are set to hold elections in 2017 that will be crucial to the future of the EU.
As a European living in the United States, I am prompted to ask how France and Germany could defend against politically motivated cyber operations. Promising retaliation, as the Obama administration has done, is only a partially effective deterrence strategy to protect the electoral process; countries must also have defenses that prevent such campaigns from succeeding in the first place.
Creating an effective European defensive strategy requires close examination of how Russia’s influence campaign succeeded in the US. In a series of articles, Jonathan Albright has explained the Trump electoral campaign’s reliance on micro-targeting to gain social media support. Indeed, Trump’s campaign, working with British firm Cambridge Analytica, relied on personal data to target and convince, at a very fine-grained level, those people open to voting for him. As illustrated by the consequential statements of some politicians—think Mitt Romney’s infamous “47%” comment or Hillary Clinton’s “basket of deplorables”—today, political campaigns are not won by appealing to all the people. Instead, they are won by appealing to the right people, and the same personal data that can be strategically used in campaigns to find who the right people are also make the underlying election vulnerable to foreign influence.
Election Hacking 101
In largely two-party systems like that of France or the United States, most of the electorate locks onto a candidate several weeks before the election. The people who matter most in this time period are the “undecided voters” (Nate Silver’s first explanation for uncertainty two weeks before November 8 was “the high number of undecided and third-party voters”). In this context, campaigns must effectively target and convince these voters in order to be successful.
Previously, targeting and convincing voters required the following: political insights (to craft an adequate strategy fitting the electoral map), people on the ground (to gather information about what people think and where), political infrastructures and operatives (to shape the public debate and capture media attention), and an advertising and traveling budget (to spread the campaign’s message and control the media cycle). This system had many flaws but also one large advantage: because targeting and convincing people is costly, and indeed almost impossible, without the endorsement of major national organizations, it was difficult for a foreign country to successfully influence an election on the ground, short of coercing or co-opting an entire political party.
The internet changed this in two different, though related, ways. First, it diversified the supply side of news by increasing the number of media channels available. Second, and perhaps more importantly, the internet made it easier to segment the demand side of the news market. People can now be categorized relatively accurately through the digital breadcrumbs they leave behind on the internet. Bruce Schneier describes it as “data exhaust” in his book Data and Goliath. Since “surveillance is the business model of the Internet” and we live in an era of “surveillance capitalism,” in order to target people more precisely companies have the incentive to establish infrastructures that collect as much personal data as possible. This is the business model of Facebook and Twitter, and any startup knows the importance of “getting to know” their customers quickly. Beyond identification and targeting, these companies have also developed effective mechanisms to convince. Knowing one’s customers is not enough; a company must also be able to reach and persuade them.
Indeed, the business model of the Newsfeed rests on the profit generated by this “targeting-and-convincing” infrastructure. First, companies like Facebook or Twitter collect personal data on their users to profile them (the targeting phase). Second, these segments of users are served ads that are paid for by third parties (the convincing phase). If the ad content shifts from commercial to political, Facebook and Twitter’s Newsfeed algorithms can thereby be co-opted into a “micro-propaganda machine.” This machine, during election cycles, can then be exploited not just by companies but also for the political purposes of either national or foreign organizations. Indeed, the massive collection of personal data has enabled political entrepreneurs, both at home and abroad, to hack democracy.
Notably, the freewheeling collection and circulation of personal data have implications for national security threats beyond election hacking. For instance, terrorist organizations have used the internet to target individuals susceptible to adopting their ideology and carrying out terrorist attacks. Purely online radicalization is rare but major technology companies have increasingly focused on solving the problem. Companies like Google fight against this use by working with governments to take down illegal content, but they also leverage their own targeting methods to promote counter-narratives to dissuade those who might be susceptible to recruitment.
Data Protection Is About Security, Not Just Privacy
For years, the arguments in favor of data protection have centered on privacy. It is now necessary to also consider the importance of a comprehensive data protection framework as a security tool that could be used to increase the resilience of political processes against foreign influence and other threats, like online radicalization.
The EU’s 1995 Data Protection Directive, updated last year with the General Data Protection Regulation, provides more robust protection against such kinds of operations than the industry-specific privacy frameworks in place in the US (e.g. governing medical records or education data). By and large, robust data protection frameworks limit companies’ ability to maintain large databases of personal information that could then be weaponized through targeting-and-convincing infrastructures.
In an age when personal data is increasingly collected and used by private companies, the argument for implementing data protection frameworks such as the General Data Protection Regulation should not revolve solely around privacy. It is also about promoting the autonomy and agency of the citizenry’s decision-making processes.
To this end, a number of measures beyond data protection frameworks could increase the resiliency of our political processes against micro-targeting. We need to work with digital platforms to reduce their incentives to collect personal data for profit—what some call data minimization, others digital labor. We must determine the responsibilities of digital platforms to help moderate the digital arenas they enable and strike appropriate balances between privacy and free speech. And recognizing the power of data in the wrong hands, we must increase the security requirements of information systems storing vast amounts of personal data. This includes mandatory breach disclosure requirements where possible, and information-sharing among national, regional, or international institutions about those breaches to facilitate a responsible, immediate response.
As others have argued, the balance between security and privacy is not a zero-sum game. Rather, from a data-centric perspective, security and privacy are two sides of the same coin. When corporations and political organizations can free-ride on incredibly effective targeting-and-convincing infrastructure, it is not only our privacy that is at stake; it is our national security as well.
This article was initially published on Lawfare.