Elections and data privacy
The electoral process is a crucial pillar of any democratic country. It’s one of those things that sets a nation apart from peers that are ruled by either a tyrant or a wealthy, exclusive few. Protecting it has always been a core objective among all freedom-loving people.
In recent years, elections have increasingly become more dependent on digital technologies and systems that rely on the collection and processing of vast amounts of personal data. This applies not just to the act of voting, but to the entire gamut of the election cycle: from political surveys, to the campaign proper, all the way up to the transmission of poll results. In practically every step of the way, personal data is front and center. Every single step represents an opportunity to abuse or misuse the data, intentionally or otherwise.
Because of this, few are surprised to see the role of data privacy in this milieu increase in scope and relevance. Data protection legislations have become de facto auxiliaries to existing election laws and regulations. Thus far, they have been used to address threats that come in several forms, including the
- Unauthorized data collection and function creep. Using various strategies and techniques, political operators and campaign mavens collect vast quantities of data meant for various uses during the election cycle. Among the more common tactics include the conduct of questionable polls or surveys and sign-up forms prepared by some candidates’ campaign teams. In July this year, the National Privacy Commission (NPC) issued a cease and desist order against the administrator of a particular website for committing what the agency considered as “multiple violations of the Data Privacy Act”. The website, named “Pilipinas2022.ph”, was requiring voters to give their respective names, addresses, and mobile phone numbers in order for them to take part in a survey relating to the 2022 national elections. The Commission felt the platform had failed to “meet the lawful criteria for processing of personal information” and to comply with the general principles for personal data processing. There have also been rumors about information gathered via contact tracing forms and apps being scooped up for later use. While this remains unsubstantiated, the idea is not exactly far-fetched.
- Profiling. Among the many uses for the collected data is the creation of individual profiles based on people’s political views, preferences, characteristics, and activities. The profiles, in turn, are used both by online platforms and campaign teams to target people with news, ads, and other content meant to influence their perspectives relative to specific candidates, political parties, or beliefs.
- Disinformation, misinformation, and defamation. Personal data is also used to create and spread false information either to improve a particular candidate’s image or to tarnish another’s. In most cases, they involve true information—for some semblance of legitimacy—mixed with outright falsehoods. Apart from inflicting damage on people’s reputations, this strategy sows distrust in legitimate data sources and contributes to the polarization of society.
- Identity theft and trolling. Identity theft per se is a distinct criminal offense under the country’s anti-cybercrime law. In an election setting, however, it assumes an entirely new meaning by lending itself to the offensive online behavior called “trolling”. Trolls are people whose sole intention when they go online is to upset others or start an argument with them. In most instances, they either use a fictitious name or an identity they’ve stolen from another person. They support their curated persona using photos and other content also stolen from other people’s accounts or profiles. A number of political figures are rumored to employ hundreds of them. The trolls are used either to improve their patron’s image or to attack the latter’s critics, or both.
- Manipulation of votes and election results. Of course, there is always the threat of vote manipulation; a charge that almost always surfaces in every election that has embraced digital technology. It’s been raised here in the Philippines during the last three or four national elections. In the U.S., it was the lynchpin that resulted in their January 6 insurrection.
The Cambridge Analytica scandal that erupted in 2018 involved practically all of these problems, except probably the last one. In that affair, it was alleged that the personal data of millions of Facebook users were improperly collected and shared with third parties who went on to conduct profiling, spread disinformation, and encourage trolling behavior. Despite Meta’s (formerly known as “Facebook”) statements to the contrary, a recently surfaced whistleblower claims the problems are very much alive and are just as pervasive.
How much of that is true is irrelevant at this point. Everyone can sense that the issues are still around, and they are by no means limited to Facebook and its affiliate platforms. Equally clear is the fact that the problems are more than just a handful of low-grade risks one can afford to set aside. Quite the opposite,
they are dangers that must be taken seriously given their potential to compromise the future of entire countries and the lives of real people.
In terms of solutions, the following suggestions offer a good starting point:
- Greater transparency. Everyone benefits if more transparency is observed throughout the entire election cycle. Survey and polling platforms must be more upfront about their data collection and data processing activities. Campaign teams and social media outfits should also shed more light on the way they run their campaigns and targeting activities. Their use of profiles, in particular, is key. How exactly do they develop and use profiles when formulating and delivering content and key messages? If lawmakers and regulators are kept blind regarding matters they are supposed to govern, they come up with poor and ineffective policies.
- Strict and consistent implementation of data protection laws. Countries that have a data protection law have a leg-up over their counterparts that don’t. Even without election laws or regulations that deal specifically with election-related data processing activities, they already have the necessary legal framework with which to police such activities. The only thing left to do is ensure there is a strict and consistent enforcement of said framework. The NPC’s enforcement action in July was a good start, but that cannot be all there is to it. There are far too many surveys and sign-up initiatives being carried out these days. Most operate in the same manner (i.e., opaque and lacking in accountability) the NPC has already found objectionable and worth stopping. How are they able to continue undisturbed?
- Effective coordination between online platforms and law enforcement. If companies like Meta are serious about their commitment to make sure their platforms are safe spaces not just from malicious actors, but also false information, they need to put up more effective controls. It has to include better coordination with law enforcement authorities in the latter’s pursuit of the responsible parties.
- Fact-checking and counter-narratives. Civil society, journalists, and even regular netizens also bear a portion of the burden. Civil society organizations need to allocate a portion of their advocacy efforts towards establishing a counterbalance to the proliferation of disinformation and misinformation. One way to do this is by working with the online platforms and journalists to engage in fact-checking sorties. It’s a difficult and often thankless endeavor, but someone has got to do it for everyone’s sake. Meanwhile, every person who maintains an online presence also needs to be more responsible when sharing information, especially if they include personal data. It’s not just to avoid charges of crimes like cyber libel or the malicious disclosure of personal information; it also reinforces every individual’s right to (accurate) information.
As an essential democratic institution, elections are as imperfect as they come. There will always be people who will attempt to cheat, or at least undermine such processes. As digital technologies and intensive data processing become more ingrained in the way they are conducted, all these disruptive operations will almost certainly target such technologies and processes with increasing frequency and effectiveness.
That is something we cannot allow unchallenged. If we truly value our rights and our freedoms, we will have to fight for every inch of space we want to enjoy them in—not only for ourselves, but for all those who will inherit our place generations from now.
Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He works for the University Data Protection Office of the Ateneo de Manila University, the Foundation for Media Alternatives, and the LIGHTS Institute. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.