On November 23, 2020, The International Digital Accountability Council (IDAC) hosted a webinar, “How the 2020 Presidential Campaigns Collect, Share Voter Data and Best Practices Moving Forward,” to discuss the IDAC’s investigation of apps created by political campaigns. Moderated by IDAC President, Quentin Palfrey, the webinar’s panelists of leading digital privacy and election integrity experts included MIT Internet Policy Research Initiative Director Daniel Weitzner, Warren for President campaign Senior Advisor Kassia DeVorsey, and The New Yorker writer Sue Halpern.
IDAC conducted a two-month investigation during the 2020 general election in the United States to evaluate the data collection and third party data-sharing practices of election apps and websites, including the apps and websites of President Donald Trump, President-elect Joe Biden, and more than a hundred senatorial, gubernatorial, and U.S. House of Representatives campaigns. This investigation found a number of concerning privacy practices from political campaigns, including: 1) accessing permissions that platforms deem “dangerous,” 2) transmitting enough identifier data to circumvent Apple/Google privacy guard rails (so called “ID Bridging”), 3) sending data to an excessive number of third parties. These behaviors raise very profound and challenging questions about what the nature of online digital organizing is and ought to be.
What is Digital Organizing? DeVorsey provided an overview on how campaigns collect and use data provided by voters. Voter data can be broadly categorized in two buckets: public voter rolls (e.g. the individual’s name, date of birth, party affiliation, vote history, etc) and information collected over the course of the campaign (e.g. from apps, websites, paper-based signup forms, etc). Campaigns typically have three main use cases for data collection: persuasion, turnout (encouraging people to show up to the polls) and registration (providing information about the registration process).
What should privacy advocates be worried about? IDAC having found that one of the third parties that the Trump app was sending data to was Phunware, Halpern, having reported on Phunware, drew parallels to how Cambridge Analytica mined data from Facebook in 2016. Phunware has thus been able to collect a vast array of data including demographic info, device IDs, and geographic information which became a valuable set of data for the Trump campaign. This practice of collecting geolocation also gave the campaign the ability to identify individuals who attended Trump rallies and target them with campaign ads and appeals.
What challenges arise when trying to address these concerns? Weitzner discussed that although the efficacy of current digital organization techniques has not been methodologically established, there would be many concerns if such techniques did work as well as alleged. However, one challenge is that the current rules surrounding campaigns are limited in scope, and campaigns often exist during shorter time frames than the lengthier time required of investigations conducted by the Federal Trade Commission (FTC) and state Attorneys General. In any case, Weitzner stated, there should be a set of rules that balance the fair use of collecting campaign data while protecting voter data privacy. He acknowledged that the political process should be allowed to exercise its first amendment rights and that campaigns should be able to build digital tools in order to organize more effectively, though he also brought up concerns relating to the de-personalized nature of automated analytics. Such analytics are more driven by opaque processes that are difficult to see and analyze.
Where do we go from here? The broader questions about speech and organizing are challenging, but there are nonetheless some common sense reforms that would make for a better ecosystem. IDAC recommends that apps should:
- Be explicit and forthcoming in privacy policies (e.g. disclosing what data is collected, why, and specifically which organizations it is shared with)
- Do NOT engage in “ID Bridging” which circumvents privacy protections
- Refrain from requesting excessive, and at times, invasive permissions characterize as “dangerous”
- Do not collect geolocation data and persistent identifiers beyond what is necessary for user functionality
- Decrease the number of third parties to which the user’s data is sent
IDAC’s full report on the election app investigation can be found here.