Canadian political parties are gathering more and more data on voters all the time. It’s time we regulated what data they glean, and what they can do with it.
The allegations of vote suppression through the practice of robo-calling using automatic dialing and announcing devices during the last Canadian federal election campaign has raised troubling questions about the impact of technology on the way political parties conduct modern campaigns. Both the RCMP and Elections Canada are conducting investigations, and Parliament has resounded with partisan denunciations and denials of wrong-doing. But the rise of robo-calling is merely the tip of the data revolution that is raising deeper questions about what information our political parties actually know about voters, how they collect it, and what they do with it.
The recent US election cycle revealed the extent and sophistication of personal data mining and profiling by political campaigns as never before. The modern political consultant’s arsenal includes smartphone applications for political canvassers. It boasts integrated platforms such as NationBuilder or Google’s Political Campaign Toolkit that provide campaign Web sites, e-mail services, ”social customer relationship management,” and fundraising software. Targeted e-mail and texting campaigns match IP addresses with other data sets showing party affiliation, donation history, and socio-economic characteristics.
Campaigns now extensively use both ”robo-calling” and ”robo-texting.” And no political strategy is complete without the use of social media to plan campaigns, target likely voters and donors, and measure the impact of policies and advertising on engagement.
Some of these data are gathered from the conscious activities of individuals. Others are gleaned surreptitiously from the digital trails that people leave through their various online activities. Reports suggest that there were no fewer than 76 different tracking programs on barackobama.com. The capture of personal data by political parties is no longer selfgenerated, obvious or consensual.
Surveillance during Canadian elections has been less extensive and intrusive — so far. Canadian parties and candidates have a minute fraction of the resources that are available to their American counterparts to fund the same degree of data collection. Nor do they have the same ease of opportunity to gather it. In the US, parties play a central role in registering voters for both primary and general elections.
But Canadian political consultants are always drawing lessons from south of the border, and it is not unusual for the latest campaign techniques to filter north. Furthermore, these new integrated campaign technologies can be easy to use, and cost far less than the more traditional and labour-intensive methods of acquiring information by going door-to-door.
The 2011 robo-call scandal was not the first time that privacy issues involving Canadian political parties have surfaced. A string of incidents over the last decade raises troubling, if subtly different, issues about the ways that parties and politicians use personal data for political purposes.
In 2006, Conservative Party MP Cheryl Gallant sent birthday cards to her constituents using data from passport applications, an incident that was later investigated by the Office of the Ethics Commissioner. The same year, the RCMP found lists of voter names and addresses in the office of a Toronto cell of the Tamil Tigers, a group classified as a terrorist organization. In October 2007, the Prime Minister’s Office sent Rosh Hashanah cards to supporters with Jewish sounding names, many of whom were unsettled and left wondering how such a list could be compiled.
During the 2011 election, a Conservative candidate from Winnipeg mistakenly sent a misdirected e-mail containing the names, address, phone numbers and e-mails of 6,000 of her constituents to a local environmental activist during the 2011 federal election. And in the same year, about 10,000 people signed a petition addressed to Jason Kenney and his ministry, Citizenship and Immigration Canada, demanding that a young gay Nicaraguan artist who was facing deportation be allowed to stay in Canada. Kenney later sent out an e-mail to those who had signed the petition, extolling what the government of Canada has been doing to promote ”gay and lesbian refugee protection.” Many in the gay community were startled that a federal minister had their contact information at his disposal.
All these cases occurred in an uncertain legal and ethical environment. Elections Canada responded to the robo-call incidents with a discussion paper on ”Issues Arising from Improper Communications with Electors,” and the Chief Electoral Officer is to make recommendations to Parliament in March of this year. The Federal Privacy Commissioner, Jennifer Stoddart, lacks the jurisdiction under Canada’s privacy laws to act. But Stoddart did commission Robin M. Bayley and me to conduct a study of the issues. Our analysis appeared in a report, ”Canadian Federal Political Parties and Personal Privacy Protection: A Comparative Analysis,” which outlined the vast quantity and variety of information processed by federal parties on voters, donors, members and supporters.
The main federal parties now administer extensive voter management systems: the Conservative Information Management System (CIMS); Liberalist; and NDP Vote. The foundation for these databases is the electoral list provided under the authority of the Elections Act by Elections Canada. Upon this framework, a range of other data about voters is added and analyzed. These data come from a variety of sources: telephone polling, traditional canvassing methods, petitions, letters, commercially available geo-demographic and marketing databases, and the analysis of online behaviour, including social media. Overall, however, the contents of these systems are shrouded in secrecy.
Privacy risks come in a number of forms. First, there is the careless handling of personal data resulting in data breaches. Every other kind of public and private organization in Canadian society has experienced the embarrassment and cost (both financial and reputational) of a data breach. The costs of a serious data breach to a political party during an election campaign would be incalculable.
A second area of concern is the nonconsensual capture and use of personal data for campaigning. For example, the Liberal Party of Canada has already announced that it will be using a new smartphone application that canvassers can use to record the results of conversations on the doorstep. Would the average voter reasonably expect that these conversations might be transmitted to central party databases? And then there is the uneasy fear that personal information communicated to MP’s constituency offices might filter into party databases. This should not happen, and the parties have stated that it does not happen. But the technology makes it increasingly easy to break down any firewalls.
Parties also undertake analysis of the social circles apparent through Facebook to broaden the range of potential supporters and targets for campaigning. Do people who ”like” a party realize that this will be entered on a database and result in their being labelled as a supporter and targeted for fundraising and get-out-the vote efforts?
A third area relates to intrusions through telemarketing. Policical parties are generally exempted from the national do-not-call list administered by the CRTC, and none of the Web sites of the major political parties provide any mechanism through which individuals can register on these lists to avoid a potential barrage of political solicitation. Most voters have to take extraordinary initiatives to avoid intrusive calls.
Canadian privacy protection laws and federal and provincial privacy commissioners are more comprehensive than those in the US. But no commissioner (with the possible exception of the Office of the Information and Privacy Commissioner of British Columbia) has jurisdiction over the personal information captured by political parties. Parties do not engage in much commercial activity and are therefore largely unregulated under the 1999 Personal Information Protection and Electronic Documents Act (PIPEDA), or similar provincial laws. Political parties are not government agencies, and therefore remain unregulated by the 1983 Privacy Act.
The only federal law that governs their practices is the Canada Election Act, but this legislation only applies to voter registration data collected and shared with parties and candidates under the authority of that legislation. Parties are also exempt from the new anti-spam legislation (C-28).
Thus, for the most part, individuals have no legal rights to learn what information is contained in party databases; to access and correct those data; to remove themselves from the systems; or to restrict the collection, use and disclosure of their personal data.
And for the most part, parties have no legal obligations to keep that information secure, to only retain it for as long as necessary, and to control who has access to it.
Virtually every other public or private organization in Canada must abide by these basic rules. Why should political parties be any different? Some argue that because political parties play a crucial role in democracy, they should have access to personal information in order to mobilize and educate voters. These important civic responsibilities, they claim, outweigh the arguments for regulation, and voluntary self-regulation by the parties will suffice.
As our report demonstrates, however, from the point of view of an ordinary supporter or contributor who wishes to exercise control over his or her personal information, the existing voluntary privacy commitments of Canada’s main federal parties are often difficult to find, inconsistent and vague. There is little evidence that any federal party (with the possible exception of the Green Party) has given sustained consideration to privacy and to the risks associated with amassing vast amounts of personal data in centralized databases.
There is no link to privacy on the homepages of either the Liberal Party of Canada or the New Democratic Party. The link on the Conservative Party Web site is more prominent, but the policy is incomplete and replete with vague assertions and exemptions. Parties are also supposed to operate internal do-not-call lists.
The process for getting on these lists is rarely publicized.
Canadian federal political parties need to be brought within the statutory requirements of PIPEDA, and therefore under the authority of the Privacy Commissioner of Canada. But on the assumption that politicians are going to be reluctant to regulate themselves, far more can be done to make self-regulation work. All political parties should
- revise their privacy policies based on the 10 privacy principles upon which PIPEDA is based, and publish them more prominently;
- appoint a responsible official (the equivalent of a chief privacy officer) who has overall responsibility for the collection, use and dissemination of personally identifiable information;
- more effectively operate their internal do-not-call lists;
- train staff and volunteers on privacy and security issues;and
- adopt appropriate risk management strategies in the case of a data breach.
This process of self-regulation could, of course, be jointly agreed as a common code of ethics. An accredited third party could certify compliance with this code. Obtaining a certification could also be a condition of receiving the list of electors from Elections Canada.
The implications of these concerns go beyond the well-known risks associated with the unregulated processing of personal data. Lack of attention to the protection of personal information can erode the already low trust that Canadians have in political parties and in our democratic system. In an age of social media, being more proactive about privacy protection and providing those necessary assurances, is good organizational practice. The appropriate management of personal data is in the interests of not only individual citizens, but also the long-term health of our democratic system.