One Man’s Obsessive Fight to Reclaim His Cambridge Analytica Data

Credit to Author: Issie Lapowsky| Date: Fri, 25 Jan 2019 11:00:00 +0000

It’s 8 on a Wednesday morning in January, and David Carroll’s Brooklyn apartment, a sunny, wood-beamed beauty converted from an old sandpaper factory, is buzzing.

His 10-year-old daughter, dressed in polka-dot pants, dips out the front door and off to school, Jansport backpack slung over her shoulders. His 5-year-old son darts into the living room in a luchador mask he picked up on the family’s holiday trip to Mexico. (His wrestling name, he tells me, is Diablo.) Carroll’s wife, Alex, who was unaware a reporter was coming to interview her husband this morning, hurries around picking up the detritus any family of four might leave behind in the morning rush and tucking away product samples from her job as a market researcher. There’s a crayon drawing on the coffee table, an intricate toy camping scene set up on the floor. And on the refrigerator, someone—I suspect the boy—has spelled out the word POOP in multicolored alphabet magnets.

For most everyone in Carroll’s bustling household, today is a morning like any other. Not for Carroll. This morning, he rolled out of bed at 6 am to news that the parent company of Cambridge Analytica, the now defunct international conglomerate, had pled guilty to criminal charges of disobeying a British data regulator.

The story of how the data analytics firm and former Trump campaign consultant misappropriated the Facebook data of tens of millions of Americans before the 2016 election is by now well known. But the company’s guilty plea wasn’t really about all those headlines you’ve seen splattered in the news over the past year. Instead, their crime was defying a government order to hand over all of the data they had ever collected on just one person: David Carroll.

For more than two years, Carroll, a professor of media design at The New School in Manhattan, has been on an obsessive, epically nerdy, and ultimately valuable quest to retrieve his data from Cambridge Analytica. During the 2016 election, when the firm worked for both the Trump campaign and senator Ted Cruz’s campaign, its leaders bragged openly about having collected thousands of data points to build detailed personality profiles on every adult in the United States. They said they used these profiles to target people with more persuasive ads, and when President Trump won the White House, they hungrily accepted credit.

A year ago, Carroll filed a legal claim against the London-based conglomerate, demanding to see what was in his profile. Because, with few exceptions, British data protection laws allow people to request data on them that’s been processed in the UK, Carroll believed that even as an American, he had a right to that information. He just had to prove it.

Carroll shuffles past me barefoot, a mug of coffee in one hand, his phone in the other. “Enjoy the moment,” he says, reading a message from his lawyer, Ravi Naik, who’s been feeding him updates from London all morning. About an hour later, an email floats into Carroll’s inbox from the British Information Commissioner’s Office, the regulator that brought the charges. Carroll turns his phone toward me to reveal the news. Cambridge Analytica’s parent company, SCL, is being fined the equivalent of roughly $27,000. Carroll’s cut? About $222.

He couldn’t help but laugh. The sum is insignificant. The moment, anything but.

When he started out, Carroll was an underdog, facing off against a corporation with ties to the president of the United States and backed by billionaire donor Robert Mercer. If he lost, Carroll would be on the hook for the opposing team’s legal fees, which he wasn’t quite sure how he’d pay.

But if he won, Carroll believed he could prove an invaluable point. He could use that trove of information he received to show the world just how powerless Americans are over their privacy. He could offer up a concrete example of how one man’s information—his supermarket punch card, his online shopping habits, his voting patterns—can be bought and sold and weaponized by corporations and even foreign entities trying to influence elections.

But more importantly, he could show what’s possible in countries like the UK where people actually have the right to reclaim some of that power. He could prove why people in the United States, who have no such rights, deserve those same protections.

Much has changed since David Carroll picked this fight with Goliath. Following a relentless flood of scandals last spring, SCL shuttered and is now going through insolvency proceedings in the UK. The Cambridge Analytica scandal spurred just the kind of privacy awakening in the US that Carroll was seeking. Facebook tightened its hold on user data and has been increasingly asked to answer for all the ways it gave that data away in the first place. A strict data protection law passed unanimously in California last summer, and members of Congress have begun floating plans for broader federal privacy legislation.

Carroll, meanwhile, has emerged as a cult hero of privacy hawks, who follow every turn in his case, Twitter fingers itching. This week, he’ll become a movie star, appearing as a central character in a feature-length documentary called The Great Hack, premiering at the Sundance Film Festival. “We hope this film sheds light on what it means to sign the terms and conditions that we agree to every day,” the filmmakers, Jehane Noujaim and Karim Amer, explained in an email. “What does it mean when we actually become a commodity being mined?”

But for all that’s changed during these past two years, so much has stayed the same. Despite SCL’s guilty plea, Carroll still hasn’t gotten his data. And Americans today have no more legal rights to privacy than they did when Carroll’s crusade began two years ago. That could change this year. With a strict data protection law set to go into effect in California next January, even tech giants have begun pushing for federal regulation that would set rules for businesses across the country. Now more than ever, Carroll says, having that information in hand could help illustrate exactly how this new economy—so often misunderstood and discussed in the abstract—works. Which is why, nearly a year after the Cambridge Analytica story broke, and many months after its name has fallen out of the daily headlines, Carroll keeps fighting.

If you know Carroll from Twitter—where, as @profcarroll, he spends his days tweeting bombastically about Facebook’s duplicity or stridently skewering obscure figures from the Trump campaign in long, snarky, and inscrutable threads—then you couldn’t possibly imagine the nervous, affable guy I first met in a downtown Manhattan coffee shop back in 2017.

He looked exactly the way I expected a tenured liberal arts professor to look: gray stubble on his face, a disarming smile. I could easily imagine him in tweed. It was November 8, a year to the day since Donald Trump was elected president of the United States. That evening, Carroll sat across the table from me, a lit tea light casting his face in a film noir glow, and told me what he knew so far of his story.

Carroll hadn’t always been in academia. During the dotcom boom and bust, he worked in digital marketing and watched as advertising evolved from the sort of broad branding exercise that had been the dominion of television and print to an industry dominated by Google, which used infinite quantities of user data to hyper-target ads. When he left his marketing career to teach full time, Carroll, who has an MFA in design and technology, transformed from an industry participant to a chief critic, lecturing students on what he calls the “myth” that advertising doesn’t work if it’s not targeted.

In 2014, while he was on sabbatical, Carroll began working on a startup called Glossy, which integrated with Facebook to recommend articles from magazine archives based on users’ interests. The idea never took off; Carroll couldn’t get funding, and his early employees got quickly poached by tech giants. But he got just far enough to see how much user data Facebook was willing to give away in the name of growth. At the time, the social networking giant allowed developers to slurp up data not just from their own users but from their users’ friends, all without their friends’ awareness or explicit consent. Facebook didn't officially end this policy until April 2015, and continued to give some developers access even after that.

“I saw how the sausage got made and how easy it was to amass data and create a surveillance infrastructure,” Carroll says.

Around that same time, across the Atlantic Ocean, another young professor at the University of Cambridge named Aleksandr Kogan was building an app of his own. It used a personality quiz to collect users’ profile information, including their location, gender, name, and Page likes, and then spit out predictions about their personality types. Like Carroll, Kogan knew that when Facebook users took the quizzes, not only would their data be free for the taking, so would the data belonging to millions of their friends. Unlike Carroll, Kogan viewed that not as an invasion of privacy but as an opportunity.

“It didn’t even dawn on us that people could react this way,” Kogan says.

Beginning in 2014, Kogan paid about 270,000 US Facebook users to take the quiz, which Kogan has said unlocked access to some 30 million people’s data. But Kogan wasn’t just working on his own. He was collecting this information on behalf of SCL, which had big plans to use it to influence American elections. Kogan sold the data and his predictions to the company, and though he didn’t know it then, lit the fuse of a time bomb that would detonate three years down the line.

Carroll knew none of this at the time. But his experience building Glossy made him enough of a self-proclaimed “privacy nerd” that by the time the 2016 election rolled around he was keeping a close eye on the presidential campaigns and their digital strategies. He was watching SCL’s spinoff Cambridge Analytica, in particular, because it had taken credit for helping senator Ted Cruz win the Iowa primary, using so-called psychographic targeting techniques. But it wasn’t until President Trump’s upset victory, in a campaign that had been buoyed by Cambridge Analytica data scientists and consultants, that Carroll, a Democrat, began to worry about what this firm could really do with millions of Americans’ information.

He wasn’t the only one. Thousands of miles away, in Geneva, Switzerland, a researcher named Paul-Olivier Dehaye, who now runs a digital rights nonprofit called PersonalData.IO, was deep into a months-long investigation of SCL. At the time, he was trying to answer a fundamental question about the company that was also rumored to have played a hand in promoting the Brexit referendum: Did Cambridge Analytica really know as much as it claimed? Or was it just selling snake oil? One way to answer that question conclusively, Dehaye believed, would be to see what information the company actually held.

The UK’s Data Protection Act guarantees the right to access data that’s processed within the UK. But in the past, it was mainly British residents who had exercised that right. Few had ever tested whether the law applied to people outside of the country as well. Dehaye believed this would be the perfect opportunity to try, so he began reaching out to American academics, activists, and journalists, urging them to submit what is known as a “subject access request” to the company. It was Americans’ data, after all, that Cambridge Analytica seemed most interested in. Carroll was one of Dehaye’s targets.

“David was very vocal on Twitter, and he already knew a lot about ad tech,” Dehaye says. “That’s why I thought I had a chance to convince him.”

He was right. Carroll was one of a handful of people who accepted the challenge. He says he viewed the project as an academic experiment at first, and, he says, a good use of his tenure. “I can’t get fired for what I do,” he said. “My job gives me the freedom to pursue these things. If I don’t do it, who’s going to?”

In early 2017, Carroll submitted his request, along with a copy of his driver’s license, his electric bill, and a £10 fee, which Dehaye paid. Then he waited. Dehaye never really expected Carroll to receive a response. In fact the story may have ended there, had SCL denied that Carroll had the right to his data from the outset. “They could have just said UK law doesn’t apply to you because you’re an American,” Dehaye says.

Instead, one Monday morning about a month later, as Carroll sat alone in his apartment, sipping coffee at the dining room table, an email landed in his inbox from the data compliance team at SCL Group. It included a letter signed by the company’s chief operating officer, Julian Wheatland, and an Excel file laying out in neatly arranged rows and columns exactly who Carroll is—where he lives, how he’s voted, and, most interestingly to Carroll, how much he cares about issues like the national debt, immigration, and gun rights, on a scale of one to 10. Carroll had no way of knowing what information informed those rankings; the thousands of data points Cambridge Analytica supposedly used to build these predictions were nowhere to be found.

“I felt very invaded personally, but then I also saw it was such a public interest issue,” Carroll says.

He promptly tweeted out his findings. To Carroll, his file seemed woefully incomplete. But to Dehaye and other experts of the internet, it seemed like exactly what he needed to prove a case. In answering Carroll at all, Dehaye argued, SCL conceded that even as an American, he was entitled to his data. But in showing him only the smallest slice of that data, Carroll and Dehaye believed, SCL had broken the law.

Dehaye put Carroll in touch with Ravi Naik, a British human rights lawyer, who had worked on data rights cases in the past. “Immediately, he was like, ‘This is going to be a massive case. It’s going to set precedents,’” Carroll says.

Still, Naik was cautious, knowing that the case law regarding foreigners gaining access to their data was extremely limited, resting on just two cases where death row inmates from Thailand and Kenya had attempted to get their data from the British police. But Naik also viewed Carroll’s case as the beginning of a new civil rights movement. “It’s really balancing the rights of individuals against those with mass power,” Naik says.

In April 2017, Carroll and Naik sent what’s known as a “pre-action” letter to SCL, laying out a legal claim. In the UK, these letters are used to determine if litigation can be avoided. In the letter, Naik and Carroll argued that not only had SCL violated the UK’s Data Protection Act by failing to give Carroll all of the underlying data, the company hadn’t received the proper consent to process data related to his political views to begin with. Under the law, political opinions are considered sensitive data.

Once again, Carroll got no additional data in return. According to Alexander Nix, Cambridge Analytica's then-CEO, the company shared certain data with Carroll as a gesture of "good faith," but received legal advice that foreigners didn't have rights under the Data Protection Act. Asked why the company didn't share more of that data, Nix said, "There was no legal reason to comply with this request, and it might be opening … a bottomless pit of subject access requests in the United States that we would be unable to fulfill just through the sheer volume of requests in comparison to the size of the company." (After answering WIRED's questions, Nix retroactively asked for these answers to be off the record. WIRED declined.)

Carroll wasn’t the only person who had tried and failed to get his data from SCL. Initially, Naik says, about 20 people around the world were on board. But when it came time to bring the case to court, he says, they needed only one complainant, and it was Carroll who was most willing to take the risk. “It says a lot about David that he’s willing to stand by not just his own rights but also the rights of everyone affected, to work out what this company was doing,” Naik says.

Carroll and Naik spent the bulk of 2017 preparing the case and hedging their bets against worst case scenarios, of which there were many. In the British legal system, whoever loses a legal case winds up paying the winning side’s fees. Carroll worried that could amount to hundreds of thousands of dollars, the kind of costs he couldn’t bear on his own. So that fall, Carroll launched his own legal defense fund on CrowdJustice and announced his plans to file the complaint in The Guardian. Suddenly, he was flooded with support from strangers who’d grown similarly suspicious of Cambridge Analytica. He raised nearly $33,000 in a matter of weeks. Today, he’s raised another $10,000 more.

But for all the encouragement Carroll received, almost as soon as he went public with his plans he also got more than a few words of warning. Once, Carroll says, a Cambridge Analytica employee approached him after a film screening at The New School, shook his hand for a few beats too long, and told him to drop the case. Another time, Carroll got a mysterious email about a British journalist who had supposedly been investigating SCL when he died suddenly falling down the stairs. “Please don’t forget how powerful these individuals are,” the email read.

It was almost certainly a coincidence, and Carroll never followed up with the woman who sent the email. “I didn’t want her to talk me out of it,” Carroll says. But he still couldn’t help but feel spooked. In the fall of 2017, he rightly felt like he had a lot to lose.

The night we met in the coffee shop, I asked Carroll whether all these risks he was taking worried him. He smiled anxiously and said, “It scares the shit out of me.”

A few months later, I spotted Carroll across a crowded auditorium at PutinCon, a gathering of reporters, foreign policy experts, intelligence officials, and professional paranoiacs being held in an undisclosed location in Manhattan. The express purpose of the conference was to discuss “how Russia is crippled by totalitarian rule” and explore how Russian president Vladimir Putin’s power “is based in fear, mystery, and propaganda.”

But Carroll had other matters on his mind. That day, March 16, 2018, his lawyers in London were finally serving SCL with a formal legal claim, requesting disclosure of his data and laying out their intention to sue for damages. The request had been more than a year in the making, and Carroll spent much of the morning darting out to the hallway, exchanging Signal messages with Naik, even though he was scared that any venue hosting something called PutinCon must have been hacked.

After Naik’s colleague served SCL with the paperwork, Carroll stood looking at his phone in satisfied disbelief. “It’s finally real,” he told me. “It’s not just an idea anymore.”

There was one other thing. Carroll said he’d heard “rumblings” from British journalist Carole Cadwalladr that some big news regarding Cambridge Analytica was coming from The Guardian and The New York Times. “It’s going to make Facebook look really bad,” he said.

Less than 24 hours later, Carroll turned out to be more right than he even knew. The next morning, photos of a pink-haired, self-styled whistleblower and former SCL contractor named Christopher Wylie were splashed across pages of The New York Times and The Guardian. “Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach,” read the Guardian headline. “How Trump Consultants Exploited the Facebook Data of Millions,” read the Times’. The night before, Facebook had tried to preempt the stories, announcing it was suspending Wylie, Cambridge Analytica, SCL, and Aleksandr Kogan for violating its policies against sharing Facebook data with third parties.

That hardly helped Facebook’s case. The news did more than make Facebook look bad. It did what history may judge to be irreparable damage to a company at the peak of its unprecedented power. Facebook’s stock price plummeted. Zuckerberg was summoned to Congress. The company gave itself the impossible task of auditing apps that had access to mass amounts of data, and began cutting off other developers from collecting even more. Google searches for “how to delete Facebook” spiked.

In the end, Facebook CEO Mark Zuckerberg acknowledged that as many as 87 million people may have been affected by the data intrusion. Eventually, the Federal Trade Commission launched an investigation into whether Facebook violated a 2011 consent decree regarding its data privacy practices. "I started Facebook, and at the end of the day I'm responsible for what happens on our platform," Zuckerberg wrote on Facebook days after the news broke. "While this specific issue involving Cambridge Analytica should no longer happen with new apps today, that doesn't change what happened in the past."

Earlier this month, The Washington Post reported that the FTC is considering “imposing a record-setting fine” against Facebook.

As bad as things were for Facebook, they soon got worse for Cambridge Analytica. Days after Wylie’s story first made headlines, Britain’s Channel 4 News began airing a series of devastating undercover videos that showed the firm’s once sought-after CEO, Alexander Nix, discussing using dirty tricks like bribery and blackmail on behalf of clients. In one case, Nix boasted that using Ukrainian women to entrap politicians “works very well.”

Alexander Nix, ex-CEO of Cambridge Analytica, was captured on camera by Britain’s Channel 4 News, discussing using tactics like extortion and bribery on behalf of clients. Nix later denied the company used such tactics, but was replaced as CEO before SCL went out of business last May.

After the news about Cambridge Analytica’s use of Facebook data made headlines in March, the British Information Commissioner’s Office searched the company’s London-based office and seized its servers as part of an ongoing investigation into the use of data in politics.

Former SCL contractor Christopher Wylie blew the whistle on Cambridge Analytica last March, telling *The Guardian* and *The New York Times* that the company misappropriated the data of tens of millions of Facebook users and used it for political purposes during the 2016 presidential election in the US.

During the 2016 election, Cambridge Analytica staffers and data scientists worked side by side with President Trump’s staff in the campaign’s digital headquarters in San Antonio, Texas.

Before working on the Trump campaign, Cambridge Analytica consulted for senator Ted Cruz’s campaign. The company would later claim credit for helping Cruz win the Iowa primary.

As a professor at the University of Cambridge, Aleksandr Kogan built a personality profiling quiz that scraped its users’ Facebook data, as well as the data of millions of their friends. Kogan sold those people’s data, and his predictions about their personalities to SCL, which used it to build psychological profiles of every adult in the United States. SCL’s American spinoff, Cambridge Analytica, then pitched its so-called “psychographic” ad targeting methods to political operatives in the US.

The Cambridge Analytica scandal hit Facebook hardest, revealing just how much data the company gave away to app developers before 2015. In April, Facebook CEO Mark Zuckerberg was called to Congress to answer for the company’s actions.

Nix has since denied that the company engages in those practices. "That was just a lie to impress the people I was talking to,” he told a parliamentary committee last summer. But almost as soon as the videos aired, Nix was replaced as CEO. By May, buried under an avalanche of negative press, SCL Group announced it was shutting down completely and filing for bankruptcy and insolvency in the US and the UK. Today, just one of its many corporate properties—SCL Insights—is still up and running.

As SCL was crumbling, Carroll’s case took on a new sense of urgency. He was thrown into the media firestorm, crisscrossing Manhattan as he discussed his claim on an alphabet soup of television networks. Suddenly, this wasn’t just a wonky academic endeavor to retrieve data from some company. It was a story about rescuing that data from the one company the public had decided, and Facebook had claimed, was singularly sinister. “Chris Wylie took the story that I knew was a big deal for a long time and made it a worldwide story, a household name,” Carroll says.

When the news broke in March, the UK’s Information Commissioner’s Office was already investigating SCL for its refusal to hand over Carroll’s data. Carroll and Naik had filed a complaint with the ICO in 2017. But for months, SCL told the regulator that as an American, Carroll had no more rights to his data “than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan.” The ICO disagreed. In May, days after SCL declared bankruptcy, the regulator issued an order, directing the firm to give Carroll his data once and for all. Failure to comply within 30 days, they warned, would result in criminal charges.

SCL never complied. Julian Wheatland, director of SCL Group, told me he thinks the guilty plea the company issued in January is a “shame” and says it merely represented the path of least resistance for SCL’s liquidators, who oversee the insolvency proceedings and are duty bound to maximize the company’s assets. “There was little option but to plead guilty, as the cost of fighting the case would far outweigh the cost of pleading guilty,” Wheatland says. SCL’s administrators declined WIRED’s request for comment.

The ICO fine was ultimately measly. Carroll’s slice of it couldn’t buy him more than a MetroCard and a bag of groceries. It’s also no guarantee he’ll get his data. Naik is still waging that battle on Carroll’s behalf, as SCL’s insolvency proceedings progress. Meanwhile, an ICO spokesperson confirmed that the office now has access to SCL’s servers and is “assessing the material on them,” which could help to bring Carroll’s information to light.

But the ICO’s charges were meaningful nonetheless. It clearly underscored the fact that people outside the UK had these rights to begin with. "This prosecution, the first against Cambridge Analytica, is a warning that there are consequences for ignoring the law,” the information commissioner, Elizabeth Denham, said in a statement following the hearing. “Wherever you live in the world, if your data is being processed by a UK company, UK data protection laws apply.”

By the time I interviewed Carroll in June 2018, about a month after SCL announced it was shutting down and just days after the ICO’s deadline had ticked by, the fear Carroll felt that first time we met had almost evaporated. We were in London to hear Cambridge Analytica’s fallen CEO Alexander Nix state his case before a committee of British parliamentarians. It seemed as if the entire cast of characters involved in the story had settled into the hearing room’s green upholstered chairs. There was Cadwalladr, The Guardian reporter who’d cracked the story open, and Wylie, the pink-haired source who’d helped her do it. Carroll sat to my right, busily tweeting every tense exchange between a defiant and defensive Nix and his inquisitors.

There was also a documentary film crew, stationed toward the back of the room. They’d been trailing Carroll for months.

When husband and wife team Jehane Noujaim and Karim Amer initially set out to make what is now The Great Hack, back in 2015, they planned to follow the story of the Sony Pictures breach that had exposed the film studio’s secrets in what US intelligence officials said was an attack by North Korea. But as time went on, their attention, like that of the public’s, shifted focus from the ways in which private information is straight-up stolen to all of the little ways we give it away to powerful corporations, often without realizing it or knowing what will happen to it—and certainly without any way to claw it back.

That led them to Carroll. “We were initially drawn to David’s story because his mission to reclaim his data summarized the complexities of this world into a single question: What do you know about me?” the directors, who were nominated for an Academy Award for their film The Square, wrote in an email. “One of the things that has become increasingly clear is that whether David gets his data back or not, his case has brought to light some of the largest questions around data privacy.”

This weekend, Carroll will head to Park City, Utah, to see himself on the big screen. For Naik, the fact that a film like this is debuting to mainstream audiences represents an “astonishing step in the data rights movement.” “This shows a rapid change in interest in this field and the interest in data rights as a real and enforceable facet of human rights,” he says.

Over the past few years, these rights have expanded drastically. Last May, Europe’s General Data Protection Regulation went into effect across the European Union, giving Europeans the right to request and delete their data, and requiring businesses to receive informed consent before collecting that data. The law also established stricter reporting protocols around data breaches and created harsh new penalties for those who violate them.

Last summer, the state of California unanimously passed its own privacy law, which lets residents of the state see the information businesses collect on them and request that it be deleted. It also enables people to see which companies have purchased their data and direct businesses to stop selling it at all.

Some of the most influential business leaders in the world have simultaneously rallied around the cause. In Brussels last year, Apple CEO Tim Cook condemned what he called the “data industrial complex” and called for a federal law that would prevent personal information from being "weaponized against us with military efficiency." Even data gobblers like Google, Amazon, and Facebook have finally come out in support of a federal privacy law, partly due to the fact that such legislation could prevent the stricter California bill from taking effect in 2020.

If Congress is ever going to make good on its recent promises to crack down on rampant data mining, this could be the year. So far, senator Ron Wyden (D-Oregon) has floated some draft legislation. Senator Marco Rubio (R-Florida) proposed a bill that would task the FTC with drafting new rules. And in December, senator Brian Schatz (D-Hawaii) introduced a bill of his own, cosponsored by 14 other Democrats, that requires companies to "reasonably secure" personally identifying information and promise not to use it for harm. It would also force businesses and the third parties they work with to notify users of data breaches and gives the FTC new authority to fine violators.

“Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same,” Schatz said in a statement when the bill was announced. “Our bill will help make sure that when people give online companies their information, it won’t be exploited.”

Carroll isn’t so sure. He says bills like this hardly address the underlying problem. If data is the new oil powering the economy, then what Schatz is proposing is a process for cleaning up the next oil spill. It’s not a set of safety procedures to prevent that spill from happening in the first place. That’s what Carroll says the United States, whose homegrown tech giants control so much of the world’s data, desperately needs. He continues to believe his SCL file would prove how badly it’s needed.

Cambridge Analytica may have taken data from Facebook that it didn’t have the right to, and Facebook may have made that data too easy to access. But the most overlooked fact in the whole saga is that Cambridge Analytica wasn’t alone. From data brokers that track your every purchase to mobile phone carriers that sell your location to social media companies that give far more detail to developers than is necessary, there’s an invisible, unregulated marketplace of personal information in the United States. And it’s no longer just being used to sell us new boots or connect us with high school classmates. It’s being used to influence decisions about who the most powerful people in the world get to be.

“They’re not the only ones by any stretch of the imagination,” Carroll says of SCL. “It’s a dirty business, but sunlight is the best disinfectant.”

This is, perhaps, the one issue on which Carroll and Wheatland, SCL’s director, see eye to eye. Wheatland predictably disagrees with the broad characterization of his company, whose very name has become a proxy for everything wrong with the data trade. He says Cambridge Analytica was a “lightning rod” for a confluence of feelings about President Trump’s election, Facebook, Brexit, and the rising use of data. “We found ourselves at the nexus of all of those and became the whipping boy,” he says.

He doesn’t find many sympathetic audiences for that message these days. But he, too, says that regulation is imperative, given the “huge power” of data modeling. And he too says there’s a risk to casting Cambridge Analytica as somehow unique. “This is an issue that is much bigger than one company,” he says. “If we take this villain mentality and think that we’ve moved on, we haven’t. We’ve lost Cambridge Analytica, but we haven’t moved on at all.”

Carroll is hardly pouring one out for the loss of Cambridge Analytica. Far from it. As he watched Nix stammer and squirm in his tailored suit that June afternoon in Parliament, Carroll couldn’t help but recognize how dramatically their roles had been reversed.

These last two years have been emotionally taxing and at times lonely for Carroll, who’s become absorbed by an issue that sometimes even the people closest to him failed to understand. But every new break in the case has provided some validation that it’s all been worth it. “I don’t feel like I’m up against the wall,” he told me the night of Nix’s hearing, the documentary crew’s cameras trained on his face. “They’re up against the wall.”

But he stopped short of declaring victory. Not until he gets his data back, and sees some real change come of it. “All I want is everything,” he said. “Because I’m entitled to it. And so is everyone.”

https://www.wired.com/category/security/feed/