Analysis
Italian regulators caught Facebook selling citizen data to political parties
Facebook gathered information about voters’ opinions on the Italian elections that brought Meloni to power. This highly valuable package of information may have been sold to those who were after their votes.
The “conscious vote,” in the end, was to Zuckerberg’s benefit, having little to do with democracy. Quite the contrary. To understand what we’re talking about, it is essential to note the quotation marks, because we’re not referring to a legal or constitutional principle, but simply to an advertising campaign. It was a campaign passed off as a public service, launched in Italy by Meta/Facebook on social media, which stressed the term “conscious vote.” But in reality, it seems to have allowed the digital giant to profile its voting users – without their knowledge.
It appears to have allowed Facebook to collect data about how old they are, where they live, what their opinions are, what doubts they have. And this highly valuable package of information may have been sold to those who were after their votes.
Does that sound like a conspiracist fantasy? It’s all laid out in black and white in a ruling – a few weeks old, but communicated only a few days ago – by the Italian Data Protection Authority (GPDP). And, even more alarmingly, the matter refers to the last general election, which anointed Giorgia Meloni as prime minister.
Let’s take a look.
Those who are actually using the “walled garden” called Facebook may have noticed that some time before September 25 last year, a notice appeared on the social platform reminding everyone to “go vote.”
Even more: this service – which Zuckerberg’s behemoth called “EDI,” short for “election day information” – made it so that with a simple click one could access the ministry website where one could “gather all truthful information about the election.” In addition, there was also a fact-checking service, entrusted to a group of experts – chosen, of course, by Facebook itself.
The same happened on Instagram, where a button showed up in a prominent place on its pages. Again, a one-click service.
To take advantage of this service, however, it was necessary to provide your email address, first name, last name, age and other information. This is all personal data which – as anyone knows by now – can be combined with other data collected in the most diverse ways. And, put together, they amount to an accurate profile of a voter. Such information is coveted by many, all the more so on the eve of an election.
At the Italian privacy guarantor’s headquarters, this immediately rang alarm bells. And, as European rules require, it sent a complaint over to Dublin.
This is because on the Old Continent, Zuckerberg’s group is called “Meta Platforms Ireland Limited”: it chose Dublin as its headquarters, where it pays far less tax, and since it has created some jobs, it can count on a lot of acquiescence from the authorities. And in Dublin – again, as everyone knows – the supervisory authority seems lost in the fog most times: dozens if not hundreds of requests for investigations on Facebook’s practices are gathering dust in drawers. For every fifty complaints about probable violations, there’s just one investigation and one – small – fine.
In any case, those are the rules, and they require that the Irish Data Supervisor be informed first. The latter, decidedly unhurried, asked Meta for an explanation. The company’s first response was, essentially: don’t worry, everything’s fine.
Of course, such a claim could not be enough all by itself. In short, “there were serious doubts, given also the sensitivity of the matter,” explains lawyer Claudio Scorza, who works for the Italian Guarantor’s office.
As a result, a new request for an investigation was sent from Rome and a new answer came back from Meta/Facebook to the Irish authority. The second time it was even more dismissive and arrogant.
But this had obvious errors, in both form and substance. Because the company – claiming rather fancifully that its EDI project was very “transparent” and that in any case it complied with European data laws – added that the information collected concerned “only” Italian users of age, that it was kept “only” for 90 days, and that in the end it was made available to scholars, sociologists, and analysts. And also – we read at the very end of the statement – “to electoral committees.” In short, to political parties.
These things all seem to blatantly violate European laws. Because without any verification there is no way to ascertain whether the user is really of age – and one of the most serious violations is precisely the profiling of minors; and because if the EDI project had a social function related to the elections, it’s not clear why the data still needs to be kept for three months. And in no way can it be justified for that information to end up in the hands of political parties, i.e., those with a particular interest in how Facebook users are voting.
In short, there were enough issues for the Italian GPDP to decide to take advantage of a lesser-known rule, also provided for in European laws (and used very few times, the experts say), which applies when there is an “urgent” need to act in the face of delays in an investigation.
This is how Rome’s privacy watchdog overruled Dublin and issued a ruling – a formal notice, in bureaucratic parlance. In short: pending the outcome of the investigation in Ireland, Meta/Facebook now has three months to delete the data and to introduce a policy that from now on will prohibit the extraction of sensitive data for political purposes. If it doesn’t comply, there will be trouble for Zuckerberg.
Of course, the damage to democracy (whether small or big, nobody knows) has already been done. But this time, for once, Italian bureaucracy is not to blame.
Originally published at https://ilmanifesto.it/facebook-passava-i-dati-dei-votanti-ai-partiti-il-garante-per-la-privacy-interviene-durgenza on 2023-02-19