Last March I was sitting at the kitchen table, enjoying my morning coffee, when an email from [email protected] arrived. Two months earlier, I had requested my data from the Trump campaign’s data analytics firm, Cambridge Analytica, and the subject line of this new email (“Next steps in your request”) seemed promising. Cambridge Analytica, a part of the British company SCL Group, had boasted about collecting upward of 4,000 personal data points on people, including 240 million Americans, and as a researcher of the advertising industry’s use of data and technology, I had requested my own data profile out of academic curiosity.

Even as it dissolves, Cambridge Analytica epitomizes a distressing new era of digital colonialism. The next dark data machines are already being built for the next elections.

The plan was not to take down the whole company. But when that email and its attachments failed to provide more than a cursory, generic profile lacking specific details on how they created it, I filed an official complaint with the Information Commissioner’s Office, the United Kingdom’s data regulator, on July 4, 2017. As a U.S. citizen, there was very little I could do under U.S. law, but the legal challenge in British court that followed my ICO complaint centered on Cambridge Analytica’s compliance with the UK Data Protection Act of 1998. Both my complaint and separate legal claim challenge whether or not the company has been providing full disclosure as required by British law. They also seek to assert the right to be protected from this particular abuse of personal data in the future.

Cambridge Analytica has argued that because I am a U.S. citizen, I am no more entitled to UK data protection rights “than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan.” But, thankfully, nearly a year after my formal complaint, the ICO disagreed, saying that because my data was processed in the United Kingdom, the Data Protection Act of 1998 applies.

Not only is commercial foreign election interference anathema to democratic institutions, but consultancies such as SCL serve as bait for hostile state actors.

In an unprecedented and necessary flex of its muscle, the ICO served an Enforcement Notice against the executives that lurk behind the façade of Cambridge Analytica. They were told to provide all the information and details of my profile, including where they got the data and what they did with it. SCL was given thirty days (until June 4) to comply, appeal, or face criminal sanctions.

One would assume that Julian Wheatland, SCL’s new CEO, does not want criminal penalties over a stubborn refusal to give me my complete voter profile, but this company has, from the beginning, shown a remarkable disdain for its regulator (the ICO) and a stunning refusal to fully cooperate with its watchdog and lawmakers. That it has come to a criminal warrant and the risk of criminal charges illustrates the absurdity. Unless, of course, they are hiding something.

• • •

Cambridge Analytica’s servers were seized under criminal warrant back in March, and the company filed for bankruptcy not long after it was revealed that it improperly exploited the data of 87 million Facebook users beginning in 2014, likely in contravention of UK data protection law, pending a report by the Information Commissioner. The ensuing media firestorm—to say nothing of the escalating legal fees—decimated the firm’s reputation.

But this big data debacle was, in my opinion, just the start of a seismic shift. As a privacy nerd, I warily cultivated a Facebook presence for myself but kept my settings on lockdown. According to Facebook’s own notification tool, I was not among the 87 million victims of the original data leakage. However, we can assume that Cambridge Analytica used data from many companies to compile its voter profiles, including data brokers such as Experian and Acxiom, media ratings agencies such as ComScore and Nielsen, and Oracle’s data management platforms for advertising tech.

By June 4, we should have a much fuller picture as to which of these other companies provided data that was matched to our voter registrations, without our knowledge, beyond our reach, and across international borders. Even as Cambridge Analytica rushes to liquidate and close up shop, the ICO has made it clear that Cambridge Analytica must still release my data, and if it does not, the executives could face criminal charges. Their business model was based on the premise that they could amass data on voters from countries with weak privacy laws, such as the United States, but it turns out they were operating based on a crucial misunderstanding of British privacy law.

There is still a lot we do not know about Cambridge Analytica’s involvement in the 2016 presidential election.

Getting to this point has taken more than a year of time and effort. It has involved crowdsourcing a legal defense fund, weaving together many nested Twitter threads, and putting myself and my family at some considerable risk. All to test a privacy law in another country. But I am hopeful that when I win, everyone wins. We all have the right to know how firms connected to Cambridge Analytica got hold of our data, how they processed it, and who could have accessed it. This is how we can repatriate our voter files, something none of us ever imagined would become a necessity.

Moreover, my case serves as a test case in this strange new realm of internationalized (and possibly militarized) election management, voter data technology, and political consulting firms who apparently employ tactics inspired by state intelligence agencies. For those of us whose democracies have been monetized by SCL Group and its affiliates, we may soon be able to reassert some control over our personal data before it is liquidated to the highest bidder.

And not a moment too soon. Even as it dissolves, SCL Group epitomizes a distressing new era of digital colonialism. The next dark data machines are already being built for the next elections. Americans and citizens from other nations affected by SCL are finally beginning to appreciate why we all need data rights such as those afforded to citizens of the United Kingdom and European Union.

• • •

But regulations such as the UK’s Data Protection Act and the EU’s newly enforceable General Data Protection Regulation can only do so much. Indeed, the Cambridge Analytica story resonates for many because it epitomizes the worst-case scenario. Cambridge Analytica enjoyed notoriety for its self-proclaimed psychological methods, but it is not likely to be a historic company in the long-run because of its invasive psychographics. More likely, this scandal illustrates how data crimes can undermine democracies around the world.

The scandal illustrates how data crimes can undermine democracies around the world.

There is still a lot we do not know about Cambridge Analytica’s involvement in the 2016 presidential election, but the Justice Department and the FBI are now reported to be investigating the company, along with several state attorneys general. Amidst a narrative of corruption and intrigue, Cambridge Analytica serves as a needed focal point in a transnational escapade spanning the United States, the UK, Canada, Kenya, Nigeria, India, and far beyond.

When this saga concludes, we will better understand how and why the Mercers, the family of influential conservative donors whose patriarch founded Cambridge Analytica, allegedly funded the importing of illicit data science talent and software development from abroad. (I am guessing that expert data scientists willing to work on invasive and dubious Republican campaigns are a rare breed.) And we may also better understand Russia’s interference.

We know, based on testimony by whistleblower Christopher Wylie to Senate Judiciary and Parliament select committees, that the disgraced Alexander Nix pitched Lukoil’s CEO, Vagit Alekperov (who, like all oligarchs, is allegedly tight with Vladimir Putin), with a sensitive white paper on SCL’s voter data assets. Wylie also surmised that the Soviet-born, U.S. academic at the center of the Facebook data misappropriation scandal, Dr. Aleksander Kogan, could have easily been infiltrated and key-logged by Russian intelligence services during his travels back and forth between St. Petersburg University and Cambridge University in 2014. Wylie has also emphasized on multiple occasions that SCL Group was a prime target for hostile espionage based on its political clientele and its work in the Baltics for NATO. 

Even beyond its very flawed business model, this company should never have existed. Not only is commercial foreign election interference anathema to democratic institutions, but dodgy consultancies such as SCL serve as bait for hostile state actors—actors who are keen to amass personal data and weaponize it for information operations that sow chaos, divide an electorate against itself, and undermine confidence in democratic elections everywhere.

We need to unravel the tangled web of money and data laundering to show how ordinary citizens can support election integrity in the information age.

The election interference data crimes of 2016 may not even be limited to potentially treasonous conspiracies with Russian oligarchs and clandestine agents. Just this week, Bloomberg reported on a previously unknown information operations shop, PSY Group, which had links to Saudi Arabia and the United Arab Emirates and was led by a former commander of an Israeli psychological warfare unit. PSY Group “formed an alliance with Cambridge Analytica” after Trump’s election “to try to win U.S. government work” by presumably offering services that include “infiltrating target audiences with elaborately crafted social-media personas and spreading misleading information through websites meant to mimic news portals.”

Cambridge Analytica may be dead, but this story is not yet over. I hope we manage to unravel this tangled web of money and data laundering to show how ordinary citizens can support election integrity in the information age. Our democracy and sovereignty—both personal and national—depend on it.