especially if used for electoral purposes, raises serious risks to voter privacy. In the most notorious example implicating voter data from social media sites, the Cambridge Analytica scandal involved alleged improper third-party uses of Facebook data by campaign consultants, although Facebook disputes the extent.
The Elections Modernization Act
The Elections Modernization Act of 2018 makes a host of changes to federal election law, including some important measures to improve cyber security. First, social media platforms with a minimum number of users are required to keep a repository of all political advertisements run on their websites.5 This move offsets, to some extent, the influence of microtargeting. Microtargeted advertisements are only seen by the viewers to whom they are directed, and rules on disclosing the source are easier to evade online. There is, therefore, less public scrutiny of the content and the source than there would be with a traditional advertisement on television or radio. A mandatory repository of advertisements imposes transparency and facilitates public scrutiny of advertisements. This new legislative requirement will not prevent foreign-placed advertisements or domestic ones that otherwise breach campaign finance laws, but it increases oversight as the advertisements will be made available to the public, media and politicians to examine. Second, the act also creates a host of offences that are directed at digital threats, including interfering with a computer.6 Social media platforms will not be permitted to take foreign advertisements communicated for the purpose of influencing an elector.7 The statute also creates new offences of impersonating a politician or Elections Canada.8 These offences are promising attempts to update the Elections Act to account for digital democracy and existing cyber threats. Yet, they collectively face some challenges, in particular around deterrence and enforcement. It is unlikely that new offences will deter foreign actors funded by a hostile government from hacking into the database of a political party or from placing misleading content on Facebook. Even if the wrongdoers can be identified, if they reside outside of Canada in hostile countries it is unlikely that they would ever be held
accountable. It is also unclear whether the provision on impersonation will cover deep fakes. Finally, the legislation will require political parties to have privacy policies that address specific issues, but does not go so far as to grant voters an enforceable right to their personal information and does not give them a cause of action to combat privacy infringements.9 This tepid approach to regulating political parties and privacy is a significant missed opportunity, not only for privacy but for cyber security as well. Laws imposing stringent privacy protections would have the salutary indirect effect of requiring parties to strengthen their cyber security protections and would limit the collection of the massive amounts of personal data that underwrite data-driven electoral threats.
Messaging apps that are end-to-end encrypted, such as WhatsApp, increase the risks of misinformation and impersonation of election administrators. (Photo: Tero Vesalainen / Shutterstock.com)