Alternative War: Unabridged


  The pages of documents also pointed out that “The market rate for a donation of this kind could amount to hundreds of thousands of pounds, based on the previous experience of referendum campaigns and political parties for such analytical tools. Yet Leave.eu have not declared this donation-in-kind at any point in their returns to the Electoral Commission.” I’d found that the Commission’s guidelines I was directed to specifically defined a donation as “money, goods, or services which is given towards campaign spending without charge or on non-commercial terms and has a value of over £500.” In short, there was definitely a declaration of some kind warranted.

  The documents were also explicit in stating: “Neither Cambridge Analytica, as a US company, nor Robert Mercer, as a US citizen, fit the Electoral Commission’s list of permissible donors” adding there was “no record that this donation was returned within 30 days as required.” Robert Mercer, the American billionaire and Trump campaign donor, had been funding the use of Cambridge Analytica directly since the time of Ted Cruz’s Super PAC and Steve Bannon sat on the board of the company. The rules about foreign donations are very clear, so neither would be acceptable in any case.

  In their Expert Paper On Splitting Campaign Spending84, the Electoral Commission set out the circumstances in which the costs of services might need to be divided – which includes items used before or during the regulated period of a referendum. They highlight that campaign groups must make an honest, factual assessment of the proportion of costs to be attributed to their overall expenditure. What this means, essentially, is you can’t just spend a lot of money by getting donations up front for campaign activity and then disregard it if there is an overlap of official and unofficial time periods. My source’s documentation specified the identification of this as a serious concern, stating: “In his interview with the Observer, Mr Wigmore states that the service provided by Cambridge Analytica were Leave.eu’s most potent weapon…because using artificial intelligence, as we did, tells you all sorts of things about that individual and how to convince them with what sort of advert. And you knew there would also be other people in their network who liked what they liked, so you could spread. And then you follow them. The computer never stops learning and it never stops monitoring.”

  “Given his stated views on the importance to their campaign of the service which was provided free of charge by Cambridge Analytica it seems inconceivable that the donation was not split and partially included in their returns for expenditure during the regulated period,” the evidence continued. The documents also stated that Leave.EU only became a permitted participant in the referendum on the 15th of February 2016, and so would not have legally been allowed to “hold and use the full electoral register for referendum purposes prior to that date.” This raised initial questions about the possession of data, which I rather doggedly pursued afterwards.

  All of this didn’t, however, start and end with Cambridge Analytica. The documents also referred to US-based election consultants Goddard Gunster as being employed by Leave.EU and stated: “This service has not been included in their returns as an item of split spending.” Again, Leave.EU’s deleted science behind our strategy page was cited as saying: “While Cambridge Analytica will be helping with the data, Goddard Gunster, who have fought some of the most contentious referendum campaigns all over the world (with a success rate of over 90%) will be helping us turn that data into a comprehensive strategy. Working alongside them will be Ian Warren, an expert on the issues that matter to people on lower incomes.”

  I kept searching for information and found the regulated referendum period began on the 15th of April 2016. When the limits on expenditure came into force for the designated official campaigns, the lead campaigns were given higher spending limits of seven million pounds, ten times that of Leave.EU.

  The documents I saw also made a number of assessments of potential over-spending by the official Vote Leave campaign but there was no indication of an investigation by the Electoral Commission at the time. However, Guardian journalist Carole Cadwalladr and I had been working almost in tandem, attacking the same issue from two very different angles, and she later managed to assemble evidence of, what she says is: “A close working relationship between the two data analytics firms employed by the campaigns – AggregateIQ, which Vote Leave hired, and Cambridge Analytica, retained by Leave.EU.” She states AggregateIQ is, in fact, a Canadian field office of Cambridge Analytica and the two campaigns are linked by a memorandum on joint operations, making both of them illegal85. Following her series of articles, the Guardian was confronted with legal action, with the companies using a law firm linked to Russian-owned Rosneft and Donald Trump. Carole told me this while we were sitting on a panel discussing weaponised data at the Byline Festival, at the start of June 2017. Trump himself had also been linked to the Rosneft deal by the now infamous Steele dossier, through his association with Carter Page.

  Page was a foreign policy advisor to Trump until September 2016, and British ex-spy Christopher Steele’s dossier86 is – to say the least – disparaging, noting: “The Rosneft president was so keen to lift personal and corporate Western sanctions imposed on the company, that he offered Page and his associates the brokerage of up to a 19 percent (privatised) stake in Rosneft.”

  “In return, Page had expressed interest and confirmed that were Trump elected US president, then sanctions on Russia would be lifted,” Steele added.

  At the early stage of the Electoral Commission investigation, when I reported on the documents, I didn’t know any of this and there was no reason to believe anyone had been arrested, summonsed, or charged in relation to the Leave.EU investigation. The Commission refused to confirm or deny this too – though they were asked directly, so I could make sure there were no contempt of court issues to consider alongside the distinct matter of public interest in writing the article. It is, however, worth pointing out that, prior to an investigation being launched, an assessment is always made by the EC and – according to their policy – they “robustly dismiss the investigative option without credible evidence.” They only open formal investigations themselves where there are reasonable grounds and where the offence is “in the public interest.”

  Trying to get the other side of the story was a dead end – I found getting hold of Leave.EU nigh on impossible. Andy Wigmore still hasn’t replied to my original request for the company’s official response, even now, though we have spoken since.

  In terms of enforcement, the EC can either force compliance of parties with a contempt of court order or prosecute them. They can also issue a Stop Notice, requiring an individual or organisation not to begin, or to cease their activity and, in addition – in the case of impermissible or unidentifiable donations or loans being involved – the Commission may also apply for forfeiture. The formal sanction structure is simplistic and consists of a sliding scale, which runs from a fixed monetary penalty of two hundred pounds, then a variable penalty between two hundred and fifty and twenty thousand pounds, then escalates to Compliance and Restoration notices (which set out what not to do and how conduct must be managed, or force the party to restore ‘the position’ to what it would have been before the offence). They can also issue an Enforcement Undertaking – a binding agreement to conduct matters in a specified fashion. Taking into account the likely impact of interference in something as serious as a referendum which changes the entire economic model of a country, the options available are clearly woeful. However, the Electoral Commission was instrumental in the electoral fraud investigations arising from the 2015 General Election, despite the fact these cases were left with the Crown Prosecution Service for charging decisions and no further action was taken in around thirty cases – with the exception of South Thanet, where three people were charged with offences.

  Looking at other recent cases, reported by the Commission on the 19th of April 2017, it was possible to gain insight into sanctions and financial scales in a more related – though indirectly comparable – case to the non-political party Leave.EU group. Greenpeace and Friends of the Earth worked as campaign groups during the 2015 General Election and, following an EC investigation, Greenpeace was fined thirty thousand pounds for incurring over a hundred and ten thousand pounds in campaign-related expenditure. Friends of The Earth were fined a further grand for a twenty-four-thousand-pound campaigning spend in conjunction with Greenpeace. Despite this, it didn’t strike me as something which would be an effective sanction in a case which changed the whole course of a nation.

  I’ll be the first to admit, while there appeared to be a lot to go at in terms of leads to follow up, there were equally a number of dead ends. I was also conscious, not having the financial backing of a large newspaper group, if I rocked the boat too hard I might face a litigious backlash and have to walk away. After I took a pause for thought, I realised the only way to start to unravel all of this was with cold, hard information. Data. So, I started to treat the investigation like the intelligence-led operations I used to carry out in the old days.

  It paid off.

  Ten:

  Our individual data is electronically stored on thousands of servers across the world. Our employment records, personal lives, medical histories, psychological profiles, political views, and our private communications. When assembled together, this forms what’s become known as a Big Data Profile and, in reality, none of us can escape its existence. Though I didn’t know this when I first started my investigation, HB Gary had recognised this would become a weapon years ago.

  Scientific research, including important work by Michal Kosinski87 at Cambridge University, has shown that a big data profile can be used to develop targeted marketing or messaging, designed to drive a behavioural response in an individual. The technique is known as either psychographics or psychometrics and became famous, or infamous, following its use by Cambridge Analytica in the Trump and Brexit campaigns. Kosinski’s work initially used surveys to develop a profile, then he developed it and, with enough social media likes alone, he got to a point where he could “know” people as well as – if not better than – they knew themselves. There are also rumours his work was less than scrupulously taken elsewhere, though Cambridge Analytica fiercely denied any involvement when this was reported.

  Data is, in fact, now the single biggest commodity in the world and can be used to drive electorates in almost every aspect of their decision making – the ownership of this data subsequently controls geopolitics and the world financial markets. But, our data is also unsafe and being deliberately stolen on a regular basis. The largest known hack to date was centred around international technology company Yahoo, with the information of around 1.5 billion users stolen across its platforms. The company believed the attack was “state sponsored” and, in March 2017, the FBI and the United States Department of Justice announced charges against Russian individuals, including Russian Federal Security Service (FSB) agents Dmitry Dokuchaev and Igor Sushchin88. The indictment reads: “The FSB officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the US and elsewhere. In the present case, they worked with co-defendants Alexsey Belan and Karim Baratov to obtain access to the email accounts of thousands of individuals.” The legal papers also highlight that: “During the conspiracy, the FSB officers facilitated Belan’s other criminal activities, by providing him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by US and other law enforcement agencies outside Russia, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers.” This means they actively managed the assets and trained them in counter-espionage.

  In commenting beyond the dry indictment wording, the US law enforcement community did not pull any punches. “The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale,” said Acting Assistant Attorney General McCord89, adding: “Once again, the Department and the FBI have demonstrated that hackers around the world can and will be exposed and held accountable. State actors may be using common criminals to access the data they want, but the indictment shows that our companies do not have to stand alone against this threat.”

  By June 2017, Vladimir Putin had been backed into a corner by the weight of evidence against Russia and started trying to distance himself from any involvement in subverting the 2016 US election. In comments to reporters at the St. Petersburg Economic Forum, Putin glibly described hackers as artists and peddled a line they “may act on behalf of their country.” Referring to these “artists”, he added: “They wake up in good mood and paint things. Same with hackers, they woke up today, read something about the state-to-state relations. If they are patriotic, they contribute in a way they think is right, to fight against those who say bad things about Russia.” By the time these words left his lips90, I had accrued more than enough evidence to believe we weren’t talking about lone, digital artisans and that the FBI was right: Russia was using outside help in its operations. Deniable assets.

  After reading the indictments against the FSB, I carried on researching and found the illegal data trade was well documented across the world – with so-called Data Laundering now clearly defined as: “Obscuring, removing, or fabricating the provenance of illegally obtained data such that it may be used for lawful purposes.” Security experts were also well aware of the huge scale of the problem and had been for several years. New Zealand-based expert Andy Prow91 had previously said turning hacked data into a legitimate commercial asset was: “the nature of a maturing industry” and highlighted that hacked data is easily made to look legitimate then sold on to, often unsuspecting, clients.

  “It doesn't raise too many warnings,” he added.

  I also found that hackers, traditionally, sell stolen data not for cash currencies, but for Bitcoin payments. In May 2016, one hacker offered the private data of nearly one hundred and twenty million LinkedIn users, including passwords, in exchange for five Bitcoin and in September 2016, a further sixty-eight million account details, this time from Dropbox, were offered for sale for two Bitcoin. Both offers were made on the Dark Web outlet TheRealDeal.

  The Real Deal is a website considered a part of the cyber-arms industry, also reported to be selling code and zero-day software exploits – the latter of which is something I returned to later in my investigation, after a worldwide cyber-attack took out critical infrastructure across several countries and caused major disruption to the National Health Service in the UK. In July 2015 the Real Deal website was down for twenty-four hours at the same time as cybercrime forum Darkode was seized by the FBI and various people were arrested under Operation Shrouded Horizon92. The FBI called the raid: “The largest-ever coordinated law enforcement effort directed at an online cyber-criminal forum.” However, by December the 1st 2015 The Real Deal announced its reopening for business on DeepDotWeb, a news site dedicated to events in – and surrounding – the Dark Web. (For the uninitiated, the Dark Web is the content which exists on overlay networks that require specific software, configurations or authorization to access them, while the Deep Web is the whole of the internet which isn’t covered by mainstream listings and search engines.)

  Returning to the financial currency of the shadier side of the internet, Bitcoin are worth around one thousand pounds each, though this varies by the current exchange rates, and their value increased exponentially over the five years leading to 2017. It is worth explaining, though, there have been other electronic global currencies before Bitcoin’s creation. Back in 2006, Donald Trump’s advisor Steve Bannon was involved in a company called IGE who, via Goldman Sachs investments, spent sixty million dollars on a ‘gold farming’ enterprise within the online game World of Warcraft93. This involved harvesting virtual gold resources and selling it back to players. Eventually, IGE was confronted with a lawsuit, the gold trade came to an end, and Bannon went on to head up the right-wing news site Breitbart, then sat on the board at Cambridge Analytica before moving to the White House.

  In the time after IGE, the online currency market began to change drastically. Bitcoin’s cryptographic, decentralised currency first appeared in 2007 and was developed by what is thought to be a collective of people operating under the pseudonym Satoshi Nakamoto94. The patents for bitcoin and its encryption first appeared in 2008 and were registered by Neal King, Vladimir Oksman, and Charles Bry, though they have always denied being involved with Nakamoto.

  The Nakamoto persona itself disappeared from Bitcoin forums – and then altogether – in December 2010 and this came after Wikileaks began to accept the currency for donations, despite pleas from the Bitcoin founder for this not to happen. They wrote at the time, “I make this appeal to Wikileaks not to try to use bitcoin. Bitcoin is a small beta community in its infancy. You would not stand to get more than pocket change, and the heat you would bring would likely destroy us at this stage.” WikiLeaks went on to harness the use of Bitcoin regardless and has since reportedly hidden messages in blockchain code associated with the currency transactions. In one such episode after reports of law enforcement raids, they inserted a “we are okay” message into their transaction data95. It was this, really, which started to draw my attention to the operation who I had once thought of as transparency champions and I didn’t really like what I found.