2019 also became the year when election contestants actively collected citizens’ information online, which could be later used for targeting them with political ads and other personalised communication. All five political parties elected to parliament in 2019 – Servant of the People, Opposition Platform – For Life, Batkivshchya, European Solidarity, and Holos – collected voters’ personal data through various registration forms on websites or social networks, cookies, and other methods. Based on the data from the websites of Servant of the People and European Solidarity, at least 102,000 people registered online with these two parties alone as prospective members, supporters or volunteers. And while Ukraine’s electoral legislation contains no regulations aimed at safeguarding the use of voters’ personal information, the country’s 2010 personal data protection law sets mandatory requirements for all automated processing of personal data, which should also apply to online practices of political parties and candidates.
Despite this, an analysis of parliamentary parties’ websites and social media activity indicates that none of them fully complied with the requirements and user consent principles set out in Ukraine’s data protection legislation. For example, only two parties offered privacy policies on their websites. Three parties requested the consent of users to the processing of their personal data, although one of them failed to specify exact ways in which the data could be used. Four of the five parties used a variety of analytical services that could track user’s activity across the web or share information with third parties and all five used cookies installed by social media platforms for advertising purposes, of which only two parties even tried to notify users but never asked for their consent. Moreover, fewer and far less consistent attempts to fulfill personal data protection requirements were made when parties engaged with voters via social media or other customisable tools, such as Google forms, online petitions or email marketing services.
A simple inspection of the five parliamentary parties’ websites also revealed some security issues on four of them, which were of particular concern since the websites were used for personal data collection. These included lack of proper encryption of the whole website or its parts, failure to update modules and software with known vulnerabilities – issues that could have been easily fixed had political parties dedicated sufficient attention to the matter. The post-election hacking of Holos’ server holding supporter data – although appeared to be an unofficial penetration test by a group of Ukrainian hacktivists – was further indicative of the cyber security level maintained by the parties.
While Ukraine’s local elections held on 25 October seem to have brought about a shift in voters’ political sympathies, not much has changed in the realm of digital campaigning. According to Facebook’s library data, the number of political ads published on the platform during the current campaigning period nearly doubled compared to the 2019 parliamentary elections, with parties and candidates spending around 3.1 million US dollars on advertising.
Yet online political campaigning remains largely unregulated in Ukraine despite the efforts of civil society. Even after the Central Election Commission recently took steps to increase the transparency of political parties’ online spending in 2020, legal ambiguities still make it practically impossible to hold those in violation of online campaign financing accountable, while simultaneously enabling the use of digital advertising outside the official campaigning period.
For instance, election observers noted that over 50 political parties ran political ads on Facebook ahead of the start of the local campaign, and that numerous parties and candidates failed to disable their advertisements during the election silence period. When asked whether the platform would take any measures to limit campaigning on the election day, Facebook’s Public Policy Manager for Ukraine noted that such limitations so far have only been foreseen for the US elections and do not extend to any country outside the United States. At the same time, Facebook continued to be the only platform that offers some transparency with regard to political and social advertising in the country, while details of such activity on Google or YouTube remained undisclosed to Ukrainians.
As to the treatment of voters’ personal data during local elections, political parties and candidates have again demonstrated a rather low regard for voters’ privacy and data protection regulations. Out of the ten parties that most actively advertised on Facebook, nine invited voters to register with them online, while only three outlined how they would process the data in privacy policies on their websites and only five asked for users’ consent for such processing. Neither Batkivshchyna nor Opposition Platform – For Life were among them, continuing the same data practices that researchers found problematic in 2019.
At the same time, a number of recent mass personal data leaks from what appear to be Ukrainian government registries and commercial databases, as well as indications of possible illicit data sharing between the political campaigns and government entities, demonstrate that the disregard for personal data protection in Ukraine extends beyond the electoral cycle. This poses multiple dangers to the country simultaneously juggling domestic reforms and a continued armed conflict with Russia.
Given the proliferation of commercial digital technologies now used for political means, it is of crucial importance for Ukraine to introduce important clarifications, mechanisms and safeguards pertaining to online campaigning and protection of citizens’ personal data – before the situation is further exploited by either domestic or external actors.Print