Cambridge Analytica’s secret coding sauce allegedly leaked

Not only did Cambridge Analytica (CA) scrape Facebook user data without permission, all while Facebook turned a blind eye; the company has also been tied to another analytics firm that allegedly left its code flapping on the laundry line.

That includes exposed political data and microtargeting tools that Republican campaigns used to target ads designed to sway the 2016 US presidential election. CA’s clients included not only campaigns for the victorious Donald Trump; also-rans Ted Cruz and Ben Carson also forked over big bucks to CA for microtargeting, as did Arkansas Senator Tom Cotton and former US Ambassador to the United Nations John Bolton (now being considered to replace H.R. McMaster as White House national security adviser), among others.

Security firm UpGuard claims that it found a large code repository from AggregateIQ (AIQ), a Canadian political data firm also active in the 2016 US presidential race, left publicly downloadable online.

You might remember that data analytics firm’s name for its part in Brexit: the official Vote Leave campaign gave £3.5m to AIQ, which, like CA, specializes in highly targeted Facebook advertising.

Over the weekend, The Guardian reported that CA has undisclosed links to AIQ. The Guardian reports that former CA employee/founder turned whistleblower Christopher Wylie has revealed that besides setting up CA, he was also a central figure in setting up AIQ.

AIQ and CA’s parent company, SCL Group, are tied by an intellectual property license, but the threads that bind go way beyond that: Wylie says that some CA staff referred to AIQ as a “department” within the company and that the two businesses shared the same underlying technology.

According to UpGuard, it found that technology within an open repository that holds a smorgasbord of tools used to influence individuals, including…

…a set of sophisticated applications, data management programs, advertising trackers, and information databases that collectively could be used to target and influence individuals through a variety of methods, including automated phone calls, emails, political websites, volunteer canvassing, and Facebook ads.

It also allegedly found what it says is a possible misconfiguration at AIQ’s customized Gitlab code repository. Last Tuesday, UpGuard Director of Cyber Risk Research Chris Vickery – if you know breaches, you’ll surely recognize that name – discovered what UpGuard says is a large data warehouse hosted on a subdomain of AIQ.

Getting into it was no problem: after entering the URL, the warehouse prompts the visitor to register to see the contents, for free. All you have to do is enter an email address. After that, dozens of code repositories are downloadable, handing you the keys to the psychographic kingdom:

Within these repositories appear to be nothing less than mechanisms capable of organizing vast quantities of data about individuals, measuring how they are being influenced or reached by advertising, and even tracking their internet browsing behavior.

Vickery found that the “simple matter” of neglecting to fix a permission setting to exclude public registrants from waltzing into the development repository rendered the code exposed.

UpGuard says beyond the voter targeting tools, it found data that could have been used by “any malicious actors encountering the exposure,” including…

…numerous credentials, keys, hashes, usernames, and passwords to access other AIQ assets, including databases, social media accounts, and Amazon Web Services repositories…

… As it was left publicly downloadable, many sets of internal credentials that could have been used to launch damaging attacks were left out in the open.

The files confirm that CA didn’t come up with its own software platform; rather, it was AIQ’s technology behind campaign apps created for Ted Cruz and Texas Governor Greg Abbott, as well as a Ukrainian steel magnate named Serhiy Taruta, head of the country’s newly formed Osnova party. The software was called Ripon (named for the town of Ripon, Wisconsin, where the Republican Party was founded).

The files were quickly taken offline Sunday night after Gizmodo reached out to AIQ co-founder Jeff Silvester.

Gizmodo says AIQ was solely responsible for the platform, but that the company was bound by a non-disclosure agreement from discussing its contract with CA.

The US Federal Trade Commission (FTC) is now investigating Facebook, looking for answers as to how it lost control of more than 50 million users’ personal data to CA.

British authorities are also investigating whether the Brexit campaign violated election finance rules by illegally funneling money to AIQ through other Brexit groups. That includes a donation of £625,000 pounds ($888,000) allegedly sent to the pro-Brexit student group BeLeave but which wound up going directly to AIQ.