North America Dot Map

Trail from AggregateIQ Data Leak points to GOP-Linked Firms

A data leak by a company called AggregateIQ has revealed that the obscure Canadian firm developed the software Cambridge Analytica used and sold to clients during the 2016 election to help Republican campaigns target voters, security firm UpGuard revealed this week. Clues in the data suggest other well known GOP linked data and research firms were also involved.

Data uncovered by Chris Vickery, research director at UpGuard, a California-based cyber risk firm, shows a clear link between AggregateIQ and the strategy and activity of Cambridge Analytica and its parent company, Strategic Communication Laboratories (SCL), to use technology platforms, consumer information and social networks to sway voters in the favor of Republican candidates in U.S. elections, he said.

However, clues in the data – including mention of a project called the “Database of Truth” – suggests more elaborate plans were afoot to leverage Republican voter data and powerful analytics tools to aid GOP candidates up and down the ballot, with two well-known GOP linked market research and data analysis firms also named in the documents.

The data store is “a set of sophisticated applications, data management programs, advertising trackers, and information databases that collectively could be used to target and influence individuals through a variety of methods, including automated phone calls, emails, political websites, volunteer canvassing and Facebook ads,” the firm said in a blog post on its website.

Vickery has made a name for himself and UpGuard by uncovering vast data troves – often left exposed in unprotected or lightly defended cloud based repositories like GitHub or Amazon’s S3 cloud based storage service. In the past, Vickery has uncovered data from firms like the data broker Alteryx and brand promotion agency Octoly. The data leak came to light as a result of an online search of a public source code repository, GitHub. Vickery said he discovered a “large code repository” originating at the Victoria, British Columbia-based company that was left for public download.

His method often relies on programmatic searches of web domains on platforms like Amazon’s S3 or GitHub, followed up by more targeted probing to see if sensitive data is publicly accessible.

“I had seen a reference to AggregateIQ and I didn’t know what it was,” Vickery explained to Security Ledger about how he found the data repository. “I decided to check out what sub-domains existed under One was called Gitlab.” When he arrived at the Gitlab domain, the account registration was still available. So he did what any curious security researcher would do—registered for an account. What this gave him access to was a custom code repositories that clearly tied AggregateIQ to the activities of Cambridge Analytica, he said.

North America Dot Map
Clues in the leak of data from the firm AggregateIQ point to the involvement of other GOP linked market research and analytics firms.

Links to Republican candidates

One such file links AggregateIQ to the development of the Ripon program, which Republican presidential hopeful Ted Cruz used to target voters in his unsuccessful bid for that party’s nomination in 2016. Ripon did not just extend to Cruz’s campaign, however—it was a platform that Cambridge Analytic intended for Republican candidates so they could use psychological profiling to win over voters. The platform appeared to use data culled from social networks in its voter targeting, according to the UpGuard post.

“The ‘libs’ folder within ‘Ripon_canvas’ begins to give some illustration as to how this actually was meant to function,” according to the post. “Contained within these libraries are configuration files for using Ripon in a number of crucial primary and caucus states….Among the most interesting is the configuration file titled ‘config.ia.php,’ likely signifying Iowa, the crucial first caucus state Ted Cruz won in 2016 while using Cambridge Analytica’s data. This configuration file, like all the others, contains an exposed Facebook app ID and secret key, as well as credentials accessing Twilio, an SMS messaging service.”

AggregateIQ took the files down minutes after being contacted about the breach, Vickery said.

From a security perspective alone, Vickery’s ability to get such easy access to such damning information is jarring enough, he told us. “Misconfigurations can be catastrophic for a business,” Vickery said. “Leaving public registration available for a code repository is a misconfiguration—potentially.”

More than a mere security issue

The discovery has much larger ramifications, however. Cambridge Analytica and its parent company SCL is under intense scrutiny for its role on behalf of Republican campaigns, including the Presidential campaign of Donald Trump. The New York Times has reported on how the firm used information collected from Facebook and other sources to target voters during the 2016 elections. The ongoing investigation of Cambridge Analytica and its connection to Facebook and election activities has spurred a maelstrom of criticism and potential legal implications over how political operations can use and harvest consumer information. It also forced Facebook Chief Information Security Officer Alex Stamos to leave his post.

[Read also:For Facebook’s Stamos, conflicts over breaches and disclosure a theme]

“If this was an innocuous marketing company not involved in the democratic process, the story here would be more about configuration,” Vickery said. “But because I have a civic duty to democracy and the overwhelming public interest, we [felt] we had a duty to dive a bit deeper as public citizens.”

AggregateIQ is insisting in a statement on its home page that is not a part of Cambridge Analytica or its parent company, SCL, nor does it have contractual ties to Cambridge Analytica. Noticeably absent is any mention of not having contractual ties to SCL.

“AggregateIQ is a digital advertising, web and software development company based in Canada,” the company said. “It is and has always been 100 percent Canadian owned and operated.”

Moreover, the company said that Chris Wylie has never been an employee of AggregateIQ. Wylie is the whistleblower who revealed how Cambridge Analytica used data obtained from more than 50 million Facebook users to target voters in the 2016 election.

AggregateIQ did not immediately respond for a request for comment.

Clear ties between AggregateIQ and Cambridge Analytica

Vickery doesn’t buy the company’s story that it’s an independent firm for a second. Based on the data he viewed, he called AggregateIQ more a “department within SCL” than a separate entity. “There is so much interaction between [the companies], he said. “It’s like with AT&T or Sprint–they may have a small 20-person department that works on their antennas or something, but that doesn’t mean those 20 employees are part of a separate company.”

Rather, he believes that AggregateIQ has a “specific purpose within the SCL universe.” “It’s disingenuous to say that they’re a different company.”

Playing the Canada card also seems strategic, Vickery told us. AggregateIQ  is already under investigation for a potentially illegal role it may have played in the Brexit vote in the United Kingdom and has used its Canadian location as a way to shrug off legal responsibilities overseas, he said.

“They have already wielded the fact that they are a foreign company [by saying] they don’t have to hand over [information] because they’re not subject to U.K. laws,” Vickery said.

AggregateIQ’s link to Cambridge Analytica is yet another detail in an ongoing and important investigation into how social media and its methods for collecting data online–and then disseminating that information, whether knowingly or not–can be used to influence the political landscape in ways that have not been seen before.

Trail points to GOP Linked Firms

Also of interest is the internal project named “The Database of Truth.” Documents discovered by Vickery describe that as a more powerful tool than Ripon. A “database system that integrates, obtains and normalizes data from disparate sources.” The foundation, according to the internal document is “the RNC data trust” – a “primary data source” that would be combined with “state voter files, consumer data (and) third party data providers.” Data Trust is a data management firm that has an exclusive list-sharing agreement with the national Republican party. The firm shares RNC voter data with other political action groups such as American Crossroads, American Action Network and groups linked to the billionaire Koch brothers, according to published reports.

Also listed as a data source for the Database of Truth: “WPA,” an apparent reference to WPA Intelligence, the market research firm started by Republican pollster Chris Wilson.

The Database of Truth was described as being a tool that could “make decisions based upon the data source and quality as to which data constitutes the accepted truth.”  The goal was to create a rough version of the tool that would allow “direct SQL queries and exports of the normalized RNC data” in order to give WPA the ability “right away to use the RNC data in an efficient manner.”

It is still not known if or how AggregateIQ came to possess the Data Trust and WPA data and whether the firms were also customers of Cambridge Analytica and AggregateIQ.

Vickery said he hopes that the ongoing investigation and revelations surrounding Cambridge Analytica, AggregateIQ and other potential co-conspirators will inspire laws against the use of data in a way that can so drastically affect the public landscape.

“I believe the people that will be able to fully dive into it and see everything–such as law enforcement agencies and regulators–will see a very clear roadmap to weaponization of voter data, commercial data and how incredibly influential this can be when it’s made into a weaponized format and automated,” he said. “Personally I hope there are some new regulations that come out in the ways that this data can be wielded against the public.”

Paul Roberts contributed to this report.