Interview with Tetyana Bohdanova
In 2019, Ukraine held national elections in which political parties embraced digital campaigning tools. After the election, researcher Tetyana Bohdanova investigated these tools and whether they were in line with national and party privacy policies. Varoon Bashyakarla and Tetyana discuss her research about the national elections, the political landscape in 2021 and the historical events that are critical to understanding the 2019 elections.
Note: This interview was recorded in June 2021, 8 months before the Russian military invasion of Ukraine.
About the Speaker: Tetyana Bohdanova is an elections and civil society specialist, technology and democracy research as well as activist. Since 2010, Tetyana has written about the social media and digital activism in Ukraine and neighbouring countries. Currently a freelancer, Tetyana has worked at the National Democratic Institute for International Affairs (NDI), Prague Civil Society Centre, and Global Voices. Connect with Tetyana on Twitter at @tetyUAna or on LinkedIn.
Listen to the audio:
Please note that this interview has been edited for clarity and brevity.
My research covers the 2019 election cycle in Ukraine, specifically the parliamentary elections. I guess it's good to know that in 2013, 2014, we had a big protest in Ukraine. Well, it started as a pro-EU integration protest, so it was quickly nicknamed “Euromaidan”. And Maidan Nezalezhnosti is the name of the main square in the capital, Kyiv, which is historically the place where people go to protest. So it started as “Euromaidan”, but Ukrainians now refer to it as the “Revolution Of Dignity” because what started as a pro-EU integration demonstration turned into really a big political movement against the government that cracked down on protesters.
In the end, the president that we had back then, [Viktor] Yanukovych, who was pro-Russian and who we suspect might have been controlled by the Kremlin at that point, had to flee to Russia after there was a mass shooting of protesters in Kyiv. So that's why we refer to this as the Revolution Of Dignity. The people that got shot in the square, we called them the heavenly hundred, basically the heroes. After that, Russia occupied and illegally annexed Crimea and instigated an armed conflict in the east of Ukraine.
In 2019, we elected both the president and the parliament. And the elections themselves, the parliamentary elections were actually called early, quickly after the new president got elected. The elections themselves were pretty democratic, which is something that I'm continuously proud of in Ukraine. Since another protest, which was called The Orange Revolution in 2004, we have had fairly good elections, I would say, especially if you compare it to our neighbours, like Russia and Belarus, that continuously have elections that aren't recognized by the international community. Ukraine wasn't like that.
So, coming into the 2019 election cycle, because of the hybrid war with Russia, people were concerned about disinformation and election interference. All of the attention, or a lot of the attention was directed outwards. There were special election protection initiatives set up to watch out for Russian disinformation and electoral interference. We also have a pretty strong civil society, so we have these traditional election watchdogs that are observing elections domestically in a very methodological manner. They look into basically all of the aspects that usually are observed about elections, like campaigning, finance, the pre-election campaigning, the actual voting, et cetera. But no one really looked into the use of personal voters' data and into the issues that are at the intersection of digital campaigning and privacy.
When we speak about digital campaigning, not much attention was being paid to domestic actors, which was mind-blowing to me. Because in the West we had already had this whole discourse about Cambridge Analytica and personal data and targeted political advertising, and so on. And somehow, even though people in Ukraine definitely heard about this, that just never translated into, “oh, but what is happening here? Why aren't we looking at this in our context?” I think it was perceived as an issue that hadn't reached Ukraine yet, or maybe the election observers already had their hands full, trying to watch out for Russian disinformation and whatnot.
This was one of the motivations for my research. I felt like, well, all of the technologies are there. In Ukraine in 2019, we had about 21 million internet users; at least 13 million of them were on Facebook. Polls continuously showed that over 20% of the population received their political news via social networks. At the same time, we don't have a very strong privacy culture. We don't have a very strong legal framework for personal data protection. Ukraine has a personal data protection law, but it's not nearly as strong as GDPR, although we are getting pulled into that orbit little by little. GDPR definitely influences us as a neighbour that's looking to integrate with the EU. But still, it was just amazing to me that nobody was exploring this.
I was a fellow at the Prague Civil Society Center, and I enlisted two Ukrainian NGOs to help me with this research, just because it was a big undertaking for one person. One NGO is called a Opora, which is an election watchdog, or at least election operation is one of the things that they do. Another one is called Digital Security Lab Ukraine, which does post-digital security for civil society and digital rights work. So they were the perfect partners for me to conduct this research. Basically, we looked into... well, not the presidential elections, even though the presidential elections started this hype about using social media and really engaging voters that were never active before in elections through social media. But then political parties came and rode the wave, and we felt it was much more fun to look at political parties as organizations with structures.
The 2014 protests, it seemed, were about a vision of Ukraine that was either more EU-aligned or Russia-aligned. How did that sentiment play out in these elections? And what other issues were part of the Ukrainian zeitgeist at the time?
So, 2019 was an interesting election in the sense that we had an outsider that came in and won the presidential race. Post-Euromaidan, post- Revolution Of Dignity, we had a snap election because the president ran away. So we had a snap election where we elected Petro Poroshenko, who was a very pro-European leader and took a strong stance against a war with Russia and really rallied the international community, let's say, in support of Ukraine.
But come 2019, I think people were tired of the war. The war in the east continued basically since 2014. Crimea was occupied and annexed by Russia. There were still some issues with corruption inside the country. Their reforms were not going as fast as people had hoped. The economy wasn't that great. I mean, there's only so much economic development you can expect was in the country that's at war. I think people really wanted change.
And the person that came to represented change was Volodymyr Zelenskyy. There was also a lot of rhetoric about ending the war. I think many people sympathized with that as well. And many just wanted someone else, someone who's not part of the system, someone who's not part of the establishment, someone who created this hope that he's going to come in and do this radical overhaul of everything in Ukrainian politics.
So this was the 2019 elections, and the pro-presidential party was poised to win the majority in the parliamentary elections as well. And that's one of the reasons why Zelenskyy, as soon as he got elected, called for snap parliamentary elections. However, we still had five strong contenders. Well, more than five, but five got elected in addition to the pro-presidential party, which was also called Servant of the People.
We basically wanted to analyze how these five political parties are using personal data of the Ukrainian voters. First, we wanted to look at what the parties themselves were saying in their privacy policies, on their websites, in the media interviews, et cetera. Then we wanted to investigate things on our own as well. We wanted to analyze it against the personal data protection law, and against the practices that we saw in digital campaigning against technology that the parties have used. We also wanted to think about it a little bit in the international context. What does it mean for Ukraine, but what does it mean also for the region, and for other countries that maybe don't have a very robust data protection legislation like GDPR?
We analyzed all five websites of these political parties, and then looked into their social media pages and their candidates’ pages, and so on. We looked at the official pages of the parties. It would be impossible to look at the page of every candidate and every digital tool that they used for campaigning, but we tried to look at the main things. Quickly, I think, this is where actually partnership with Opora and Digital Security Lab came very handy, because Opora was running and was monitoring campaign finance, specifically digital political advertising spending. They scraped data from Facebook’s Political Ad Library. We were able to look at the number of ads every party ran, and analyze how many ads they paid for where they encourages people to leave their data for the parties to use in communication with the voters later.
Digital Security Lab analyzed the security of the websites and helped formulate some legal recommendations as well. When we started looking at the websites, even before we really looked into social media, it became apparent that none of the parties were fulfilling all of the requirements of the data protection law in Ukraine.
Just at first glance at the websites, did they feel fresh, user friendly?
It really depends. I think some parties were new. As with many organizations that are just being set up now, we see them use the latest tools. And somebody who's been there for a while, they're a bit slower. So I think we saw the same with the political parties. One of the political parties that’s been around for a long time had been using mailing lists forever. Even though MailChimp is around now and they are now using MailChimp, MailChimp has all of the functionality that would be needed in order to ask for voters' consent for providing their personal data for processing. And also for informing people about what the party is about to do with that data. MailChimp has all that functionality because MailChimp also fulfills GDPR requirements. Yet the party failed to activate those features, even though Ukrainian law also says that you have to get people's consent, which has to be informed, voluntary, et cetera, in order to be processing their personal data.
It feels like these legal restrictions were designed more with commercial entities in mind. It is one of the ways in which we might be able to, at the end of the day, limit how political entities are using this information as well. Of course, because they tend to get a lot of their data from standard commercial sources, too.
Exactly. And the technology comes from the commercial sector. So why shouldn't the same regulations apply?
And even in Ukraine, we would have special protections that are granted for what's called “sensitive” data, and somebody's political preference would fall under that definition. So legally the political parties even have to apply extra measures to make sure that the data of their supporters is protected. That's why it was especially concerning. We heard stories about data leaks in the electoral context, hacks, et cetera, and the kind of damage that this can do in the course of a political campaign. And that's why it was especially concerning to see that some political parties didn't even have privacy policies on their websites, and others, even through some superficial analysis of the website, had certain security issues.
You found one was unencrypted, right?
Yes. So the website itself didn't even use an HTTPS protocol, and yet it actively asked people to subscribe, to sign up with the party. As soon as you visit the website there is this window where you can join the party. And then they ask for a lot of information. Where you live. Well, obviously your name and everything, but also, what's your address? And then the party would say, please describe why you want to keep in touch with us? So if somebody was to describe an issue that they were concerned with, basically all of that data was left in the open when they were providing it to the party. I kept going to the website of this party, and I think they changed the protocol maybe six months after the election or something.
All of that is especially concerning, because even in the run up to 2019 we had quite a few big data leaks and scandals, both with commercial entities and with an anonymous Telegram bot that was offering data of an insane number of citizens for sale. Basically, they seemed to have combined all the leaked data sets that they could find. Some of them came from the big commercial companies in Ukraine. For example, we have a big logistics company that had their data leaked. Then we had one of the main banks that had their customer data leaked a couple of years ago. Whoever they were, the people that operated this bot seem to have accumulated all the data together.
When journalists analyzed the data sets, it seems that some of the data came from government registries, including the voter registry, which is a nationwide database. It was a bit outdated, maybe a 2014 version or whatever, but it's basically a nationwide database of all citizens eligible to vote, which is insane, especially for a country that's at war. I'm sure there were also strategic risks, security risks with regards to having data about all of your citizens out there. In light of all of that, seeing that some parties wouldn't even update their software, or make sure their connection is encrypted is concerning to me.
And these are just the websites. When we looked at their social media, even the parties that had bothered to formulate privacy policies for their websites, none of that was in regards to social media or the use of other tools that helped them collect personal data. The mailing lists, online registration forms, chat bots, mobile apps, what have you. All of those collect data about you when you interact with them, but none of the parties bothered to inform their supporters about the data being collected and what they're going to do with it.
Some candidates did try to say, by providing this data you acknowledge that you consent within the framework of the law, et cetera, et cetera. But there was no systematic application. Websites lived separately, and all of that was being used separately. We collected all of that and analyzed and formulated some recommendations and published our report, I think, about a year after.
So we tried to time it around the one-year anniversary of the elections. In Ukraine, the data protection body currently is the Ombudsman's office. We had a representative of the office come to the presentation and talk about what they were doing to make sure that the law is enforced. But basically, one of problems is that we don't have a separate data protection body. The Ombudsman's office is spread thin to deal with these violations as well. And they live in a reactive mode. They react to complaints, maybe conduct some inspections, but they're not doing something proactive necessarily, because they don't have the resources.
And then the law is badly enforced anyway. There aren't really effective mechanisms to hold those that violate it accountable. I think this is one of the reasons why the parties themselves are also sloppy when it comes to data protection. But also because we aren't demanding it. Maybe after these data leaks, people have begun to think about these things a bit more, but it's still going to be a little while before this privacy culture catches on. The good thing is that Ukraine is considering a new data protection law right now, which is a lot more like GDPR and will update the old law and close some of the loopholes. And hopefully we'll establish some of these mechanisms to really hold whatever entity to account. This is the hope.
You contacted the parties, didn't you? Did any of them end up responding?
No. Which was also a bit upsetting that they didn't. None of them came to the presentation. We hope our findings didn't go unnoticed, because we did circulate it widely. And there were copies sent to the Ombudsman's office notifying them of our research and so on. But I also looked at the local elections a year later, and I saw some improvements.
I guess the role of digital campaigning will only continue to increase, and the use of personal data in campaigns will not go away. It would be really great to see what this new law is, because we had no regulations about digital political advertising in the election legislation. Neither did it provide any special safeguards for the personal data of voters. Also, it would be great to see if we have a data protection authority that's proactive and maybe formulates some provisions that act as a guide to political parties about how they should and shouldn't use personal voters' data during the election period. And then actively monitor whether they fulfill these regulations or not. So this would be really interesting to see during the next national elections. Also, it's a bit scary to think about all of the personal data that's out there. In 2019, we saw no indication that any of the parties were using these leaked data sets in their campaigning. I don't necessarily want to give people bad ideas. It's not difficult to buy a data set on the internet and use it for targeting voter supporters.
Nor is it difficult to imagine a political actor anywhere in the world, not just in Ukraine, but an opportunistic political actor who would be willing to use illegally or improperly collected data for their own political advancement.
And we did see a targeted disinformation campaign in 2020 in Ukraine, outside of the electoral cycle, when someone disseminated false information in the beginning of the pandemic to incite basically a riot in one of the small towns to where Ukraine brought citizens that they evacuated from Wuhan at the beginning of pandemic.
Journalists have looked into this, and they discovered that somebody spread misinformation through Viber, which is another very popular messaging app in Ukraine. They had targeted people based on their geographical location. I don't recall at least seeing this in Ukraine before. Someone acquired thousands of phone numbers of residents. And you register on Viber with a phone number, so somebody must have acquired a set of phone numbers, was able to identify which of them belong to the residents of a certain area, and then targeted those people on Viber. Because they're usually Viber groups, Viber chats that they're dedicated to certain areas or whatever.
Specifically, they set up Viber groups to spread misinformation and would actively add these particular users to these Viber groups. So this is a great and scary example of how someone can single out people that are living in a certain location and push information at them. The fact that it hasn't been used in the electoral context, I think, is only a matter of time. I don't imply that nobody's being targeted based of their geography during elections. Obviously, that's what you do with Facebook and whatnot, but we just haven't seen this kind of operation where somebody would set up groups a day in advance, aggressively push disinformation at people in order to incite a physical riot.
One of the really tough parts about doing work on this topic is that I feel like it's one of those things that everyone is hoping someone else will take care of. I think voters are hoping and expecting lawmakers to fix the problem while still just clicking “I agree” to everything. Meanwhile, lawmakers, I feel, are hoping companies are going to be doing the right thing. Even when the law does exist, it feels at times like the law is ill-equipped. Also, it's much more slow moving than fast moving political entities or private companies. And then I think these private companies are just saying, we're just doing what users want us to do. We're just responding to their needs. And likewise, could even make the argument that political parties are saying, well, we are just doing what voters are demanding or not demanding.
It feels like responsibility is being shifted from one group to another. And the end result is that it's not fixed. This was a really good point you made about how parties probably want some very practical hands-on guide about how to do it correctly. But I think it would be helpful having an example for political parties of what it looks like when you do it the right way.
I think we also need to hold them actively to account during the election campaign. Had we published some findings during elections, if we were looking at it during the active campaign phase, I think we might have been able to turn some things around. If there was a group that published a report about personal data protection during campaigning every two weeks and actively publicized their findings and pressured parties to change certain practices while they're campaigning, I think that might have... I keep thinking about how to do this better.
And of course it feels like these parties are the most responsive during the campaigning period.
One of the solutions, in my opinion, is that we need to create a toolkit, a standard methodology for civil society actors to monitor personal data use during election campaigns, advocacy campaigns, et cetera. I mean, in Ukraine, it could be all-year-round because these issues, they don't end with the end of the elections. We see these strange data practices in between the election periods as well.
I feel like this is something that researchers like I and Opora and Digital Security Lab could think about providing to civil society, some kind of toolkit to use, something anyone could use during an active campaign period. And more communication with the parties would be great, because obviously if you find a security flaw on their website, you don't want to publicize it. You want to inform them first and hope that they get rid of it, so that you don't really need to publicly shame them for having it, because somebody may just use it to their advantage.
It is a good lesson as well, because in line with practices like responsible disclosure, in which if we find a security flaw we should be notifying the party before publishing it and naming and shaming them, and having an existing relationship with the representative of the party to begin with would not only help whatever issues we identify get fixed faster, it also might make the parties themselves pay more attention to what it is that we're trying to call attention to in the first place.
I mean, if we had a good data protection authority that we could partner with around something like this. Because, I mean, Ukraine has a Ministry of Digital Transformation, but I feel like they have their hands full with digitizing all the public services. The government is formed by the parties that have gotten into the parliament, so it's very difficult to separate political interests from the work that the government does.
Can you talk briefly about the case of this researcher and the email address and the digital ministry?
The Digital Transformation Ministry was actually set up after Volodymyr Zelenskyy was elected; it was one of his campaign promises. The idea is to have “your state in a smartphone,” where you can minimize your interaction with the state, and that everything is going very handy in your phone. Any issue solved, you can just pull out your phone and do it via a mobile app, or what have you. Actually a social media marketing person runs one of the agencies, I think as a part of his professional interest he has created separate special email accounts and signed up for each political campaign, or at least some political campaigns.
And later after the elections, after the Ministry of Digital Transformation has been set up, he began receiving emails to that email address that he provided to the campaign from the Ministry of Digital Transformation. Of course, during the campaign the ministry wasn't there yet. I doubt that the campaign would have asked people that signed up with it to consent to providing an email address for the future Ministry of Digital Transformation that would be established if they win the election.
I think that's one of the big challenges with a lot of these data-driven operations is that they can blur the lines between the political party occupying the seat of government, and the apparatus and function of the government itself. A natural question here is, well, if Zelenskyy is not reelected, what happens to that information? Where does it go? Would Zelenskyy hold onto it? Could he use it for another purpose? Could he share it with a like-minded political candidate?
Yeah. Those are very good questions. Especially, I think, when sharing your data with a political campaign you don't necessarily expect it to end up in the hands of a state agency. I think in many countries this would be a concern. Another thing that I discovered in the course of my research is that there were these NGOs that were loosely affiliated with political parties that also collected data, and apparently shared it with the political campaigns, and then political campaigns might have shared it with the government. So there's this murky illicit data sharing going on outside of this electoral cycle, election regulations. I think that's a concern, because this data makes these political actors more powerful. And then it's easier for them to stay in power because of the data that they have accumulated.
I think data is an asset. It's very important for the parties, when they ask for people's consent, to clearly inform people about what they are planning to do with this data and how they're going to use it, so that if you're going to use this data after the election you need to inform people that there is a certain period of time for which you're going to hold onto this data for these purposes. Because I don't think voters are going to like it when their email address ends up in the hands of a candidate. And this is not even speaking about whether it's legal or not. I think even from the political standpoint, it doesn't really suit you well as a political force to do this.
Also this story you just shared about the claim that people from Wuhan were being brought into a town in Ukraine shared specifically with residents of a particular town is that this convergence of how people's personal data is being used in combination with disinformation to help accomplish a political agenda, I think is ripe in places - I mean, everywhere, but particularly perhaps in places with some physical proximity to Russia, where there is a long history of disinformation campaigns. Now disinformation campaigns will have the newfound benefit of also being able to target people's personal information which is a new asset as well.
Yes. And then the companies are benefiting from it as well. I think it's a concern. That's why I am particularly worried about these massive data leaks that we had, because it's only a matter of time, I think, before someone tries to use this for whatever purpose. I think it's very important for this privacy culture to grow in Ukraine, for people to become more aware. Hopefully post-2019, they have, but still I think disinformation is a good example. I think many Ukrainians are aware of disinformation. Now I even look at my parents. My mom, before sharing something on Facebook, she checks where is this information coming from? My mom is in her 60s, so this shows you how aware Ukrainians have become.
So my hope is that one day every time we receive an email, an average person would be asking, where did they get my email address from? Or if they're asked to provide their personal data, they'd be asking, well, what are you going to do with it? Therefore, if a voter goes to a political party website and they don't privacy policies, they would A, not be signing up with them. B, they'd be messaging them asking, where's your privacy policies?
It's really quite shocking and striking how so many of these data related problems, these political problems, are the same everywhere in the world.
It's not just these negative things. It's not just malicious actors that are learning from each other. But basically activists, people that are trying to prevent these things from happening are also learning from each other and are translating things between different contexts and are applying the lessons learned elsewhere. It is a bit difficult to imagine that something that's happening in the US can happen in Ukraine, or something that happened in Ukraine can happen in the US. When I met Nino [Nino Macharashvili] from ForSet, from Georgia, who did similar research, speaking about how Georgia was completely not prepared for some of these data practices that are coming in terms of legislation, in terms of local civil society, being aware of these kind of risks, et cetera. So that's why I think it's important for people, let's say, maybe in the region to start speaking about these things first, and then we can have some cross-regional learning as well. But certainly it's easier for people in Georgia to imagine that something that happened in Ukraine can happen there. And people in Ukraine can imagine that something that's happened in Georgia can happen in Ukraine.
But I think if we contextualize things just a bit wider than one country, if we try to look at the region, it's a bit easier for people to imagine, if it happened to our neighbours it may happen to us.
Please note that this interview has been edited for clarity and brevity.
The influence industry is led since 2016 by Tactical Tech’s Data and Politics team addressing the pervasive data-driven technologies used by political groups within elections and political campaigns.
This interview was edited by Cassiane Cladis.