Skip to main content

AggregateIQ, the Victoria consultancy that was suspended by Facebook amid controversy over its role in political campaigns in Britain and elsewhere, worked on a range of smaller elections in Canada – including an ill-fated comeback last year by a former mayor in Newfoundland.

A list of AggregateIQ’s Canadian clients is detailed in files uncovered online in late March by UpGuard Inc. The U.S. cybersecurity consulting firm discovered some of the inner workings of AggregateIQ after the B.C. company had failed to protect computer code and other files its software developers had housed on an online service.

One name revealed in UpGuard’s findings is that of Andy Wells, who resigned as mayor of St. John’s in 2008, after serving for about a decade. In 2017, Mr. Wells ran for his old job but finished a distant second.

In an interview, Mr. Wells said he hired AggregateIQ after reading about the firm’s work in the 2016 Brexit vote.

“They didn’t turn out to be very useful,” said Mr. Wells. AggregateIQ worked on his website, provided advice and used only publicly available voter information, he said. “I wouldn’t recommend them to anybody.”

Open this photo in gallery:

Whistleblower Christopher Wylie.Dan Kitwood/Getty Images

AggregateIQ’s work on a lost civic campaign in Newfoundland has become a footnote for a company that is being probed by privacy commissioners from Britain, Canada and British Columbia. The firm was catapulted into public view over its role in the 2016 Brexit vote. For the past several weeks, Canadian whistle-blower Chris Wylie has been publicly denouncing AggregateIQ, saying he helped set it up before it went on to deploy questionable campaign tactics to influence voters during Brexit and in the United States, Nigeria and Trinidad.

On Tuesday, Chris Vickery, UpGuard’s director of cyberrisk research, will appear as a technical expert at the House of Commons standing committee on access to information, privacy and ethics. The committee meeting is about the misuse of personal information involving the British political consultancy Cambridge Analytica and data mined from Facebook, a scandal to which AggregateIQ has been tied.

AggregateIQ was suspended by Facebook on April 6. The Victoria company has said it had never entered into a contract with Cambridge Analytica and has never managed or had access to any Facebook data from Cambridge Analytica. AggregateIQ did not respond Sunday to a request for comment.

It was an eye-opening moment, once it hits you: ’Oh my god, this is what they’re using to influence elections across the globe.

Chris Vickery, UpGuard’s director of cyberrisk research

Mr. Vickery discovered AggregateIQ’s work in late March. UpGuard has already published information about AggregateIQ’s Brexit efforts, where it worked closely with campaigns to leave the European Union, and for Ted Cruz, in his failed U.S. presidential bid last year. None of the information, however, included personal details of individual voters.

Now, Mr. Vickery is set to talk about AggregateIQ’s work in Canada, which appears to be more mundane than work it has done elsewhere. UpGuard’s research highlights AggregateIQ’s efforts for politicians who were previously reported to have worked with AggregateIQ. The list includes three BC Liberal candidates in last year’s provincial election, former finance minister Michael de Jong among them. It also includes Todd Stone, a Liberal MLA who ran for his party’s leadership early this year, and for the BC Green Party in 2016. Mr. Wells was the new name.

While AggregateIQ’s work in Canadian politics appears to be straightforward campaigning, there have been some interesting crossovers. For example, in Mr. de Jong’s campaign, AggregateIQ appears to have reused a graphic previously used for changebritain.org, a pro-Brexit group that was formed after the referendum.

UpGuard’s Mr. Vickery has made a name for himself over the past several years as he has discovered unguarded yet sensitive data online. Mr. Vickery said the typical data leak stems from basic human errors – effectively leaving the door open – rather than a malicious hacker breaking through defences. A major find by Mr. Vickery was the personal information of almost 200 million voters in the U.S., left unsecured last year by Deep Root Analytics, which worked for the Republican National Committee.

When Mr. Vickery saw the news of AggregateIQ’s connection with the Cambridge Analytica-Facebook story, he looked online for clues about its work. He found AggregateIQ’s exposed data on the software development hub GitLab on March 20.

“I started poking around and I realized, ‘Holy cow, the registration is open,’ ” Mr. Vickery said.

Once inside the code repositories, Mr. Vickery saw how AggregateIQ did its online campaign work.

“It was an eye-opening moment, once it hits you: ‘Oh my god, this is what they’re using to influence elections across the globe,’ ” he said.

Mr. Vickery said the sum of AggregateIQ’s work showed “the engine or heart of tracking people, figuring out what their political leanings are, influencing them … and focusing your message and seeing how effective various ads are.”

Follow related authors and topics

Authors and topics you follow will be added to your personal news feed in Following.

Interact with The Globe