While the impact of Russian disinformation campaigns and propaganda on Ukrainian politics have drawn significant attention from scholars and policymakers, other modes of digital political influence have received comparatively little attention.

A recent report (which I co-authored with Digital Security Lab, election watchdog OPORA and the Tactical Technology Collective) shines a light on the use of personal voter data in the 2019 Ukrainian elections and the issues arising at the intersection of privacy and digital campaigning. In particular, its findings outline a wide range of data collection mechanisms and targeted digital campaigning methods being used by major political entities against the backdrop of legal loopholes in campaign finance regulations, shortcomings of digital platforms, cybersecurity lapses, and ambiguities of the country's data protection regime.

Prompted by the presidential campaign of Volodymyr Zelenskyy, Ukraine’s 2019 elections were the first to be particularly impacted by targeted digital political communications. Their audience included over 21 million internet users (13 million of them on Facebook), with 23.5% of Ukrainains receiving their news primarily from social media. According to Mykhailo Fedorov, Zelenskyy’s chief digital strategist and now Ukraine’s Minister of Digital Transformation, their campaign amassed 180,000 subscribers on its Telegram channel, recruited 608,527 volunteers online, and ran over 3,200 digital advertising campaigns, targeting audiences segmented into 32 categories according to age, gender, professional affiliation, or political interest.

The parliamentary elections that followed in the summer brought about a comparative level of digital activity. Political parties actively campaigned on the country's six most popular social networks, including the Telegram and Viber apps, launched chatbots, operated mailing lists, and developed customised mobile applications. Using Facebook’s data, Ukrainian election watchdog OPORA established that parties ran 40,427 targeted political ads during the active campaign period, spending over 1,800,000 US dollars. It also discovered that, despite recently tightened Facebook’s election-related rules, some pages published unmarked ads with elements of negative campaigning or so-called “black PR” against certain candidates.

Despite increasingly sophisticated targeted advertising services provided by Facebook and other platforms, Ukrainian electoral legislation did not distinguish between offline and online campaigning and has failed to establish clear mechanisms for reporting funds spent on digital ads. As a result, some 2019 parliamentary election contestants refrained from accurately reporting spending on online advertising, leaving civil society and regulators with no assurance of fair online practices. Under these circumstances, Facebook’s political ad library became the de facto source of online spending and other oversight, while no other platform offered the same level of transparency.

2019 also became the year when election contestants actively collected citizens’ information online, which could be later used for targeting them with political ads and other personalised communication. All five political parties elected to parliament in 2019 - Servant of the People, Opposition Platform - For Life, Batkivshchya, European Solidarity, and Holos - collected voters’ personal data through various registration forms on websites or social networks, cookies, and other methods. Based on the data from the websites of Servant of the People and European Solidarity, at least 102,000 people registered online with these two parties alone as prospective members, supporters or volunteers. And while Ukraine’s electoral legislation contains no regulations aimed at safeguarding the use of voters’ personal information, the country’s 2010 personal data protection law sets mandatory requirements for all automated processing of personal data, which should also apply to online practices of political parties and candidates.

Despite this, an analysis of parliamentary parties’ websites and social media activity indicates that none of them fully complied with the requirements and user consent principles set out in Ukraine’s data protection legislation. For example, only two parties offered privacy policies on their websites. Three parties requested the consent of users to the processing of their personal data, although one of them failed to specify exact ways in which the data could be used. Four of the five parties used a variety of analytical services that could track user’s activity across the web or share information with third parties and all five used cookies installed by social media platforms for advertising purposes, of which only two parties even tried to notify users but never asked for their consent. Moreover, fewer and far less consistent attempts to fulfill personal data protection requirements were made when parties engaged with voters via social media or other customisable tools, such as Google forms, online petitions or email marketing services.

A simple inspection of the five parliamentary parties’ websites also revealed some security issues on four of them, which were of particular concern since the websites were used for personal data collection. These included lack of proper encryption of the whole website or its parts, failure to update modules and software with known vulnerabilities - issues that could have been easily fixed had political parties dedicated sufficient attention to the matter. The post-election hacking of Holos’ server holding supporter data - although appeared to be an unofficial penetration test by a group of Ukrainian hacktivists - was further indicative of the cyber security level maintained by the parties.

While Ukraine’s local elections held on 25 October seem to have brought about a shift in voters’ political sympathies, not much has changed in the realm of digital campaigning. According to Facebook’s library data, the number of political ads published on the platform during the current campaigning period nearly doubled compared to the 2019 parliamentary elections, with parties and candidates spending around 3.1 million US dollars on advertising.

Yet online political campaigning remains largely unregulated in Ukraine despite the efforts of civil society. Even after the Central Election Commission recently took steps to increase the transparency of political parties’ online spending in 2020, legal ambiguities still make it practically impossible to hold those in violation of online campaign financing accountable, while simultaneously enabling the use of digital advertising outside the official campaigning period.

For instance, election observers noted that over 50 political parties ran political ads on Facebook ahead of the start of the local campaign, and that numerous parties and candidates failed to disable their advertisements during the election silence period. When asked whether the platform would take any measures to limit campaigning on the election day, Facebook’s Public Policy Manager for Ukraine noted that such limitations so far have only been foreseen for the US elections and do not extend to any country outside the United States. At the same time, Facebook continued to be the only platform that offers some transparency with regard to political and social advertising in the country, while details of such activity on Google or YouTube remained undisclosed to Ukrainians.

As to the treatment of voters’ personal data during local elections, political parties and candidates have again demonstrated a rather low regard for voters’ privacy and data protection regulations. Out of the ten parties that most actively advertised on Facebook, nine invited voters to register with them online, while only three outlined how they would process the data in privacy policies on their websites and only five asked for users’ consent for such processing. Neither Batkivshchyna nor Opposition Platform - For Life were among them, continuing the same data practices that researchers found problematic in 2019.

At the same time, a number of recent mass personal data leaks from what appear to be Ukrainian government registries and commercial databases, as well as indications of possible illicit data sharing between the political campaigns and government entities, demonstrate that the disregard for personal data protection in Ukraine extends beyond the electoral cycle. This poses multiple dangers to the country simultaneously juggling domestic reforms and a continued armed conflict with Russia.

Given the proliferation of commercial digital technologies now used for political means, it is of crucial importance for Ukraine to introduce important clarifications, mechanisms and safeguards pertaining to online campaigning and protection of citizens’ personal data - before the situation is further exploited by either domestic or external actors.