Your Party WhatsApp data leak

An official Your Party supporter WhatsApp-based group exposed more than 1,600 user phone numbers. The numbers were then used by candidates in Your Party’s ‘CEC’ elections to send unsolicited campaign texts.

The group (set up for the party’s conference last November) was promoted by its interim leadership, comprising ‘independent group’ MPs, Jeremy Corbyn, Shockat Adam, and Ayoub Khan. But the group setup left membership information, including phone numbers, available to all participants.

The Your Party pre-conference email promoting the WhatsApp group.

The independent MPs and their administrative group had responded to an alleged breach of GDPR by reporting the opposing faction to the Information Commissioner’s Office. However, the loose handling of supporters’ personal data would similarly be a potential GDPR breach.

The exposure of phone numbers allowed candidates campaigning for election to Your Party’s new ruling committee (CEC) to send unsolicited text or direct messages asking members for their vote.

Complaints by members about the “massive personal data implications” of such unsolicited messages also appeared quite widely on social media. These included references to texts sent by independent candidate Qamar Qurban. Qurban denied any wrongdoing. Instead, he blamed the breach on party practices.

Your Party organisers have been urged to suspend and purge the WhatsApp community as an immediate threat to privacy. As Inacio Vieira, who broke the story, noted:

The ICO’s guidance on personal data explains that identifying someone “could be as simple as a name or a number”, and the ICO’s wider guidance on political campaigning emphasises the importance of retaining trust and confidence when processing data in an electoral context. If the use of a large WhatsApp group also reveals political opinions or affiliation by inference (for example, because membership of the group itself implies political alignment), the ICO notes that political opinions are classed as special category data, which carries additional protections.

Separately, there is an obvious governance concern during internal elections: when a large pool of member contact details is readily accessible inside an official group, it can create information asymmetries in internal contests if some candidates exploit that access for unsolicited outreach. That is distinct from motive, and can be described neutrally as a risk to member trust and to perceptions of process fairness.

On its own, the breach would be a serious concern. Coming after the infighting and procedural missteps of the party’s launch, it looks worse still.

Read more on Vieira’s Substack here.

Featured image via Inacio Vieira

By Skwawkbox


From Canary.