With the publication of an interim report on her investigation into the Brexit referendum, the information commissioner has issued a strong statement of intent against the tech giants

Nobody does cool, calm and collected like Elizabeth Denham does cool, calm and collected. In a week that has seen Britain near-implode under the twin psychic assaults of a World Cup semi-final and a Donald Trump visit, the UK information commissioner offered a rare moment of poise as she explained in her clear, calm voice – on Radio 4’s Today programme – that she had notified Facebook of her intention to serve it the maximum possible fine for breaking the law and misusing data – £500,000. And that she was pursuing a criminal prosecution of SCL Elections Ltd, the parent company of Cambridge Analytica.

It was a big moment, more than 18 months in the making, though it’s still only the start. Because this was an interim report of an investigation into the Brexit referendum that Denham launched in February last year – triggered by our first Observer article on Cambridge Analytica – and which in May broadened out to become a wider inquiry into the use of data in politics. It has become the biggest data protection investigation anywhere, and these were not just her first targets – a strong statement of intent against the tech giants and any company with the potential or ability to abuse people’s data – but it was also the first insight into what her 60-strong team has been doing. And it was as revealing in its own way as Robert Mueller’s latest set of indictments of 12 Russian intelligence officers that was unsealed on Friday.

There is an overlap between what the special counsel is doing in the US and what Denham is doing in the UK, and what became clear last week is that there is a zone of convergence between the two. As Mueller continues to disentangle the web of relationships at the heart of the Trump campaign and laid out a detailed picture last week of the hacking of the Democratic National Committee and Hillary Clinton by Russian intelligence officers – including crucially, the theft of the campaign’s data analytics – Denham has been quietly carrying out a narrower but in some ways just as forensic investigation in almost as much secrecy.

There is even, the Observer has learned, an ongoing channel of communication between them. A source familiar with the FBI investigation revealed that the commissioner and her deputy spent last week with law enforcement agencies in the US including the FBI. And Denham’s deputy, James Dipple-Johnstone, confirmed to the Observer that “some of the systems linked to the investigation were accessed from IP addresses that resolve to Russia and other areas of the CIS [Commonwealth of Independent States]”.

It was a recent discovery, he said, but an explosive one, potential evidence of a direct link between the company at the heart of the Trump campaign – and files holding information of 220 million US voters – and the Russian government’s disinformation campaign.

Facebook Twitter Pinterest Denham has issued information notices to force disclosure from Facebook and in her prosecution of Cambridge Analytica she is robustly asserting the rights of individuals against companies. Photograph: PA

From Mueller’s most recent indictments, it is clear that the data trail must be coming soon: the chain of evidence that is required to understand how the Russian government’s influence operation targeted American voters. And here is the clue and where it is believed Denham comes in – what data it was based on.

This being Britain, however, there is no special counsel, no crack FBI agents. Instead, the whole thing is being conducted by civil servants from an office block in Wilmslow, Cheshire. But Denham – who arrived from Canada two years ago, taking a pay cut to do so – is the person who’s leading a charge to transform what was a somewhat dusty regulator dealing in a niche topic into something of an armed militia at the frontline of an assault on our rights, including our democratic ones. Data is power and it is power concentrated in huge companies and her view is that “regulators need to have individuals’ backs. We have to protect people because how else can individuals act against some of these large, large companies?” It’s why, she says, “this investigation is so important on so many levels. We still rely on journalists, on civil society, on whistleblowers bringing evidence forward, but as a regulator we need to act on it.”

It’s a hugely reassuring statement – or at least cause for hope – after more than a year and a half of silence in which we and other news organisations have continued to produce evidence and whistleblowers. Reassuring, also, to know that there are 40 full-time investigators working on the case, 20 specialist contractors, and they have an interview list that numbers 264 people. An operation that the head of investigation, Steve Wood, describes involving “hundreds of laptops, mobile phones, servers, and then millions of documents and huge, huge datasets”. And last week’s fine against Facebook was a marker, the maximum that could be imposed under Britain’s old data protection laws. But under our new laws it would be 4% of annual turnover, which in Facebook’s case would be nearly £500m. “It’s not about the size of the fine,” Denham says. It is the seriousness of the crime. And if regulators had catchphrases, what she says next would be hers: “Data crimes are real crimes.”

She is damning about Facebook. If it had taken action to “stem the bleed”, she says, when the Guardian first revealed the scale of the data abuse in December 2015, it would have been one thing, but it did not. What is clear is that the scale of the Facebook fiasco has yet to be fully told. “We have evidence that data was passed on to third parties,” Denham says but will not say more. There are further revelations to come and if Denham had had the same powers then as she has now … well, it’s a flight of fantasy to a very different version of history. But she is taking what powers she has now seriously. She has issued information notices to force disclosure from Facebook and in her prosecution of Cambridge Analytica she is robustly asserting the rights of individuals against companies.

The report sets out in detail a case brought by David Carroll, an associate professor at the Parson’s School of Design in New York, first reported in the Observer last October and it is this that has enabled her to bring the first set of charges against the company. He has been asserting his rights as a US citizen to his data that was processed in the UK and used in the Trump election, rights that he does not have under US law and that can now be extended to 220 million other American voters. “I found the publication both of the report and then Mueller’s indictments very significant and also interlinked,” Carroll says. “They separately lay out such detailed, forensic, incontrovertible evidence. For the US, what’s so interesting and useful is that she’s this neutral third party who doesn’t have skin in the game and can actually provide proof on servers and in the data and answer the questions we’ve been asking for two years.””

Facebook Twitter Pinterest David Carroll: ‘She’s this neutral third party who doesn’t have skin in the game and can actually provide proof on servers and in the data and answer the questions we’ve been asking for two years.’ Photograph: Christopher Lane/The Observer

The relationship between the Trump campaign and Brexit still has not penetrated public consciousness in the UK, but Carroll believes they are converging, circling the same ground.

“We now have investigations in the US, Canada and the UK that are actively coordinating and we are getting closer to this knowledge of how this transnational collaboration [allegedly] worked and how they [ allegedly] used jurisdictional arbitrage to get around laws. Denham has had the time and resources and what’s clear from the interim report is that she’s finding stuff. There are hints of explosive revelations to come. There are findings here that finally smash the narrative that the Facebook data was not used for Trump,” he says. And it’s not finished yet. We know there’s more to come.”

Denham likes order. Order and control. Six weeks or so ago, we both gave evidence to the European parliament, but only one of us was sweating and fumbling with our notes. She is the regulator but in person she is also very regulated; composed. “And I’m also Canadian,” she points out. “Which is a whole other level of control.”

The “Canadian-ness” of the investigation is just one of its quirks. She is from British Columbia – where she was previously information commissioner – as was her deputy, though he has now left to go back to Canada to take up her old job. AIQ, the Cambridge Analytica-linked company used by Vote Leave that is a central focus of the investigation, is based in Victoria, which is just “down the road” from where she used to live. And the Cambridge Analytica whistleblower, Christopher Wylie, is also from just a couple of miles away. “There’s no explanation to it,” she says, it is one of the many “quirks” of the investigation.

What drew her to data protection in the first place? “I’m a professional archivist. I like order and I like records and information. I think I have a mind for that. Organising information and also understanding the value of information. So when I was an archivist, I was a bit of a handmaiden to history. Preserve the records and make them available. And on the other side protect them, appropriately.”

In fact, Denham has walked into one of the thorniest, most contentious episodes of modern British history, and she has become the handmaiden to it. And what her interim report lays out is the extent and scale and complexity of what she is undertaking: multiple lines of investigation, multiple potential crimes, covering much of the ground that we have been detailing in the Observer over many months.

The report points to a whole range of evidence of a relationship between Cambridge Analytica and AIQ that had been denied for so long by both. Between Vote Leave and BeLeave – setting out evidence that echoes allegations put forward in the Observer by the whistleblower Shahmir Sanni – and other investigations include the relationship between Arron Banks’s Leave.EU campaign and his insurance company. Notably, she has taken action against AIQ – the company used by the official Vote Leave campaign – and issued an enforcement notice to ban it from processing UK citizens’ data.

Will Denham get to the bottom of any of this? It remains to be seen. And it is only partial: she cannot and is not addressing, for example, the source of Banks’s money.

But what we do know is that if she had not opened this investigation we would be – and would remain – in total darkness about the referendum. The Electoral Commission, the body mandated by parliament to regulate our electoral laws, has almost no chance of getting at this information and itself announced three weeks ago that it desperately needs new laws. The ICO echoes this, calling for an “ethical pause” on the use of data in politics “to allow the key players – government, parliament, regulators, political parties, online platforms and citizens – to reflect on their responsibilities”.

The heart of Denham’s investigation is Cambridge Analytica. It was the company’s use of data that kicked off the entire inquiry a year and a half ago. An investigation that went up a gear in February when I, Wylie and other whistleblowers handed over evidence to the ICO. The ICO tried to use this to execute a search warrant before publication of our articles though it was not granted until days later. Was that frustrating, I ask.

Facebook Twitter Pinterest The shiny blue jackets worn by the ICO team when they raided Cambridge Analytica’s offices are now in the Science Museum. Photograph: Yui Mok/PA

It was, but Denham’s deputy, Dipple-Johnstone, says they are working to recover material and that it has also led to further evidence of potential criminal wrongdoing. “We’ve got issues around conspiracy, perverting the course of justice.” They’re also looking at potential offences under the Computer Misuse Act alongside “law enforcement colleagues”.

And the delay and public outcry enabled Denham to go to parliament and ask for extra powers in the new data protection bill which was, at that moment, being written into law. She got them.

The shiny blue ICO jackets that the officers wore, and which looked like they’d been ordered on Amazon the day before, were a statement of intent, she says: “It was sort of like the data cops are here”. And their place in history has already been recognised – they’re now in the Science Museum, she says.

Wylie with his pink hair. Denham with her data cops. There is more than a touch of theatrics about the whole story, theatrics that have shaken up the dry, dusty world of data protection in ways nobody could have predicted.

She noticed it, she says, on a trip to the fracture clinic with her husband “where these young women were sitting around talking about their online profiles and whether they should stay on Facebook. And I thought, ‘OK, this is not just the techies in a little group.’ I do think there’s been a shift. I feel the shift.”

There is. And Denham’s role in all this is significant because she is not a campaigner, she is the regulator, and the words she uses matter. Twice she says the word “surveillance”. Facebook does not call it that, I say. They have a privacy policy, not a surveillance policy, I point out. But that’s what it is, she says.

Cambridge Analytica: how did it turn clicks into votes? Read more

“Data surveillance”, “deep surveillance” “invisible processing”. These, she says, have impacts on all of us. “And there’s something significantly at risk – democracy and the integrity of our elections”.

The polite Canadian exterior is something of a red herring, it turns out. Denham is softly spoken but she also points out she’s an ice hockey fan. “It’s our national sport and if you’ve watched an ice hockey game you’ll know that we are not that gentle.”

Let’s hope so. The final report is due in the autumn.

The investigations

ICO

The Information Commissioner’s Officer is conducting an inquiry into potential data sharing between: Vote Leave, BeLeave, Veterans for Britain and the DUP; Cambridge Analytica and AIQ; and Leave.EU and Eldon insurance. Notices have been served on Ukip and Britain Stronger In Europe. Criminal proceedings have begun against Cambridge Analytica for failing to deal with an enforcement notice. An enforcement notice has been served against AIQ. There are also inquiries into third parties accessing Cambridge Analytica data.

Electoral Commission

An investigation continues into whether Arron Banks’s Better for the Country Ltd was “the source of donations made to referendum campaigners in its name”. Another inquiry – into whether Vote Leave and BeLeave breached campaign finance rules by exceeding spending limits – is now nearing its conclusion.

The Met

An inquiry is under way into Liz Bilney, the CEO of Leave.EU, after the Electoral Commission ruled that Arron Banks’s campaign had exceeded its spending limits.