UPDATE: Brexit Party Donations – “It Couldn’t Be Less Secure”
Turlough Conway’s conclusion looks at Nigel Farage’s “Never seen anything like it” claim of mass donations to his new party.
During the EU referendum campaign in 2016 multiple fines for data misuse and overspending were brought against Nigel Farage’s Leave.EU campaign and it was referred to the Met Police and National Crime Agency (NCA) for electoral wrongdoing. Given this background, it would have seemed logical for the Brexit Party to ensure that its funding and data campaigns were as open and transparent as possible.
However, Byline Times can reveal that this is far from being the case.
With notable exceptions, it’s remarkable how little interest the media has taken in the Brexit Party. The concept was seeded in August 2016 when Brexit Party domains were bought by West Dorset UKIP. When Farage launched his party on 12 April this year he claimd that, during the preceding 10 days, it had amassed funding at record rates through its website – £750,000, all in small donations of less than £500, he said.
Farage’s mentioning that the “small sums” were all less than £500 seemed unnecessary and stood out. But it is significant in terms of electoral funding law.
The Law on Donations
The UK law on donations to political parties is regulated by the Political Parties, Elections and Referendums Act (PPERA) 2000. In general, permissible donors are individuals who are on the UK electoral register or UK companies, political parties, trade unions etc.
However, contributions of £500 or less are outside the scope of PPERA and do not need to be recorded or reported. They are not regarded as ‘donations’ under the law and are exempt from it. Such donations could be made by anyone and from anywhere.
Despite this, election watchdog the Electoral Commission advises political parties to “be alert to situations where it appears that a donor is attempting to evade PPERA by making a series of small donations” and it points out that “facilitating the making of donations by impermissible donors is a criminal offence”.
Let’s examine the architecture that facilitated the collection of Farage’s “never seen anything like it” miracle £750k from small contributions of less than £500.
Contributions can be made on the Brexit Party website by two methods: contributing via a ‘donate’ button,which allows sums of between £5 and £500.01 to be selected for payment.
Secondly you can contribute by becoming a ‘registered supporter’, which is supposed to result in a subscription of £25. (Becoming a registered supporter does not entitle the individual to party membership, but to be on an email list for updates while contributing financially to the party.)
The Dodgy Donate Button
The ‘donate’ area of the Brexit Party’s website differs from other political parties in that it is not mandatory, or even possible, to leave any personal details during the donation process.
In designing its ‘donate’ button the Brexit Party has ignored the advanced configuration available and opted for minimum security – it couldn’t be less secure.
This is a red flag for the kind of transactional laundering that the Electoral Commission warned of: multiple, small, anonymous donations from one large donor. The less identifying information obtained on the underlying subject during a transaction, the easier it is for that subject to avoid PPERA by repeatedly performing transactions without detection.
Matters take a decided turn for the worse when it’s payment time.
The donor is taken to a PayPal page via a PayPal “donate” button. PayPal protects users from identity theft, but this can be exploited by bad actors who seek to disguise their identities for more nefarious purposes. A famous recent example of this was when 13 Russians indicted in the Mueller Report used fake PayPal identities to transfer money for general expenses and to pay for digital propaganda.
In designing its ‘donate’ button the Brexit Party has ignored the advanced configuration available and opted for minimum security – it couldn’t be less secure. By declining to receive the donor’s mailing address, the only identifier returned will be the donor’s PayPal account name (which could be stolen or fake).
Example configuration.
The lack of a Captcha human identifier or something similar means that the transactions can be automated and multiple. With little chance of detection, an impermissible large donor could covertly and tactically move a large sum while evading PPERA.
Complicating things further, the website’s server is located in the United States (it was moved from the UK on 9 March). Conservative MEP Sajjad Karim questioned Farage in the European Parliament on the PayPal architecture a week after the launch.
“PayPal, through donations of under GBP 500, is facilitating the flow of money into the European Union and to Nigel Farage. And I ask him as a Member of this House to come and explain to this House: Nigel Farage, where is your money actually coming from?”
Ropey Registered Supporters
Since questions were raised about the PayPal donors, the Brexit Party has now claimed the main source of money is a rising number of ‘registered supporters’. They claim to have up to 90,000 registered supporters paying £25 each – a total of of £2.25m, topped up with a few hundred grand from bigger donors.
Let’s look at the ‘Registered Supporter’ transactions on the website.
These are similar to the ‘Donate’ transactions except that an information form must be filled out with personal details before you are taken to the PayPal site.
This doesn’t improve transparency: there is a complete absence of verification of identity. There is nothing whatsoever ‘Registered’ about this process. There are not even data constraints on any of the fields. Barring the email field which requires an email format (boaty@boaty.com works) anything can be entered in any other field in any format.
Things go downhill even faster from here. Contrary to what the Brexit Party will have you believe, every ‘Registered Supporter’ has not paid £25. Once you click “Become a Registered Supporter” after filling out the form, you are already one regardless of making the payment or not. If you don’t tick the receive emails box you will go straight to an acknowledgement that you are now a Registered User.
There is no security Captcha again to guard against non-human automation. An automated loop could be run through a database of email addresses to batch produce hundreds or thousands of spurious ‘Registered Supporters’. Multiple PayPal payments could be made just as with the ‘Donate’ button. The architecture is highly conducive for hiding impermissible big donations among many small donations.
Conclusions for Electoral Law
It appears to me that there are some potentially extremely serious issues here that need to be addressed urgently. The assertion that 90,000 so-called ‘registered Supporters’ via the Brexit websites represents some remarkable political movement is false and absolutely baseless. The data on that database has no integrity as an indicator of human interest in or financial donation to a political party.
This is a red flag for the kind of transactional laundering that the Electoral Commission warned of: multiple, small, anonymous donations from one large donor.
Clearly a Political funding act nearly 20 years old cannot be fit for purpose
in the digital age. In 2019, only suspicious transactions have faint or invisible traces and there is no reason why data on all contributions should not be comprehensive and available to the Electoral Commission on request.
In my opinion, modern money laundering obligations on companies could provide the basis for a kind of system suited for modern elections and Political Parties. Architectures that allow transactions that are opaque or appear to be unnecessarily complex, making it difficult to identify the beneficial owner should be disallowed and preemptively punished.
In 2018 the Electoral Commission’s guidelines stated: “We check the information parties provide to us, and evaluate the risk of those we regulate to prioritise our compliance monitoring. In the run-up to major elections and referendums we also carry out targeted campaign monitoring to check that people are complying with the rules on spending and donations.”
The Electoral Commission must put action where these words are.
Byline Times has approached the Brexit Party and the Electoral Commission for comment and will incorporate their responses in an update.
UPDATE – THE BREXIT PARTY RESPONDS
The Brexit Party could not be more conscious of compliance issues, particularly around donations. Our system is clearly and specifically designed for grassroots activists and supporters. The vast majority of our funding comes from ordinary individuals who give small sums.
We hope Byline is expending as much time and energy investigating theoretical flaws in the operating systems of other political parties, and look forward to seeing the results of these inquiries.
Any actual evidence of anyone using our system to deliberately commit fraud will be dealt with swiftly and appropriately. For the time being, your investigation exposes nothing more than your bewilderment at the scale of voter support for the Brexit Party – and your determination to present it in the worst possible light.