DATA PRIVACY STANDARDS IN THE UNITED STATES: A CASE STUDY OF FACEBOOK

Abstract

With approximately 40 billion active users as of early 2022, Facebook is the largest social media platform in the world. Facebook collects roughly one million data points of sensitive information every minute and utilizes this personal data for targeted advertisements. The majority of users are unaware, or simply unconcerned, about the infringement of their privacy rights. And the majority of governments in the world have no comprehensive legislation protecting data privacy.

This article first discusses the potential dangers of Facebook`s collection of its users` data, including data breaches. Then, it analyzes data privacy standards in the United States and compares those standards to privacy legislation in other countries to make a well-informed suggestion about how the nation might protect personal data. Although the imposition of legal restraints for Facebook and others is necessary to protect individual data privacy, industry indicators reveal that placing burdensome limits on data collection capabilities could have significant repercussions for companies that provide free social media platforms, which could potentially force them to become paid services.

Key Terms: Facebook, data, privacy rights, targeted advertisements, legal policy

Introduction :

Ever since the industrial revolution of the 18th and 19th centuries, technological advances in modern society have rapidly changed the way most people around the world live their day-to-day lives. One of the most impactful technological improvements that have changed the way the world works in recent years is big data. The ability to collect and store extraordinary amounts of data at little cost is revolutionizing the way many businesses—not just technology companies—operate and generate income. Social media companies in particular thrive off the vast amount of personal data they collect from their billions of active users.

Any ordinary business can benefit from the optimization that data analytics provides. For example, grocery stores keep track of every single transaction and what each customer buys. By keeping track of who buys what items and which products are most commonly purchased together, grocery stores create models that can predict correlations between those products. Using this information, they can strategically place items in their stores to potentially increase sales. Data analysis guides grocery store managers to place essential commodities like milk, eggs, and meats in the back of the store.

The store`s predictive model identifies the highest-selling food items, and management capitalizes on this information with their product placement as far away from the entrance as possible. This strategic store layout is just one example of dozens of ways that a grocery store uses big data and predictive modeling to boost profitability. While the power that predictive modeling can add to the success of a grocery store is tremendous, the economic influence of this statistical technique is conceivably most prominent in the advertising industry. According to the website Business Insider (de Luce, 2019), "collectively, the top 200 advertisers in the US spent a record $163 billion on advertising in 2018. The site also mentions that Facebook spent $475 million on ads in 2018. Companies collect millions of data points, recording pracCompanies collect millions of data points, recording practically anything imaginable. This wealth of information allows businesses to provide higher quality products to their customers while maximizing their profits.

Despite these benefits of predictive modeling, potential privacy violations raise concerns. This paper examines the potential ethical and economic concerns that predictive modeling in targeted advertising presents for American society today. In particular, it will focus on how Facebook technically violates its users` data rights. Too much restriction on Facebook`s ability to use collected data for targeted ads could set a detrimental precedent for other social media When creating policy for better protection of individual's privacy rights, there should be a balance between the interests of consumers in securing personal data and the interests of social media services in maintaining profitable operations.

Privacy Concerns with Facebook's Use of Personal Data

The term “big data” essentially refers to the accumulation of large amounts of data in data warehouses over time. In order to use this data to inform business decisions, data analysts “clean,” or prepare, this raw data so that all entries in the dataset are readily usable. Then they manipulate the data through the use of programming languages such as R or SQL. Once the cleaning and intended transformations are complete, the analysts create charts and graphs that convey the relevant information in a meaningful way through programs like Data Studio or Tableau. Finally, utilizing the graphs created by the analysts, business executives can make well-informed decisions that are in the company`s best interest.

One of the largest sources of big data stems from social media platforms. Social media influences the way people spend their everyday lives. Facebook is the largest and most well-known social media platform. On Facebook, users create an online social profile where they usually share interesting facts about their life and post pictures of themselves. In a few easy steps, one can post pictures or life updates or share interesting articles on any of these platforms, where all of one`s friends can instantly view them and have a quick interaction. The ease of access to social media services facilitates their popularity.

Despite the convenience, however, the amount of personal information that is shared publicly on these social media sites can be dangerous. People provide data such as their phone number, birthday, location, religious views, the identity of family members, and life events on their Facebook profiles. It is surprising how willing people are to share their personal information on the Internet, considering how easy it is for someone to take advantage of this knowledge for their intentions, whether harmless or malicious. If a post or picture is public, any other Facebook user can access that information and manipulate it in any way they desire.

For example, even if a user does not explicitly indicate which side of the political spectrum he or she falls on, Facebook can predict quite accurately that user`s political affiliations based on what posts he or she likes or how that user responds to other people (Janjigian 2016). Even if we assume that Facebook has no corrupt intentions with all the personal data it has collected, this does not mean that Facebook users are immune from privacy violations. This is just one instance of how Facebook can take seemingly useless data and predict sensitive information through its specially crafted algorithms. The potential negative consequences of the Facebook predictive models are alarming.

According to the Varonis company website (Sobers, 2020), “on March 21, 2019, Facebook admitted that since 2012 it has not properly secured the passwords of as many as 600 million users… On December 19, 2019, over 267 million Facebook usernames, Facebook IDs, and phone numbers were exposed.” Once hackers have access to private Facebook datasets, they could steal people`s identities or credit card information.

Jennifer Golbeck and Matthew Mauriello (2016) from the University of Maryland recently published a study encompassing user understanding of what information Facebook can access. They surveyed 120 participants and sought both to discover the general public`s awareness of data privacy and to educate the subjects on the possible dangers of Facebook. Within the legal context, Facebook has already endured multiple challenges in the recent past. The Street (Fontana, 2018), which is a financial news website, lists sixteen different court cases against Facebook as of early 2018. Some experts have argued that Facebook violates the Civil Rights Act of 1964. For instance, in his article on advertising discrimination in the Northwestern University Law Review, Joseph Blass (2019) stated “though it is illegal to target job ads using statutorily defined protected characteristics (such as sex, race, age, and others), Facebook has recently faced criticism and legal action for targeting such ads in these exact ways” (p. 418). Facebook’s machine learning algorithm sends specific job postings to different people based on their demographic and economic classifications. Facebook is able to continue its actions because the laws have not been updated to address the Internet or data collection.

This is one example of why new policies need to be created that specifically address data privacy on the Internet. One of the most well-known privacy cases against Facebook is Smith v. Facebook in 2018. Winston Smith alleged that Facebook was tracking its users who access various healthcare websites. He claimed that it was an invasion of privacy to collect this biometric data. Facebook placed cookies (which are essentially tiny strings of text stored on an Internet browser that connects information you give to a website to your personal computer) through its online advertisements that were able to track users as they accessed healthcare websites. Smith also alleged that Facebook collected sensitive information provided on these external healthcare sites and sold this personal data to third-party sources for profit. Unfortunately for Smith, the District Court for the Northern District of California dismissed the case, stating that upon creating an account, users accept Facebook’s terms of service, thereby giving Facebook the right to sell such data.

Experts, such as Fred Cate (2006) from Indiana University, agree that existing principles or guidelines for data protection and privacy rights are not satisfactory. Because the technology industry changes rapidly, policymakers need to create comprehensive laws that adequately address this issue as soon as possible.

Big Data and Facebook Operates

Companies such as Facebook most likely desire to achieve maximum profitability with the least possible amount of effort. Like corporate America, intelligence agencies in the federal government gather personal data, particularly since the passage of the Patriot Act (2001) in the post 9/11 world. Consequently, the United States government knows more about each citizen than one would think, which exemplifies the pervasiveness of data privacy invasion. Harry Pence (2015), professor at the State University of New York at Oneonta, emphasizes the intrusiveness of this personal data collection: "The NSA [National Security Agency] is collecting almost 5 billion cell phone records a day to determine the locations of individuals and where they travel in the world even if they are not suspected of illegal activity… Even more troubling, it is illegal for the cell phone company to tell anyone they have received a subpoena of this type".

Although Congress passed an act later in 2015 to end the massive collection of American cell phone data, government monitoring of calls is a chilling thought. The vast majority of Americans do not realize that the government has recorded or tracked their calls, and most would likely consider this tracking an infringement of their privacy rights. If the government has been allowed to collect and use this information at its discretion now, further invasion of privacy may subtly increase in the future to the point that individual rights are complete While governmental agencies such as the NSA collected our data under the guise of national security, most international corporations like Facebook assemble billions of data points a day to maximize company profits.

Although the type of data collected and the purpose of the collection is different, the concept is still the same with Facebook. Before discerning whether or not this intrusive data accumulation violates any privacy rights that American citizens may or may not have, it is important to understand how Facebook operates and makes a profit. Facebook is a free service that can return a profit by selling screen space on its website or application to other businesses. These companies purchase this space to advertise their product or service to Facebook users. (Although Funk`s book was written in the last decade, the information about how Facebook works is still accurate as of early 2020. How much money Facebook charges to advertise on its platform is measured in cost per click (CPC) or cost per thousand views (CPM). Because advertising space works like any other open market system subject to the law of supply and demand, Facebook cannot simply increase its profits by continuing to raise the cost per click price higher and higher. At some price threshold, companies will simply stop buying ads from Facebook because the cost would outweigh the benefit. Therefore, to increase the profitability of the company, Facebook uses targeted advertising as a way to boost the likelihood of users clicking on an ad. Targeted advertising is a tactic that aggregates large amounts of preferential and demographic data to determine which users are more likely to click on a particular ad.

Legal Discussion

Despite the concerning problems with Facebook and data privacy, the United States government does not have a comprehensive legislative scheme protecting citizens` data privacy. Exactly half of the fifty states do have enforceable laws, but the legislation in place is not complete and differs from state to state. For example, Maine`s Act to Protect the Privacy of Online Customer Information (2019) requires consumers to opt into having their data collected while California`s Consumer Privacy Act (2018) requires companies to offer an opt-out option. The fact that the Internet transcends state boundaries and that Facebook has such a massive impact on our society demands a comprehensive federal law.

Running ads on Facebook suddenly becomes complicated because the advertisements must adhere to individual states` laws. If Tennessee and Maine passed legislation stating that Facebook may not use any personal information in targeting their advertisements, Facebook is forced to withdraw all advertising in Tennessee and Maine. Even if all fifty states had roughly the same enforceable data privacy legislation, it would still be less efficient than federal legislation. In addition to one comprehensive federal statute providing uniform protection, future amendments and updates to the legislation would be quicker than the varied schedules of the fifty state legislatures. From these simple hypothetical situations, it is clear that a federal mandate on data privacy protection is a better alternative than individual state solutions. Although the United States government has no law specific to data privacy protection for all citizens, a few less authoritative and precise rules and recommendations do exist. The least useful and most outdated solution to data privacy problems is the Federal Trade Commission`s fair information practice principles (FIPPs) from 1973. Despite providing the groundwork for many laws such as the Right to Financial Privacy Act (1978) or the Video Privacy Protection Act (1988), the FIPPs are simply recommendations and do not confer legal authority to regulate the data privacy of specific platforms like the Internet.

Policymakers need to create legislation that not only accounts for current privacy issues but also anticipates how innovative measures might further implicate data protection. Currently, the only federal law related to online privacy is the Children`s Online Privacy Protection Act of 1998 (COPPA). This statute restricts the collection of any personal information on a minor 13 years old or younger for any purpose. valid purpose in protecting children`s privacy, its implementation illustrates how data privacy laws have the potential to overly restrict companies.

For example, YouTube was fined approximately $170 million in late 2019 for tracking minor viewership to create more effective targeted advertising opportunities (Federal Trade Commission, 2019). Such a law harms individual content creators disproportionately more than it harms the actual company running the advertisements in the first place. Although COPPA protects data privacy for minors, it can negatively impact the lives of innocent entrepreneurs.

Implications of heavy restrictions on data collection

When considering the most effective method to implement a new data privacy law, it is important to study historical precedence. Although data privacy legislation is in its infancy stage, there are recent cases of success from which wisdom can be drawn, whether from domestic state laws or foreign policies, as discussed in the previous section. While Facebook does actively try to improve upon its privacy policy and other services with user feedback (through volunteer online surveys or focus groups), the consumers could use more education about their privacy rights. A privacy policy in favor of the user—no matter how beneficial Facebook claims it to be—does no good if the users never read or understand the policy.

The policy highlights that privacy is a shared responsibility and users need to be proactive as well. They mention that Facebook users do not see this as a contract and fail to update their privacy settings to better secure personal data. When creating a new Facebook account, the default privacy settings are set to maximum publicity, meaning that all the information, photographs, and comments posted on the website can be seen by every Facebook user—even users who are not your registered "friends. " From this discovery in the fine print of the privacy policy, it is clear that Facebook is not completely at fault in supposed privacy violations.

The benefit for consumers, the user is also held responsible for how much personal information they reveal online. And remember that the user legally gave Facebook permission to collect and use his data when he agreed to the terms of use and service. This is why the terms of use and service for Facebook—as well as the privacy policy— are important documents to keep in mind when considering how to create a new federal data privacy law. Although users are required to read and agree to the privacy policy when creating a new Facebook account, an overwhelming majority of Facebook users never read the fine print.

Either people have no interest or time to read the document, or they do not care if the information they share online is taken by someone else. Most of the time, Facebook is within its rights to do what they please with the data they receive. Golbeck and Mauriello (2016) found convincing evidence that "users are concerned about privacy on Facebook, particularly concerning the information apps can access. The obvious, yet least appealing option, is for users to just read the fine print of the document they are signing.

Another option is to educate all Facebook users on Facebook data privacy in simpler terms. Facebook users can make their accounts much more secure from unwanted visitors by taking a few short minutes to navigate to the privacy settings page and update their settings from "public" to "friends only. " Even though Facebook still collects and sells this data, users would be protected from strangers. While Facebook has its company profit in its best interest, the typical Facebook user is ill-informed about data privacy, as shown in the study by Golbeck and Mauriello (2016). We need an enforceable law encompassing data privacy for all social media applications—not just for Facebook. The government, however, should not completely disregard the interests of Facebook in crafting a new data privacy statute.

Limitations and potential solutions

This section addresses the limitations of the proposed solution and clarifies the primary need for both data privacy education and federal legislation. Although the referenced studies indicate many people are concerned with the security of their data, other people might However, it is better to assume the worst possible scenario rather than to assume that Facebook is solely focused on consumers` safety and privacy. Even if Facebook has the best possible security, some data hackers could still breach the firewall protection, as they have in the past. Companies should not have the right to collect data if it cannot be securely stored.

However, cyber security and technological firewall protections can experience breaches and their technicalities and legal implications are beyond the scope of this article. As for actions consumers can take to protect their data privacy rights on Facebook—and other social media sites— changing the privacy settings on their accounts is a good start. Alyson Young and Anabel Quan Haase (2013) surveyed college students to better understand what is called the "privacy paradox" on Facebook. Young and Quan-Haase conclude by calling upon policymakers to increase the clarity of what kind of data is collected, how the data are aggregated, and how the data are utilized for a certain Facebook feature such as advertisements.

This increase in clarity can be attained through legislation that requires Facebook to modify its practices and provide explicit details about its data collection. Meredydd Williams, Sadie Creese, and Jason Nurse (2019), who are computer science professors from the University of Oxford and the University of Kent, administered a survey to college students to collect data on privacy protection behaviors. They created an interactive smartwatch game that educated the participants about sound privacy behaviors on the Internet. Williams, Creese, and Nurse concluded that once their participants were well-informed about optimal privacy protection practices, most actively carried out these If more Americans understand data privacy risks, more will start to adopt practices to protect themselves and educate others.

With the authority to regulate corporate behavior, policymakers hold the most power over the protection of data privacy rights. Legislators need to become educated through the efforts of a data privacy protection task force. Understanding both the interests of the consumer in privacy and the ability of the companies to operate profitability while providing free services will help legislators to make well-informed decisions. Data privacy laws are needed as soon as possible to prevent further erosion of consumer rights.

STUDY CASES: Cambridge Analytica

A decade of apparent indifference to data privacy at Facebook has culminated in revelations that organizations harvested user data for targeted advertising, particularly political advertising, to apparent success. While the most well-known offender is Cambridge Analytica–the political consulting and strategic communication firm behind the pro-Brexit Leave EU campaign, as well as Donald Trump’s 2016 presidential campaign–other companies have likely used similar tactics to collect personal data of Facebook users.

Cambridge Analytica is a British consulting firm combining data mining, data brokerage, and data analysis with strategic communication for commercial or electoral processes. Since 2014, it has namely provided psychological tests on Facebook with the application thisisyourdigitallife. It must be underlined that the personal data of the user taking the test as well as his or her friends were harvested by the firm.

What is the Facebook data privacy scandal?

The Facebook data privacy scandal centers around the collection of personally identifiable information of “up to 87 million people” by the political consulting and strategic communication firm Cambridge Analytica. That company–and others–were able to gain access to the personal data of Facebook users due to the confluence of a variety of factors, broadly including inadequate safeguards against companies engaging in data harvesting, little to no oversight of developers by Facebook, developer abuse of the Facebook API, and users agreeing to overly broad terms and conditions.

In the case of Cambridge Analytica, the company was able to harvest personally identifiable information through a personality quiz app called thisisyourdigitiallife, based on the OCEAN personality model. Information gathered via this app is useful in building a “psychographic” profile of users (the OCEAN acronym stands for openness, conscientiousness, extraversion, agreeableness, and neuroticism). Adding the app to your Facebook account to take the quiz gives the creator of the app access to profile information and user history for the user taking the quiz, as well as all of the friends that the user has on Facebook. This data includes all of the items that users and their friends have liked on Facebook.

Researchers associated with Cambridge University claimed in a paper that it “can be used to automatically and accurately predict a range of highly sensitive personal attributes including sexual orientation, ethnicity, religious and political views, personality traits, intelligence, happiness, use of addictive substances, parental separation, age, and gender,” with a model developed by the researchers that use a combination of dimensionality reduction and logistic/linear regression to infer this information about users.

What is the timeline of the Facebook data privacy scandal?

Facebook has more than a decade-long track record of incidents highlighting inadequate and insufficient measures to protect data privacy. While the severity of these individual cases varies, the sequence of repeated failures paints a larger picture of systemic problems. In 2005, researchers at MIT created a script that downloaded publicly posted information of more than 70,000 users from four schools. In 2007, activities that users engaged in on other websites were automatically added to Facebook user profiles as part of Beacon, one of Facebook’s first attempts to monetize user profiles. As an example, Beacon indicated on the Facebook News Feed the titles of videos that users rented from Blockbuster Video, which was a violation of the Video Privacy Protection Act. In 2011, following an FTC investigation, the company entered into a consent decree, promising to address concerns about how user data was tracked and shared.

That investigation was prompted by an incident in December 2009 in which information thought private by users was being shared publicly, according to contemporaneous reporting by The New York Times. In 2013, Facebook disclosed details of a bug that exposed the personal details of six million accounts over approximately a year. When users downloaded their own Facebook history, that user would obtain in the same action not just their own address book, but also the email addresses and phone numbers of their friends that other people had stored in their address books. The data that Facebook exposed had not been given to Facebook by users, to begin with–it had been vacuumed from the contact lists of other Facebook users who happen to know that person.

The Cambridge Analytica portion of the data privacy scandal starts in February 2014. A spate of reviews on the Turkopticon website–a third-party review website for users of Amazon’s Mechanical Turk–detail a task requested by Aleksandr Kogan asking users to complete a survey in exchange for money. The survey required users to add the thisisyourdigitiallife app to their Facebook account, which is in violation of Mechanical Turk’s terms of service. In December 2015, Facebook learned for the first time that the data set Kogan generated with the app was shared with Cambridge Analytica.

" Facebook founder and CEO Mark Zuckerberg claim "we immediately banned Kogan’s app from our platform, and demanded that Kogan and Cambridge Analytica formally certify that they had deleted all improperly acquired data. "According to Cambridge Analytica, the company took legal action in August 2016 against GSR for licensing "illegally acquired data" to the company, with a settlement reached that November. " On March 16, 2018, Facebook threatened to sue The Guardian over the publication of the story, according to a tweet by Guardian reporter Carole Cadwalladr. Campbell Brown, a former CNN journalist who now works as head of news partnerships at Facebook, said it was "not our wisest move," adding "If it were me I would have probably not threatened to sue The Guardian." Similarly, Cambridge Analytica threatened to sue The Guardian for defamation.

On March 20, 2018, the FTC opened an investigation to determine if Facebook had violated the terms of the settlement from the 2011 investigation. In April 2018, reports indicated that Facebook granted Zuckerberg and other high-ranking executives powers over controlling personal information on a platform that is not available to normal users. Messages from Zuckerberg sent to other users were remotely deleted from users’ inboxes, which the company claimed was part of a corporate security measure following the 2014 Sony Pictures hack. Facebook subsequently announced plans to make available the "unsend" capability "to all users in several months," and that Zuckerberg will be unable to unsend messages until such time that feature rolls out.

The public feature permits users to delete messages up to 10 minutes after the messages were sent. "On April 4, 2018, The Washington Post reported that Facebook announced "malicious actors" abused the search function to gather public profile information of "most of its 2 billion users worldwide. This sentiment was echoed in a CBS News interview with Box CEO Aaron Levie and YML CEO Ashish Toshniwal who called on Congress to regulate Facebook. On May 2, 2018, SCL Group, which owns Cambridge Analytica, was dissolved.

On May 15, 2018, The New York Times reported that Cambridge Analytica is being investigated by the FBI and the Justice Department. Under the terms of this personal information sharing, device manufacturers were able to gather information about users in order to deliver "the Facebook experience," the Times quotes a Facebook official as saying. Additionally, the report indicates that this access allowed device manufacturers to obtain data about a user’s Facebook friends, even if those friends had configured their privacy settings to deny information sharing with third parties. The same day, Facebook issued a rebuttal to the Times report indicating that the partnerships were conceived because "the demand for Facebook outpaced our ability to build versions of the product that worked on every phone or operating system," at a time when The smartphone market included BlackBerry’s BB10 and Windows Phone operating systems, among others.

" Facebook claimed that "contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends. " We are not aware of any abuse by these companies." The distinction being made is partially semantic, as Facebook does not consider these partnerships a third party in this case. Facebook noted that changes to the platform made in April began "winding down" access to these APIs, and that 22 of the partnerships had already been ended. On June 5, 2018, The Washington Post and The New York Times reported that the Chinese device manufacturers Huawei, Lenovo, Oppo, and TCL were granted access to user data under this program.

On July 2, 2018, The Washington Post reported that the US Securities and Exchange Commission, Federal Trade Commission, and Federal Bureau of Investigation have joined the Department of Justice inquiry into the Facebook/Cambridge Analytica data scandal. In a statement to CNET, Facebook indicated that "We’ve provided public testimony, answered questions, and pledged to continue our assistance as their work continues." On July 11th, the Wall Street Journal reported that the SEC is separately investigating if Facebook adequately warned investors in a timely manner about the possible misuse and improper collection of user data. The same day, the UK assessed a ￡500,000 fine to Facebook, the maximum permitted by law, over its role in the data scandal. On July 3, 2018, Facebook acknowledged a "bug" unblocked people that users has blocked between May 29 and June 5.

It allowed users to access the list of members for private Facebook groups. The fallout from a confluence of factors in the Facebook data privacy scandal has come to bear in the last week of July 2018. The following day, Facebook suffered the worst single-day market value decrease for a public company in the US, dropping $120 billion, or 19%. On August 22, 2018, Facebook removed Facebook-owned security app Onavo from the App Store, for violating privacy rules.

Data collected through the Onavo app is shared with Facebook. On September 6, 2018, a spokesperson indicated that Joseph Chancellor was no longer employed by Facebook. Chancellor was a co-director of Global Science Research, the firm which improperly provided user data to Cambridge Analytica. On September 26, 2018, WhatsApp co-founder Brian Acton stated in an interview with Forbes that "I sold my users’ privacy" as a result of the messaging app being sold to Facebook in 2014 for $22 billion.

On September 28, 2018, Facebook disclosed details of a security breach that affected 50 million users. The vulnerability originated from the "view as" feature which can be used to let users see what their profiles look like to other people. Attackers devised a way to export "access tokens," which could be used to gain control of other users’ accounts. On October 25, 2018, Facebook was fined ￡500,000 by the UK’s Information Commissioner’s Office for its role in the Cambridge Analytica scandal.

The fine is the maximum amount permitted by the Data Protection Act 1998. A Facebook spokesperson told ZDNet that the company "respectfully disagreed," and has filed for an appeal. The same day, Vice published a report indicating that Facebook’s advertiser disclosure policy was trivial to abuse. Reporters from Vice submitted advertisements for approval attributed to Mike Pence, DNC Chairman Tom Perez, and Islamic State, which were approved by Facebook.

On October 30, 2018, Vice published a second report in which it claimed that it successfully applied to purchase advertisements attributed to all 100 sitting US Senators, indicating that Facebook had yet to fix the problem reported in the previous week. On November 14, 2018, the New York Times published an exposé on the Facebook data privacy scandal, citing interviews of more than 50 people, including current and former Facebook executives and employees. In the Spring of 2016, a security expert employed by Facebook informed Chief Security Officer Alex Stamos of Russian hackers "probing Facebook accounts for people connected to the presidential campaigns," which Stamos, in turn, informed general counsel Colin Stretch. A group called "Project P" was assembled by Zuckerberg and Sandberg to study false news on Facebook.

By January 2017, this group "pressed to issue a public paper" about their findings, but was stopped by board members and Facebook vice president of global public policy Joel Kaplan, who had formerly worked in former US President George W. Following comments critical of Facebook by Apple CEO Tim Cook, a spate of articles critical of Apple and Google began appearing on NTK Network, an organization which shares an office and staff with Definers. Other articles appeared on the website downplaying the Russians’ use of Facebook. On November 25, 2018, the founder of Six4Three, on a business trip to London, was compelled by Parliament to hand over documents relating to Facebook. Six4Three obtained these documents during the discovery process relating to an app developed by the startup that used image recognition to identify photos of women in bikinis shared on Facebook users’ friends’ pages.

Facebook entered into whitelisting agreements with Lyft, Airbnb, Bumble, and Netflix, among others, allowing those groups full access to friends' data after Graph API v1 was discontinued. "According to Collins, "increasing revenues from major app developers was one of the key drivers behind the Platform 3.0 changes at Facebook. "Data reciprocity between Facebook and app developers was a central focus for the release of Platform v3, with Zuckerberg discussing charging developers for access to API access for friend lists. Internal discussions of changes to the Facebook Android app acknowledge that requesting permissions to collect calls and texts sent by the user would be controversial, with one project manager stating it was "a pretty high-risk thing to do from a PR perspective.

Facebook used data collected through Onavo, a VPN service the company acquired in 2013, to survey the use of mobile apps on smartphones. Collins contends that "the files show evidence of Facebook taking aggressive positions against apps, with the consequence that denying them access to data led to the failure of that business." Documents disclosed specifically indicate Facebook revoked API access to video sharing service Vine. The Photo API bug affected people who use Facebook to log in to third-party services. "On December 18, 2018, The New York Times reported on special data sharing agreements that " business partners from its usual privacy rules, naming Microsoft’s Bing search engine, Netflix, Spotify, Amazon, and Yahoo as partners in the report.

Partners were capable of accessing data including friend lists and private messages, "despite public statements it had stopped that type of sharing years earlier." Facebook claimed the data sharing was about "helping people," and that this was not done without user consent. On January 17, 2019, Facebook disclosed that it removed hundreds of pages and accounts controlled by Russian propaganda organization Sputnik, including accounts posing as politicians from primarily Eastern European countries. On January 29, 2019, a TechCrunch report uncovered the "Facebook Research" program, which paid users aged 13 to 35 to receive up to $20 per month to install a VPN application similar to Onavo that allowed Facebook to gather practically all information about how phones were used. On iOS, this was distributed using Apple’s Developer Enterprise Program, for which Apple briefly revoked Facebook’s certificate as a result of the controversy.

"Facebook initially indicated that "less than 5% of the people who chose to participate in this market research program were teens," and on March 1, 2019, amended the statement to "about 18 percent. On February 7, 2019, the German antitrust office ruled that Facebook must obtain consent before collecting data on non-Facebook members, following a three-year investigation. On February 20, 2019, Facebook added new location controls to its Android app that allows users to limit background data collection when the app is not in use. The same day, ZDNet reported that Microsoft’s Edge browser contained a secret whitelist allowing Facebook to run Adobe Flash, bypassing the click-to-play policy that other websites are subject to for Flash objects over 398298 pixels.

On March 6, 2019, Zuckerberg announced a plan to rebuild services around encryption and privacy, "over the next few years." As part of these changes, Facebook will make messages between Facebook, Instagram, and WhatsApp interoperable. On March 22, 2019, a court filing by the attorney general of Washington DC alleged that Facebook knew about the Cambridge Analytica scandal months prior to the first public reports in December 2015. Facebook claimed that employees knew of rumors relating to Cambridge Analytica, but the claims relate to a "different incident" than the main scandal, and insisted that the company did not mislead anyone about the timeline of the scandal. Facebook is seeking to have the case filed in Washington DC dismissed, as well as to seal a document filed in that case.

On April 3, 2019, over 540 million Facebook-related records were found on two improperly protected AWS servers. The data was collected by Cultura Colectiva, a Mexico-based online media platform, using Facebook APIs. Amazon deactivated the associated account at Facebook’s request. "On April 15, 2019, it was discovered that Oculus, a company owned by Facebook, shipped VR headsets with internal etchings including text such as "Big Brother is Watching.

On April 18, 2019, Facebook disclosed the "unintentional" harvesting of email contacts belonging to approximately 1.5 million users over the course of three years. Affected users were asked to provide email address credentials to verify their identity. "On April 30, 2019, at Facebook’s F8 developer conference, the company unveiled plans to overhaul Messenger and re-orient Facebook to prioritize Groups instead of the timeline view, with Zuckerberg declaring "The future is private. On May 9, 2019, Facebook co-founder Chris Hughes called for Facebook to be broken up by government regulators, in an editorial in The New York Times.

On May 24, 2019, a report from Motherboard claimed "multiple" staff members of Snapchat used internal tools to spy on users. On July 8, 2019, Apple co-founder Steve Wozniak warned users to get off of Facebook. On July 18, 2019, lawmakers in a House Committee on Financial Services hearing expressed mistrust of Facebook’s Libra cryptocurrency plan due to its "pattern of failing to keep consumer data private." Lawmakers had previously issued a letter to Facebook requesting the company pause development of the project. Facebook agreed to conduct an overhaul of its consumer privacy practices as part of the settlement.

Access to friend data by Sony and Facebook was "immediately" restricted as part of this settlement, according to CNET. Separately, the FTC settled with Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix, "restricting how they conduct any business in the future, and requiring them to delete or destroy any personal information they collected." The FTC announced a lawsuit against Cambridge Analytica the same day. Also on July 24, 2019, Netflix released "The Great Hack," a documentary about the Cambridge Analytica scandal. In early July 2020, Facebook admitted to sharing user data with an estimated 5,000 third-party developers after its access to that data was supposed to expire. The hearing didn’t touch on Facebook’s data privacy scandal and was instead focused on Facebook’s purchase of Instagram and WhatsApp, as well as its treatment of other competing services.

What are the key companies involved in the Facebook data privacy scandal?

In addition to Facebook, these are the companies connected to this data privacy story. SCL Group (formerly Strategic Communication Laboratories) is at the center of the privacy scandal, though it has operated primarily through subsidiaries. Nominally, SCL was a behavioral research/strategic communication company based in the UK. The company was dissolved on May 1, 2018.

Cambridge Analytica and SCL USA are offshoots of SCL Group, primarily operating in the US. Registration documentation indicates the pair formally came into existence in 2013. As with SCL Group, the pair was dissolved on May 1, 2018. Global Science Research was a market research firm based in the UK from 2014 to 2017. It was the originator of the thisisyourdigitiallife app. The personal data derived from the app (if not the app itself) was sold to Cambridge Analytica for use in campaign messaging.

Emerdata is the functional successor to SCL and Cambridge Analytica. It was founded in August 2017, with registration documents listing several people associated with SCL and Cambridge Analytica, as well as the same address as that of SCL Group’s London headquarters. AggregateIQ is a Canadian consulting and technology company founded in 2013. The company produced Ripon, the software platform for Cambridge Analytica’s political campaign work, which leaked publicly after being discovered in an unprotected GitLab bucket.

Cubeyou is a US-based data analytics firm that also operated surveys on Facebook, and worked with Cambridge University from 2013 to 2015. It was suspended from Facebook in April 2018 following a CNBC report. Six4Three was a US-based startup that created an app that used image recognition to identify photos of women in bikinis shared on Facebook users’ friends’ pages. The company sued Facebook in April 2015, when the app became inoperable after access to this data was revoked when the original version of Facebook’s Graph API was discontinued.

Onavo is an analytics company that develops mobile apps. They created Onavo Extend and Onavo Protect, which are VPN services for data protection and security, respectively. Facebook purchased the company in October 2013. Data from Onavo is used by Facebook to track the usage of non-Facebook apps on smartphones.

The Internet Research Agency is a St. Petersburg-based organization with ties to Russian intelligence services. The organization engages in politically-charged manipulation across English-language social media, including Facebook.

How have Facebook and Mark Zuckerberg responded to the data privacy scandal?

Each time Facebook finds itself embroiled in a privacy scandal, the general playbook seems to be the same: Mark Zuckerberg delivers an apology, with oft-recycled lines, such as “this was a big mistake,” or “I know we can do better. ” Despite repeated controversies regarding Facebook`s handling of personal data, it has continued to gain new users. On March 16, 2018,

Facebook announced that SCL and Cambridge Analytica had been banned from the platform. The announcement indicated, correctly, that “Kogan gained access to this information in a legitimate way and through the proper channels that governed all developers on Facebook at that time,” and passing the information to a third party was against the platform policies.

On March 21, 2018, Mark Zuckerberg posted his first public statement about the issue, stating in part that: On March 26, 2018, Facebook placed full-page ads saying: “This was a breach of trust, and I`m sorry we didn`t do more at the time. In a blog post on April 4, 2018, Facebook announced a series of changes to data handling practices and API access capabilities. On April 10, 2018, Facebook announced the launch of its data abuse bug bounty program. While Facebook has an existing security bug bounty program, this is targeted specifically to prevent malicious users from engaging in data harvesting.

On May 14, 2018, “around 200” apps were banned from Facebook as part of an investigation into if companies have abused APIs to harvest personal information. On May 22, 2018, Mark Zuckerberg testified, briefly, before the European Parliament about the data privacy scandal and Cambridge Analytica.

What is the 2016 US presidential election connection to the Facebook data privacy scandal?

In December 2015, The Guardian broke the story of Cambridge Analytica being contracted by Ted Cruz’s campaign for the Republican Presidential Primary. Despite Cambridge Analytica CEO Alexander Nix’s claim in an interview with TechRepublic that the company is “fundamentally politically agnostic and an apolitical organization,” the primary financier of the Cruz campaign is Cambridge Analytica co-founder Robert Mercer, who donated $11 million to a pro-Cruz Super PAC. Following Cruz’s withdrawal from the campaign in May 2016, the Mercer family began supporting Donald Trump.

In January 2016, Facebook COO Sheryl Sandberg told investors that the election was “a big deal in terms of ad spend,” and that through “using Facebook and Instagram ads you can target by congressional district, you can target by interest, you can target by demographics or any combination of those.”

In October 2017, Facebook announced changes to its advertising platform, requiring identity and location verification and prior authorization in order to run electoral advertising. In the wake of the fallout from the data privacy scandal, further restrictions were added in April 2018, making “issue ads” regarding topics of current interest similarly restricted.

In secretly recorded conversations by an undercover team from Channel 4 News, Cambridge Analytica’s Nix claimed the firm was behind the “defeat crooked Hillary” advertising campaign, adding, “We just put information into the bloodstream of the internet and then watch it grow, give it a little push every now and again over time to watch it take shape,” and that “this stuff infiltrates the online community, but with no branding, so it’s unattributable, untrackable.” The same exposé quotes Chief Data Officer Alex Tayler as saying, “When you think about the fact that Donald Trump lost the popular vote by 3 million votes but won the electoral college vote, that’s down to the data and the research.”

What is the Brexit tie-in to the Facebook data privacy scandal?

AggregateIQ was retained by Nigel Farage’s Vote Leave organization in the Brexit campaign, and both The Guardian and BBC claim that the Canadian company is connected to Cambridge Analytica and its parent organization SCL Group. UpGuard, the organization that found a public GitLab instance with code from AggregateIQ, has extensively detailed its connection to Cambridge Analytica and its involvement in Brexit campaigning. Additionally, The Guardian quotes Wylie as saying the company “was set up as a Canadian entity for people who wanted to work on SCL projects who didn’t want to move to London.”

Conclusion

Understandably, minimizing costs and maximizing revenue are the key goals of any successful company in a market economy. Because of growing technological advances in data science, businesses are adapting at a rapid pace in order to optimize corporate profits. Data analysis tactics and predictive modeling algorithms that drive the modern economy, therefore, are here to stay. Along with big data, however, comes the issue of the invasion of privacy. That is why the government must protect consumer rights and take action on data privacy. The United States lags behind other countries in data privacy policies with no comprehensive, enforceable law that specifically addresses data collection and usage on the Internet. To facilitate national coverage and eliminate discrepancies between state laws, the federal government should enact data privacy legislation to protect personal data from potential abuse. As lawmakers begin to formulate policy, they must value the importance of data privacy for individual users. A delicate balance should be reached between the data privacy of the individual consumer and the industry`s ability to exact a profit from providing services to the consumer. A simple protocol to include is mandating that companies provide a visible, understandable disclaimer—separate from the terms of service agreement—disclosing this information. Because legislative development is a lengthy process, American consumers should educate themselves today on the potential dangers of personal data misusage and take appropriate action. Social media companies as well as other Internet companies can offer simple guidance for consumers to make more informed choices.

References

1. Billings v. Atkins, 489 S.W.2d 858, 860 (Tex. 1973)
2. Blass, J. (2019). Algorithmic Advertising Discrimination. Northwestern University LawReview, 114(2), 415–467.
3. Cakebread, C. (2017, November 15). You're not alone, no one reads terms of service agreements.
4. Retrieved from https://www.businessinsider.com/deloitte-study-91-percent-agree-terms of-service-without-reading-2017-11
5. Cate, F. H. (2006). The Failure of Fair Information Practice Principles . In Consumer Protectionin the Age of the Information Economy. doi: https://doi.org/10.4324/9781315573717
6. Corbin, K. (2019, March 28). HUD Is Suing Facebook For Housing Discrimination. Retrieved from https://www.forbes.com/sites/kennethcorbin/2019/03/28/hud-suing-facebook-for housing-discrimination/#6fb10ef67547
7. de Luce, I. (2019, October 4). 10 companies that spent more than $1 billion in ads so you'd buy their products. Retrieved from https://www.businessinsider.com/10-biggest-advertising spenders-in-the-us-2015-7
8. Federal Trade Commission. (2019, September 4). Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children's Privacy Law. Retrieved from https://www.ftc.gov/news-events/press-releases/2019/09/google-youtube-will-payrecord-170-million-alleged-violations
9. Fontana, F. (2018, March 29). Lawsuits Against Facebook Over Data Privacy Issues Are Piling Up. Retrieved from https://www.thestreet.com/technology/everyone-who-is-suing facebook-for-cambridge-analytica-1453621328
10. Funk, T. (2012). Facebook Advertising. In Advanced Social Media Marketing: How to Lead,
11. Launch, and Manage a Successful Social Media Program (pp. 75–101). Apress L. P.
12. Golbeck, J., & Mauriello, M. L. (2016). User perception of Facebook app data access: A comparison of methods and privacy concerns. Future Internet, 8(9). doi: 10.3390/fi8020009
13. González, E. M., & Vizcaíno-Laorga, R. (2018). Technophobic Dystopias: A Theoretical Approximation to the Communication Technology Limits Related to Privacy From the Google Glass Case and Audiovisual Fiction. Journal of Information Policy, 8, 296–313. doi: 10.5325/jinfopoli.8.2018.0296
14. Henriquez, M. (2019, December 5). The Top 12 Data Breaches of 2019. Retrieved from https://www.securitymagazine.com/articles/91366-the-top-12-data-breaches-of-2019
15. Hoffower, H. (2020, January 29). 9 mind-blowing facts that show just how wealthy Facebook CEO Mark Zuckerberg really is. Retrieved from https://www.businessinsider.com/how-rich-is-mark-zuckerberg-net-worth-mind-blowing-facts-2019-5
16. Huang, Y., Hui, S., Inman, J. J., & Suher, J. (2013). The effect of in-store travel distance on unplanned purchase: Applications to mobile promotion strategies. Journal of Marketing, 77(2), 1–16. doi: https://doi.org/10.1509/jm.11.0436
17. International Comparative Legal Guides. (2019, March 7). Data Protection Laws and Regulations. Retrieved from https://iclg.com/practice-areas/data-protection-laws-andregulations/usa
18. Janjigian, L. (2016, August 23). Facebook can guess your political preferences - here's how to see how it's categorized you. Retrieved from https://www.businessinsider.com/facebookcan-guess-your-political-preferences-2016-829
19. Johanssen, J. (2018). Gaming–playing on social media: Using the psychoanalytic concept of “playing” to theorize user labour on Facebook. Information, Communication & Society, 21(9), 1204–1218. doi: 10.1080/1369118x.2018.1450433
20. Macaraeg, M. J. (2017). From atoms to bits: Personal data privacy and security in the information society. Ateneo Law Journal, 62(1), 223–258.
21. Macrotrends. (n.d.). Facebook Net Worth 2009-2019. Retrieved April 25, 2020, from https://www.macrotrends.net/stocks/charts/FB/facebook/net-worth
22. Malgieri, G., & Custers, B. (2018). Pricing privacy – The right to know the value of your personal data. Computer Law & Security Review, 34(2), 289–303. doi:10.1016/j.clsr.2017.08.006
23. Matz, S. C., Menges, J. I., Stillwell, D. J., & Schwartz, H. A. (2019). Predicting individual-level income from Facebook profiles. Plos One,14(3). doi: https://doi.org/10.1371/journal.pone.0214369
24. Nyoni, P., & Velempini, M. (2018). Privacy and user awareness on Facebook. South AfricanJournalof Science, 114(5), 27–31. doi: 10.17159/sajs.2018/20170103
25. Pence, H. E. (2015). Will big data mean the end of privacy? Journal of Educational Technology Systems, 44(2), 253–267. doi: 10.1177/0047239515617146
26. Perez, S., & Whittaker, Z. (2018, September 28). Everything you need to know about Facebook'sdata breach affecting 50M users.Retrieved from https://techcrunch.com/2018/09/28/everything-you-need-to-know-about-facebooks-databreach-affecting-50m-users/
27. Pew Research Center. (2019, June 12). Mobile Fact Sheet. Retrieved from https://www.pewresearch.org/internet/fact-sheet/mobile/30
28. Reyes, M. S. (2019, April 26). Scandals and teen dropoff weren't enough to stop Facebook's growth. Retrieved from https://www.businessinsider.com/facebook-grew-monthly-average-users-in-q1-2019-4
29. Rojas, N. (2018, June 5). The New Rules on Social Media, Privacy and Data Protection. Retrieved from https://topdogsocialmedia.com/privacy-and-data-protection/
30. Sobers, R. (2020, March 29). 107 Must-Know Data Breach Statistics for 2020. Retrieved from https://www.varonis.com/blog/data-breach-statistics/
31. Solon, O. (2018, April 19). How Europe's “breakthrough” privacy law takes on Facebook and Google. Retrieved from https://www.theguardian.com/technology/2018/apr/19/gdpr-facebook-google-amazon-data-privacy-regulation
32. Solove, D. J., & Schwartz, P. M. (2018). Information Privacy Law (6th ed.). New York: Wolters Kluwer Law & Business.
33. Spangler, T. (2019, November 22). YouTube Creators Worried and Confused Over New KidVideo COPPA Rules, Potential Fines. Retrieved from https://variety.com/2019/digital/news/youtube-coppa-rules-children-videos-fines-1203413642/
34. Stewart, L. (2019). Big data discrimination: Maintaining protection of individual privacy without disincentivizing businesses' use of biometric data to enhance security. Boston College Law Review, 60(1), 349–386.
35. Sweney, M. (2019, July 8). BA faces ￡183m fine over passenger data breach. Retrieved from https://www.theguardian.com/business/2019/jul/08/ba-fine-customer-data-breach-britishairways
36. Tschider, C. A. (2015). Experimenting with privacy: Driving efficiency through a state-informed federal data breach notification and data protection law.
37. Tulane Journal of Technology &Intellectual Property, 18, 45–81.
38. Waldman, A. E. (2016). Privacy, sharing, and trust: The Facebook study. Case
39. Western ReserveLaw Review, 67(1), 193–233.
40. Williams, M., Nurse, J. R., & Creese, S. (2019). Smartwatch games: Encouraging privacy- protective behaviour in a longitudinal study. Computers in Human Behavior, 99, 38–54.doi: 10.1016/j.chb.2019.04.026
41. Winder, D. (2019, August 20). Data Breaches Expose 4.1 Billion Records In First Six Months Of 2019. Retrieved from https://www.forbes.com/sites/daveywinder/2019/08/20/databreaches-expose-41-billion-records-in-first-six-months-of- 2019/#789602f9bd54
42. Young, A. L., & Quan-Haase, A. (2013). Privacy protection strategies on Facebook. Information, Communication & Society, 16(4), 479–500. doi:https://dx.doi.org/10.1080/1369118X.2013.777757
43. Zharova, A. K., & Elin, V. M. (2017). The use of big data: A Russian perspective of personal data security. Computer Law & Security Review, 33(4), 482–501. doi: 10.1016/j.clsr.2017.03.025