Facebook and Cambridge Analytica: Insights for Cyber Security and Privacy
Satyamoorthy Kabilan
Senior Executive Partner at Gartner | Strategic Advisor & Network Builder | Innovation & Transformation Leader | Security & Resilience Expert
The revelations about Cambridge Analytica's use of Facebook data have been making headlines around the globe. Today, Mark Zuckerberg released a statement on how Cambridge Analytica was able to harvest the details of millions of Facebook users. A lot has been said in the press, but three insights are worth emphasizing for cyber security and privacy practitioners.
It was not a data breach
Many of the headlines called this incident a data breach, which implies some form of unauthorized access to data. In fact, according to Mark Zuckerberg's statement, the Facebook user data was acquired within the rules Facebook imposed at the time. A researcher created a personality quiz app on the Facebook platform that gathered data not only about the people who used the app, but also about all of their friends, covering tens of millions of users. The good news is that Facebook says it clamped down on apps like this with platform changes made in 2014. The bad news is that the data had already been harvested by then, and it eventually made its way to Cambridge Analytica. The one point at which this might still be classed as a breach is Cambridge Analytica's retention of the data, which it claims to have deleted. In my view this was not a traditional data breach, because the data was acquired in an authorized manner. It may well be a breach of trust, as Mark Zuckerberg stated. That does not make it any less disturbing. For practitioners, the lesson is in the authorization model: consent given by one user extended to data about people who never consented, and a permission model that allows that will be used to its limit while staying within the rules.
Harvesting data through social media platforms is pretty common
The phrase "data is the new oil" is repeated so often because of data's value and the insights that can be derived from it, and almost every organization is prospecting for this new oil, especially where it yields insights about current customers or helps expand the customer base. Using third party apps to access user information on social media is not unusual. Here is a screenshot I took from the Harvard Business Review's site when I tried to share one of its articles on Twitter:
Needless to say, I did not grant the Harvard Business Review permission to read my tweets, see who I follow, update my profile or (God forbid) post on my behalf. I do not know how the Harvard Business Review uses its access to Twitter profiles and other social media accounts, but I would not be comfortable giving away these permissions. In a world where data and the insights it can generate are so valuable, almost everyone seems to be looking for ways to harvest more and more information about individuals. The Facebook and Cambridge Analytica case is likely to be just the tip of the iceberg. From a privacy perspective, we should all be asking why organizations need this type of access to our social media accounts. Sharing a link to Twitter, in particular, can be done through a plain share link that grants the site no account access at all, so a share button that asks for read and write permissions is asking for far more than the task requires.
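The consent screen described above is exactly the kind of request a least-privilege review should catch. The following is an added example, not code from the original article or from any of the sites it mentions: it parses the `scope` parameter of a generic OAuth 2.0 authorization URL, compares the requested scopes against the minimum a declared purpose needs, and shows the permission-free alternative for sharing a link. The scope names are modelled on Twitter's OAuth 2.0 scopes, the per-purpose allowlist is an assumption for illustration, and the sample consent URL is constructed, not captured from a real site.

```python
"""Least-privilege review of a third-party OAuth consent request.

Added example, not part of the original article. Assumes a generic OAuth 2.0
authorization URL with a space-separated `scope` parameter; scope names are
modelled on Twitter's OAuth 2.0 scopes (tweet.read, tweet.write, users.read,
follows.read, offline.access). The allowlist and sample URL are constructed
for illustration.
"""
from urllib.parse import urlsplit, parse_qs, urlencode

# Minimum scopes each purpose actually needs. These values are assumptions
# for the example; the design point is that the allowlist is per purpose,
# not per application.
MINIMUM_SCOPES = {
    # A "share this article" button can be a web-intent link that needs
    # no API access at all, so its minimum scope set is empty.
    "share_link": set(),
    # A "sign in with" flow only needs to read the user's own profile.
    "sign_in": {"users.read"},
}


def requested_scopes(authorize_url: str) -> set[str]:
    """Return the scopes an authorization URL asks for (OAuth 2.0 `scope`)."""
    query = parse_qs(urlsplit(authorize_url).query)
    raw = query.get("scope", [""])[0]
    # Tolerate comma- or space-separated scope lists.
    return {s for s in raw.replace(",", " ").split() if s}


def excess_scopes(authorize_url: str, purpose: str) -> set[str]:
    """Scopes requested beyond what `purpose` needs; empty means least privilege holds."""
    return requested_scopes(authorize_url) - MINIMUM_SCOPES[purpose]


def share_intent_url(text: str, url: str) -> str:
    """Build a Twitter web-intent share link.

    The user posts from their own browser session; the site receives no
    token and is granted no scopes.
    """
    return "https://twitter.com/intent/tweet?" + urlencode({"text": text, "url": url})


# Constructed consent request of the kind a share button should never need.
SAMPLE_CONSENT = (
    "https://example-authz.invalid/i/oauth2/authorize?response_type=code"
    "&client_id=demo&redirect_uri=https%3A%2F%2Fpublisher.invalid%2Fcb"
    "&scope=tweet.read%20tweet.write%20users.read%20follows.read%20offline.access"
)

if __name__ == "__main__":
    extra = excess_scopes(SAMPLE_CONSENT, "share_link")
    print("Scopes beyond what sharing a link needs:", sorted(extra))
    print("Permission-free alternative:",
          share_intent_url("Worth a read", "https://publisher.invalid/article"))
```

Run against the constructed request, every requested scope is flagged as excess for the sharing purpose, and `offline.access` in particular would have given the site a refresh token, meaning access that outlives the single share. The same check, with a purpose-specific allowlist, is a useful gate in a third-party integration review.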
It was an insider threat issue
Insider threats can be defined as any entity that has privileged knowledge of, or access to, an organization. It does not have to be an employee, or even a person: another organization, such as a supplier, can be a potential insider threat. In 2016, as part of the update to my team's insider threat work, we added the supply chain to our list of potential insider threats, including customers with privileged access to an organization and its assets. The harvesting of data from Facebook by an authorized third party app fits squarely into this category. Essentially, this was an insider threat incident: an individual used an app with legitimate, privileged access to harvest data from Facebook and then provided that data to an external party (Cambridge Analytica), resulting in the outcry we see in the headlines. One of the major challenges all organizations face in today's complex environment is understanding their insider threat risk. Would anyone at Facebook have thought that a legitimate app from an academic, working within the rules, would result in such a major insider threat incident?
Concluding Thoughts
Lawsuits are being filed, and it will be interesting to see whether Facebook and Cambridge Analytica face any serious consequences as a result of this incident. While some have called for users to abandon Facebook, I am not sure that this will amount to much. What will be more interesting is how many other organizations have been harvesting data through social media platforms and whether, as I suggested earlier, this incident is just the tip of the iceberg.
Follow me on Twitter for more insights - @The_Fuzz74
Lawyer, Nelligan O'Brien Payne LLP: As a physician and lawyer, I bring a unique skill to support my clients: the ability to read clinical information through a legal lens.
6 years ago: I don't have and have never had a Facebook account either, Gabriela. Far from missing something, I believe I have avoided hours of tedium. And I agree with the general rule: never give personal information for which the need is not obvious.
Senior Director of Global Health Systems Policy, Global Government Affairs at Medtronic
6 years ago: Privacy is a luxury these days. I don't have Facebook and after this, I will never set up an account. The businesses that rely on Facebook to reach clients will never have me as a client. It makes me very uncomfortable when an app (including LinkedIn) requests access to your contacts and pictures. I say to this: thank you, but no. This is where I draw the line. And guess what? I am surviving very well!