Privacy and the porous nature of the internet: What you need to know about the Facebook & Cambridge Analytica case.
Privacy issues are once again making headline news. Cambridge Analytica, the data analytics firm that worked for Donald Trump’s presidential campaign, are accused of obtaining Facebook user data for over 50 million people without getting their permission.
Facebook claims that it wasn’t breached and is also not at fault. It has suspended Cambridge Analytica from its service and has claimed they violated the social media giant’s terms. Facebook have now altered their terms of service to cut down on the amount of data that third parties can collect. On Monday Facebook sent auditors to the UK to try to get a handle on the Cambridge Analytica story. The ICO told them to stand down and that it was applying for a warrant to investigate the claims. If the accusations prove to be accurate both companies could be in for some serious trouble.
So how did Cambridge Analytica get 50 million people’s data?
Facebook offers a wealth of tools for developers one of which is “Facebook Login”. This lets people login to some websites using their Facebook credentials. Easy, and you never have to remember a load of passwords right? Well when you use Facebook Login you grant the developer access to some information on your Facebook profile, such as friends, email, name & town of residence. This is exactly what happened with an app called “thisisyourdigitallife” which was created by Dr Kogan, a professor at Cambridge University. Over 270,000 people used Facebook Login to create accounts on the app and back in 2015 Facebook allowed app developers to collect information on your Facebook friends too. So that 270,000 quickly turned into 50 million. Although the initial 270,000 people opted in to share their own information,their friends did not consent, yet their data was still collected by Dr Kogan’s app.
Christopher Wylie, who worked with Dr Kogan to obtain the data, told the Observer: “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”
Things became somewhat problematic when Dr Kogan then shared that data with Cambridge Analytica. Facebook claims this was in contravention of the terms of service, and Mr Stamos, Facebook’s chief security officer, tweeted that the professor “did not break into any systems, bypass any technical controls, or use a flaw in our software to gather more data than allowed. He did, however, misuse that data after he gathered it, but that does not retroactively make it a ‘breach'".
Another of his tweets can be seen below. He has since deleted all the tweets made in defence of Facebook.
The Times found that Cambridge Analytica’s data for “roughly 30 million [people] contained enough information, including places of residence, that the company could match users to other records and build psychographic profiles.” For those who don't know, "psychographic" refers to a buyer's "habits, hobbies, spending habits and values"
This all happened just as Facebook intended for it to happen. The Guardian states that: “All of this data collection followed the company’s rules and guidelines. Documents seen by the Observer, and confirmed by a Facebook statement, show that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals”.
The problem with data sharing
The problem is really that Facebook gives a lot of trust to the developers wishing to use its features.
Facebook is not alone in this type of data sharing. Platforms such as iOS and Android allow developers to collect your contact lists with permission and Twitter and LinkedIn have a feature similar to Facebook Login. Not to mention the all powerful Google.
PayPal
Recently PayPal released a list of all the third parties with whom it shares your personal data with. There are over 600! The list can be found here: https://www.paypal.com/ie/webapps/mpp/ua/third-parties-list?mc_cid=e92eca172c&mc_eid=828caddd2a
The Erosion Of Privacy
This is yet another story highlighting the erosion of privacy. Typically erosion comes about either through malice or negligence (the company entrusted with your data sells it without permission or is negligent when it comes to protecting it) or from your actions (you yourself pass your data to a trustworthy company, who then passes it on again and again all with consent but eventually your data is everywhere).
Once you put information out there you lose control of it. It is a one-way process, you can’t get it back. As a society we are happy with this because we have traded our privacy for convenience and added functionality. This is where AI comes in. Machine learning needs data and lots of it. So the more data you “feed” it the better and more accurate it gets and the better our user experience gets. We can live in a world where everything is customised for us, just like in the film Minority Report.
We all know that if something is free you are the product. This is certainly true for most social media platforms. Your data is the real product.
I, along with many other security professionals, believe that the loss of privacy may now be inevitable but that does not mean that we have lost all control. By making sure we only pass our data to responsible, trustworthy companies with incentives aligned to our own we can still encourage responsible corporate behaviour but we may have to accept some loss of convenience for this.
Perhaps we should accept the erosion of privacy and instead work on educating people to be as secure as possible in the post-privacy world. Maybe the GDPR will help in this respect. We will wait and see what the ICO’s response to this Facebook case is.
For the Guardian story on the Cambridge Analytica Files: https://www.theguardian.com/news/2018/mar/17/data-war-whistleblower-christopher-wylie-faceook-nix-bannon-trump?mc_cid=e92eca172c&mc_eid=828caddd2a
Lisa Forte,
Partner, Red Goat Cyber Security.
Privacy lawyer and IT architect
6 年Many thanks for the Paypal reference, Lisa! Actually I hadn't seen this when I recently blogged arguing why it's better to do exactly what PP happens to have done, rather than put such detailed disclosure into static notifications. I can feel another blog analyzing those contents coming on (not to criticize PP, just as an example to consider strategic implications of such disclosures) Please note PP's inferable public position on GDPR is prima facie ambiguous, in saying that it's compliant with Lux law: but arguably this is a distinction without a difference.
--
6 年Yes in this world nothing became flawless for many days because it's an I Q competition. Facebook CEO what try to do that I don't know. But I am more than sure that this kind of thing ( data leak out) will happen again. WITHOUT THE GOOD WILL & HONESTY OF HUMAN NOTHING IN THIS WORLD BECAME FLAWLESS FOR EVER. Law, can't do anything about any kind of mass problem. Who see whom. An infectious disease never protected by medicine (law), there is a need of vaccine ( formula & theory). And that vaccine also may have to change by seeing the nature & environment . Govt. of various countries also start to feel it that what thought & what happen after implementing a new thing.
Yep....
Shareholder and Board member
7 年I am not a FB fan and I use it in a very minimalistic way. But I can’t understand all this fuss. FB has given all of us, free of charge, software which can be used to chat, be in touch with relatives, find new friends, be connected with things which interest us, find something new we did not know and so on. It gives us ample possibility to hide our data and keep it private, to levels we decide. We all know that data is valuable, this is why we had market researches, while phone books with addresses were used to locate people to call at awful times to sell something. Since millennia, we are either merchant or merchandise, and often we are both. So, after for ten and more years we have chatted, corresponded, exchanged political opinions, insulted and been insulted by perfectly unknown people, and so on and on and on, we cry because “our data has been stolen”?? Honestly, I find hypocrite and a bit dumb. You Lisa very rightly state: “As a society we are happy with this because we have traded our privacy for convenience and added functionality.” So be it: if I don’t want my private data to be used, I should not post it for everyone to see. As simple as that
A multi award-winning Strategic Operations, R&D, Innovation, Cost, Procurement & Supply Chain, Product, Fleet, M&A, Risk, Estate, Asset & Facilities Management professional, at K M Group, a multi award-winning business.
7 年No doubt pulling a Data Subject Access Report from Facebook's Trading Facias will prove enlightening and possibly quite disturbing.