Introduction
In the latest in the data leak controversy, Cambridge Analytica has been accused of breach of data with inappropriate usage of Facebook data, privacy breaches and psychological manipulation.
Cambridge Analytica systematically and knowingly ran campaigns based on psychological and personality profiles mined from the Facebook data in 2017. The firm has been accused of harvesting private information from the Facebook profiles of over 50 million users without their permission, making it the largest data breach in the history. This information was revealed by a former employee and founder Christopher Wylie to the Observer and the New York Times. Wylie explained how he worked with Aleksandr Kogan, an academic from Cambridge University, to obtain this data and exploit users.
The misuse of data may have allowed the company to build a psychological profile of a large proportion of the American electorate targeting them with specific marketing material and targeted ads, thereby swaying the results of 2016 presidential elections.
Criticality
Most people do not think about the data they share via social media, banking and other large corporate and government, as there is a general level of trust that there are adequate laws and protections, and that by and large there is nothing to worry about, as organizations are assumed to be ethical. While there are growing levels of distrust across the community, taking proper security measures is critical in slowing the decay.
This criticality of the context is not the data issue, but the way data was used. Cambridge used the data records of 50 Million Americans to have a premeditated psychological influence by false Facebook ‘advertising.’ Posts were targeted at potential voters precisely targeting their vulnerabilities.
A data breach is when someone who is not authorized to handle specific information obtains access to that information. It’s a non-trivial failure of the security measures a responsible company or reasonable individuals would have in place. It implies wrongdoing, it implies malice, it implies a victim/attacker relationship.
But when data is harvested and used with the unknowing opt-in of thousands of people, that’s not a breach. There are no hackers here; just people who knew how to use freely-given personal data to manipulate not very technically astute people to some political end.
Data breaches are being revealed for years now. Interestingly, no one hacked into Facebook’s servers exploiting a bug, like hackers stole the personal data of more than 140 million people from Equifax. No one tricked Facebook users into giving away their passwords and then stole their data, like Russian hackers broke into the email accounts through phishing emails.
Facebooks has become a massive data collection machine with 2.2 billion active users, but almost having no guardrails on how they are used. Facebook allowed a third-party to implement an application for the sole purpose of gathering user’s data. Furthermore, Facebook is aware about this issue for more than two years, and only now they acknowledging their mistakes once it has been made public.
The Facebook story rang a similar tune to a story from September about Tinder harvesting user data as well. Judith Duportail requested Tinder to send all of the personal data they have stored for her. They sent back 800 pages containing her deepest, darkest secrets, things she didn’t even know she preferred. It is another perfect example of how social media apps will harvest any personal data they can to sell and make a profit.
Big data breaches are unsettling given the power tech titans now exercise. How to rein them in is a huge challenge. A good example is Facebook, that offers its service free, but people then entrust it with every detail of their lives. It’s a myth that users own the data and content they post on Facebook, and control how it’s shared. The reality differs. Facebook will flog the data to enrich itself, which the Cambdrige Analytica case clearly demonstrates.
Road Ahead
In this context, the laws like GDPR may play a good role. The users can request any large service provider in the world (who has any connection with the EU whatsoever which is everyone) to obliterate your data forever and they must oblige. Or you can request your data to be handed to you in a “portable” format that you can take with you.
Beyond GDPR there is more that the consumer needs to take control of. In the case of Facebook, this is limiting what 3rd party apps have access to. And this can be confusing with apps constantly “complaining” that they will not work properly without access to body sensors, contacts or the camera. And the user needs to ultimately start with a point of zero-trust—turn off all access—and then test for themselves how the app behaves and then gradually turn on permissions as needed.
It is not in reality but hitting the easy button will have consequences of the “analytica” kind. And then we will act outraged when it happens.
We are in a journey where the privacy boundaries are going to be constantly tested. Expecting the platform vendors to suddenly start doing the “morally” right thing is too naïve. Consumers need to be savvier and assume extreme ownership of their own data. GDPR provides the framework, it is our duty to exercise it.
Stay safe, secure and do due diligence before making your personal data public through social media.