Mark Zuckerberg's Facebook platform is reeling this week as news broke of data harvesting by firm Cambridge Analytica (CA). The user data of over 50 million American citizens was collected by CA, who worked with Donald Trump's election campaign in 2016.
How did they do it?
Facebook users who filled out a quiz through a third-party app on Facebook, CA researchers were able to build intricate psychometric profiles based on the user's 'likes' and interests. By consenting to have a third party app access their profile, friends and likes - these researchers were able to glean information from the profiles of the user's friends.
This method was a replication used by psychology (psychometric) researchers at Cambridge University. It is thought CA replicated this research method themselves, even with 'likes' being made private by Facebook 2012.
How was this able to happen?
CA was only capable of soliciting this data thanks to a loophole in Facebook's API which enables third-party developers to collect data not only from users of their apps, but from all of the people in those users’ friends network on Facebook. This access came with the stipulation that such data couldn’t be marketed or sold — a rule CA promptly violated. (Source: Vox.com)
How was the information used?
This information was used to build user profiles, and fed in to the targeting propaganda in the lead up to the USA election. Furthermore, this information was used and shared by CA's parent company Strategic Communication Laboratories (SCL).
The result of this data would produce sponsored (pro-Trump) Facebook posts which were only visible to users with certain profiles. A known example of this is a video targeted at African-Americans where Hillary Clinton referred to black men as predators. This is just one of 175, 000 ad variants that Trump's team tested.
What are the issues here?
- That CA / SCL violated Facebook's Terms and Conditions through their research / information sourcing activities.
- The data collected was transferred and shared without express consent.
- could the sharing of information (if leaked) be reasonably perceived to cause harm to the individual
- Facebook was aware of, and did not inform the affected individuals of these activities.
Has a data breach occurred?
Based on the information available, a data breach of some description has occured. Several factors contribute to this - although users gave consent for the Facebook app to access their personal profile data for the purposes of the 'quiz' / app function, CA used this data for marketing purposes. This violated Facebook's Terms and Conditions and several major pieces of international privacy legislation. Although data was not breached in a traditional sense, there has been significant issues and misuses of personal, private data without permission by CA.
The Australian Notifiable Data Breach laws and the European General Data Protection Regulations deal with eligible / personal data breaches. Some of criteria to determine whether a breach has occurred would be:
- Has there been an unauthorised access or disclosure of personal information?
- Could the disclosure of this personal information (reasonably or forseeably) cause serious (physical, economic, or psychological) harm to the people affected?
- Were the individuals affected aware their personal data was being collected?
- Was this information sourced and disclosed to third parties consentually?
Based on the available If this incident had occured in Australia, would have breached at least 5 of the Australian Privacy Principles (APPs) under the Australian Privacy Act 1988 (Cth); which relate to:
- The collection of solicited (APP 3) and unsolicited (APP 4) personal information
- The notification of the collection of information (APP 5)
- Use of disclosure of personal information (APP 6)
- (Disclosure of information for) direct marketing (APP 7)
- The security of personal information (APP 11)
- Access to personal information (APP 12)
Penalty: starting at $350 000 AUD, up to $2 100 000
Furthermore, from this activity violates up to 7 (similar) articles of the forthcoming *GDPR:
- Notification of the collection of personal data (Article 13)
- Right of access by the data subject (Article 15)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- The right to object (Article 21)
- The general principle for transfers (Article 44)
- Transfers subject to appropriate safeguards (Article 46)
Penalty: €20 000 000 or 4% of annual turnover, whichever is higher
*due to be enforced from May 2018
Why is Facebook in trouble?
Facebook could face harsh legal penalties for having knowledge of this incident and not reporting it to the proper authority. However the breach of trust has reached far enough to have users condemn and/or abandon the billion dollar platform. The perceived lack of consideration for its users was shown in it's inability (the intention is undetermined) to report this unauthorised access and use of personal data for private political purposes. This issue will raise some heavy questions regarding online data security and ethical sourcing of data on social media for all businesses.
Probax recommends approaching your local governing authority to find out how the Notifiable Data Breach Act or General Data Protection Laws apply specifically to your business.