27 March 2018

The Facebook breach makes it clear: data must be regulated

Roger McNamee and Sandy Parakilas

‘The big data companies are opaque to consumers and regulators alike, so few people understand the risks and companies can often hide data breaches for a long time.’ The Observer reported on Saturday that Cambridge Analytica acquired 50m Facebook profiles from a researcher in 2014. This appears to have been among the most consequential data breaches in history, with an impact that may rival the breach of financial records from Equifax. There are many problematic aspects to this. It appears the information was harvested by a researcher who collected data not only on the 270,000 or so users who Facebook said took his survey but also on their friends, who knew nothing about the survey, and then passed it to Cambridge Analytica in violation of Facebook’s terms of service. There are questions now over whether the data was destroyed.

Facebook waited more than two years before revealing what the Observer described as “unprecedented data harvesting”.

Facebook did not notify the affected users, as may be required by its 2011 consent decree with the Federal Trade Commission (FTC).

Cambridge Analytica appears to have used the profiles to develop techniques for influencing voters.

The company has denied wrongdoing, saying “no data from [the researcher] was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign”. But there are questions over whether the Trump campaign appears nonetheless to have gained an advantage in the election from the data.

The Observer report contradicts Cambridge Analytica’s chief executive, who said the company did not have Facebook data. Facebook waited more than two years after they discovered the breach before suspending Cambridge Analytica from its platform. The New York Times reported that at least some of the data is still available on the internet.

Cambridge Analytica has denied inappropriate use of Facebook user profiles, but a former employee who is now a whistleblower has emphatically contradicted that claim.

Facebook now has 2.1bn active users, 1.4bn of whom use the site every day. As a social networking platform, it enables people to share ideas, photos and life events with friends, which collectively gives Facebook the highest-resolution image of every user of any media company, with an emphasis on emotions.

For advertisers, Facebook is exceptional for its ability to target more than half of all the people in every developed market and the power it gives to advertisers. On Facebook, advertisers can buy the equivalent of the Super Bowl audience – or any other audience – any day of the year.

Five years ago, researchers hypothesized that Facebook algorithms could be used to predict things like product and political preferences from just a handful of “likes”. Those researchers were concerned about the privacy implications, in part because the default Facebook setting for likes was “public”.

Cambridge Analytica thought it could transform US politics by exploiting that insight.

It was not just the user's profile data that was harvested, but also that of their friends, none of whom were notified 

With the 2016 election cycle fast approaching, Cambridge Analytica did not have time to create its own custom profiles. So it went to researcher Aleksandr Kogan, who created a Facebook app that paid users to take a personality test.

There were problems with this arrangement. First, Kogan did not have permission from Facebook to use the data he gathered for commercial purposes, which best characterizes his Cambridge Analytica relationship. Second, the app not only harvested user profile data – which could be compared with the results of the personality test – but also the user profile data of each test taker’s friends, none of whom were notified.

Was any of this illegal? Facebook may be liable for a data breach, which may create legal problems under state law. The attorney general of Massachusetts has announced an investigation. Cambridge Analytica may face charges that it broke US election laws by employing people who were neither US citizens nor green card holders on a US presidential election campaign. Both may be subject to action by the FTC. Or perhaps not.

We live in a world of big data, where companies get rich off our personal information with few constraints and almost no supervision. Companies offer us free applications that are convenient, useful and fun in exchange for perpetual rights to the data they can harvest from our actions online (and sometimes offline).

The big data companies are opaque to consumers and regulators alike, so few people understand the risks and companies can often hide data breaches for a long time. US law provides very little privacy protection, leaving consumers with little or no recourse when they are harmed.

It is past time that the US recognize that data is too important to be unregulated. Equifax has yet to face significant consequences, despite losing control of the financial data of most adult Americans. Is that appropriate? Will Facebook face consequences for the data it lost to Cambridge Analytica? Will Cambridge Analytica or the Trump campaign be held to account?

No comments: