As Americans continue to grapple with the unprecedented events of the 2016 election, Facebook and social media have, once again, become a focus of attention. On Saturday, both the New York Times and the Observer reported that Cambridge Analytica, a data analysis firm, had acquired and exploited data from more than 50 million Facebook users to target voters for Trump’s campaign. The Massachusetts attorney general’s office and the UK’s Information Commission have both announced plans to investigate, according to Reuters. Initial reports suggest that the data breach was among the largest in Facebook’s history.
However, Facebook is adamantly refusing to acknowledge that the data collection constitutes a “breach,” a term that comes with legal baggage and liability. But this assertion only supports a broader point made by former National Security Council director Joshua A. Geltzer, writing for Wired, a week before the Cambridge Analytica revelations. Referring in particular to Russian manipulation, ISIS recruiting, and Airbnb racism, Geltzer argues that such malevolent use of social media is not, in fact, an anomaly or “manipulation” of these platforms, as some have said. Instead, he writes, it represents “bad actors” using platforms for exactly what they were designed to do. Social media is the perfect tool for those interested in collecting personal data and influencing people, whether it’s advertisers, Russian manipulators, or Trump’s 2016 campaign. Facebook’s assertion serves only to emphasize that this view can also be applied to Cambridge Analytica’s data collection.
According to the Observer, Cambridge Analytica had harvested the data without permission in early 2014, as part of an effort to create software that could predict and influence voting patterns. Some of the revelations came from whistleblower Christopher Wylie, one of the firm’s founders, who also worked to acquire the data.
According to Wylie:
“We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis that the entire company was built on.”
Through an app called thisisyourdigitallife, the firm paid hundreds of thousands of users to take a personality test and allow their data to be collected for “academic” work. But more disturbingly, the app gathered information from each user’s Facebook friends as well.
Before long, the surveys had collected data from tens of millions of Facebook users this way. Trump’s campaign hired Cambridge Analytica in June of 2016, paying them more than $6.2 million. Trump campaign officials have said their voter data came from the Republican National Committee and other Republican organizations, rather than from Cambridge Analytica. Trump’s 2020 reelection campaign manager, Brad Parscale, said the firm played a minor role in the 2016 campaign.
However, in a hidden camera exposé by Britain’s Channel 4, Cambridge Analytica CEO Alexander Nix and two other executives from the company were recorded bragging about their pivotal role in the 2016 campaign. Nix said to an undercover reporter, who posed as a political consultant:
“We did all the research, all the data, all the analytics, all the targeting, we ran all the digital campaign, the television campaign and our data informed all the strategy,” adding that he had met Donald Trump “many times.”
“We just put information into the bloodstream of the Internet and then watch it grow, give it a little push every now and again over time to watch it take shape. And so this stuff infiltrates the online community, but with no branding, so it’s unattributable, untrackable.”
Facebook suspended Cambridge Analytica and its parent company when the news broke. However, crucially, Facebook said the app developer had acquired the data “in a legitimate way and through the proper channels that governed all developers on Facebook at that time.” According to their statement, the only wrongdoing was passing the information to a third party – Wylie and Cambridge Analytica. Facebook said the app itself was suspended in 2015, and that they had demanded the developer verify that the data had been destroyed.
Despite news reports referring to the incident as one of the largest social media data breaches ever, Facebook is arguing that this is a “completely false” characterization, emphasizing that “people knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”
Yet much of the data was taken from the friends of the app’s users, who were totally unaware that their data was being collected. Users were not notified at any point, as Facebook’s 2011 agreement with the Federal Trade Commission (FTC) requires in the event of a breach. This is likely why Facebook is being so careful to argue that the incident does not represent a “data breach.”
It’s still unclear how much of this incident represents illegal activity. Massachusetts is looking into whether Facebook is accountable for a data breach under state law, and Cambridge Analytica may be liable for breaking presidential election laws prohibiting individuals who were neither US citizens nor green card holders.
Yet, with the #DeleteFacebook hashtag spreading on Twitter, it’s clear that the breach constitutes a violation of privacy for many users, regardless of its legality. Hopefully, this will point Americans toward a long overdue public conversation on the need for regulation of big data on social media, and the way it is collected and shared. As it stands now, privacy protections under US law are quite limited. Regulation surrounding this kind of activity is minimal. Despite the uproar over the Equifax breach, the company has, so far, seen few repercussions for a breach that affected the financial data of nearly 150 million people.
In response to the scandal, Facebook has already changed its terms of service to prevent app developers from harvesting data from friends of users. This is a commendable move. But relying on industries to self-regulate how this data is handled has already led to incidents such as this one, and many others before it. As it stands, as long as companies disclose what they plan to collect in their privacy policies, they are largely free to do as they please. Yet these policies are invariably very long and filled with legal jargon; if any consumers regularly read them, they are certainly very few. Such a system has made a mockery of the entire notion of informed consent. Even if one company, such as Facebook, takes a more progressive approach to protecting data, what about other platforms?
In Europe, the General Data Protection Regulation (GDPR) will soon become law in every EU nation. Companies that want to gather consumer data will need to acquire consent for each individual data collection practice. Users will have the right to find out what data companies have collected from them. In the event of a data breach, companies will need to inform consumers within 72 hours.
Similar laws would be a great starting point for the US. Practices like those used by Cambridge Analytica should be prohibited entirely. Companies should not be allowed to hold on to data indefinitely, and some data should be protected entirely. So far, political support for such legislation has been scarce in the US. But perhaps a scandal such as the current Cambridge Analytica controversy could tip the scales in favor of such protections.