By: David Herron; Date: March 20, 2018
Last weekend it was revealed that Cambridge Analytica and the SCL Group schemed to ..er.. steal may be the correct word .. data from tens or hundreds of millions of Facebook users. Funded by the Mercer Family for manipulating the public to a hard-line-right-wing political agenda, Cambridge Analytica's efforts were used for manipulating the 2016 US Elections, and the company may be at work manipulating other elections. The technology used by the company involves collecting vast amounts of user preference data into a big database, then applying modern Big Data and Machine Learning algorithms to work out how to target personalized advertising directly at individual Facebook users. It's one thing to use this to sell more soap or tobacco; it's yet another thing when the aim is electing political leaders.
Facebook now has a huge target painted on its chest, with politicians and others aiming anger and regulatory oversight at Facebook.
The issue here for Techsparx readers is a big warning -- when we play those silly games on social media networks, pay close attention to the access being requested. What Cambridge Analytica did is create viral games that then collected data from not only the Facebook profile of the person who played the game, but all their friends, and all their likes, and postings, and everything else.
Some details are in our previous reporting: Cambridge Analytica illegally kept a massive trove of user data from Facebook, worked with Russians
Bottom line is that a data science nerd and political activist -- Christopher Wylie -- found himself at Cambridge University working on a PhD in targeting "fashion trend forecasting". He'd also worked for the Lib Dems party in Great Britain on a "targeting platform" to use in their political efforts.
Wylie developed the idea of harvesting Facebook user profile data to gather data about personal preferences. With that personal preference data they're able to identify -- for example -- triggers: you can send person A messages about immigration, and person B messages about marijuana, and each is likely to respond to those messages and not other messages.
The technique used involved luring folks to play games. In the process, the folks were sent through an OAuth authentication, during which they were presented with a screen describing the level of access requested to their Facebook user profile data. Lots of companies use these techniques -- in the case of Cambridge Analytica, they used the collected data to drive targeting of political messages where other companies instead target advertising messages. To compound matters, Cambridge Analytica broke Facebook's rules for collecting and exchanging data with other companies.
That is - Cambridge Analytica hired others to do the data collection, and those others then sold the collected data to Cambridge Analytica. That's against Facebook's rules.
The bigger question is whether it's appropriate for Facebook to be providing such data to 3rd parties.
THAT is what I think is the backlash against Facebook. The situation is being described as a data leak from Facebook.
Yes, it's a case where a large amount of data was collected from Facebook. But it did not involve breaking into Facebook's systems for unauthorized access. In this case, Facebook authorized the access, and the data was retrieved from Facebook's normal APIs.
The question we need to be asking is --- What appropriate protections must Facebook follow with the data it collects from us?
A constraint on this question is that Facebook does not charge us a fee to use their service. Somehow Facebook must pay for its business. And it does so by offering an advertising service with incredibly detailed user marketing. Anyone who has placed advertising on Facebook knows the level of granular detail that is available.
The detailed demographic targeting available on Facebook comes from Facebook having a large staff of data scientists and artificial intelligence experts who are analyzing what we do on the Facebook platform.
As the adage goes --- If you don't pay for the service then YOU are the product.
That is, Facebook offers us a free service, and then sells our information to the highest bidder.
Facebook’s Role in Data Misuse Sets Off Storms on Two Continents
Politicians in the USA and Great Britain are calling for greater scrutiny of Facebook, and for Facebook CEO Mark Zuckerberg to appear before Congress.
Facebook’s rules for accessing user data lured more than just Cambridge Analytica
Lots of companies are accessing Facebook's data on us all. They're using that data for a variety of purposes.
FTC opens investigation into Facebook after Cambridge Analytica scrapes millions of users’ personal information
In November 2011, Facebook and the Federal Trade Commission (FTC) ended an investigation into whether Facebook deceived users about the privacy protections they are afforded on the site. To end that investigation, Facebook agreed to some terms. The FTC press release below shows a concern about whether Facebook adequately informs its users, and whether Facebook's actual practices matched what it told the users.
Cambridge Analytica: Facebook 'being investigated by FTC'
Various investigations into Facebook in both USA and Great Britain
#DeleteFacebook trends in response to Cambridge Analytica
A part of the backlash against Facebook is a user revolt.
Cambridge University asks Facebook for evidence about role of academic
A Moldovan/Russian academic at Cambridge Univ played a key role in gathering data from Facebook.
Facebook settlement with the Federal Trade Commission
Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises
November 29, 2011
The social networking service Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established.
The FTC's eight-count complaint against Facebook is part of the agency's ongoing effort to make sure companies live up to the privacy promises they make to American consumers. It charges that the claims that Facebook made were unfair and deceptive, and violated federal law.
"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said Jon Leibowitz, Chairman of the FTC. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."
The FTC complaint lists a number of instances in which Facebook allegedly made promises that it did not keep:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
The proposed settlement bars Facebook from making any further deceptive privacy claims, requires that the company get consumers' approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.
Specifically, under the proposed settlement, Facebook is:
- barred from making misrepresentations about the privacy or security of consumers' personal information;
- required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.
Facebook's privacy practices were the subject of complaints filed with the FTC by the Electronic Privacy Information Center and a coalition of consumer groups.
The Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 4-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through December 30, 2011 after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments online or in paper form by following the instructions in the "Invitation To Comment" part of the "Supplementary Information" section. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
NOTE: The Commission issues an administrative complaint when it has "reason to believe" that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the respondent has actually violated the law. A consent agreement is for settlement purposes only and does not constitute an admission by the respondent that the law has been violated. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC's online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC's website provides free information on a variety of consumer topics. Like the FTC on Facebook and follow us on Twitter.