Lessons learned from The Cambridge Analytica / Facebook scandal

Monday, June 25, 2018


Some time has now passed since the Cambridge Analytica / Facebook scandal was first revealed on March 17, 2018 by The Guardian and the New York Times, and much has been written in the press about it. Since then, Cambridge Analytica has closed its business, Facebook has lost billions in market value, and Mark Zuckerberg was summoned to appear before the US Senate and the European Parliament to answer all kinds of questions about this case and about general privacy aspects of Facebook.
Part of the reason the situation exploded into a scandal is that it might have influenced, in a so-far unknown way, the 2016 American elections and also the Brexit vote. Facebook suspended Canadian data firm AggregateIQ from its platform due to its involvement with Cambridge Analytica. Nobody knows yet whether this scandal will finally be the explosion of the privacy time bomb, with profound impact on the data industry, or whether, some time after the storm, everybody will forget about it and life will go on as before.

Figure 1. The 2016 US Presidential elections were intertwined with Cambridge Analytica

But what exactly happened, and why has it become such a large scandal? And is what happened exceptional? Or are similar things happening all the time, but going unnoticed?

In this post, we will analyse step by step what happened and then compare this to how the Obama campaign used Facebook during his 2012 campaign. We then leave it to the reader to make up his or her mind.

The steps leading to the scandal have been amply described, so we will just summarize them here.

·      In 2013, Cambridge University researcher Aleksandr Kogan and his company Global Science Research created an app that asked users questions to establish their psychological profile. The app also asked permission to access the users’ Facebook information including that of their friends. About 300000 users reportedly agreed to use the app in return for a small economic compensation. Through those 300000 opted-in users, Kogan got access to information of tens of millions of users. Using data science, the 300000 users allowed for establishing a relation between Facebook data and psychological profiles, which was then extrapolated to the tens of millions of users. Those profiles could then be used for “political advertising” or for influencing voting behavior.

·      Kogan reportedly sold the profiles of those tens of millions of users to Cambridge Analytica.

·      Trump’s campaign team hired the services of Cambridge Analytica to launch targeted Facebook ads to influence the voting behaviour for Americans against Clinton and in favour of Trump.

·      In March 2018, whistleblower Christopher Wylie, a former employee of Cambridge Analytica, revealed to The Guardian and the New York Times the activity of Cambridge Analytica and how they got access to the psychological profiles of tens of millions of American citizens, which were then used for the US elections.

Two other events are important in understanding what has happened and what went wrong.

·      In 2014, Facebook changed its API so that the consent of individual users no longer extended to their friends. That is, a user could still give consent for apps to access his or her personal information, but not the information of their friends. However, Facebook did not apply this policy retroactively.

·      In 2015, through a publication in The Guardian, Facebook learned about the Kogan/Cambridge Analytica relationship for political influencing through Senator Ted Cruz’s campaign against Trump in the contest to select the Republican candidate for the 2016 US elections. Based on this publication, Facebook asked Kogan and Cambridge Analytica to delete the data, as it violated their T&Cs. Facebook claimed that both Kogan and Cambridge Analytica certified that the data had been deleted.

Figure 2. Tech stocks, including Facebook's, took a hit after the scandal came to light

What did Facebook do wrong?

In my opinion, Facebook made two mistakes:

1.     The fact that, through their API, they not only gave access, after an opt-in, to a specific user’s information, but also to the information of their friends. It now seems strange that one person can give permission to access the personal Facebook data of 300 other persons, even if those 300 persons are “friends”. In a world where “privacy was no longer a social norm” this may have seemed normal, but now we know it is not. Notice that this phenomenon is something that is coming back in the GDPR with the “right to data portability” as we will see later in this post.

2.     When Facebook learned about the data transfer from Kogan to Cambridge Analytica through The Guardian, and asked both parties to delete all data, they did not sufficiently check whether this had been done. They were satisfied with a letter stating that and did not require more serious measures.

Where was the violation of the law?

The real violation of the law has been in Kogan transferring the data to Cambridge Analytica, and thereby violating the terms and conditions of the Facebook API.

Facebook and Obama’s re-election in 2012

While through this scandal and all the issues around Fake News the use of Facebook for influencing important world events is now questioned, Obama was praised for using Facebook and social media for his re-election campaign in 2012. However, while there are some differences – in the end, Obama didn’t violate the law – there are many commonalities.

People who wanted to contribute to Obama’s re-election were encouraged to organize and/or report all their activities by logging in on the Obama website or using Obama’s campaign App, using Facebook Connect. This would result in the person consenting to inject his or her personal Facebook data (home location, date of birth, interests, network of friends) into a central Obama campaign database, along with all the personal data of their friends. Once stored in the central Obama database, all this data was then combined with other available voting data, so the campaign could send targeted political ads to people who they believed could be mobilised to vote for Obama.

While Obama was transparent in encouraging people to log in to the campaign website, or use the App, with Facebook Connect, it remains to be seen whether the volunteering individuals were aware of what happened to their personal data, let alone to the personal data of their friends.

Obama exploited the same Facebook API as Kogan, which at that time was publicly available to any developer. Neither Obama nor the press anticipated the far-reaching impact this action had on people’s privacy. Another question is whether they should have realized this… The press praised Obama for pioneering a successful digital-first presidential campaign. But, as we have seen, while the data used for Trump’s election was obtained illegally, the data for Obama’s re-election was obtained in a legal way, complying with the T&Cs of Facebook’s API.

Both campaign teams then used the Facebook ad platform to send targeted messages to clusters of voters. But there is also a difference in how Facebook was used. Using all the profiling information, Obama sent political ads on Facebook to clusters of people who the algorithms thought could be mobilised to vote for Obama, and many messages were sent by the supporters themselves. The Trump campaign team distributed targeted stories on Facebook to mobilise potential voters, but also distributed stories to discredit the opponent, Clinton, and sometimes those stories were claimed to be untrue (Fake News).

The table below summarizes the commonalities and differences between the use of Facebook in the Obama and Trump campaign.


| Data | Obama campaign | Trump campaign | Comments |
|---|---|---|---|
| Consent for use in election | Through Obama App, or login on campaign website with Facebook Connect | No consent for this usage, but for scientific research | |
| Access to | Individual & friends’ data | Individual & friends’ data | Both Obama and Trump exploited Facebook’s Open Graph API |
| Usage through Facebook’s Ad platform | Centrally designed political ads and volunteering user messages. | Centrally designed political ads and, reportedly, stories to discredit Clinton | There is debate on whether Cambridge Analytica spread “Fake News” to influence the elections. |


Lessons we should learn from this

As said, some consider that we are living on a privacy time bomb. Could this scandal be the bomb that will change the data industry forever? No one knows yet. On the positive side, this scandal has helped people and societies become more aware of the use of personal data for advertising; even though this particular scandal is related to political advertising, the techniques are similar for general online advertising. The lesson for people is that we must be more careful when granting consent for personal data usage to companies whose services are free: “If You're Not Paying For It, You Become The Product”.

Another lesson we can learn is that people should not be able to give consent for the usage of data of the people they communicate with. Consent should be considered given only if both agree. This is, however, easier said than done. For example, the GDPR gives citizens a new right to “data portability”, where a user can ask any of her or his service providers for a copy of personal data or can ask to transfer (port) that data to another organization. But what happens when third-party users are included in this personal data? A bank transaction always includes an origin and a destination user/organization. Likewise, a telephone communication includes a caller (the user) and a callee (the destination). Is it allowed to port data on/about the “destination”? Or in Facebook, if I port my Facebook data to LinkedIn, should I be allowed to convert my “friends” into “connections”? Or should the destinations (receiver of transaction, callee, friends, etc.) be anonymized? Or asked for consent? The Information Commissioner’s Office of the UK gives some advice, but this is not enough if data portability happens on a massive scale.

