Facebook data: how far has it leaked?
The Cambridge Analytica affair may be Facebook’s biggest data scandal yet, but it won’t be the last. Stewart Mitchell investigates
The Facebook data scandal could be the tip of the iceberg, according to privacy experts, who warn that the social network’s willingness to hand over users’ data will result in further leaks.
In an investigation led by news organisations, researchers discovered that psychoanalytical influencer Cambridge Analytica had gained access to huge swathes of Facebook users’ data, which was originally collected by a personality testing app on the social network.
That information was sold to Cambridge Analytica, who allegedly used it to target voters who might be sympathetic to Donald Trump.
According to experts, the fact that Facebook allows app developers to access so much data makes scandals inevitable. “What Cambridge Analytica is doing is just what you can do with this kind of a system and what you can do with Facebook’s way of collecting, generating and providing data,” said Paul Bernal, a lecturer at the University of East Anglia’s School of Law.
Developers and partners can gain access to user data through their apps or the “Log in with Facebook” tool, with the system relying on them to act responsibly and not pass on data. “If we think that Cambridge Analytica is the only company that has realised this, I think we’re probably pipedreaming,” said Bernal. “I think there is almost certainly a whole lot more going on and this story might inspire copycats. I suspect there will be more things leaked and the potential for the future is much bigger.”
Ask and you shall receive
At the heart of the problem is the way Facebook shares data with partners and developers through its API.
Partners can garner basic data through the Facebook login process or can request more data permissions through their own apps, whether they’re games, personality tests or quizzes that seek personal data in exchange for participation.
Depending on user settings and permissions, developers can access swathes of data, and Facebook is effectively relying on third-party partners to use it responsibly.
“Don’t sell, license or purchase any data obtained from us or our services,” the company states in its terms and conditions. “Don’t transfer any data that you receive from us (including anonymous, aggregate, or derived data) to any ad network, data broker.”
Facebook says it has changed its policies since the data was harvested, but experts question the impact of those changes and believe that app developers are allowed to play fast and loose with collected data.
“An app developer makes an account and uses the APIs as they see fit, ignoring the pages of terms and conditions that somewhere say ‘please don’t be naughty’,” said Fennel Aurora, a consultant with F-Secure. “They continue doing this for as long as it takes for someone outside the company to notice and make a big enough fuss that they are cut off.
“Cambridge Analytica has been in the news since before Brexit for clearly unethical behaviour using Facebook data, yet faced no consequences until this blew up. Meanwhile, it still has that data and the machine learning algorithms trained on that data, which it can then use in a ‘new’ company with a new account and a new app.”
Facebook declined to answer our questions on what changes had been made to the data third parties collect.
Not a data breach
Facebook explained that Cambridge Analytica had gained access to the information in a way that breached its terms, not its systems. “This was unequivocally not a data breach,” it said in a statement. “People chose to share their data with third party apps and if those third party apps did not follow the data agreements with us/users it is a violation. No systems were infiltrated.”
The data came to Cambridge Analytica via Aleksandr Kogan, a psychology professor at the University of Cambridge who collected data on 270,000 people who had logged into his app through the Facebook API. Because of the way data sharing was set up, Kogan gained access to details of those 270,000 users’ friends – bringing the total number of accounts harvested to 50 million.
According to privacy experts, the environment that allows mass data slurping is unlikely to change while the industry remains lucrative. Only stricter rules and enforcement might stop the rot. “Unfortunately there seems to be very little appetite, either in these companies or in governments, to change this situation,” said Aurora.
“There is some glimmer of hope with the EU’s GDPR going into effect in May, because there are potential serious fines that could be applied to Facebook and others. Until there are severe financial penalties for allowing abuse of their platforms, enforcement efforts will probably continue to look like window dressing.
“It is baked into the business model of gathering the maximum of data about the maximum of people and selling targeted use of that data to the maximum people. And that business model is far too profitable to stop.”
Political pressure
The case has sparked fresh calls for Facebook to be more transparent, with officials accusing the company of misleading MPs about what data it shares and under what circumstances.
The chairman of a committee looking into the company’s role in fake news demanded answers as these latest reports contradicted Facebook’s earlier statements about data use. “Data has been taken from Facebook users without their consent, and was then processed by a third party and used to support their campaigns,” said Damian Collins, chair of the Digital, Culture, Media and Sport Committee. “Facebook knew about this, and the involvement of Cambridge Analytica with it, and deliberately avoided answering straight questions from the Committee about it.”
Research from Mozilla also shows that Facebook isn’t alone: mobile apps, web advertisers and Twitter also amass personal details that could be used to influence users.