Facebook Update: 87 Million Affected By Its Data Breach With Cambridge Analytica. Considerations For All Consumers
Wednesday, April 04, 2018
Facebook.com has dominated the news during the past three weeks. The news media have reported about many issues, but there are more -- whether or not you use Facebook. Things began about mid-March, when Bloomberg reported:
"Yes, Cambridge Analytica... violated rules when it obtained information from some 50 million Facebook profiles... the data came from someone who didn’t hack the system: a professor who originally told Facebook he wanted it for academic purposes. He set up a personality quiz using tools that let people log in with their Facebook accounts, then asked them to sign over access to their friend lists and likes before using the app. The 270,000 users of that app and their friend networks opened up private data on 50 million people... All of that was allowed under Facebook’s rules, until the professor handed the information off to a third party... "
So, an authorized user shared members' sensitive information with unauthorized users. Facebook confirmed these details on March 16:
"We are suspending Strategic Communication Laboratories (SCL), including their political data analytics firm, Cambridge Analytica (CA), from Facebook... In 2015, we learned that a psychology professor at the University of Cambridge named Dr. Aleksandr Kogan lied to us and violated our Platform Policies by passing data from an app that was using Facebook Login to SCL/CA, a firm that does political, government and military work around the globe. He also passed that data to Christopher Wylie of Eunoia Technologies, Inc.
Like all app developers, Kogan requested and gained access to information from people after they chose to download his app. His app, “thisisyourdigitallife,” offered a personality prediction, and billed itself on Facebook as “a research app used by psychologists.” Approximately 270,000 people downloaded the app. In so doing, they gave their consent for Kogan to access information such as the city they set on their profile, or content they had liked... When we learned of this violation in 2015, we removed his app from Facebook and demanded certifications from Kogan and all parties he had given data to that the information had been destroyed. CA, Kogan and Wylie all certified to us that they destroyed the data... Several days ago, we received reports that, contrary to the certifications we were given, not all data was deleted..."
So, data that should have been deleted wasn't. Then, Facebook relied upon certifications from entities that had lied previously. Not good. Then, Facebook posted this addendum on March 17:
"The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked."
Why the rush to deny a breach? It seems wise to complete a thorough investigation before making such a claim. In the 11+ years I've written this blog, whenever unauthorized persons access data they shouldn't have, it's a breach. You can read about plenty of similar incidents where credit reporting agencies sold sensitive consumer data to ID-theft services and/or data brokers, who then re-sold that information to criminals and fraudsters. Seems like a breach to me.
Facebook announced on March 19th that it had hired a digital forensics firm:
"... Stroz Friedberg, to conduct a comprehensive audit of Cambridge Analytica (CA). CA has agreed to comply and afford the firm complete access to their servers and systems. We have approached the other parties involved — Christopher Wylie and Aleksandr Kogan — and asked them to submit to an audit as well. Mr. Kogan has given his verbal agreement to do so. Mr. Wylie thus far has declined. This is part of a comprehensive internal and external review that we are conducting to determine the accuracy of the claims that the Facebook data in question still exists... Independent forensic auditors from Stroz Friedberg were on site at CA’s London office this evening. At the request of the UK Information Commissioner’s Office, which has announced it is pursuing a warrant to conduct its own on-site investigation, the Stroz Friedberg auditors stood down."
That's a good start. An audit would determine or not data which perpetrators said was destroyed, actually had been destroyed. However, Facebook seems to have built a leaky system which allows data harvesting:
"Hundreds of millions of Facebook users are likely to have had their private information harvested by companies that exploited the same terms as the firm that collected data and passed it on to CA, according to a new whistleblower. Sandy Parakilas, the platform operations manager at Facebook responsible for policing data breaches by third-party software developers between 2011 and 2012, told the Guardian he warned senior executives at the company that its lax approach to data protection risked a major breach..."
Reportedly, Parakilas added that Facebook, "did not use its enforcement mechanisms, including audits of external developers, to ensure data was not being misused." Not good. The incident makes one wonder what other developers, corporate, and academic users have violated Facebook's rules: shared sensitive Facebook members' data they shouldn't have.
Facebook announced on March 21st that it will, 1) investigate all apps that had access to large amounts of information and conduct full audits of any apps with suspicious activity; 2) inform users affected by apps that have misused their data; 3) disable an app's access to a member's information if that member hasn't used the app within the last three months; 4) change Login to "reduce the data that an app can request without app review to include only name, profile photo and email address;" 5) encourage members to manage the apps they use; and reward users who find vulnerabilities.
Those actions seem good, but too little too late. Facebook needs to do more... perhaps, revise its Terms Of Use to include large fines for violators of its data security rules. Meanwhile, there has been plenty of news about CA. The Guardian UK reported on March 19:
"The company at the centre of the Facebook data breach boasted of using honey traps, fake news campaigns and operations with ex-spies to swing election campaigns around the world, a new investigation reveals. Executives from Cambridge Analytica spoke to undercover reporters from Channel 4 News about the dark arts used by the company to help clients, which included entrapping rival candidates in fake bribery stings and hiring prostitutes to seduce them."
Geez. After these news reports surfaced, CA's board suspended Alexander Nix, its CEO, pending an internal investigation. So, besides Facebook's failure to secure sensitive members' information, another key issue seems to be the misuse of social media data by a company that openly brags about unethical, and perhaps illegal, behavior.
What else might be happening? The Intercept explained on March 30th that CA:
"... has marketed itself as classifying voters using five personality traits known as OCEAN — Openness, Conscientiousness, Extroversion, Agreeableness, and Neuroticism — the same model used by University of Cambridge researchers for in-house, non-commercial research. The question of whether OCEAN made a difference in the presidential election remains unanswered. Some have argued that big data analytics is a magic bullet for drilling into the psychology of individual voters; others are more skeptical. The predictive power of Facebook likes is not in dispute. A 2013 study by three of Kogan’s former colleagues at the University of Cambridge showed that likes alone could predict race with 95 percent accuracy and political party with 85 percent accuracy. Less clear is their power as a tool for targeted persuasion; CA has claimed that OCEAN scores can be used to drive voter and consumer behavior through “microtargeting,” meaning narrowly tailored messages..."
So, while experts disagree about the effectiveness of data analytics with political campaigns, it seems wise to assume that the practice will continue with improvements. Data analytics fueled by social media input means political campaigns can bypass traditional news media outlets to distribute information and disinformation. That highlights the need for Facebook (and other social media) to improve their data security and compliance audits.
While the UK Information Commissioner's Office aggressively investigates CA, things seem to move at a much slower pace in the USA. TechCrunch reported on April 4th:
"... Facebook’s founder Mark Zuckerberg believes North America users of his platform deserve a lower data protection standard than people everywhere else in the world. In a phone interview with Reuters yesterday Mark Zuckerberg declined to commit to universally implementing changes to the platform that are necessary to comply with the European Union’s incoming General Data Protection Regulation (GDPR). Rather, he said the company was working on a version of the law that would bring some European privacy guarantees worldwide — declining to specify to the reporter which parts of the law would not extend worldwide... Facebook’s leadership has previously implied the product changes it’s making to comply with GDPR’s incoming data protection standard would be extended globally..."
Do users in the USA want weaker data protections than users in other countries? I think not. I don't. Read for yourself the April 4th announcement by Facebook about changes to its terms of service and data policy. It didn't mention specific countries or regions; who gets what and where. Not good.
Mark Zuckerberg apologized and defended his company in a March 21st post:
"I want to share an update on the Cambridge Analytica situation -- including the steps we've already taken and our next steps to address this important issue. We have a responsibility to protect your data, and if we can't then we don't deserve to serve you. I've been working to understand exactly what happened and how to make sure this doesn't happen again. The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there's more to do, and we need to step up and do it... This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that... at the end of the day I'm responsible for what happens on our platform. I'm serious about doing what it takes to protect our community. While this specific issue involving Cambridge Analytica should no longer happen with new apps today, that doesn't change what happened in the past. We will learn from this experience to secure our platform further and make our community safer for everyone going forward."
Nice sounding words, but actions speak louder. Wired magazine said:
"Zuckerberg didn't mention in his Facebook post why it took him five days to respond to the scandal... The groundswell of outrage and attention following these revelations has been greater than anything Facebook predicted—or has experienced in its long history of data privacy scandals. By Monday, its stock price nosedived. On Tuesday, Facebook shareholders filed a lawsuit against the company in San Francisco, alleging that Facebook made "materially false and misleading statements" that led to significant losses this week. Meanwhile, in Washington, a bipartisan group of senators called on Zuckerberg to testify before the Senate Judiciary Committee. And the Federal Trade Commission also opened an investigation into whether Facebook had violated a 2011 consent decree, which required the company to notify users when their data was obtained by unauthorized sources."
Frankly, Zuckerberg has lost credibility with me. Why? Facebook's history suggests it can't (or won't) protect users' data it collects. Some of its privacy snafus: settlement of a lawsuit resulting from alleged privacy abuses by its Beacon advertising program, changed members' ad settings without notice nor consent, an advertising platform which allegedly facilitates abuses of older workers, health and privacy concerns about a new service for children ages 6 to 13, transparency concerns about political ads, and new lawsuits about the company's advertising platform. Plus, Zuckerberg made promises in January to clean up the service's advertising. Now, we have yet another apology.
In a press release this afternoon, Facebook revised upward the number affected by the Facebook/CA breach from 50 to 87 million persons. Most, about 70.6 million, are in the United States. The breakdown by country:
So, what should consumers do?
You have options. If you use Facebook, see these instructions by Consumer Reports to deactivate or delete your account. Some people I know simply stopped using Facebook, but left their accounts active. That doesn't seem wise. A better approach is to adjust the privacy settings on your Facebook account to get as much privacy and protections as possible.
Facebook has a new tool for members to review and disable, in bulk, all of the apps with access to their data. Follow these handy step-by-step instructions by Mashable. And, users should also disable the Facebook API platform for their account. If you use the Firefox web browser, then install the new Facebook Container new add-on specifically designed to prevent Facebook from tracking you. Don't use Firefox? You might try the Privacy Badger add-on instead. I've used it happily for years.
Of course, you should submit feedback directly to Facebook demanding that it extend GDPR privacy protections to your country, too. And, wise online users always read the terms and conditions of all Facebook quizzes before taking them.
Don't use Facebook? There are considerations for you, too; especially if you use a different social networking site (or app). Reportedly, Mark Zuckerberg, the CEO of Facebook, will testify before the U.S. Congress on April 11th. His upcoming testimony will be worth monitoring for everyone. Why? The outcome may prod Congress to act by passing new laws giving consumers in the USA data security and privacy protections equal to what's available in the United Kingdom. And, there may be demands for Cambridge Analytica executives to testify before Congress, too.
Or, consumers may demand stronger, faster action by the U.S. Federal Trade Commission (FTC), which announced on March 26th:
"The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers. Foremost among these tools is enforcement action against companies that fail to honor their privacy promises, including to comply with Privacy Shield, or that engage in unfair acts that cause substantial injury to consumers in violation of the FTC Act. Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices."
An "open non-public investigation?" Either the investigation is public, or it isn't. Hopefully, an attorney will explain. And, that announcement read like weak tea. I expect more. Much more.
USA citizens may want stronger data security laws, especially if Facebook's solutions are less than satisfactory, it refuses to provide protections equal to those in the United Kingdom, or if it backtracks later on its promises. Thoughts? Comments?
An interesting read which I recommend:
Facebook Is Not The Problem. Lax Privacy Rules Are
https://mobile.nytimes.com/2018/04/01/opinion/facebook-lax-privacy-rules.html
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Wednesday, April 04, 2018 at 06:41 PM
I’ve a few things to say. First, this statement is either outright false or misleading:
"The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, . . .”
The users of Facebook beyond the initial 270,000 did not, as a matter of meaningful and informed consent, give their consent to share their information with either Professor Kogan, Mr. Wylie, or Cambridge Analytica (CA). What, in fact, happened is that because of the way that Facebook worked, those initial 270,000 users had the power to allow Wylie, CA, and Kogan to collect the personal data of those among their friends and then more data from those friends of friends and so on. Whether or not Facebook’s terms of service and its incorporated privacy agreement (Terms of Service) purports to give users the power to expose their friends’ information or not, that is not meaningful the consent of those friends, who did not consent to use Kogan’s app, to share their information with Kogan, CA, Wylie or anyone else. So the legal question is whether Facebook’s Terms of Service even expressly purport to permit one of its user (User A) to expose the information of another of its users (User B) to any third party without User B’s consent. And if Facebook’s Terms of Service do purport to permit User A to do that, can that be deemed to be User B’s consent to have his information so shared with third parties?
Clearly if Facebook’s Terms of Service don’t purport to give User A the authority to share User B’s information, it can’t be said that User B consented to sharing his information with a third party. But even if Facebook’s Terms of Service did purport to give User A the authority to share or expose or disclose User B’s information to third parties, that would probably still fail to be meaningful consent. In the context of a consumer transaction, to hold that User B’s assent to terms that result in an unforeseeable concatenation of events to result in the repercussion of his information being shared with third parties, who Facebook admits violated its own rules, makes a mockery of the concept of informed consent by deeming that a consumer, User B, consented to an unforeseeable event, the sharing of his information with CA and/or Mr. Wiley based on the unforeseen and unknown act of User A, when that act of sharing violated Facebook’s rules and, thus, should never have happened. Therefore, there was no consent to the sharing of Facebook’s users information beyond the initial 270,000 users who arguably consented to use Professor Kogan’s app. That means at least 85 million of Facebook’s users minus circa 270,000 did not consent to sharing their information with CA and/or Mr. Wylie, no matter what Facebook’s Terms of Service provided.
The next error that Facebook is peddling and which it should have the expertise to know is quite likely false is that any audit of Professor Kogan, CA, and/or Mr. Wylie’s computers will reveal much of anything useful. Depending on the level of skill of those erasing either of their computers, all that will be seen is either an address space in memory, which at best will indicate that something was stored their at one time but which won’t give any information on what was stored at that address or what became of it. That is what I think is most likely outcome of the audit.
The other possibility is that there is encrypted data sitting on any of those computers that can’t be broken without destroying the data. But, of course, that would result in the insistence of the U.K. government that those in control of the computers decrypt that information, which is why this outcome is unlikely.
But what this means is that the information of those 85 million Facebook users has been transferred elsewhere well beyond Facebook or any government’s reach, and the computers that the U.K. government is searching will at best show just an empty memory address, assuming that the U.K. will have access to the memory of those computers that was used when the information of those 85 million Facebook users’ was being processed and stored.
And while I haven’t read the New York Time’s report, supra, those who know me know that for at least twenty years, I have argued that the problem isn’t any particular instance of social media, Internet commerce, or any particular use of the Internet but is the business model that misappropriate users’ information in exchange for internet firms’ goods and services and that the law has from the earliest days of the popular Internet failed to recognize that the information which users create as they use the Internet is their property, their copyrighted expression, and should require the users’ license for its collection and use their information, and—given the disparity in bargaining power in favor of Internet firms over consumers and the necessity of many of the goods and services provided on the Internet and/or or the inability to obtain services on terms on the Internet that don’t require consumers’ to waive their rights to privacy and/or their property rights in their information—at least consumers’ transactions on the Internet must be regulated to compensate for that disparity in bargaining power, supra, and to preserve consumers’ right to privacy and their property rights in the information that they create as they use the Internet. Nothing less than that will do to solve this problem that the greed of Silicon Valley and its ilk have visited upon us, which is destroying our dignity, privacy, civility, and our democracy.
Posted by: Chanson de Roland | Wednesday, April 04, 2018 at 11:02 PM
The New York Times posted a video explaining what happened:
https://www.nytimes.com/2018/04/08/us/facebook-users-data-harvested-cambridge-analytica.html
This may help some consumers understand the relationships between various entities involved in this privacy and data security failure: Facebook, researcher Aleksandr Kogan, Qualtrics, and Cambridge Analytica. The accompanying article also describes several Facebook users duped by the quiz.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Monday, April 09, 2018 at 09:33 AM