Data Protection: Europe Is Bothered. Are You?

You may have heard of the breach. A researcher created an app that mined the personal data (education, workplace, relationship status) of 270 thousand Facebook users. The users ‘consented’ to sharing their personal information but did not know how the data would be used or that their friends’ data would also be compromised.

The researcher, Aleksandr Kogan, sold this data to Cambridge Analytica, a firm that aims to influence voters by creating psychological profiles of potential voters and preying on their hopes and fears. Ignoring for a moment Cambridge Analytica’s ethically loose and possibly ineffective practice, what else is wrong with this picture?

Facebook’s policy prohibits the sale of user data to third parties

Ideally, an individual’s actions (downloading Kogan’s app) shouldn’t compromise their social network (4+ million users were exposed to the breach without having used Kogan’s app)

The ‘consent’ of the 270 thousand users was fictive because they weren’t explicitly aware of how their data would be used

Who Shall Hang?

Kogan insists that acquiring and selling the data of Facebook users to third parties was common practice. He wonders why users did not read his terms of service, which “clearly stated” that the acquired data could be sold. In the same breath, he reveals that he did not read Facebook’s terms of service (because who does that), which prohibit the sale of user data and thus override Kogan’s terms.

Despite knowing of the Cambridge Analytica mess as early as 2015, Facebook has been lax in taking even minimal responsibility for the breach (this might have looked like ensuring data access by explicit consent alone and enforcing existing policies). 

Founder and CEO Mark Zuckerberg has been reassuring users of their data privacy since 2004. Earlier users recall him singing the same song even as subsequently leaked messages show him offering access to user data. Zuckerberg’s ability to say the right thing in the face of public disapproval, with weak to zero follow-through, means we cannot stake our right to privacy on his word alone.

Regulating Data

If you’ve been receiving seven hundred thousand privacy policy updates from companies you’re subscribed to, thank the EU’s General Data Protection Regulation (GDPR) now or later in May when it goes into effect. The regulation specifies that:

Terms of service (those things no one reads and companies rely on to extract hazy consent) must be plain and clear.

Users can request their data from organizations, and ask that it be erased.

Organizations must design operations with data privacy as a forethought and report unresolved breaches within 72 hours.

Organizations that fail to comply will be fined the greater of 20 million euros or 4 percent of their latest annual revenue. (Facebook would be fined $1.6 billion in case of another breach.)

Defining data protection as a fundamental right and consent as informed, ongoing, and revocable, and backing both with sanctions for non-compliance, is a step in the right direction.

Breaching Institutions

Before we call it a happy ending, let’s circle back to Cambridge Analytica. 

CA is among a handful of ‘image management’ firms (see: Harris Media) that attempt to influence political action, sometimes with misinformation. While all countries are vulnerable to misinformation, those with weaker institutions may see more compromised than just their citizens’ data. In Kenya, Harris Media is said to have campaigned for Uhuru Kenyatta using the country’s history of tribal conflict to sow discord (claims denied).

CA is allegedly funded by Robert Mercer, a hedge-fund billionaire who financed Trump’s presidential campaign, Breitbart News et cetera. Each dollar buys Mercer the potential to shape the world in his image: anti-Muslim, hostile to government, and irreverent of truth.
