By Sascha Matuszak
Much of the web-surfing world is now aware of Cambridge Analytica (CA), the UK-based data firm that helped influence global politics by leveraging data contained within the virtual profiles of millions of real human beings. The company is implicated in a major data privacy breach involving millions of Facebook users. After The Guardian published their bombshell report, featuring former CA employee and whistleblower, Christopher Wylie, UK and US regulators launched investigations, Facebook stock price dropped by as much as $70 billion, and at least one head has rolled: the CEO of Cambridge Analytica, Christopher Nix, who was suspended early last week.
The data in question came primarily from Facebook profiles, an estimated 50 million of them, slurped up via a third-party app created by Cambridge professor, Aleksandr Kogan. Kogan used Amazon’s MTurk service to pay people who took his survey, which also extracted their Facebook profiles, as well as the profiles of all their Facebook friends. Kogan then allegedly sold this data to CA for $800,000 through his company, Global Science Research (GSR). That data, as well as the profiling techniques developed by young coders like Christopher Wylie and his team, allegedly helped CA develop solutions and target messaging for several campaigns, such as Brexit, Kenya’s presidential election, and the Trump Campaign.
The revelations include videotaped conversations in which Nix boasts about CA’s ability to leverage personal data, in-depth reporting on the money and personnel behind CA and sister corporation SLC Group Limited, email correspondence between Facebook and CA regarding data breaches, and the inner workings of political campaigns using big data analytics to help win elections.
The UK Information Commissioner’s Office obtained a search warrant for CA’s London office – but not before CA was able to cart away boxes of files—and Christopher Wylie has agreed to testify before both the US Congress and the UK Parliament. Mark Zuckerberg has also come under fire for his company’s lax approach toward protecting Facebook users from this massive data breach, a breach that’s led to #DeleteFacebook trending across social media platforms. Zuckerberg has also been was summoned by the House Energy and Commerce Committee to testify on Capitol Hill, a group of Facebook investors filed a class action suit following a precipitous drop in the company’s stock price, and the Federal Trade Commission announced on Monday that it was investigating Facebook’s data privacy practices.
Tip of the Iceberg
For Facebook users and casual observers of the Internet, this may come as a shocking surprise. The truth, however, is that selling data is Facebook’s business model, and they’ve been selling data to the highest bidder for many years. The Cambridge Analytica scandal is only the tip of the iceberg. Some questions currently being asked are, what are the limits of a private corporation’s Terms of Service (ToS), and did Amazon and Facebook exceed them? What are the consequences of violating a ToS? What are the primary legal claims here, both in terms of civil and criminal liability? The US has, among other regulations, the Stored Communications Act and the “hacking” statute (18 U.S.C. Section 1030), which could come into play, as well as privacy torts and laws governing breach-of-contract. Who will be held liable, and under what laws?
“I think that, importantly, many of these claims could be sidestepped by the agreements entered by users with Facebook,” said Mark Lanterman, chief technology officer for Minnesota-based Computer Forensic Services. “By all reports, Facebook shared the info with the academic according to their own policies and pursuant to its agreements with users. Really, there is no clear answer to whether Facebook is to blame civilly or criminally, but we will see what happens in the courts.”
The answers the courts provide to these questions will have far-reaching implications for any company in the world that deals with data privacy, as well as the millions of people whose data is currently stored, managed, and shared somewhere in the cloud.