Facebook data protection fail shows need for GDPR

Stewart Twynham examines the fallout from the Facebook data protection debacle and looks at how future cases may be treated under the incoming GDPR rules.

The Information Commissioner is seeking a warrant to search Cambridge Analytica's offices and gather evidence, following allegations that the firm harvested personal data from over 50 million Facebook accounts.

The UK business suspended its CEO Alexander Nix on Tuesday after Channel 4 aired a news report showing Nix claiming to have run the digital campaign for US President Donald Trump's election team. Christopher Wylie, former research director of Cambridge Analytica, has already handed a dossier over to the Information Commissioner to support his allegations that data from Facebook was used to influence the outcome of the US election.

Wylie's allegations centre on a Facebook quiz app written by Cambridge University researcher Aleksandr Kogan, which calculated a psychometric profile for each user. Cambridge Analytica allegedly used these profiles to understand the kinds of marketing messages that individuals would be susceptible to and then created targeted adverts that played on those susceptibilities during the Trump campaign.

Weaknesses in the way Facebook's platform permissions worked at the time meant the app could capture not just information about the user who installed it, but also data about each of that user's friends, subject only to the friends' own privacy settings. The friends themselves never installed the app and were never asked.

Facebook allowed Kogan to collect vast amounts of data. Each of the 320,000 people who took the quiz between June and August 2014 was not only adding themselves to the database but, on average, 160 Facebook friends along with them. Reports suggest that Facebook did query this large outflow of data with Kogan but accepted his assurance that it was for "research purposes". The 50 million or so records that Kogan collected were then sold on to Cambridge Analytica in a commercial arrangement.

Data protection implications

UK Information Commissioner Elizabeth Denham has said that the agency is investigating the circumstances in which Facebook user data may have been illegally acquired and used.

“It’s part of our ongoing investigation into the use of data analytics for political purposes, which was launched to consider how political parties and campaigns, data analytics companies and social media platforms in the UK are using and analysing people’s personal information to micro-target voters," Denham said. "It is important that the public are fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy.”

Damian Collins, the chairman of the Commons inquiry into fake news, has accused Facebook of misleading the committee. In a letter to Facebook CEO Mark Zuckerberg, Collins said that answers Facebook gave at a previous hearing, when asked whether information had been taken without users' consent, were "misleading to the Committee". Facebook has consistently maintained that it is merely a platform for others to use and nothing more than a neutral observer.

Cambridge Analytica's now suspended CEO had already appeared before a panel of MPs, telling them in February that the company did not work with Facebook and held no data from it.

Based on what the Guardian alleges, there appears little doubt that the UK's current Data Protection Act (DPA) has been breached - but only UK firm Cambridge Analytica appears to be in the ICO's spotlight.

Facebook user data appears to have been collected unfairly, while the data of connected friends was collected entirely without consent. That data was then sold on without consent and processed without consent. The data subjects were treated unfairly throughout: they were kept in the dark while being targeted using information gleaned from them.

Documents from Wylie also appear to show that Facebook was fully aware of the breach - of its own access control weaknesses, of the fact that data had been harvested, and of the fact that the data had been sold on - yet did little to protect or inform users beyond sending Cambridge Analytica a form asking it to confirm that the data had been deleted.

Time for the GDPR

Despite an obvious breach taking place, a lack of joined-up thinking from the UK's 20-year-old DPA has allowed this investigation to rumble on for more than a year before events were eventually overtaken by press revelations.

The case is the clearest example yet that the outgoing Data Protection Act has reached the end of its life. This is a global data scandal involving a large foreign corporation, an unconventional data breach, sophisticated processing technologies, and parties who have simply shrugged their shoulders and denied everything. Unlike the DPA, the GDPR reaches any organisation that processes the personal data of people in the EU, wherever that organisation is based. Facebook, Kogan and Cambridge Analytica would each be classed as a data controller, and each would carry its own clear responsibilities for data protection.

Facebook would no longer be able to hide behind blanket terms of service packed with legal jargon. Consent would need to be specific, informed, unambiguous and freely given. Rules on fairness and transparency would require that users are in no doubt about what is happening to their data, with terms explained in plain, age-appropriate language. Any breach likely to put users' rights and freedoms at risk would have to be reported to the ICO within 72 hours, and where that risk is high the affected users would have to be told as well.

From the point of view of Aleksandr Kogan and Cambridge Analytica, they were involved in high-risk processing using new technologies. Under the GDPR that processing would have to be assessed in advance through a data protection impact assessment, and every processing activity recorded. This makes investigation easier. Faced with denials from the firms, the ICO would not be limited to seeking a warrant to seize data; it could simply ask to see the accompanying paper trail, and the absence of that paper trail would itself be a breach of the GDPR.

The GDPR applies from 25th May 2018. Read more articles and reader questions on AccountingWEB's specific GDPR tag page.

About Stewart Twynham

Stewart Twynham is an experienced information security expert and AccountingWEB contributor. He recently founded the independent cyber-security consultancy Brandfire (https://brnd.fr/) to help businesses in Scotland tackle these issues.

Replies

23rd Mar 2018 12:11

Facebook may have a case to answer, but why the heck the originators of GDPR feel the need to drag into this mess a small company which doesn't pass on individual data but just happens to have a CCTV camera for security is beyond me.

BTW - given all the data companies are having to provide who is going to ensure that this is safely held? After all public bodies are notoriously unreliable at anything to do with IT....

Thanks (0)
to rememberscarborough
27th Mar 2018 01:07

Most small businesses process personal data - supplier records, customer records, online payments, employee data - and GDPR is about making sure that all of this is processed lawfully, fairly and transparently.

CCTV can present serious privacy issues even under the old Data Protection Act - if anything it's one of the easier areas to look at under the GDPR because so much relevant guidance has already been produced.

Thanks (1)
to rememberscarborough
27th Mar 2018 07:09

Here is an example of the ICO's code of practice for CCTV - this is written with the DPA in mind but the principles all hold true for the GDPR. Because CCTV relies on legitimate interest, it will need to pass certain tests to be valid, but this document looks at many different scenarios to help you through that process.
https://ico.org.uk/media/for-organisations/documents/1542/cctv-code-of-p...

The main changes you will need to consider for the GDPR:
- Greater transparency - making sure you provide sufficient information
- A potential increase in the records you keep - depending on how much data you are recording
- Handling additional data subject rights including Subject Access Requests
- Keeping your recordings secure and handling mandatory breach notifications

Expect the ICO to update the guidelines soon. I hope that helps!

Thanks (1)