Stewart Twynham examines the fallout from the Facebook data protection debacle and looks at how future cases may be treated under the incoming GDPR rules.
The Information Commissioner is seeking a warrant to search Cambridge Analytica's offices and gather information following allegations that they harvested personal data from over 50 million Facebook accounts.
The UK business suspended its CEO Alexander Nix on Tuesday after Channel 4 aired a news report showing Nix claiming to have run the digital campaign for US President Donald Trump's election team. Christopher Wylie, former research director of Cambridge Analytica, has already handed a dossier over to the Information Commissioner to support his allegations that data from Facebook was used to influence the outcome of the US election.
Wylie's allegations centre on a Facebook quiz app written by Cambridge University researcher Aleksandr Kogan, which calculated a psychometric profile for each user. Cambridge Analytica allegedly used these profiles to understand the kinds of marketing messages that individuals would be susceptible to and then created targeted adverts that played on those susceptibilities during the Trump campaign.
Weaknesses in the way Facebook's privacy settings worked at the time allowed the app to capture not just information about the user who installed it, but information about all of that user's friends as well, depending on those friends' own privacy settings.
Facebook allowed Kogan to collect vast amounts of data. Each of the 320,000 people who took the quiz between June and August 2014 was not only adding themselves to the database but an average of 160 Facebook friends along with them. Reports suggest that Facebook did query this large outflow of data with Kogan but accepted assurances that it was for "research purposes". The 50 million or so records that Kogan collected were then sold on to Cambridge Analytica in a commercial arrangement.
Data protection implications
UK Information Commissioner Elizabeth Denham has said that the agency is investigating the circumstances in which Facebook user data may have been illegally acquired and used.
"It's part of our ongoing investigation into the use of data analytics for political purposes, which was launched to consider how political parties and campaigns, data analytics companies and social media platforms in the UK are using and analysing people's personal information to micro-target voters," Denham said. "It is important that the public are fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy."
Damian Collins, the chairman of the Commons inquiry into fake news, has accused Facebook of misleading the committee. In a letter to Facebook CEO Zuckerberg, Collins accused Facebook of giving answers "misleading to the Committee" at a previous hearing which asked whether information had been taken without users' consent. Facebook has always tried to maintain that it is merely a platform for others to use and that it is nothing more than a neutral observer.
Cambridge Analytica's now-suspended CEO has already appeared before a panel of MPs, informing them back in February that the company does not work with Facebook and does not hold any data from it.
Based on what the Guardian alleges, there appears to be little doubt that the UK's current Data Protection Act (DPA) has been breached - but only the UK firm Cambridge Analytica appears to be in the ICO's spotlight.
Facebook user data appears to have been collected unfairly whilst data of connected friends was collected entirely without consent. This data was sold on without consent, subsequently processed without consent and the data subjects were treated unfairly because they were kept in the dark whilst they were subsequently targeted using the information gleaned from them.
Documents from Wylie also appear to show that Facebook was fully aware of the data breach - in terms of their access control weaknesses, the fact that data had been harvested and the fact that the data had been sold on - but did little to protect or inform users other than sending out a form to Cambridge Analytica requesting they confirm that the data had been deleted.
Time for the GDPR
Despite an obvious breach taking place, a lack of joined-up thinking from the UK's 20-year-old DPA has allowed this investigation to rumble on for more than a year before events were eventually overtaken by press revelations.
The case is the clearest example yet that the outgoing Data Protection Act has reached the end of its life. This is a global data scandal involving a large foreign corporation, an unconventional data breach, sophisticated processing technologies, and parties who have simply shrugged their shoulders and denied everything. Unlike the DPA, the GDPR has a global reach - each business involved would be classed as a data controller, and as such would carry its own clear responsibilities for data protection.
Facebook would no longer be able to hide behind blanket terms of service packed with legal jargon. Consent would need to be specific, informed and freely given. Rules on fairness and transparency would require that users are in no doubt about what is happening to their data, with terms explained in plain, age-appropriate language, and any breach which impacts users' rights and freedoms would require Facebook to notify both the ICO (within 72 hours) and its users.
Aleksandr Kogan and Cambridge Analytica, for their part, were involved in high-risk data processing using new technologies, which under the GDPR would need to be fully assessed and all processing documented. This makes investigation easier. The ICO would not be limited to seeking a warrant to seize data in the face of denials from the firms, but could simply ask to see the accompanying paper trail, the lack of which would itself be an automatic breach of the GDPR.
The GDPR becomes law on 25th May 2018. Read more articles and reader questions on AccountingWEB’s specific GDPR tag page.
About Stewart Twynham
Stewart Twynham is an experienced information security expert and AccountingWEB contributor. He recently founded the independent cyber-security consultancy Brandfire (https://brnd.fr/) to help businesses in Scotland tackle these issues.