Facebook: Cambridge Analytica scandal not a data breach
20 March 2018
The controversial political and information consultancy Cambridge Analytica has had an order made against it by the UK Information Commissioner’s Office for its premises to be searched.
The order came after a Channel 4 News exposé of the firm and its alleged use of deep investigative techniques, entrapment and manipulation.
The firm was already the subject of much negative attention as it had emerged that it had misused the personal data of more than 50 million US Facebook users during the 2016 presidential election in the United States.
In the Channel 4 News report, Cambridge Analytica employees, and its CEO Alexander Nix, were shown on camera talking about the use of honeytraps, sex workers and investigations by former intelligence officers to gather material with which to influence elections for clients.
The exposé saw reporters pose as representatives of a wealthy Sri Lankan family who purported to be looking for information on political opponents there in upcoming elections.
At the centre of the story is whistleblower Chris Wylie, who told the UK newspaper Observer: “We exploited Facebook to harvest millions of people’s profiles and built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on”.
Wylie claims to be the architect of the system used by Trump campaign advisor Steve Bannon that saw Trump win the 2016 presidential election.
Facebook has confirmed that data was harvested, and that it knew as early as 2015 that it had occurred in 2014. The company has denied that the incident was a data breach, saying that the data gathered was given by users who had signed up for an application, but that the data was subsequently misused.
“Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked,” said Facebook in a statement.
The statement added:
“Like all app developers, Kogan requested and gained access to information from people after they chose to download his app. His app, “thisisyourdigitallife,” offered a personality prediction, and billed itself on Facebook as “a research app used by psychologists.” Approximately 270,000 people downloaded the app. In so doing, they gave their consent for Kogan to access information such as the city they set on their profile, or content they had liked, as well as more limited information about friends who had their privacy settings set to allow it.”
“Although Kogan gained access to this information in a legitimate way and through the proper channels that governed all developers on Facebook at that time, he did not subsequently abide by our rules. By passing information on to a third party, including SCL/Cambridge Analytica and Christopher Wylie of Eunoia Technologies, he violated our platform policies. When we learned of this violation in 2015, we removed his app from Facebook and demanded certifications from Kogan and all parties he had given data to that the information had been destroyed. Cambridge Analytica, Kogan and Wylie all certified to us that they destroyed the data.”
According to Jonathan Compton, partner, UK law firm DMH Stallard, “there is no duty on Facebook to tell its users (even those users affected) that their data has been ‘harvested’. I make it clear that, in full compliance with UK data protection laws, Facebook had no legal obligation either to notify the UK Information Commissioner, nor its users.”
However, the UK Information Commissioner Elizabeth Denham has commented, “A full understanding of the facts, data flows and data uses is imperative for my ongoing investigation. This includes any new information, statements or evidence that have come to light in recent days.”
“Our investigation into the use of personal data for political campaigns includes the acquisition and use of Facebook data by SCL, Doctor Kogan and Cambridge Analytica.”
“This is a complex and far reaching investigation for my office and any criminal or civil enforcement actions arising from it will be pursued vigorously,” said Denham.
Compton adds, “Interestingly, it is understood that Facebook’s UK legal advisers have written to the Observer stating that the Observer has made “false and defamatory” comment and has reserved Facebook’s legal position.”
There have been calls here on Helen Dixon, the Data Protection Commissioner, to investigate the matter further to see if European users of Facebook were similarly affected, or whether such techniques were used to leverage their data.
“Under the DPA [UK Data Protection Act 1998] in its current form there are protections afforded to individuals and their personal data,” Compton pointed out. “The issue is enforcement. If there is no current obligation to report breaches, then wrong-doing can go unnoticed. Further, even under the new GDPR, if the UKIC has to apply for a warrant, the opportunity in the delay is given to those in breach of data protection rules to cover their tracks. Finally, if potential ‘wrong-doers’ (for want of a better word) can use the law of Libel to silence whistle-blowers, then ‘Houston, we have a problem’.”
The Irish data protection commissioner does not require a search order to enter a premises and request documentation.
Cambridge Analytica has said in a statement:
“The Channel 4 News report contained conversations between Cambridge Analytica senior executives and an undercover reporter posing as a Sri Lankan businessman. The report is edited and scripted to grossly misrepresent the nature of those conversations and how the company conducts its business.”