Last week saw an uprising against Facebook on the back of its alleged involvement with Cambridge Analytica, after a whistle-blower revealed private data harvesting on Channel 4.
As a consequence, Alexander Nix, the CEO of Cambridge Analytica, has had to step down and explain the situation to the press and the public. Facebook and the UK government have been, under warrant, searching the CA premises, and the end result so far is that people’s privacy and the future of data sharing on Facebook are in doubt.
In this week’s Your Thoughts, Lawyer Monthly asks experts: What was your reaction to the news that CA were being investigated, that Zuckerberg has been called into the inquiry, and that millions of Facebook profiles were harvested for the sake of using data to influence elections? What side of the story are you most invested in? What are the legal ramifications of the company’s actions, or of Facebook’s?
Evgeny Chereshnev, CEO, Biolink.Tech:
It doesn’t matter what this data leakage would have proven or not proven. The point is that there was always the opportunity, and possibility, that certain data would be extracted from Facebook by hackers or third party providers that we, the users, were not aware of. It has been said that it’s data taken from Facebook without the users’ consent. This is both true and not true. If you read the licence agreement, when you sign up to Facebook, you would understand that you have absolutely no rights when it comes to your data; your information, what you post and how information is gathered about you. Facebook can analyse and use this data any way it wants.
I am actually very happy this has happened, as it shows just how severe and significant the problem is. Firstly, if there is a database, it only has two states – already hacked or will be hacked – that is simply the fate of all centralised user databases. We have to embrace blockchain and a diversified, distributed way of dealing with data.
Secondly, we need to totally rethink the way we approach data – our digital trail and DDNA (digital DNA). Privacy of personal data MUST become a constitutional right that everyone has from birth. Data is there forever, and it should be illegal to take it from users. It goes back to the age old question – what is self? Who owns it and what needs to be co-owned by third parties for self to coexist in the society that we live in? For example, a healthcare system needs access to my vital health records in order to administer the right treatment, but they don’t need to own that data. We should own our own self.
In that sense, the EU is the closest to doing the right thing, but there is always room for improvement, even when GDPR comes into effect.
William Haig, Associate, Taylor Vinters:
The bulk of the recent stories about Cambridge Analytica, parent company SCL and their alleged ties to the Trump and Brexit campaigns was not news in itself: stories have been circulating for months about billionaires, political strategists and power-brokers joining forces with data scientists to target key demographics in both elections. However, it is the link between those rumours and another highly plausible hypothesis: that data-hungry social networking giants may have (unwittingly or otherwise) facilitated third parties’ exploitation of our personal data (it being uncontroversial that they themselves continue to exploit it with our knowing consent), which has kept the headline-writers busy.
The tool in question, Facebook’s “Friends Permission” feature, is alleged to have allowed app developers to harvest not only the personal data of the app user (who gives their consent to this when they start using the app) but also the data of their wider network of “friends”. Whilst the “friends” had also given their consent to this, it was in general terms, buried in Facebook’s terms of service. The feature was removed from Facebook in 2014, but not before a number of developers are said to have obtained vast stores of personal data relating to tens of millions of users. A tranche of this data appears to have been acquired by Cambridge Analytica and used for their campaigns targeted at voters in the US election and the Brexit referendum.
Facebook has commissioned a data audit into Kogan and Cambridge Analytica. Separately, the UK’s Information Commissioner has sought a warrant to enter Cambridge Analytica’s offices and conduct their own audit of the company’s systems and records.
The recent developments are extremely timely, as they come just over two months before the implementation date of the General Data Protection Regulation (“GDPR”), which will strengthen the regulations around how data can be processed. The Information Commissioner’s Office (ICO) has already flexed its muscles in respect of Cambridge Analytica, and we anticipate a thorough investigation. The possibility of penalties and/or prosecutions cannot be ruled out.
Those concerned about a knee-jerk reaction affecting the wider industry should take urgent legal advice on the compliance of their data gathering, processing and retention policies and procedures, and their rights and obligations should they receive an information notice from the ICO. The story also increases the chances of a backlash from the public against data collection and analytics. Data scientists, whose work is crucial for bioinformatics, medical research and disease control, as well as for financial and behavioural modelling, can mitigate the risk by ensuring they adopt best practice and demonstrate that they are doing so. Our commercial technology and commercial disputes teams have considerable expertise in this area and can advise on GDPR compliance in general and on specific issues raised by the Cambridge Analytica story.
Liam McMonagle, Commercial Partner, Thorntons Solicitors:
In many ways it is surprising this has received so little attention until now, given that the Cambridge Analytica data ‘breach’ at the centre of the scandal occurred several years ago and was carried out in accordance with privacy standards which were published at the time. Facebook knew about it, and plugged the vulnerability by limiting the data that could be shared with Facebook Platform apps to exclude information about friends. At the time such data sharing was permitted, so the ‘breach’ appears to be more about the subsequent retention of the information and its use for wider purposes than those for which it was originally gathered. We still don’t know how extensive the data sharing actually was or how much data was shared back then which is still in use now.
It’s also obvious that lots of people have very little idea what companies such as Facebook and others do with their personal data and how it is used. The increased transparency required by GDPR should go some way to improve this.
However, it does appear there is a risk we are going to replace vague and general descriptions about ‘using data to improve our products’ and the like with information overload. This will leave the average user no more informed and require significant investment of time to fully understand what is going on – an investment most people will choose not to make. Even as a professional practising in this area it is difficult to find and then clearly interpret much of the privacy information on certain key websites.
For me, the interesting implications of this in the long term will be the impact on data-intensive businesses. Users have to take responsibility for understanding what information they share on Facebook, Google and other platforms and that the use of those platforms does require a degree of data sharing. Some people will care more about that than others. But many organisations have traditionally had a culture of regarding data protection and privacy laws as compliance hurdles to be ‘got round’ or negotiated rather than designed into business process and genuinely valued and protected.
There is also a far wider issue beyond the consumer protection or transactional analysis of data protection. Are there certain uses of information which, through their potential to have manipulative or disruptive effects on societies, are not adequately constrained even with GDPR?
David Northmore, VP EMEA, MarkLogic:
Meeting the consent requirements will be one of—if not the—toughest parts of complying with GDPR, the General Data Protection Regulation.
Security is only one aspect of data governance. This was a breach. It may not have been a security breach, but it was a policy breach and a breach of trust. It’s a cold comfort that this was not caused by a direct hack of their systems and hopefully this case will spur a wider discussion of how organizations and those associated with them collect, manage and govern this type of data.
Data governance means applying policy to data—knowing and controlling what data you have, where it sits, who touches it, who changes it and when, etc. Governance is an increasing challenge for companies, organizations and even governments as more and more data is collected. That kind of thing is exactly what EU regulators are taking aim at with GDPR.
On the flip side, for Cambridge Analytica or any company today, it’s not enough to just throw-up and claim plausible deniability. Northmore added, “Not knowing or caring where your data comes from is a governance issue. This data was allegedly used for voter influence campaigns. Was it fit for that purpose? Fit for purpose means more than just ‘is it possible to use this data to make these decisions accurately’; it also means ‘is it legal, ethical, and within our policy?’ Just because you can doesn’t mean you should.”
Chris Moses, Senior Operations Manager, Blackstone Consultancy:
In the days in which we are routinely informed that Putin’s state-sponsored hackers and trolls are messing with western democracy through digital manipulation, I don’t think that the Cambridge Analytica furore is unexpected or a surprise to anyone. From experience and operational knowledge, you could argue it’s an ‘active measure’ by the Russians to provide a smokescreen to remove the Salisbury poisoning off the front page. However, aside from that speculation of rogue data companies and Machiavellian political tactics, we need to understand exactly what has happened. In brief, Cambridge Analytica were responsible for an online quiz that harvested the entrants’ and, subsequently, their network friends’ data unknowingly. This data was manipulated and used, according to the Cambridge Analytica executives bragging on camera, to effectively create PR strategies, including Donald Trump’s election campaign and others.
It could be argued that Facebook is complicit in the misuse of data or, at best, has been used as a patsy by Cambridge Analytica to garner the information. I am not sure which is worse, but the damage to its reputation, and share price, is going to be huge either way and the fallout will be spectacular. It will be interesting to understand how many individuals have cancelled or deactivated their Facebook accounts since the story hit the headlines. How many sponsors and advertisers have stopped doing business with Facebook?
Have any laws been broken? I think it’s definitely too early to tell. US Electoral Law seems to have been broken or bent enough to matter at first glance, but at the moment it’s difficult to separate the wheat from the chaff in regard to the information being published. Data Protection Laws appear to have been completely ignored and, in the UK, it was interesting to see the Information Commissioner’s Office (ICO) getting its first real outing and raiding the CA offices in London. I think these are photos that we are going to see a lot more of in the next six months with the ICO flexing its muscles at the start of the enforcement of the EU’s General Data Protection Regulation (GDPR) on 28 May 2018.
Interestingly, another major electoral event, the BREXIT referendum, is being caught up in the storm as well, with the Prime Minister being asked to explain what impact, if any, Cambridge Analytica had on the BREXIT campaign. My initial thoughts are that there is more to come in regard to the use of the data taken from Facebook, from Zuckerberg’s future to yet another attack on Trump’s presidency and onto the BREXIT campaign, so let’s keep watching and see where it takes us.