Euro Security Watch with Mathew J. Schwartz

Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)

Facebook: Day of Reckoning, or Back to Business as Usual?

Social Media Users' Profiles Get Used Against Them
Facebook: Day of Reckoning, or Back to Business as Usual?
Mark Zuckerberg, CEO and chairman of Facebook (Photo: Facebook)

The unfolding story of Cambridge Analytica, which shows how personal information on millions of consumers was obtained via Facebook, demonstrates the degree to which our personal data can be weaponized against us (see Probes Begin as Facebook Slammed by Data Leak Blowback).

See Also: AI-Driven Strategies for Effective Cyber Incident Recovery

Increasingly, innocuous-looking uses of data appear to have massive ramifications when viewed at scale or subjected to data scientists' algorithms.

Early this year, app and website developer Strava - "the social network for athletes" - landed in hot water after publishing a global heat map revealing its users' well-traveled routes, including a secret CIA annex at the airport in Mogadishu, Somalia (see Feel the Heat: Strava 'Big Data' Maps Sensitive Locations).

In recent days, Facebook has been in the spotlight over reports that up to 60 million of its users' personal details were obtained by Cambridge Analytica, a data-analysis firm that worked with the Trump campaign in 2016 and was founded by Stephen Bannon and Robert Mercer, a wealthy Republican donor. The reports suggest that people's psychological details were surreptitiously used to better target them with messages designed to alter or amplify their political views.

Reports emerged over the weekend in the Observer and The New York Times that Aleksandr Kogan, a lecturer in the psychology department at Cambridge University, created a personality test app that he used to amass personal data for Facebook users, as well as their friends, in part via a Facebook API, in apparent compliance with Facebook's terms of service for academic researchers.

But the reports say that a firm created by Kogan, called Global Science Research firm, reportedly worked with Cambridge Analytica, which is owned by SCL Group, to pay the test takers, and then gathered and used their data for non-academic purposes.

Semantic 'Breach' Debate

In response to the reports, Facebook said it suspended Cambridge Analytica and Kogan last week, and it went on a semantic defensive.

"This was unequivocally not a data breach," tweeted Andrew Bosworth, a top Facebook executive. "No systems were infiltrated, no passwords or information were stolen or hacked."

Similarly, Alex Stamos, Facebook's outgoing chief of security, in a series of now-deleted tweets, argued that the company hadn't been breached, but rather that researchers had been able to grab users' friends' information, which Facebook no longer allows.

"Data breach" is a nebulous term that generally refers to information having been directly stolen or exposed from an organization's systems or records. In this case, the information appears to have been obtained in a manner that Facebook approved for academic research, but the group that obtained the information violated those terms when it resold the information to third parties.

Facebook has also attempted to highlight its compliance with the voluntary policies it has created. "We remain committed to vigorously enforcing our policies to protect people's information," it says in a statement.

In other words: "Please don't regulate us."

In the bigger picture, Brian Wieser, an analyst at research and investment firm Pivotal Research, says this saga is another sign of "systemic problems" at Facebook.

Facebook's lack of notification to users that their information had been used in an unapproved manner could run afoul of U.K. and other European privacy laws, as well as data breach notification laws in place in 48 states across the U.S.

Cambridge Analytica continues to deny any wrongdoing.

Reminder: Facebook Sells Users' Data

Zeynep Tufekci (@zeynep), an associate professor at the School of Information and Library Science at the University of North Carolina, says how Facebook is attempting to debate this issue is damning.

"In Turkish there is a saying: when the apology is more revealing of a wrong," she tweets. "Maybe there's something wrong with all this enormous data surveillance machinery, huh."

Probes Underway

Facebook is now facing intense and increasing scrutiny from regulators and lawmakers, including an investigation launched by Britain's privacy watchdog, the Information Commissioner's Office, which is seeking a warrant to search the offices of Cambridge Analytica.

"Our investigation into the use of personal data for political campaigns includes the acquisition and use of Facebook data by SCL, Doctor Kogan and Cambridge Analytica," Elizabeth Denham, the information commissioner for the U.K., says in a Monday statement. "This is a complex and far-reaching investigation for my office and any criminal or civil enforcement actions arising from it will be pursued vigorously."

The EU's justice chief, Věra Jourová, has lauded the ICO's investigation. She says she expects "companies to take more responsibility when handling our personal data" and says she'll raise the Facebook and Cambridge Analytica matter with U.S. government officials during a trip to the U.S. scheduled for this week. Her team has also scheduled a meeting with Facebook executives.

Zuckerberg's Date With Lawmakers

Last month, the CEO of Cambridge Analytica, Alexander Nix, told Parliament's Digital, Culture, Media and Sport Committee that his firm had received no data from GSR, in what now appear to be false statements, says MP Damian Collins, who heads the committee.

Collins says he will call on Nix to testify. He also wants answers from Facebook executives. "It is not acceptable that they have previously sent witnesses who seek to avoid asking difficult questions by claiming not to know the answers. This also creates a false reassurance that Facebook's stated policies are always robust and effectively policed."

Over the weekend, some U.S. senators, including Amy Klobuchar, D-Minn., and Jeff Flake, R-Ariz., called for Facebook CEO Mark Zuckerberg to testify before the Senate (see Facebook Attempts to Explain Data Leak, Denies 'Breach').

On Monday, Sen. Ron Wyden, D-Ore., wrote Zuckerberg with a list of questions about the company's activities, including whether it knows of any other third-party information gathering of the type practiced by Kogan.

"The troubling reporting on the ease with which Cambridge Analytica was able to exploit Facebook's default privacy settings for profit and political gain throws into question not only the prudence and desirability of Facebook's business practices and the dangers of monetizing consumers' private information, but also raises serious concerns about the role Facebook played in facilitating and permitting the covert collection and misuse of consumer information," Wyden writes. "With little oversight - and no meaningful intervention from Facebook - Cambridge Analytica was able to use Facebook-developed and marketed tools to weaponize detailed psychological profiles against tens of millions of Americans."

US Regulatory Outlook

In theory, U.S. lawmakers could subject Facebook and others to greater regulatory scrutiny by passing privacy laws designed to better protect consumers, on the order of the EU's General Data Protection Regulation. GDPR, which will be enforced beginning May 25, will potentially lead to massive fines for organizations worldwide that run afoul of EU privacy laws.

In reality, many members of the Republican-dominated Congress have repeatedly emphasized that they don't want to see any such regulations - not even as basic as a national data breach notification law. They have repeated that message in the wake of onerous data breach notification delays by Uber and after the Equifax breach, which resulted in the exposure of personal information, including Social Security numbers, for most adults in the U.S. (See Cynic's Guide to the Equifax Breach: Nothing Will Change)

Hence despite Facebook being used as a vehicle to gather and weaponize psychological profiles for millions of individuals, not to mention being used as an information warfare platform, it seems unlikely that the company will face any long-term repercussions from this unfolding saga, at least in the U.S.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.