User beware: why Facebook’s data problems go much deeper than Cambridge Analytica
Facebook last week suspended the Trump campaign’s data consultant, Cambridge Analytica, for scraping the data of potentially millions of users without their consent.
But thousands of other developers, including the makers of games such as FarmVille and the dating app Tinder, as well as political consultants from Barack Obama’s 2012 presidential campaign, also siphoned huge amounts of data about users and their friends, developing deep understandings of people’s relationships and preferences.
Cambridge Analytica – unlike other firms that access Facebook’s user data – broke Facebook’s rules by obtaining the data under the pretence of academic use.
Zuckerberg loses US$4.9b as Facebook shares drop in data storm
But experts familiar with Facebook’s systems and policies say that the greater problem was that the rules for accessing the social network’s information trove were so loose in the first place.
Facebook chief executive Mark Zuckerberg in 2007 invited outside developers to build their businesses off Facebook’s data, giving them ready access to the friend lists, “likes” and affinities that connect millions of Facebook users. Practically any engineer who could persuade a Facebook user to download an app or to sign into a website using Facebook’s popular “login through Facebook” feature would have been able to access not only the profile, behaviour and location of that Facebook user but also that of all the user’s Facebook friends, developers said.
Such information can be extremely valuable to marketers and political campaigns for tailoring messages, ads and fundraising pitches. As long as the developers didn’t misrepresent themselves, Facebook allowed the data to be stored on developers’ databases in perpetuity.
Facebook changed its policy in 2015 after concerns about misuse of data by third parties and a shift in strategy tied to its relationships with developers.
The question of what Facebook permitted – and how everyday users understood those permissions – is under a new spotlight in the wake of the Cambridge revelations.
On Monday, Facebook said it will audit Cambridge Analytica to determine whether the company had deleted the data it took inappropriately.
Cambridge Analytica did not respond to requests for comment Monday. Over the weekend, the firm said it “fully complies with Facebook’s terms of service.”
US congressional calls for Facebook officials to testify on Capitol Hill grew louder and more bipartisan Monday as lawmakers demanded that the tech giant explain how Cambridge Analytica obtained its data. The increasingly sharp and personal tenor of the requests, many of which sought an appearance by Zuckerberg, raised the odds of a fresh round of potentially contentious hearings – after Facebook defended itself in fall hearings about Russian manipulation of its site connected to the 2016 election.
“While Facebook has pledged to enforce its policies to protect people’s information, questions remain as to whether those policies are sufficient and whether Congress should take action to protect people’s private information,” Senators Amy Klobuchar, a Democrat, and Republican John Neely Kennedy wrote in a joint letter to Senator Chuck Grassley, the Republican chairman of the Senate Judiciary Committee.
A spokesman for Grassley said the senator had not decided whether to hold a hearing.
Facebook’s shares closed down 6.8 per cent on Monday, at their lowest price in several weeks.
Cambridge Analytica obtained the data through a psychological testing app, called Thisisyourdigitallife, that offered personality predictions and billed itself on Facebook as “a research app used by psychologists.” Facebook said 270,000 people downloaded the app. That allowed the collection of data on 50 million “friends,” The New York Times and The Observer of London have reported.
“Facebook made it easy for app developers to collect users’ friends’ data,” said Nick Soman, an entrepreneur who collected the locations of Facebook users’ friends to enhance his social app LikeBright, which no longer exists.
Facebook did not conduct an audit of Cambridge Analytica in 2015 when the violations were first discovered, according to Facebook. Instead, it asked Cambridge, the psychologists and an affiliate company to promise it would delete the ill-gotten information.
“The model was to build and grow and figure out monetisation,” said Sandy Parakilas, a former Facebook operations manager who oversaw developers’ privacy practices until 2012. “Protecting users did not fit into that.”