Cambridge Analytica, Facebook & GDPR

Uploaded on 2018-04-11 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law, TECHNOLOGY-Key Areas-Social Media

Since Donald Trump’s surprise victory in the 2016 US presidential election, claims and counter-claims have been swirling around about what might have tipped the poll in his favour. Two factors have been the focus of repeated discussion, fake news and targeting of ads.

A Department of Culture, Media and Sport select committee has recently been taking evidence about the first of these. But reports in The Guardian and C4 televison news have brought the second activity into its fresh focus.

According to a former employee of Cambridge Analytica, Christopher Wylie, the company did collect data on Facebook users and use it to target political ads, despite the denials made by its founder, Alexander Nix, including during evidence given to the DCMS committee in February.

Facebook has responded by suspending the accounts of Strategic Communication Laboratories, the parent company of Cambridge Analytica, and Wylie.

It has denied that the incident constitutes a data breach, states that data subjects gave their consent and that it was an academic researcher, Aleksandr Kogan, who violated the terms of a license under which he was given permission to run an app on Facebook by sharing the data collected.

The DCMS has announced that it will call back Nix and Facebook to explain their earlier statements that no personal information was involved in this activity.

What has happened to the Facebook Data?

Kogan applied for and was granted a license to operate an app, thisisyourdigitallife, on Facebook. Users were asked to take a personality test whose purpose was to capture likes as part of a psychographic modelling exercise to identify how predictive these are of other behaviours, such as political affiliation and voting intention.

This type of exercise is a relatively common practice, it underpins The University of Cambridge Psychometric Centre’s Magic Sauce profiling system, for example, because of the scale of Facebook’s user base and the visibility it provides into preferences.

Some 270,000 Facebook users downloaded the app. As part of the data collection it involved, their friends who had privacy settings that allowed for data sharing were also included in a data set said to involve up to 50 million individuals. Wylie alleges that the raw data from this app was passed by Kogan to Cambridge Analytica, in breach of the license he was granted.

Facebook was aware of this in 2015 and demanded that all copies be destroyed. In the wake of the DCMS hearing, the incident has gained fresh momentum and new questions are being asked about who knew about the data sharing, when it happened and whether the personal information involved was actually used and subsequently deleted.

What does the Data Protection Act say about this?

Cambridge Analytica is a UK-based company which has brought the Information Commissioner’s Office into the picture. Crucially, much will depend on whether any UK citizen’s data is involved.

Given the global footprint of Facebook, even if the app was aimed at US voters, it is possible that some of the data covers British subjects, potentially as friends of those direct downloaders.

If this is the case, then any data collected is covered by the existing Data Protection Act. Two key principles are involved:

Use for a limited, specifically-stated purpose: The ICO will want to be satisfied that any UK citizens who downloaded the app were made aware of the purpose for which it would be used. If the data collection notice only mentioned academic research and not political profiling or data sharing, this would be a breach of the DPA. Facebook states that data sharing was not part of the terms and conditions of the license it granted.

Protection of sensitive information, such as political opinions: Any information that is potentially sensitive, such as a user’s political opinions, has to meet high standards for the basis on which it will be processed. An academic researcher could claim legitimate interest provided they meet strict conditions - any additional usage would require consent. Facebook says users of the thisisyourdigitallife app provided this.

What would happen under the General Data Protection Regulation?

As the app was launched in 2015, it is covered by the DPA. But if it were to be in use after 25th May of this year, then GDPR would apply.

Transparency, definition of purpose and granularity of consent are all much tougher under the GDPR Regulation.

The distinction between data controllers and data processors is also less, which would play an important part in any investigation into who directly accessed and controlled app data, including whether Facebook was a first-party controller.

Penalties for breaches of GDPR are substantial, sharing personal information and using it beyond the stated purpose would be likely to incur a €20 million or 4% of global turnover fine.

Why does this matter?

There are three critical dimensions to the Cambridge Analytica data issue. The first is for UK data subjects who may have had their sensitive personal information shared without their consent. The ICO will focus on establishing this in order to decide whether it has jurisdiction.

The second is for the fake news investigation being carried out by DCMS (which the ICO has also been asked to engage with). It is recalling Nix and Facebook to challenge evidence they provided in February about personal information sharing by Kogan with Cambridge Analytica.

With Facebook now stating it knew this had happened back in 2015, it is likely to come under significant pressure about subsequent statements.

But there is a third group that needs to take a close look at its data collection practices, including consent notices and data sharing. Competitions, quizzes and games are common techniques deployed by affiliates as data capture mechanisms.

In 2015, the ICO wrote to 1,000 companies in this sector asking about the basis for their data processing. In the wake of this weekend’s Cambridge Analytica revelations, it may just decide to take another look.

DataIQ

You Might Also Read: 

Data Protection Officer's Guide To The GDPR Galaxy:

Facebook’s Influence On UK Politics:

 

« Criminal Web-Injects Can Steal Cryptocurrency
How to Access the Dark Web Anonymously »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Ethio-CERT

Ethio-CERT

National Cyber Emergency Readiness and Response Team of Ethiopia.

OSSEC

OSSEC

OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS).

Gatewatcher

Gatewatcher

Gatewatcher is a digital breach detection platform targeting crafted attacks and protecting organizations against advanced cyber threats.

Global Station for Big Data & Cybersecurity (GSB)

Global Station for Big Data & Cybersecurity (GSB)

GSB is an interdisciplinary research hub to cover big data, information networks, and cybersecurity.

Somansa

Somansa

Somansa is a global leader in Data Security and Compliance solutions designed to protect valuable company information from leakage and help meet regulatory compliance requirements.

Cognni

Cognni

Cognni (formerly Shieldox) will make your InfoSec think like a human, right out of the box, so you can focus on the bigger picture, keeping the information flow safe.

Optra Security

Optra Security

Optra Security specializes in information security with a focus on Application Security.

Polyrize

Polyrize

The Polyrize continuous authorization platform for SaaS and IaaS stops tomorrow's public cloud cyber threats, today.

CyberDegrees.org

CyberDegrees.org

CyberDegrees.org aims to provide top-notch information for students seeking Cyber Security education and career guidance.

Solidified

Solidified

Solidified is the largest audit platform for smart contracts. Our community has the highest concentration of top Blockchain security specialists and best-in-class code auditors.

CONCORDIA

CONCORDIA

Concordia is a Cybersecurity Competence Network with leading research, technology, and competences to build the European Secure, Resilient and Trusted Ecosystem.

LOGbinder

LOGbinder

LOGbinder eliminates blind spots in security intelligence for endpoints and applications.

Whistic

Whistic

Whistic is a cloud-based platform that uses a unique approach to address the challenges of third-party risk management.

Resilience Cyber Insurance Solutions

Resilience Cyber Insurance Solutions

Resilience Cyber Insurance combines insurance expertise with cybersecurity and data talent to deliver clear, effective solutions to protect you for the cyberrisks of today—and tomorrow.

CyberXpert

CyberXpert

CyberXpert is your cybersecurity partner for the public and private sector in Belgium.

Digital Twin Consortium (DTC)

Digital Twin Consortium (DTC)

Digital Twin Consortium is a global ecosystem of users who are driving best practices for digital twin usage and defining requirements for new digital twin standards.