The Cambridge Analytica Case Is A Red Herring

Facebook is being hammered for allowing the data firm Cambridge Analytica to acquire 50 million user profiles in the US, which it may or may not have used to help the Trump campaign. But the outrage misses the target: There's nothing Cambridge Analytica could have done that Facebook itself doesn't offer political clients.

Here, in a nutshell, is the CA scandal

In 2014, Aleksandr Kogan, an academic of Russian origin at Cambridge University in the UK, built a Facebook app that paid hundreds of thousands of users to take a psychological test.

Apart from their test results, the users also shared the data of their Facebook friends with the app. Kogan sold the resulting database to CA, which Facebook considers a violation of its policies: The app was not allowed to use the data for commercial purposes.

Carol Cadwalladr and Emma Graham-Harrison, writing for the UK publication Observer, quoted former CA employee Christopher Wylie as saying the firm "broke Facebook" on behalf of Stephen Bannon, the ideologue and manager behind the Trump campaign.

It didn't escape keen observers that if the Trump campaign used Facebook user data harvested through an app, it did no more than Barack Obama's 2012 data-heavy re-election campaign.

It's not documented exactly how Obama's team gathered oodles of data on potential supporters, but a deep dive into the tech side of that campaign by Sasha Issenberg mentioned how "'targeted sharing' protocols mined an Obama backer’s Facebook network in search of friends the campaign wanted to register, mobilise, or persuade."

To do this, the protocols would need to use the same feature of the Facebook platform for developers, discontinued in 2015, that allowed apps access to a user's friends' profiles, with the user's consent, as Facebook invariably points out.

Let's face it: Users are routinely tricked to obtain such consent. Tech companies make giving it, or agreeing to complex terms of service, look like a low-engagement decision.

"Is it okay if we look at your friends' info?" they ask.

"Sure, why not? I want to take this nifty psychological test," we answer.

Afterward, only Facebook itself is interested in the legal minutiae of what permissions it gave to which developers. As far as everyone else is concerned, it doesn't matter whether an app gets the data for research purposes or for straight-up political ones. Average users worry more about convenience than privacy.

The relevant question, however, is what a campaign can actually do with the data?

CA's supposedly sinister skill is that it can use the Facebook profile information to build psychological profiles that reveal a person's propensity to vote for a certain party or candidate. When matched against electoral registers, targeted appeals are possible.

But no one should take the psychological profile stuff at face value. No academic work exists to link personality traits, especially those gleaned from the sketchy and often false information on Facebook profiles, definitively to political choices.

There is, however, research showing that values or even genetic factors trump traits. It's not even clear how traits affect political behavior, such as the tendency to vote and donate to campaigns: Some researchers, for example, have found a negative relationship between emotional stability and these measures; others have found a positive one.

This is not to say Facebook data, including data on a user's friends, can't be useful to campaigns.

The Obama campaign actually asked its active supporters to contact six specific friends suggested by the algorithm. So people reached million others, and, according to data from the campaign, 20 percent of the million actually did something like registering to vote.

But did the Trump campaign need CA and the data it acquired from Kogan to do this kind of outreach in 2016? Likely not. Facebook cut off the friends’ functionality for app developers because it wanted to control its own offering to clients interested in micro-targeting.

There's plenty of evidence that Brad Parscale, who ran the digital side of Trump's campaign, worked closely with Facebook.

Using the platform's "Lookalike Audiences," he could find people who resemble known Trump supporters. Facebook also has the capacity to target ads to the friends of people who have "liked" a page, a Trump campaign page, for example.

Targeting messages to millions of specific people without going directly through Facebook is messier and probably more expensive than using the social platform's own tools. All Facebook requires for access to its data trove is a reasonable fee.

Whether CA could add anything meaningful to Facebook's effort is unclear. Its previous client, the unsuccessful presidential campaign of Senator Ted Cruz, has said it didn't deliver on all its promises.

Some studies have shown that Facebook ads can work quite well for businesses. If they also worked for Trump, the CA story is a red herring:

It's Facebook's own data collection and the tools it makes available to clients that should be the target of scrutiny and perhaps regulation, both from a privacy perspective and for the sake of political transparency.

Information- Management:

You Might Also Read: 

Facebook’s Influence On UK Politics:

 

« Inside the Big Business Of Cyber Crime
Using GDPR Compliance To Excel At CRM »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Ascentor

Ascentor

Ascentor specialises in independent information and cyber security consultancy. We’re experienced industry experts, providing cyber security services since 2004.

authen2cate

authen2cate

Authen2cate offers a simple way to provide application access with our Identity and Access Management (IAM) solutions for enterprise, small business, and individual customers alike.

National Institute of Standards & Technology (NIST) - USA

National Institute of Standards & Technology (NIST) - USA

NIST is a measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce. Areas covered include IT and cybersecurity.

Research Institute in Science of Cyber Security (RISCS)

Research Institute in Science of Cyber Security (RISCS)

RISCS is focused on giving organisations more evidence, to allow them to make better decisions, aiding to the development of cybersecurity as a science.

PlainID

PlainID

PlainID provides IAM teams with a simple and intuitive means to control their organization’s entire authorization process.

Hysolate

Hysolate

Hysolate has transformed the endpoint, making it the secure and productive environment it was meant to be.

ReconaSense

ReconaSense

ReconaSense helps protect people, assets, buildings and cities with its next-gen access control and converged physical security intelligence platform.

Stellar Cyber

Stellar Cyber

Stellar Cyber makes Open XDR, the only comprehensive security platform providing maximum protection of applications and data wherever they reside.

Pixm

Pixm

Pixm’s computer vision based approach offers a truly unique and effective means to protect organizations from web-based phishing attacks.

Activu

Activu

Activu makes any information visible, collaborative, and proactive for people tasked with monitoring critical operations including network security.

Xiarch Solutions

Xiarch Solutions

Xiarch Security is an global security firm that educates clients, identifies security risks, informs intelligent business decisions, and enables you to reduce your attack surface.

Raman Power Technologies

Raman Power Technologies

Raman Power Technologies focus on bringing value and solving business challenges through the delivery of modern IT services and solutions including cybersecurity.

CybersCool Defcon

CybersCool Defcon

CybersCool is committed to educate and train, re-skill and up-skill the current workforce of various industries and businesses in the knowledge and know-how of cybersecurity.

GeoComply

GeoComply

GeoComply provides fraud prevention and cybersecurity solutions that detect location fraud and help verify a user's true digital identity.

Relatech

Relatech

Relatech is a Digital Enabler Solution Knowledge (D.E.S.K.) Company that offers digital services and solutions dedicated to the digital transformation of businesses.

Sonar

Sonar

AI generated or written by humans, Sonar’s Clean Code Solutions cover your code quality needs, improving code reliability, maintainability, and security.