Aussies sue Facebook over Cambridge Analytica scandal

Facebook might have thought the headaches of the Cambridge Analytica scandal were firmly in the rear-view mirror, but the Australian Information Commissioner has different ideas.

After 311,127 Australians got caught in the data harvesting saga, the Australian Information Commissioner has finally got to the point where it believes legal action is appropriate. As the This is Your Digital Life app misled the user as to how the data collected was being used, the Commissioner believes Facebook and Cambridge Analytica are in breach of the Privacy Act, 1988.

“All entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law,” said Australian Information Commissioner and Privacy Commissioner Angelene Falk.

“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed. Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy.

“We claim these actions left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations.”

In disclosing the personal information of 311,127 Australian users to Cambridge Analytica, the Australian Information Commissioner believes Facebook to be in violation of Australian Privacy Principle 6. This is due to the fact many of the users did not download the app themselves, and therefore did not consent. It is also alleged Facebook failed to protect its users’ personal information from unauthorised disclosure, violating Australian Privacy Principle 11.

While it is not a new revelation, the Australian Information Commissioner is holding Facebook accountable on transparency grounds. The maximum penalty for breach of Australian privacy laws is $1.7 million for each violation.

Although this is unlikely to be welcome news in the Facebook offices, it is of course not the first fine the social media giant has had to deal with in regard to Cambridge Analytica. In the UK, the Information Commissioner’s Office (ICO) fired a £500,000 fine at Facebook, while it took a record $5 billion settlement with the Federal Trade Commission (FTC) to resolve a government investigation into its privacy practices.

Facebook starts taking data guardian role seriously

Facebook needs to get back in the good books of both regulators and the general public sharpish, and it seems it is taking a machete to the developer ecosystem to do so.

As part of the agreement with the Federal Trade Commission, Facebook has promised to create a more comprehensive oversight model for the development and implementation of apps on its platform, and it does seem to be taking its responsibility seriously this time around. Whether this prevents a repeat of the Cambridge Analytica scandal which kicked off the privacy debate remains to be seen, though it is making the right noises.

“Our App Developer Investigation is by no means finished,” said Ime Archibong, VP of Product Partnerships.

“But there is meaningful progress to report so far. To date, this investigation has addressed millions of apps. Of those, tens of thousands have been suspended for a variety of reasons while we continue to investigate.”

Although it is very difficult to figure out how many app developers and applications there are actually on the Facebook platform at any single point, Archibong has stated that 400 developers have been deemed to be breaking the rules. These 400 are responsible for the ‘tens of thousands’ of apps which have been suspended.

While this is a promising start from the social media giant, it will have to do a lot more. We struggle to believe the number of suspect app developers is as low as 400. There might be 400 in London, but worldwide it is going to be a number which is monstrously larger.

This is where Facebook will struggle to be the perfect guardian of our digital lives. With an unthinkable number of developers and apps, it will never be able to protect us from every bad actor. Whether best effort is good enough for the critics remains to be seen.

Dating back to March 2018, this is a saga which Facebook cannot shake off. The general public, politicians and regulators were all enraged by what can only be described as gross negligence from the social media giant. Rules were in place, though they were not nearly comprehensive enough and rarely were bad actors put to the sword and held accountable.

This is what Facebook has to prove to its critics; it is a company which is responsible and can act as an effective guardian of the user’s personal information. It is currently being judged in the court of public opinion, a very difficult place to make any progress when the masses are baying for blood.

Although the Cambridge Analytica scandal is only part of the problem, it was the incident which turned the tides against the technology industry. Along with other privacy scandals and debatable business practices, Silicon Valley is being placed under the microscope and it is not working out well. Best case scenario for the likes of Facebook and Google is stricter regulation, though the worst outcome could see acquisitions reversed in the pursuit of increased competition and diluted influence at these companies.

This Facebook investigation is looking to identify the developers who are most likely to break the rules, though there are stricter guidelines being put in place. Archibong is suggesting many of the quiz apps which plague the platform will be banned moving forward, as many will be judged to collect too much information when measured against the value which they offer. Moving forward, these developers shouldn’t be able to get away with it.

This in itself is the problem; Facebook was asleep at the wheel. It created a valuable product and then started to count the cash. It didn’t evolve the rules as the platform grew into an entirely different proposition and it didn’t keep an eye on whether app developers were breaking the basic rules which it had in place anyway.

If Facebook’s quest continues on its current trajectory, the developer ecosystem might have to work a bit harder to access personal information. Apps with very limited functionality and value will not be granted access to the same treasure troves, while the team will also have to prove collecting personal information will improve the experience for the user.

Another interesting point which was raised in the commitment is an annual review. Archibong is suggesting every app will be assessed on a yearly basis, and those who do not respond effectively to the audits will be temporarily suspended or banned.

It remains to be seen whether Facebook is doing enough to keep critics happy, though there is no such thing as being heavy-handed here. Facebook will have to take the strictest approach, overcompensating even, to ensure it regains the trust and credibility it threw away through inaction.

DCMS calls out Facebook for stretching the truth

Facebook might have thought the worst of the Cambridge Analytica affair was behind it, but the UK Government is questioning whether it was entirely truthful with evidence presented to a parliamentary committee.

In a letter written to Sir Nick Clegg, Facebook’s VP of Global Affairs and Communications, Facebook is being asked to clarify discrepancies between testimonies it gave to the UK’s investigation into the scandal and evidence which was presented to the Securities and Exchange Commission’s own investigation. The letter very politely and appropriately asks for clarification on statements which seem to contradict each other.

“Further to our letter dated 17 July 2019, we would also like to raise several concerns considering recent charges made against Facebook by the US Securities and Exchange Commission on Wednesday 24 July,” the letter reads.

“The SEC Complaint seemingly directly contradicts written and oral evidence we received from Facebook representatives over the course of our enquiry into ‘Disinformation and fake news’ on several points raised below, and we request clarity on these issues.”

The letter itself was penned by Damian Collins, the Conservative MP for Folkestone and Hythe and Chair of the Digital, Culture, Media and Sport Committee. The evidence in question refers to testimonies given to the Committee by CTO Mike Schroepfer, Head of UK Public Policy Rebecca Stimson and VP of Privacy Solutions Lord Richard Allan, during DCMS investigations in 2018.

As Facebook is repairing its reputation across the world, attempting to regain trust and credibility in the eyes of the consumer, the last thing it needs is to be accused of lying to the UK Government.

The letter itself asks for clarity on three areas. Firstly, when Facebook executives were made aware of the abuse from Cambridge Analytica. Secondly, how the misuse of data was handled internally. And finally, communication between senior executives.

On the first point, Schroepfer and Lord Allan insisted the team was only made aware of the abuses through the article which exposed Cambridge Analytica published in the Guardian. That said, evidence presented to the SEC suggests internal concerns and complaints were raised in 2015, months before the article exposed the abuses.

On the continued abuse, Facebook executives suggested Cambridge Analytica had confirmed the deletion of the data in 2016, though it wasn’t until 2018 that executives were made aware the data was still being utilised. Evidence presented to the SEC contradicts these testimonies given to Collins and the other members of the DCMS Committee, as employees had ongoing concerns through the intervening years thanks to Cambridge Analytica marketing materials.

Finally, evidence submitted to the Committee by Lord Allan and Stimson suggests CEO Mark Zuckerberg was not made aware of the continued abuse until 2018. However, Schroepfer has stated Zuckerberg was the primary decision maker for any privacy issues. If both statements are to be believed, there has been a systematic failure in dealing with privacy issues and policies. Collins questions why Zuckerberg and senior management were not made aware of these issues until the reports emerged in the press.

Although many assumed Facebook executives were not being entirely truthful when giving evidence, perhaps choosing to hold back certain snippets of information, it might appear the social media giant has been caught trying to be too clever for its own good.

This is not a good headline for Facebook. It has shown little respect to the UK Government during the Cambridge Analytica saga, and these revelations just rub salt into the wounds. At a time when it is attempting to justify its existence and prove it can be a trustworthy guardian of users’ personal information, this letter shakes the foundations of credibility once again.

Facebook is said to be shopping for a security company

The social network giant Facebook is speculated to be close to acquiring a cybersecurity company to shore up its data protection capability.

In the wake of a massive security breach, when 29 million users’ data were compromised, Facebook is desperately scrambling for a quick and effective solution. As it emerges, one way of doing so, in addition to working with the FBI, is shopping. The Information reported that according to four separate sources, Facebook has approached several unidentified cybersecurity companies for acquisition. One source told the online technology publication that a deal with one of the target companies could be reached before the end of the year.

A professional security solution sourced from outside could help refresh Facebook’s internal measures that might have overlooked vulnerabilities. The leak in late September, which initially was thought to have affected up to 50 million users, resulted from a coding loophole in the “View As” feature, which was attacked by an unknown party disguised as a 3rd-party marketing company. Facebook later clarified that about 30 million users actually had their access tokens stolen, but the attackers failed to gather information on 1 million of them.

On top of the technical expertise to be acquired, a high-profile purchase of a security company would also improve the perception that Facebook is serious about safeguarding user data. The company’s reputation has been repeatedly battered since the Cambridge Analytica scandal, prompting it to go more aggressive with its PR strategy. After recruiting a high calibre ex-politician to its team, adding a professional security solution to its toolkit would do no harm.


Brexit data contravention lands Facebook a £500,000 fine

The Information Commissioner’s Office (ICO), UK’s data protection regulator, intends to fine Facebook half a million pounds for its failure to safeguard user data in the run-up to the country’s referendum to leave the EU in 2016.

After more than a year’s investigation, the ICO’s progress report published today (11 July) determined that Facebook breached the Data Protection Act 1998 by lacking transparency “and security issues relating to the harvesting of data”. Facebook is due to present its case in front of the ICO later this month.

We asked Facebook for a comment and got this from Erin Egan, its Chief Privacy Officer: “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015. We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”

In addition to penalising Facebook with the highest possible sum in its jurisdiction, the ICO has also undertaken actions against a string of parties suspected of having been involved in irregularities during the campaign:

  • An Enforcement Notice to cooperate with the investigation was sent to SCL Elections, affiliated with Cambridge Analytica, and steps are being taken to bring criminal charges against SCL Elections for its failure to implement the Enforcement Notice;
  • Warning letters were sent to 11 political parties on their ways of buying and using voter data. Audits are planned for later this year;
  • An Enforcement Notice was sent to the Canadian data analytics firm AggregateIQ (AIQ) demanding that it stop possessing UK voters’ data, in cooperation with the Canadian authorities;
  • Investigations into both the Leave and Remain campaigns are ongoing;
  • An audit of Cambridge University’s policy and process will be conducted. A recommendation to Universities UK was issued demanding that education institutions be more vigilant on the usage of personal data gathered for academic research purposes vs. academics’ private commercial interest.

In a certain sense, Facebook was fortunate with timing. Had the new GDPR been in place before the referendum, the ICO would have had the authority to hand out a ticket of up to €20 million (£17 million).

Zuckerberg threatened with summons next time he enters UK

Damian Collins, Chair of the Digital, Culture, Media and Sport select committee, has given Facebook CEO Mark Zuckerberg two choices; testify voluntarily or we’ll issue a formal summons next time you enter British jurisdiction.

The letter follows evidence given by Facebook CTO Mike Schroepfer to the select committee last week, which has been deemed unsatisfactory by the lawmakers. Attached to the letter was also a list of 39 questions Schroepfer was unable to answer, as the select committee attempts to get to the bottom of the Cambridge Analytica scandal.

“Following reports he [Zuckerberg] will be giving evidence to the European Parliament in May, we would like Mr Zuckerberg to come to London during his European trip,” the letter reads. “We would like the session here to take place by 24 May.

“It is worth noting that, while Mr Zuckerberg does not normally come under the jurisdiction of the UK Parliament, he will do so next time he enters the country. We hope that he will respond positively to our request, but if not the Committee will resolve to issue a formal summons for him to appear when he is next in the UK.”

Zuckerberg now has until May 11 to respond, and to show that he is not directly snubbing the UK government. Collins and his cronies might have had their egos dented when Zuckerberg sent one of his deputies to answer their questions, but the flexing of legislative muscles is almost surely going to gain the attention of the Facebook CEO. Zuckerberg might be almost allergic to face-to-face discussions, however ignoring this letter could escalate into somewhat of a PR disaster for the social media giant.

In terms of the unanswered questions, you do have to feel sorry for Schroepfer. The MPs have condemned the executive for not having the answers, but as Schroepfer mentioned several times during the briefing, he came prepared to answer questions specifically on the Cambridge Analytica scandal. This was what was requested of him. He was also very honest with the Committee; when he was not certain he said he would get back to them.

On several occasions, Collins asked Schroepfer to guess at an answer when he did not know, to which Schroepfer refused. What Collins was going to achieve through asking for a guess is beyond us. It seemed the MP was attempting to lure the executive into making inaccurate statements. Schroepfer did well to resist and acted completely appropriately, even if the MPs didn’t, almost mocking him on occasion. It was more of an immature chest-beating exercise to belittle a US executive than a useful inquiry.

There were several questions which Schroepfer should have been able to answer, those which were focused on the scandal, but some were not. And it wasn’t like Collins was asking for information which is easily available. For example, Schroepfer is unlikely to know on what percentage of websites on the internet users are tracked by Facebook. Collins is talking about every website on the internet; it isn’t absurd for Schroepfer not to know the answer to this question. You can have a look at the full letter and questions below.

Zuckerberg should respond positively to this letter otherwise there is a risk of the situation escalating. It might prove to be a humbling and embarrassing experience for the CEO, as we imagine the MPs will have their sights set on patronising and demeaning him as much as possible as punishment for the earlier snub, but damage limitation is never a simple task.


FTC set to get in Facebook’s face, and its books

The US Federal Trade Commission has announced it is formally investigating Facebook’s privacy practices, which is unlikely to end well.

This was pretty inevitable given the spectacular amount of press surrounding the Cambridge Analytica stories. While it can be reasonably argued that it’s pretty naïve to be all shocked when you find out a social media company has been exploiting the personal data you willingly give it for profit, this scandal seems to have broken the dam on pent-up concerns about data privacy.

Again, that was bound to happen sooner or later. The rules on personal data have been made up on the fly because we’ve only had social media for a decade or two. It’s quite possible that Facebook has done nothing wrong in the legal sense but the world is now asking whether or not it should have been allowed to play so fast and loose with our digital identities regardless.

“The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers,” said Tom Pahl, Acting Director of the FTC’s Bureau of Consumer Protection. “Foremost among these tools is enforcement action against companies that fail to honour their privacy promises, including to comply with Privacy Shield, or that engage in unfair acts that cause substantial injury to consumers in violation of the FTC Act.

“Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.”

The implication there is that Facebook made some specific vows to the FTC that it may have violated. Even if it hasn’t, this kind of non-public investigation (and surely there will be leaks) will allow the FTC to dig around as much as it wants. Since the origin of this story was the relatively benign matter of exploiting a loophole and then selling that data on, it seems improbable that further such transgressions won’t be uncovered.

This news alone has spanked the Facebook share price down another few percent, just as it’s trying to recover from its latest PR challenge. Over the weekend there was widespread reporting that Facebook has been gathering Android users’ contact details, including phone numbers and text messages. A BBC journalist was taken aback to find his entire contact list among the files presented to him when he downloaded all the data Facebook has on him.

Facebook felt moved to defend itself on this specific count, insisting it has not been logging people’s call and text history without their permission. Apparently that is an opt-in feature for people using Messenger or Facebook Lite on Android, that you can opt out of whenever you want. Facebook also insisted it doesn’t collect the content of calls or texts and doesn’t sell any of this stuff on. Incidentally your correspondent doesn’t seem to have opted into this feature.

The fact that Facebook is having to defend an opt-in feature that has been in place since 2015 shows how much this story has changed the rules of the game. People have become hyper-aware of how freely they agreed to surrender information to Facebook and are retrospectively indignant. Unless Facebook successfully addresses this sentiment its share price will probably continue to fall.

Facebook kicked out of Cambridge Analytica offices by UK government agency

Facebook seems to have missed its opportunity to get a handle on the Cambridge Analytica situation, having been told to stay out of its offices by the UK ICO.

Digital forensics firm Stroz Friedberg was hired by Facebook yesterday ‘to conduct a comprehensive audit of Cambridge Analytica,’ according to a Facebook announcement. Apparently CA was happy to give FB full access to its servers and systems but the UK Information Commissioner’s Office, which is sponsored by the governmental department for Digital, Culture, Media and Sport, had other ideas.

“On 7 March, my office issued a Demand for Access to records and data in the hands of Cambridge Analytica,” said Information Commissioner Elizabeth Denham. “Cambridge Analytica has not responded by the deadline provided; therefore, we are seeking a warrant to obtain information and access to systems and evidence related to our investigation.

“On 19 March, Facebook announced that it will stand down its search of Cambridge Analytica’s premises at our request. Such a search would potentially compromise a regulatory investigation.”

It’s not known how long FB, via its proxies, had access to CA’s files and how much investigating it managed to do, but being kicked out by the ICO is presumably a major inconvenience. One of FB’s major priorities must be to demonstrate that it did everything possible to ensure the data reportedly passed on by Kogan to CA was destroyed, and therefore minimise its liability for the subsequent outcry. Christopher Wylie, the main source for the scoops, has made it clear that he has no intention of helping FB out on this.

For the time being the main fork of the story seems to be focusing on how shocking it is that politicians will do anything they can to win elections. UK’s Channel 4 seems to be part of the choreography designed to extract maximum mileage from this angle and secured a hidden camera scoop of CA execs boasting about all the underhand tactics they can help out with. You can see the full video report below.

Plenty of other commentators have reflected on how utterly unsurprising it is, both that FB seeks to monetise the data it is given by us as effectively as possible, and that politicians might seek to use that data to influence the electorate in their favour. But for the time being outcry is the order of the day and we can expect all manner of opportunists to exploit the opportunity to kick FB and CA while they’re down.

Meanwhile the other narrative fork, concerning data privacy, is fermenting nicely in the background. FB’s VP of AR/VR has issued a public Q&A apparently designed to address some of the questions arising from the story. One of the points he makes is that it’s no longer possible to extract data about friends of people who have signed up to have their data harvested.

The NYT is reporting that FB’s Chief Information Security Officer – Alex Stamos – is leaving the company due to disagreements about how to handle this sort of thing, and FB’s shares fell 7% yesterday. There seems little doubt that this affair is going to lead to a lot more scrutiny of the social media business model and it will be interesting to see what kind of long-term remedies remain standing once the dust has settled.