The Cambridge Analytica incident demystified

As noted in article after article after article, many of the questions directed to Zuckerburg from the Senate Judiciary Committee underscore a broad lack of understanding about the fundamentals of social media networks and how advertising is conducted through Facebook. The appearance at Capitol Hill resulted in a surge of online discussions fueled by heresay and misconceptions. Here are some of my insights based on those discussions and some of the questions coming from the hearing:

1. There wasn't a hack, but inadequate data sharing policies were exploited

Here's the story: Aleksandr Kogan (Wikipedia) is a Cambridge University academic who developed a 'Test Your Personality' app called thisisyourdigitallife for academic purposes that went viral on Facebook. It was by using this app that users gave explicit permission for the app to access their data. Kogan shortly thereafter began an enterprise called Global Science Research under which Kogan transferred ownership of the app and was republished to Facebook for Developers in 2014 with new terms and conditions that highlighted its transition from academic to commercial use (Cambridge University). It was through Kogan's app that Cambridge Analytica paid for and acquired their foundational dataset. The firm funded Kogan to run several data harvesting campaigns that collected 270,000 users - all of whom agreed to the terms of service and used the viral app (TechCrunch). So how did 270,000 profiles turn into 50,000,000 profiles worth of data?

Rewind back to 2014, Facebook API had a feature called 'friends permissions' that freely empowered third-party developers to collect the status updates, check-ins, location, interests and more of the friends of app users. While Facebook depreciated this feature a year later, Kogan had already collected data on 270,000 users and second-degree friends, resulting in over 50 million profiles in a massive, multi-point database (TechCrunch). This was a four-year ticking time bomb of poor privacy enforcement in the making.

2. Cambridge Analytica is one of hundreds of companies probing for vulnerabilities

Facebook with its two billion monthly active users presents itself as a huge target for unethical companies and individuals who are willing to game the system for business advantages. While Facebook is constantly fortifying their privacy protections and updating their Terms of Service, malicious actors are finding new and unique ways to exploit advertiser and developer functionality on Facebook.

An ethical research team from Northeastern University recently reported an exploit in Facebook Ads Manager:

[The exploit] could infer attributes of an individual included in an uploaded Custom Audience ... using the estimated reach reporting available in the advertising interface ... it would be possible to infer each of the 1,200 or so targeting attributes

Given the daily attack Facebook's systems are under - and the ever-increasing sophistication of attacks (think about the recent credit reporting data breaches), I'd say Facebook is performing an unprecedented job protecting personally identifiable information. So if Cambridge Analytica is one of hundreds of companies doing the same exact thing, then why the big to-do? The controversy - and there's a lot of it! Most of those topics I'd rather not get into detail on, but I can't wait for the documentary.

3. Facebook doesn't sell your data to third parties

As its broadest level, Facebook's business model is elegant. Facebook's social network will always be free for users because the company produces revenue by charging advertisers. They do not sell user data to advertisers. Instead, they ask advertisers who they would like their ad delivered to. Advertisers provide Facebook with their preferred audience, and Facebook handles the rest.

In the recent past, Facebook incorporated third-party data sets into Audience Targeting to empower advertisers to more acutely target the people who are likely to transact with their business. Using these data sets typically incurred a fee from Facebook to the advertiser - typically a percentage of the ad spend - to help pay for the use of the data set. Going forward, in support of user privacy, third party data will no longer be used. But advertisers will still be able to reach their audience on the platform.

It is through this marketing relationship that the platform remains free for use.

4. Facebook isn't listening to everything you say

It really isn't. This article on Wired by Antonio Garcia Martinez breaks down the infeasibility of a constantly-listening social network from the perspective of data and network bandwidth. Take it from him. He invented Facebook's ad machine.

What about the messages I write through Facebook Messenger or WhatsApp? While Facebook may check photos and links in private messages to ensure no illegal content is being passed across the network, the answer is No. Not those either.

5. Given all this, it's still important to practice self-censorship

Social networks provide great privacy controls to help you curate what gets seen by the public eye and what doesn't. But at the end of the day strong privacy starts with personal responsibility. Curate the content you make available about yourself on social media. You are the guardian of your own data. Make sure to stay informed, set your boundaries, and respect your brand by advocating good content control.

Cover Photo by Matthew Henry on Unsplash