Scrutiny falls on Facebook following reports of data harvesting for Trump campaign

I think user education is the key...


"Hundreds of thousands of users were paid to take a standard personality test and consented to share their data for academic use"


Although it says "for academic use", how many users would have genuinely dropped out if it wasn't for academic researh? Not many in my opinion

I would genuinely be interested if the new GDPR regulations have any impact on this or not. The problem is that it is not entirely clear what the end users are consenting to and how their PII might be used by the data collector or other 3rd parties.

John Haith‍ Agreed, often with these types of things it is more effort to withdraw then to sign up. However I'm not sure it was all about education as they harvested the details of the users Facebook friends as well, so even those who do know better were affected as well

Gordon Shorten‍ The GDPR regulations don't come into law until May so I'm not sure it affects this case, but is likely to affect similar cases in future. That said, if the allegations are correct, the companies involved didn't seem that bothered about the current data protection rules so not sure GDPR would've worried them 

Does anyone know the specific details on what Facebook data was actually leaked? I haven't found an article yet that explains exactly what was unwittingly shared

John Haith‍ I did a quick search and couldn't find any specifics either... which possibly makes the whole thing even more mysterious!



During my search, I came across this article from Channel 4 News - they are said to have involved themselves in 200 elections around the world - meaning the issue is a lot bigger than just the US election and the Brexit referendum 


Should we really be shocked that so many democratic elections have been compromised by this? What can be done to prevent this?

I'm always torn on issues like this. From a cyber security perspective, I am naturally concerned with any data breach. However, I do think the press are very quick to scandalise cyber stories. Looking at this from a regular user perspective, if all they have managed to harvest is a list of peoples' Facebook friends (for example), is that really a major concern? Aside from it being morally wrong, of course. After all, it's not like they've actually gone out of their way to hack into individual accounts. Case in point, a local radio presenter said this morning "I don't care, they haven't influence me at all"


....Having said that, could this actually be the real issue? People don't always realise what they're signing up for and the risks involved (large or small). That's why I believe this all boils down to user education so individuals can make an informed decision. There's no way I would have taken the personality test, regardless of whether it was for academic purposes or not


Interesting subject

Hello John Haith‍ 


Your post was an interesting read. I like the fact that you put a balanced argument somewhat.


I am in the mindset that any "personal" data that a user puts on a Social Media site, is no longer "personal" data. The user has given that data to the world. Despite best efforts made with privacy settings, if friends' privacy settings are not up to the same level, then the user has is still giving their data out. The user accepts this when they sign up to Facebook. Except for this being ethically wrong, all these apps done was take that data that the user agreed for them to use.


The following is a quote from Facebook's Terms page- [1]"Statement of Rights and Responsibilities", Facebook, 2018. [Online]. Available: https://www.facebook.com/legal/terms. [Accessed: 23- Mar- 2018].

Sharing your content and information

You own all of the content and information that you post on Facebook, and you can control how it is shared through your privacy and application settings. In addition:

1. For content that is covered by intellectual property rights, such as photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide licence to use any IP content that you post on or in connection with Facebook (IP Licence). This IP Licence ends when you delete your IP content or your account, unless your content has been shared with others and they have not deleted it.

• When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others).

• When you use an application, the application may ask for your permission to access your content and information as well as content and information that others have shared with you.  We require applications to respect your privacy, and your agreement with that application will control how the application can use, store and transfer that content and information.  (To learn more about Platform, including how you can control what information other people may share with applications, read our Data Policy and Platform page.)

• When you publish content or information using the Public setting, it means that you are allowing everyone, including people not on Facebook, to access and use that information, and to associate it with you (i.e. your name and profile picture).

• We always appreciate your feedback or other suggestions about Facebook, but you understand that we may use your feedback or suggestions without any obligation to compensate you for them (just as you have no obligation to offer them).

 

Also the following:

Protecting other people's rights

We respect other people's rights and expect you to do the same.

1. You will not post content or take any action on Facebook that infringes or violates someone else's rights or otherwise violates the law.

• We can remove any content or information that you post on Facebook if we believe that it violates this Statement or our policies, including our Community Standards, or where we are permitted or required to do so by law.

• We provide you with tools to help you protect your intellectual property rights. To learn more, visit our How to Report Claims of Intellectual Property Infringement page.

• If we remove your content for infringing someone else's copyright, and you believe we've removed it by mistake, we will provide you with an opportunity to appeal.

• If you repeatedly infringe other people's intellectual property rights, we will disable your account when appropriate.

• You will not use our copyrights or Trademarks or any confusingly similar marks, except as expressly permitted by our Brand Usage Guidelines or with our prior written permission.

• If you collect information from users, you will: obtain their consent, make it clear that you (and not Facebook) are the one collecting their information, and post a privacy policy explaining what information you collect and how you will use it.

• You will not post anyone's identification documents or sensitive financial information on Facebook.

• You will not tag users or send email invitations to non-users without their consent. Facebook offers social reporting tools to enable users to provide feedback about tagging.

The bold would apply to the content owners of the apps, therefore, some blame has been removed from Facebook.


Granted, I get that one of the main issues regarding this case, and others like it, has something to do with the friends of friends feature. Those friends of friends are somewhat unknowingly being caught up in this data harvest, therefore their data is being used unethically. I would not go as far as to say illegaly, as they gave that data on Social Media, complying with the terms. I suppose this strays into that grey line of whether or not data you put on Facebook, or other Social Media sites is still classified as "Personal" data. Is it Personal if you put it out for the world to see? I suppose Facebook could do more, of course they could. However, it is like you say, it is down to user education and informed decisions. Not only that, users actually reading Terms and Conditions and small print, instead of being upset and complaining when they think that their rights have been breached, when actually, they agreed 5 years ago when they opted to open a social media profile.


Again, covering user education, and perhaps Facebook changing the way they work (which would be a difficult move, as this is really down to privacy settings of friends), even if you have privacy settings on your profile that hides everything from somebody who is not a friend, or friend of a friend, some of that content can still be viewed. Just because your page is private, does not mean that your friends' profiles are. Using search tools such as those found on Intel Techniques, which only perform tasks you can do manually, you can view content that you may think is hidden. Likes, friends of friends, photos of friends, photos tagged in, videos liked, etc., etc. Surely this is the only data that can be harvested on Facebook, and any other info you put on there such as birthdays, mobile numbers, addresses, etc. If you put that info on, and public, more fool you.


As mentioned above though, and to reinforce the terms, the user agrees to this.


Quote from the Data Policy page - Data Policy", Facebook, 2018. [Online]. Available: https://www.facebook.com/about/privacy/. [Accessed: 23- Mar- 2018].

Apps, websites and third-party integrations on or using our Services.

When you use third-party apps, websites or other services that use, or are integrated with, our Services, they may receive information about what you post or share. For example, when you play a game with your Facebook friends or use the Facebook Comment or Share button on a website, the game developer or website may get information about your activities in the game or receive a comment or link that you share from their website on Facebook. In addition, when you download or use such third-party services, they can access your public profile, which includes your username or user ID, your age range and country/language, your list of friends, as well as any information that you share with them. Information collected by these apps, websites or integrated services is subject to their own terms and policies. 

Learn more about how you can control the information about you that you or others share with these apps and websites.

Who is really at fault? The Social Media platform for not making clear enough how content you provide, and data you share will be used, despite it being in the "small print"? The user for not reading that small print, terms and conditions, and any privacy policies provided, prior to registering and sharing? Or finally, media and news for, as you say, turn stories into scandals just for the ratings. Scaring users into thinking all their life history is now for sale on that magic cloud in the sky called the internet.


That's my thoughts anyway.

Excellent analysis, Richard Bloxam-Rose‍. I think you've pretty much hit the nail on the head with everything you've said. The media love a story like this because they know it causes widespread panic (regardless of the actual level of risk from the security breach)


Just to be clear, I am security focused and I'm certainly not condoning the actions of Facebook or Cambridge Analytics because I don't know the full details, but I don't like scaremongering either :)

Looking at further developments on this topic, and the news reports coming out - including those of Facebook. Do you think the #DeleteFacebook is a fair campaign?


I know Facebook has acknowledged that they could have done more to protect against data being used in such a way, however, referring back to their Terms and Conditions, as well as their Data Policy, as quoted beneath, is the fault still with users, or Facebook? Could Facebook have changed the way they allow their data to be used? Should users be so upset, considering they put the information on Facebook under those Terms and Conditions that 3rd Party organisations hold the responsibility?


I know there is a big problem here, but I am failing to see why Facebook is being bashed so hard in this. All they do is provide a platform for people to give away all their life details, and leaves the privacy settings up to them. The terms could be changed - fine, however, users signed up "agreeing & accepting" those.


Opinions?

It certainly is an interesting topic, Richard Bloxam-Rose‍


The problem with lengthy and boring T&C's is hardly anyone reads them. Users know this, and so do the companies. So who's at fault? Do companies see this as an opportunity to slip things in under the radar? Or do users understand the risks (deep down) but simply can't be bothered to read the full details? Probably a bit of both in my opinion


Personally, I think #deletefacebook is overkill. Too many people enjoy Facebook and it's become a part of their daily lives - they aren't going to ditch it that quickly