Facebook has come under fire in recent weeks over massive data privacy leaks that affected 87 million users and potentially influenced the outcome of the 2016 U.S. election.

As originally reported by The New York Times and The Guardian, Cambridge Analytica, a London-based data mining and analytics firm, collected information from users who took a pop quiz through an app named “thisisyourdigitallife.” The data was obtained by Aleksandr Kogan, a Cambridge psychology professor, for use by affiliate firm Strategic Communication Laboratories (SCL), directly violating Facebook’s terms of service.

The pop quiz promised users that it would predict aspects of their personalities. Hundreds of thousands of users took the pop quiz, but information was also collected from their Facebook contacts, even though those contacts had never taken it.

Cambridge Analytica and SCL ran data operations for Donald Trump’s campaign and are widely credited with having helped him target users on Facebook more effectively than Democratic rival Hillary Clinton. The pop quiz provided information such as content users liked, information about their friends and the cities they lived in.

Eunoia Technologies, a data harvesting firm, also received this information alongside SCL.

Facebook’s security policy prohibits app developers from giving away or selling user information; the platform learned of this data privacy breach in 2016 and took steps to remove the app from FB while suspending SCL and Cambridge Analytica.

These companies were also asked to destroy any of the data collected through this app and Cambridge Analytica released a statement after learning of the breach of Facebook’s terms of service.

Federal Trade Commission Conducting Facebook Investigation

Facebook worked with the U.S. Federal Trade Commission to draft a privacy decree in 2011 protecting its users from having their data shared through other apps without being informed. The consent decree required that Facebook conduct audits of the platform’s privacy practices every two years and prevented the company from misleading users about the privacy of their personal information.

The FTC released a statement confirming an investigation into Facebook’s data privacy practices.

“Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements,” said Tom Pahl, acting director of the Commission’s Bureau of Consumer Protection. “Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.”

Zuckerberg’s Testimony at Congressional Hearing

In response to this breach and the influence on the presidential election, Facebook CEO Mark Zuckerberg testified for 10 hours during this week’s congressional hearings about Facebook’s privacy practices.

Members at the hearing asked why the FTC was not informed immediately after Facebook learned of the privacy breach.

“In retrospect it was a mistake. We should have and I wish we had notified and told people then,” Zuckerberg said. “I don’t believe that we necessarily had a legal obligation to do so. I think that it was the right thing to have done.”

Viewers who tuned in expecting a bloodbath may have left disappointed as Zuckerberg explained to congressional members how the platform operates with developers and advertisers.

Zuckerberg explained that Facebook acts as a broker to target ads to audiences the advertiser would like to reach without providing them raw data. App developers such as the one who built the personality app have access to that raw data but are required to ask permission from the platform first.

In response to why Facebook allows apps to access so much information, Zuckerberg said, “I think the mistake we made is viewing our responsibility as just building tools, rather than viewing our whole responsibility as making sure those tools were used for good.”

The hearing is expected to prompt discussion of new laws in the digital space to protect users and govern how their private information is distributed in a largely unregulated market.

Republican senator Chuck Grassley, chairman of the Senate Judiciary Committee, said in his opening remarks, “These events have ignited a larger discussion on consumers’ expectations and the future of data privacy in society.”

Chairman of the House Energy and Commerce Committee, Greg Walden, told reporters at Reuters that he would like to discuss holding similar hearings with other technology executives.

“This is a wake-up call to Silicon Valley and the tech community that if you let these things get out of hand, having grown up in a very lightly regulated environment, you could end up with a lot more regulation than you seek,” he said.

Actions Facebook is Taking After Zuckerberg Testifies at Congressional Hearing

Zuckerberg mentioned that some type of regulation would be necessary but declined to comment on whether Facebook would support future legislation or regulation.

Facebook is currently taking several actions to prevent a similar incident from occurring in the future, including:

  • Safeguarding the platform
  • Investigating other apps
  • Creating better controls and technology to prevent abuse
  • Removing fake accounts and pages produced by spammers
  • Hiring 15,000 people for security and content review
  • Strengthening advertising practices through transparency and page verification
  • Sharing information and cooperating with governments

Other Online Marketers Abused User Data Privacy

While the Cambridge Analytica scandal is the largest data privacy breach in Facebook’s history, other online marketers have abused the system in similar ways, as Alexandra Samuel wrote on The Verge:

“If Facebook’s generous access to friend data was known to many marketers and software developers, so was the tactic of disguising data grabs as fun apps, pages, or quizzes,” she wrote.

The article cites many references to marketers and the tactics they used to gain data from users on the platform, but Sam Weston, a communication consultant in digital marketing and market research, said “We were all conscious that friend data was accessible. I don’t think that anybody had perspective on the potential consequences until it was slotted into this news story, where the consequence may have been the election of Donald Trump.”

“It is actually stunning to think, with the clarity that perspective brings, that you could stand up the kind of ridiculous quiz or survey that they did and then walk away with psychographic profiles on 50 million Americans. Even for someone who worked in the field, [the Cambridge Analytica story] was a moment that gave you real pause to reflect on the business that we walked away from, but that was a massive part of the industry for a long time,” he continued later in the article.

Latest Facebook Security Breach

Facebook succumbed to a security issue on Tuesday, Sept. 25 that affected the accounts of nearly 50 million FB users.

The security breach stemmed from a vulnerability in Facebook’s code for the “View As” feature, which is normally used to let people see what their profile looks like to another user.

“This allowed them [the cyber-attackers] to steal Facebook access tokens which they could then use to take over people’s accounts,” Guy Rosen, VP of Facebook’s Product Management, wrote in a news release. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Facebook has fixed this vulnerability and informed law enforcement of the cyber-attack. Facebook also reset the access tokens of the 50 million accounts that were affected by the vulnerability, which signed many users out of their accounts, and reset the access tokens of 40 million other accounts that were looked up using the “View As” feature within the past year.

Laz’s Thoughts on Facebook Data Privacy Breach

My personal thoughts on the matter are mixed. Facebook has been on the decline as users abandon the platform due to algorithm changes and less time spent on the site. Fake news has been a prevalent issue as it’s easily distributed on Facebook, prompting the platform to try adopting, and ultimately abandon, the use of an Explore Feed and Downvote Feature.

This latest scandal is just one of many, the latest being Equifax or the allegations surrounding Vero’s CEO. There’s also a lot of animosity and tension still surrounding the 2016 presidential election, hurting Facebook’s public image further.

As Alexandra wrote in her piece for The Verge, the use of developer apps to get information from users isn’t much of a secret. If you aren’t paying for the service, then a platform or app is either taking your information and selling it to third parties for profit or displaying advertisements to make revenue.

Among negative reception regarding algorithm changes, one of the biggest drawing points to Vero was the purported security of the app and no ads displayed as users would eventually pay to use the platform.

While I’m highly invested in this PR nightmare for Facebook, I’m not surprised to hear that user data is being sold to third parties for a myriad of purposes. The only reason this blew up in the way that it did is because of the Russian controversy in the elections and Facebook distributing data that may have helped Donald Trump win the presidency.

I’m interested to see if this will pave the way for new legislation and regulations that will protect user information in a vastly unregulated and uncharted market, but this may be a learning lesson to perform our due diligence in understanding how social media platforms are accessing and distributing our data to API developers and advertisers.