What the Facebook-Cambridge Analytica Data Leak Teaches us About Ethics And Privacy It should serve as a cautionary tale to marketers on the importance of being transparent with consumers about how their information is used

Each day, millions of people log in to Facebook, which has become almost like a digital extension of our real, tangible selves. A social networking platform with 2.2 billion active monthly users, Facebook is huge enough to be an entire country in itself. In fact, much like a country, it is made up of several different individuals and communities. More importantly, though, like any other country, it also needs revenue to run on.

As one of the world's largest advertising platforms, Facebook serves as a marketing channel for both major global brands, as well as small local businesses, who rely on the vast amount of data the social platform allows them to access, to ultimately help them connect with millions of consumers across geographies and demographics. The actual number of active advertisers on Facebook, as per the latest announcement, is around 6 million and growing rapidly, as is the number of users on the platform. From products and services to political ideology, these advertisers try to sell millions of different things to consumers each day through the platform, all with the help of a few algorithms. But how they do it is something most of us seldom stop to think about.

Facebook and Cambridge Analytica: What the "Big' Data Breach Was All About

We have all at some time provided some basic information about ourselves on social networking platforms. It could be as harmless as your birthday, your schooling experience, or maybe even your work experience, or any other bit of personal information, from your favorite pizza topping to details about your life partner. We also know that apps like Facebook, which we use on our smartphones and computers, have access to our data, because we give it to them when we click on that little "Accept' button on the installation page. But what that access entails, and what it shouldn't, is essentially in the hands of those who build the app with the user having little say in the matter. In such a case, all one can do is rely on the ethics and discretion of the company and trust it to keep your information safe.

However, in a rude shock to billions of people around the world, on March 16, 2018, news broke out that more than 50 million Facebook user profiles had been leaked to a UK-based political data analytics provider, Cambridge Analytica. Here's the incident in brief:

Aleksandr Kogan, a University of Cambridge professor was collecting data about users on Facebook as part of his research and developed a mobile application called "This is your Digital Life' that allowed Cambridge Analytica to collect personal details of more than 50 million Facebook users. What Cambridge Analytica previously had done on several other occasions was collect data from Facebook and Twitter (which is perfectly legal) and purchased an array of other data points — about television preferences, airline travel, shopping habits, church attendance, what books you buy, what magazines you subscribe to — from third-party organizations and so-called data brokers. All of this data was then collectively used for the purpose of "behaviouralmicrotargeting" — which in simple terms would mean individualised advertising.

But the information collected was then allegedly used to sway the public in favor of then-presidential candidate Donald Trump. However, people working on Trump's campaign quickly disregarded Cambridge Analytica's role in the election, claiming that the Republican National Campaign was the primary source of voter data, and "any claims that voter data from any other source played a key role in the victory are false." Nevertheless, the incident has sparked a lot of questions about who did what, and when. The reports were referred as a 'data breach', and in response to the same, Paul Grewal, the Deputy General Counsel for Facebook stated that it being called a "data breach' was completely false. Their key argument was that users who were signing up on Kogan's application gave their consent and that no passwords were acquired by hacking, nor were any systems infiltrated.

That people gave their consent to Kogan's application, 'This is your Digital Life' for access to some of their data is technically true, and not illegal. But while the Facebook databases were not hacked by any external source, the fact remains that a huge amount of data came from the Facebook friends of those who signed up for the app. What's even more distressing is the fact that while the app users' friends did not give consent for their data to be accessed, even the ones who signed up weren't ever notified that their data might be shared with a third party.

The lessons

What this incident can be expected to do is finally get Facebook, and its competitors, to engage in a healthy conversation on issues like ethics, privacy, and transparency. Moreover, it should serve as a cautionary tale to marketers on the importance of being transparent with consumers about how their information is used. At the same time, governments around the world must introduce stricter laws and governance policies for the access and use of consumer data.

GDPR: A potential cyber security solution

GDPR stands for General Data Protection Regulation, and according to Wikipedia, it is "a regulation in EU law on data protection and privacy for all individuals within the European Union." Simply put, the GDPR once implemented, will ensure that an individual consumer's data is stored and managed in a regulated manner. What does it mean? Although, the definition may state that it is a regulation that applies to all individuals within the European Union, the new data privacy law will affect any company that operates in the EU or even processes the data of any EU nationals. Pick any of the current online channels like Google, YouTube, Skype, or even some prominent e-commerce portals, the rule ensures that their privacy policy should offer thorough clarity on what data the website has captured, when it is captured, what it will be used for, and details about any third parties (if involved).

The process of requesting the details of a user, and the option for a user to request that their data be permanently deleted, also make for key elements of the policy. As a business owner, the rule banks on a valid point that companies need to understand that personal data is not theirs but that of the users. Like a bank holding a consumer's money, they will only be able to hold data, with the possibility of letting the users examine it, or take it back when they please.

At this point in the global digital revolution, the Facebook-Cambridge Analytica incident is a reminder that our current data breach notification laws must be amended to encompass personal data obtained through social engineering as a recognised form of data breach. That would not necessarily mean that companies would be under obligation to report every personal data leak. Rather, they will have to employ stricter measures to prevent manipulation techniques from gaining access to personal information; and if such techniques are occasionally successful, they must notify users and consumers in due course, and that appropriate legal action is authorised to ensure compliance.