Facebook Under Fire Over the Data Mining of App Data

Facebook and Cambridge Analytica are making a lot of headlines over data mining practices. Governments are investigating as well.

Many people are seeing a lot of headlines these days regarding Cambridge Analytica mining Facebook data to potentially sway elections. The media erupted over the weekend when the news first hit. In one example, the CBC reported the following:

A Canadian data analytics expert says he wanted to expose a “problematic” invasion of privacy when he sounded the alarm and alleged a data company he helped found misused personal information from millions of Facebook users while working for Donald Trump’s 2016 U.S. presidential campaign.

In an interview with The National’s Adrienne Arsenault, Christopher Wylie said he was tasked with “psychological profiling” while working at Cambridge Analytica and was able to pull data from users through apps that required the use of Facebook.

“They would fill out psychological surveys and then that app would then go and pull all of their Facebook data,” said the 28-year-old from B.C.

Of course, data mining of such information isn’t exactly new. As a way of earning some extra cash, some app developers get users to sign an agreement that allows the developers to sell the information to third-party sources. For privacy experts, this is one of the bigger concerns surrounding Facebook, because app usage combined with public information can be mined and handed over to marketers.

So, it really wasn’t a matter of if, but when this information would be used by political organizations. Again, that is nothing new, because political organizations routinely conduct polls and analyze data gleaned from sources like Statistics Canada to boost the effectiveness of messaging to potential voters.

So, perhaps the real question is, was all the information used in the data mining activities lawfully obtained? That really depends on what user agreements were agreed to and when. That is destined to be a tough question to answer because most people don’t read the agreements before installing their apps.

Of course, the nuances of all of this are apparently lost on a number of media outlets who were all too eager to label this as either a data breach or a data leak.

“U.S. Republican lawmakers concerned by Facebook data leak” reads a Reuters headline.

“Data leak ‘another indication of systemic problems at Facebook’ so sell the stock, analyst says” reads a CNBC headline.

The Guardian wrote, “No 10 ‘very concerned’ over Facebook data breach by Cambridge Analytica”

Of course, it seems few clued in to the fact that this may not actually be a data leak or a data breach at all. Motherboard, to their credit, did point this fact out.

So, what actually is a data breach or a data leak? Put into simple terms, a data leak is when information not meant to be made public by an organization is exposed. Meanwhile, a data breach is typically when a third party gains unauthorized access to data. In fact, we here at Freezenet have reported on great examples of both very recently.

Late last week, MGM Company had a database backup stored on a public cloud website. As a result, 1.3 million people’s personal information was exposed to the public. So, that is a great example of a data leak.

Over the weekend, we reported on St. Peter’s Surgery & Endoscopy Center having 135,000 records of their patients exposed because a third party gained unauthorized access to a database. That is an example of a data breach.

Another thing worth pointing out is the scope of what was mined. Reportedly, as many as 50 million profiles may have been affected by this. This sounds like a large number, but there are many breaches and leaks that make this alleged “leak” or “breach” minuscule by comparison. Back in January, we reported on the Aadhaar data breach which exposed biometric information to anyone willing to pay 500 rupees. The number of people exposed in that one? 1 billion people. That isn’t even the largest in history that we are aware of.

The largest data leak or breach that we are aware of in terms of total numbers is last year’s Yahoo! data breach. That affected 3 billion accounts.

Of course, who could forget the 145 million person data breach from Equifax? That’s close to three times the number of accounts involved in the Facebook case.

So, in terms of both quality and quantity of data being lost, there are breaches and leaks that are technically much more worrisome.

This is, of course, not to say that what is going on doesn’t merit attention. However, it is useful to apply a little context before we get ahead of ourselves.

In fact, there are those who are treating the Facebook data mining seriously even if data mining isn’t really anything new for Facebook.

Canada’s privacy commissioner is looking into the incident. From IT World Canada:

Privacy Commissioner of Canada Daniel Therrien issued a statement to CTV News and other media yesterday saying that it plans to reach out to Facebook regarding the misuse of its data by a third-party firm.

In the Privacy Commissioner’s statement, Therrien points out that Canada’s privacy law that applies to the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA), doesn’t apply to political parties.

“Ultimately, our goal is to ensure that the privacy rights of Canadian Facebook users are protected,” he says.

Meanwhile in Australia, the Information and Privacy Commissioner is also looking into the issue. From ZDNet:

With news of Cambridge Analytica using the information of 50 million Facebook users to help Donald Trump’s 2016 presidential campaign emerging this week, Australia’s Information and Privacy Commissioner Timothy Pilgrim has announced he is looking into whether any personal information of Australians was involved.

In a statement on Tuesday, Pilgrim said the Office of the Australian Information Commissioner (OAIC) is aware of the reports stating users’ Facebook profile information was acquired and used without authorisation and is “making inquiries” with Facebook on the matter.

“I will consider Facebook’s response and whether any further regulatory action is required,” Pilgrim wrote.

“The Privacy Act 1988 confers a range of privacy regulatory powers which include powers to investigate an alleged interference with privacy and enforcement powers ranging from less serious to more serious regulatory action, including powers to accept an enforceable undertaking, make a determination, or apply to the court for a civil penalty order for a breach of a civil penalty provision.”

In the US, the Federal Trade Commission is also considering a probe into Facebook activity. From the BBC:

The US Federal Trade Commission is reported to be investigating Facebook after allegations that 50 million users’ private information was misused by a political consultancy firm.

Cambridge Analytica (CA), hired by the Trump campaign in the 2016 US election, has been accused of taking the personal data unknown to users.

CA head Alexander Nix has now been suspended by the company board.

The move came amid allegations the firm may have broken US electoral law.

CA, which is based in London, denies any wrongdoing.

Also, it seems the UK is on board with demanding answers from Facebook. From Euronews:

LONDON — The U.K.’s information and data privacy regulator is investigating whether Facebook responded “robustly” to reports that political data firm Cambridge Analytica gained access to data on 50 million of its users.

“We are looking at whether or not Facebook secured and safeguarded personal information on the platform and whether when they found out about the loss of the data, whether they acted robustly and whether or not people were informed,” Information Commissioner Elizabeth Denham told the BBC on Tuesday morning.

Denham first demanded access to the data held by Cambridge Analytica on March 7, the Information Commissioner’s Office said in a statement. The company didn’t respond by the deadline given and on Monday evening Denham announced that the ICO is seeking a warrant for the information. She did not say when regulators had started looking into Facebook.

Perhaps the most depressing aspect of all of this is the fact that so few seemingly cared about data leaks and breaches where credit cards, passwords, and other pieces of information could be used by identity thieves to directly hurt individuals. Yet, when information is allegedly used by the Trump campaign via Facebook to influence elections, it elicits a seemingly international response at an overwhelming volume level.

The thing is, if users technically gave consent to use their information and if such a contract is legal, it’s going to be extremely difficult for either Facebook or Cambridge Analytica to suffer any consequences. It doesn’t necessarily make the situation right, but that is the system that has been set up thanks to years of borderline apathy towards personal information. Probably the biggest shock is the fact that this news of data mining on Facebook is shocking to so many people in the first place.

A silver lining to all of this is that there is a very real possibility that this incident will finally get people concerned and interested in protecting their personal information. There are no guarantees, but at the very least, personal privacy online is finally back at the forefront of everyone’s minds again. We can only hope this will cause real, substantial change to privacy laws instead of letting it all slip back into obscurity as something many people consider simple paranoia or not worth being concerned about.

Drew Wilson on Twitter: @icecube85 and Google+.