The Big Lesson For Businesses in the Facebook Scandal
Facebook is the latest highly recognizable company to make headlines for a data scandal with a staggering number attached. This time, it’s the profile data of 87 million users that was given without their consent to a third party who used their data to influence an election. In the canon of major data breaches—Equifax, Target, Anthem, etc.—Facebook’s is a unique case with its own set of takeaways for businesses.
What Exactly Happened with Facebook and Cambridge Analytica?
I recently went on WTNH’s Good Morning Connecticut with Halloran & Sage Partner Jay Arcata to unpack this issue. As Jay pointed out, the Facebook situation is certainly at least akin to a data breach in that data was used in a way that users did not agree to (Mark Zuckerberg called it a “breach of trust”).
However, unlike other major breaches in recent headlines, Facebook wasn’t hacked. The social network knowingly gave the data to a partner company, Cambridge Analytica. The data was collected and used in a way that violates Facebook’s terms of service, but the company willingly allowed the data to be collected. In this case, some 270,000 users took an online quiz that not only provided access to their data, but also that of all of their friends (accounting for the 87 million users touched in the breach). Facebook stopped this practice of allowing users to hand over their friends’ data before the Cambridge Analytica story broke, but the damage is done.
What Businesses Can Learn From This
At its heart, this is a story about a partnership gone wrong. Facebook’s business is data, primarily allowing advertisers to use it for targeting. This should have been a run-of-the-mill transaction for them with Cambridge Analytica, but the way they structured the partnership, allowing partners such free rein on the platform, left them open to a huge issue.
No matter what business you’re in, essentially all businesses have data these days, whether it’s patient records for medical practices, orders and specs for manufacturers, client and property information for real estate firms, or just plain old financial information from customers. This data is almost always shared in some capacity. How it’s shared may not even come to mind at first because online service providers are so pervasive for businesses. Does a third-party vendor help you manage your records? Process payments? Track leads and maintain contacts? Then your data is being shared.
We’ve seen third-party breaches with companies like HBO, who famously leaked an episode of Game of Thrones through a partner. Ensuring that your vendors have robust cybersecurity is paramount. The Facebook scandal shows us that you have to go further and examine the nature of the partnerships your company has. Do you need to be sharing all of the data you’re sharing with third parties? Would there be a way to consolidate it or limit it so that it would be less damaging if leaked? Do you have explicit terms with your partners about how they’re allowed to use your data?
A New Kind of Phishing Attack
Since time always flies when you’re on TV, Jay and I took a moment in the green room after our interview on WTNH to reflect on the main thing we wished we had the chance to talk about.
Jay wished we had the time to explore the legal and economic implications of the story. Indeed, these are playing out now as the FTC investigates Facebook and Zuckerberg recently testified before Congress. In light of this scandal, hopefully we will find a way to enact sensible rules that protect consumers and our democracy without hindering the growth of the data sector.
For me, a fascinating concept that didn’t make it into the interview is the idea that the Facebook scandal essentially reveals a new kind of phishing attack. Phishing, of course, is when a hacker sends a fraudulent email in hopes that the recipient will be tricked into giving up their password. These emails are quite sophisticated now, including “spear phishing” attacks in which the phishing email is customized for the recipient.
Remember, the Facebook breach hinges on an online quiz. We’ve all seen these apparently harmless quizzes which purport to tell you which member of the X-Men or the Sex and the City cast you most resemble. We usually rush through the permissions screen that asks for approval for the application to access your data. Sometimes, the app actually needs a bit of data to complete its function—maybe it needs access to your profile photo to tell you if your mustache looks more like Chester A. Arthur or Burt Reynolds.
More often than not, however, the app asks for access to all sorts of information it does not need, except to fulfill its hidden purpose of mining your data (although Facebook has limited this practice recently). Not unlike an email attempting to glean a password to hack your accounts, these apps trick you into giving access to your data which, through manipulation, is then essentially used to hack your vote or for some other underhanded purpose.
What Can I Do To Limit My Exposure to This Kind of Breach?
In addition to businesses taking a close look at how they share data with partners, at the end of our interview, Jay and I offered some general tips for people to consider for their personal protection.
- Jay suggested writing your Congressperson and asking them to work with technology companies to find sensible regulation of the digital economy
- Just as companies sharing client data increases risk, consider how your personal accounts are linked and limit logging into other services with your Facebook account, convenient though it may be
- When entering information into a service like Facebook, understand that that data will be seen by many other entities behind the scenes—not just your connections on the site
WTNH Good Morning Connecticut Interview Transcript
You can watch the segment here or at the top of the post.
JOCELYN: The Federal Trade Commission investigating Facebook after its partner organization, Cambridge Analytica, violated the social media giant’s terms of service and collecting user data on 50 million people. Questions remain about whether this was a data breach and if any laws were broken.
Here to explain this controversial situation from two different standpoints, our local cyber security experts, Jay Arcata of Halloran & Sage LLP, and Jonathan Stone, COO of the Kelser Corporation. It’s great to have you both with us.
So, let’s set the stage for everybody. It’s been on the news for quite some time now, but basically, what happened?
JAY: Well, what happened was Cambridge Analytica is a British-based data analytics and political advisory firm. What they did was they captured the data of 50 million Facebook users; some of it with their permission, most of it without, and they were able to sell that data to political organizations to basically form psychological and voter profiles for each of these users to use then, obviously, for the candidates’ benefit.
JOCELYN: Jonathan, how did they do that?
JON: So, they did it through an application that Facebook users voluntarily chose to use. They signed in with their Facebook credentials and they answered a series of questions that helped to develop a personality profile for them. Then, through Facebook’s interface, they were able to look at data for all of the people who used the application’s friends. So that’s how the number got so big, and that was an intentional Facebook feature.
JOCELYN: Okay. Well, now, I believe a couple years ago Facebook signed this consent agreement with FTC over its privacy agreement. So, what happened here? Did they really break the law?
JAY: Well, it’s an interesting issue. I mean, Facebook has couched this as a breach of trust and not a data breach. Experts are sort of on the fence. The problem is we have a lack of cyber security and privacy laws on a federal basis in this country. So, to say that they broke the law, it’s sort of a gray area. They may have violated the terms of the FTC agreement, and that’s certainly being investigated now by both the FTC and the states’ attorneys general.
JOCELYN: Absolutely. And he, Zuckerberg, is going to testify before Congress, I believe, April 10th. So, Jonathan, what can people do? I mean, they feel like their trust has been broken. So, what can folks do to prevent this from happening? And can they really prevent this from happening?
JON: So, I don’t think they can really prevent this kind of thing from happening. I think legislation is an important part of the solution to the problem. But there are a few simple things people can do to lessen the risk.
The first one is really being careful with things that ask you to sign in with Facebook credentials. That’s a way to really link your Facebook identity with your identity in another place. All of a sudden, all kinds of information can be put together about you.
Filling out online profiles – how much detail do you really need to provide? What’s required versus optional? Keep the details about yourself online to a minimum.
Then for social platforms in general, do you really need to be sharing all your details on all of them all the time? So just limit what you post and where you post it.
JOCELYN: And to both of you, is there such a thing as privacy on the internet?
JON: No. (Laughter.)
JAY: No, not really.
JOCELYN: No, right?
JAY: I mean, it’s the balance. We have these freedoms and we’ve chosen to really largely not regulate them up till now. So, it’s going to be up to us as a country to decide what that balance is and how much freedom we want with development and the technology industry and fostering these great apps that we use versus what we’re willing to put out there.
JOCELYN: Right. So, we should all just be aware that, yes, your privacy is likely not going to – well, is going to be likely violated here, so --
JON: Yeah. Or at least less than it is in the real world, certainly.
JOCELYN: Exactly. Thank you both for joining us.
JON: Thank you.
JOCELYN: And it is a complex issue, but I think you’ve actually explained it very well for everybody. Appreciate it.