Breaking Down The Cambridge Analytica Kerfuffle

This business with Cambridge Analytica is kind of a mess which makes distilling what’s really going on a challenge. Below I’ve included answers to some key questions to help you make sense of what’s going on.

Was it a Hack or a Leak?

Neither. At the time the data was collected, third-party developers could collect data from users who granted access to the application (as well as data from their friends). The data was transferred from Global Science Research (led by Aleksandr Kogan) to Cambridge Analytica, a violation of Facebook’s terms. The API was updated in 2015 to prevent this type of data collection going forward; however, Facebook did not have the ability to delete the data that was already collected by third parties. Facebook asked the Kogan & Cambridge Analytica to delete the data, though it seems this did not happen.

Is This Unique to Facebook?

No. Recently, Grindr experienced a similar issue when a security flaw with a third-party app was discovered. The app was built on the back of Grindr with the purpose of showing users who blocked them on the platform. However, this application left user location data vulnerable, even if users had set their location to private within the Grindr app.

How was the Data Collected?

server room with modern communication and server equipment

The application was called “This Is Your Digital Life” and included a personality test. Users opted-in to provide their information when they accessed the app. Users could also give applications access to their friend’s data without getting permission from their friends. As mentioned above, Facebook has since changed the Open Graph API to limit third-parties from receiving users’ friend data without permission.

Which Data Points can be Collected?

Facebook collects at least 98 data points that can be used for ad targeting as well as “like” and click behaviors on the platform and traffic behavior on external sites collected through placement of the Facebook pixel.

Did the Obama Campaign Break the Same Rules?

The Obama campaign was praised for their use of social media ads and microtargeting. The campaign accessed user data in the same way “This Is Your Digital Life” did. Key differences come down to the ethics of how the data was collected:

  1. The Obama app was clearly being used for political purposes while “This Is Your Digital Life” was disguised as a personality test and did not mention it would be used for political purposes.
  2. The data collected by Kogan was transferred to Cambridge Analytica; against Facebook’s terms. The Obama campaign did not sell or transfer data collected by their app.
  3. Through Amazon Turk, Kogan and Cambridge Analytica paid Facebook users from the United States to grant access to the application and take the quiz.

For further insight, I recommend episode 160 of the Techdirt Podcast, featuring Catherine Bracy who worked on the Obama campaign app:

Why was There Such a Strong Reaction?

There seem to be many factors swirling in this perfect storm of sorts. I think one piece of the reaction is related to users passively accepting permissions without giving second thought to the data being collected and how it could be used (because that information is, more-or-less, hidden by Facebook). Given that Facebook is a massively popular platform, this realization carried a lot more weight and bred serious mistrust with a service that, for many, is omnipresent in their daily lives.

Another factor that seems to have amplified the reaction is the political nature. Considering this whole affair is tied to the campaign of a divisive political figure, there is a lot more fuel to the fire. The sensitive nature and the constant media conversation around the current administration make the Cambridge Analytica Facebook blunder much more visible in the public discourse. In keeping all factors of the Cambridge Analytica data scandal constant, minus anything to do with a political campaign, it’s likely there would have been significantly less coverage and probably no senate hearing. Facebook users would likely have been less concerned with their privacy if the data collected and transferred wasn’t smack dab in the middle of such a massive political conversation.

Is Facebook Going to Introduce a Paid Model?

Probably not. In the Facebook senate hearing, Senator Johnson asked just that to which Zuckerberg said:

“Senator, I’m not sure exactly how — how it would work for it to be monetized by the person directly. In general, where — we believe that the ads model is the right one for us because it aligns with our social mission of trying to connect everyone and bring the world closer together.”

What Should Facebook Do?

GRAHAM: Okay. It says, “The terms govern your use of Facebook and the products, features, apps, services, technologies, software we offer — Facebook’s products or products — except where we expressly state that separate terms, and not these, apply. I’m a lawyer. I have no idea what that means. But, when you look at terms of service, this is what you get. Do you think the average consumer understands what they’re signing up for?
ZUCKERBERG: I don’t think that the average person likely reads that whole document.

Zuckerberg says what I feel is a popular practice and perception. The public, on average, is not reading (and thus not comprehending) the legalese that exists to well, let’s just say it, cover Facebook’s butt.

If Facebook wants to combat the confusion and distrust users have with the platform, it needs to be significantly more transparent. Instead of hiding privacy settings and ads explainers the platform should put a clear call-out at the top of the news feed or at the top of the left or right columns, leading users to information regarding their privacy settings and how their data is used. Privacy and data-related changes to terms of use should also be communicated clearly. Facebook also needs to increase transparency and speed of notification when it comes to data abuse. It seems Twitter has taken stock of all this and, just this morning, I received a full page pop-up notification about updates to their Terms and Privacy Policy:


If Facebook wants to increase transparency and create an understanding among users about how ads work, they’re going to need to be more overt with how they present the information.

Have We Already Seen Changes?

After the story broke, Facebook rolled out a series of changes including the limitation of third-party data from sources including Acxiom, Epsilon Management, and Oracle Data Cloud to target users. For large pages, Facebook will also be requiring verification. The platform also supports the proposed Honest Ads act, which implements disclosure requirements for online political advertising.

Another consequence of this affair is regulation from third-party tech. Mozilla Firefox released an extension that blogs Facebook from collecting user data across websites where the Facebook pixel is present.

Some of these updates could be beneficial, while others seem to be made as a gesture to quell public outcry without solving any real problem.

Should We Expect Additional Government Regulation?

The short answer is yes. In the hearing, when asked if he embraces regulation, Zuckerberg replied “I think the real question, as the Internet becomes more important in people’s lives, is what is the right regulation, not whether there should be or not.”

Unfortunately, there seems to be a track record of tech regulation with good intent, yet seriously flawed execution that ends up making things worse. Take the recent case of SESTA (Stop Enabling Sex Traffickers Act/FOSTA (Fight Online Sex Trafficking Act).

Trigger warning: sexual assault – if you’re sensitive to this, I recommend skipping to the next section.

SESTA/FOSTA is its own complicated situation that, if I were to truly do it justice, would require another blog post about the length of this one. Fortunately, TechDirt has done a great job covering it over the years so I’m going to distill it below into some key points for illustration purposes:

The Setup

  • In 1996, the Communications Decency Act (CDA) was passed.
  • Provision 230 (A.K.A. CDA 230) states “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another content provider.” Essentially, platforms users can publish speech are not liable for the speech that users post.
  • Backpage is was an online classified ads website.
  • Sex workers posted ads on Backpage.
  • Posting on Backpage gave sex workers a safe buffer from street work, allowing them to screen clients and trade blacklists.
  • “Craigslist erotic services reduced the female homicide rate by 17.4 percent.”
  • There were cases of sex traffickers advertising on Backpage.
  • Victims of sex trafficking are often homeless or runaway children.
  • Backpage and has been used to track down criminals.

The “Solution” with Good Intentions

  • People affected by sex trafficking incidents on Backpage worked with lawmakers to target the platform and circumnavigate CDA 230, resulting in SESTA/FOSTA.
  • The language behind SESTA/FOSTA goes beyond sex trafficking and affects the sex work industry in general.
  • With SESTA/FOSTA, websites are held liable in cases of abuse.

The Outcome/Consequences of SESTA/FOSTA

  • Craigslist recently shut down the personals section.
  • Backpage was shut down and the FBI raided co-founder Michael Lacey’s home.
  • With these websites being shut down and self-censoring to avoid future lawsuits and criminal charges, sex workers can’t screen clients or maintain a steady income off the streets.
  • Already, according to a sex worker interviewed by the podcast Reply All, thirteen people have gone missing, two were found dead, two were sexually assaulted at gunpoint, and one committed suicide.
  • Sex trafficking criminals are also going underground making it more difficult to track offenders, working against the overall intent of SESTA/FOSTA. With these sites gone, it could be much harder to identify offenders and rescue victims.
  • These acts did nothing to combat the underlying factors that lead to the child homelessness that sex traffickers prey on.

The Kickers

  • Two previous cases have set a precedent that suggests SESTA wasn’t even needed to remove Backpage’s CDA 230 protections.
  • Facebook came out in support of SESTA/FOSTA which is a platform potentially subject to sex trafficking-related abuse.

And, again, that’s just a distillation. There’s a LOT of information and conversation around SESTA/FOSTA to digest and make sense of just as there is with the Cambridge Analytica situation. Therefore, it’s incredibly important that legislators and tech companies do not rush legislation through simply to quell public outcry. Instead, they should take the necessary time to thoughtfully draft productive legislation that will address root issues and avoid unintended consequences. But, given the track record of government and tech, it might be a bumpy, unproductive road.

Bonus Question: Is Facebook Listening to Me?

“No” was Zuckerberg’s verbatim response when asked if “Facebook use[s] audio obtained from mobile devices to enrich personal information about its users.” This was also debunked by the podcast Reply All in episode 109 “Is Facebook Spying on You?” This question might seem silly, but it does highlight the public’s paranoia surrounding data collection by tech companies as well as the lack of understanding around how these companies work. I don’t say this in condescension to those who are confused and concerned, rather I want to emphasize how confusing it is and that companies, like Facebook, don’t do a good job making it easy to understand. Instead, Facebook’s lack of transparency over the years bred uncertainty and confusion to the point of inspiring, what Zuckerberg himself referred to as, a conspiracy theory.

What’s To Come?

This whole ordeal is complex, to say the least. It’s a crucial conversation and growing moment for Facebook. It will be fascinating to watch what unfolds and what additional reveals are in store as I’m sure there are a few more to come. Tech companies have a responsibility to provide users with clarity on how their data is being collected and utilized. Advertisers have a responsibility to exercise ethical practices when handling and using data. Users have a responsibility to protect their own data by being careful with the information they choose to publish online. It’s good to have this conversation on data privacy out in the air and, hopefully, the results will be productive and beneficial for social media channels, their users, and the marketing companies that provide them with the revenue to operate as free platforms.

Ignite Social Media