"Facebook and the Cambridge Analytica Data Scandal

In mid-March 2018, The Guardian and The New York Times published the Facebook-Cambridge Analytica (CA) major data scandal when they revealed that CA had collected the personal information of 87 million Facebook users. The newspapers outlined how the data of these Facebook users were obtained by CA. The Guardian referred to the data misuse as a breach but Facebook disagreed. A Facebook executive stated that no systems were infiltrated, and no passwords or information were stolen or hacked. The Facebook-Cambridge Analytica (CA) scandal involved the collection and subsequent use of personally identifiable information on 87 million Facebook users. The timeline of the incident is useful in understanding what happened. In April 2010, Facebook deployed software called Open Graph that enabled external developers to contact Facebook users and request permission to access their personal data and to access their Facebook friends' personal data as well. If the user accepted, these developers could access a user's name, gender, location, birthday, education, political preferences, relationship status, religious views, online chat status, and more. With additional permissions, external developers could access a user's private messages. In 2013, Cambridge University academician, Aleksandr Kogan, and his company Global Science Research developed a personality-quiz app called "This Is Your Digital Life." The app prompted users to answer questions for a psychological profile. Almost 300,000 Facebook users installed Kogan's app on their accounts. As with any Facebook developer at the time, Kogan could access personal data about those users and their Facebook friends (with appropriate permissions from users themselves). Furthermore, Kogan's app collected that personal information and loaded it into a private database instead of immediately deleting it. Kogan then provided that database, containing information about 87 million Facebook users, to the voter-profiling company Cambridge Analytica. CA used the data to develop 30 million "psychographic" profiles about voters. In 2014, Facebook changed its rules to limit a developer's access to user data. This change was made to ensure that a third-party could not access a user's friends' data without gaining permission first. However, the rule changes were not retroactive and Kogan did not delete the data thought to have been improperly acquired. In late 2015, reports suggested that U.S. Senator Ted Cruz's presidential campaign was using psychological data based on research on millions of Facebook users. In response to the reporting, Facebook said that when it learned about the data leaks, it tried to ban Kogan's app and legally pressured both Kogan and CA to remove the data they had improperly collected. Facebook claimed that both Kogan and CA certified that they had deleted the data. In 2016, Donald Trump's presidential campaign invested heavily in Facebook ads, helped by CA. In August 2018, questions were still being hotly debated about Facebook's role in the 2016 elections. Many questions have focused on Facebook's News Feed and the role it played in magnifying Russian propaganda and other hoaxes. Lawmakers have also criticized the company's lax sale of political advertisements, with some buyers literally paying with Russian rubles. Political ads are not regulated as closely online as they are on television or radio. After the Facebook-Cambridge Analytica scandal was revealed, Facebook began instituting a series of changes to repair the damage. The company banned Canadian firm, AggregateIQ, and Italian firm, CubeYou, from the Facebook platform following indications that the two companies had improperly accessed user data. Facebook also restricted who could place political advertisements, or issue ads, on its platform to "authorized advertisers" who have had their identity and location confirmed by the platform. For authorization, advertisers had to provide Facebook with a government-issued ID and a physical mailing address. Furthermore, each issue ad had to be labelled with a marker identifying it as "Political Ad," with information displayed beside the ad that showed who paid for it. Facebook began working with outside groups to develop criteria for what was considered a political ad. The move intended to prevent or limit "bad actors" who try to interfere with foreign elections, likely in response to the discovery that 470 fake Russian Facebook accounts spent about US $100,000 on roughly 3,000 ads on the platform during the 2016 U.S. presidential election. In March 2018, the U.S. Federal Trade Commission (FTC; www.ftc.gov) announced that it was investigating Facebook for possible violations of the firm's 2011 agreement with the FTC. At that time, the FTC charged that Facebook had deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The settlement required Facebook to provide consumers with clear and prominent notice and obtain their express consent before their information was shared beyond the privacy settings that the consumers established. A single violation of Facebook's 2011 agreement with the FTC could carry a fine up to US $40,000. Thus, for continuing misuses of consumer data, in July 2019, the FTC approved a fine that was estimated to total about US $5 billion, which at the time of writing (November 2019) was waiting for approval from the U.S. Justice Department. In March 2018, Cambridge Analytica and its parent company SCL Elections instigated insolvency proceedings and closed. The question is: What happens with the data that the firms had collected? In July 2018, the UK's Information Commissioner fined Facebook 500,000 for breaking data protection laws following an investigation into the Cambridge Analytica scandal. The investigation found that Facebook had contravened UK law by failing to protect people's data and that the company had also failed to be transparent about how personal data were being used by others. Facebook did have an opportunity to respond before a final decision was made. The scandal took place before the European Union's GDPR (General Data Protection Regulation) came into force on May 25, 2018, or Facebook would have faced a multi-million-dollar fine. In addition, the United Kingdom announced its intent to bring a criminal prosecution against SCL Elections Ltd., the parent company of Cambridge Analytica, for failing to adequately respond to an enforcement notice issued in May 2018. In an accompanying report, the UK data regulator has made recommendations for how the government can improve transparency around online campaigning and the political use of personal data. In August 2018, lawyers for a group of UK residents whose Facebook data was collected by CA filed a class-action suit against Facebook, which resulted in a fine of 500,000, the maximum fine under the privacy legislation then in force in the United Kingdom. Since 2007, Facebook has changed its rules about how much data apps can access. However, over that time, how many developers followed Facebook's rules? How many acted like Kogan did, storing the data and creating their own private databases? Where are those data now, and who has them? If all those private user data are as powerful as Cambridge Analytica has said they were, what have they been used to do?"

1. Discuss the ethics of the companies involved in this case.

2. Discuss how privacy legislation such as PIPEDA can help address the issues raised in this case.