Sophos Cloud Optix
It’s the hot story right now in Europe…
…no, we’re not talking about the news that France just dumped neighbours Belgium out of the World Series with a 1-0 victory. [Surely you mean the World Cup? – Ed.]
We’re talking about the widepspread media coverage that the UK Information Commissioner’s Office (ICO) intends to fine Facebook £500,000 (about $660,000) over the Cambridge Analytica fiasco:
[The ICO intends] to fine Facebook a maximum £500,000 for two breaches of the Data Protection Act 1998.
Facebook, with Cambridge Analytica, has been the focus of the investigation since February when evidence emerged that an app had been used to harvest the data of 50 million Facebook users across the world. This is now estimated at 87 million.
The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others.
Cambridge Analytica (CA) – in cased you missed the saga as it uncoiled itself earlier this year – was a web analytics company started by a group of researchers with connections to Cambridge University in the UK.
Put web analytics together with the word Cambridge and you get the cool-sounding name Cambridge Analytica.
What seems to have started as some sort of academic research project soon morphed into a commercial enterprise that allowed participants to take psychometric tests via a Facebook app.
(Facebook apps are essentially plugins for the Facebook platform rather than applications in the traditional sense.)
The sneaky? bait-and-switchy? sleight-of-hand? devious? obvious-with-hindsight? why was anyone surprised? [delete as inappropriate] trick employed in the CA app was that the app explicitly asked you to give it access to account data that wasn’t available by default.
Notably, Cambridge Analytica acquired access to your profile, including a list of all your friends.
That means not only that the app learned a lot about you, but could associate your own “psychometric profile” with your friends – even if they disapproved of psychometric tests; even if they’d never have agreed themselves; indeed, even if they’d never heard of Cambridge Analytica.
As we explained back in March 2018:
You might well question how 270,000 people signing up for a Facebook personality quiz blossomed into a potential data breach affecting 50 million users [now 87 million users] – nearly 25% of potential US voters.
[…] The app scraped not just test-takers’ private profile data, but also that of their friends. Facebook didn’t disallow such behavior from apps at the time, but such data harvesting was allowed only to improve user experience in the app, not to be sold or used for advertising.
Facebook ultimately kicked CA off its platform, but not before a global brouhaha had erupted over whether the social networking giant ought to have done more to make sure that app developers stuck to both the letter and the spirit of Facebook’s own rules.
The ICO certainly seems to think Facebook could have, and should have, done more to stop Cambridge Analytica getting away with its industrial-scale data harvesting – thus the fine.
What next?
Would the ICO have hit Facebook harder if it could?
The ICO’s own announcement makes a point of mentioning that, even though current GDPR rules could in theory have led to a very much bigger fine, “due to the timing of certain incidents in this investigation, civil monetary penalties have to be issued under the previous legislation, the Data Protection Act 1998.”
The maximum financial penalty in civil cases under pre-GDPR laws is £500,000 – and that’s the amount the ICO chose.
Will Facebook pay up?
The ICO’s “fine” is currently only a Notice of Intent, so Facebook still has the right of reply.
Will we all be more careful with apps and plugins in future?
Let’s hope so – remember our simple rule: IF IN DOUBT, DON’T GIVE IT OUT.
ARE YOU COLLECTING TOO MUCH? LEARN MORE: LISTEN TO OUR GDPR PODCAST
(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)
Yes! This is all we need! Another ICO that people doesnt understand.
Sadly with a penalty like that, Facebook may as well be staring down the barrel of a mosquito.
Even if you multiplied the fine tenfold or even a hundredfold it would not be as harmful as the reputation damage caused by penalties like this. And this reputation damage is having an effect – look at how often recently that Facebook have been in front of legislators to answer questions. The outcry being caused by events like this is even causing other technology companies to explicitly restrict social media applications tracking activities (see https://nakedsecurity.sophos.com/2018/06/06/apple-says-no-to-facebooks-tracking/).
From the ICO’s point of view this is not a competition, and they have not ‘won’.
To the ICO educating and changing behaviour of organisations so that they DO NOT need to get fined is a true win. The much larger stick that the new GDPR penalties allow will be a ‘win’ if they never have reason to use it.
And whilst it is great entertainment to vilify Facebook let us all look to our own glass houses before throwing too many stones. A lot of the GDPR is based on basic ethical principals that nearly every organisation either chose not to apply of their own accord, or were to lazy to apply without outside threat.
That said, there is a difference between lazy ethics and an apparent complete blatant disregard of ethics.