Facebook users were duped by Cambridge Analytica, FTC rules

Oh, what a tangled web Cambridge Analytica wove: the US Federal Trade Commission (FTC) on Friday ruled that the infamous and now bankrupt data analytics and consulting company practiced to deceive Facebook users in order to suck up their data

…all the better to tickle your inner demons, my dears.

Cambridge Analytica is, or was, a voter-profiling company that was used during both the Trump and Brexit campaigns. In March 2018, whistleblowers – former employees and contractors, including Christopher Wylie, who worked with Cambridge University professor Aleksandr Kogan to obtain the data – said that they had used Facebook to harvest millions of people’s profiles and built models to exploit what they found out about those users in order to “target their inner demons.”

Wylie:

That was the basis the entire company was built on.

In its opinion, issued on 25 November, the FTC also found that Cambridge Analytica engaged in deceptive practices relating to its participation in the EU-US Privacy Shield: a pact that allows US technology companies to legally transfer EU citizens’ personal information across the Atlantic in compliance with EU data protection requirements.

The FTC’s complaint alleged that Cambridge Analytica let its Privacy Shield certification lapse, then didn’t bother to tell the US Department of Commerce that it would continue to apply the data pact’s protections for the personally identifiable information (PII) that it collected while it was participating.

The FTC had sued Cambridge Analytica in July 2019, alleging that it, and its then-CEO Alexander Nix and app developer Aleksandr Kogan, deceived consumers, lying to them about not collecting any PII from Facebook users who were asked to answer survey questions and share some of their Facebook profile data.

Kogan developed a Facebook application called the GSRApp, better known as the “thisisyourdigitallife” app. It asked users to answer personality and other questions, and it collected information such as their – and their friends’ – likes of public Facebook pages.

Nix and Kogan settled. By-then-dead Cambridge Analytica didn’t respond to the complaint or to a motion submitted for summary judgment of the allegations.

Delete the data and don’t do it again

In its Final Order, the FTC prohibits Cambridge Analytica from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information, as well as its participation in the Privacy Shield pact and other similar regulatory or standard-setting organizations.

It’s also required to continue to apply Privacy Shield protections to personal information it collected while participating in the program (or to provide other protections authorized by law), or return or delete the information, and has to delete the PII that it collected through the GSRApp/thisisyourdigitallife.

But who’s left at Cambridge Analytica to carry out those data-deleting orders? The firm is currently filing for bankruptcy: a process it embarked on soon after the data debacle was first uncovered.

At the time, newspapers classified it as “one of the largest data leaks in the social network’s history” – one that allowed the data analytics firm to “exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016.”

That was no breach; it was business as usual

Facebook at the time called that classification complete rot: the notion that there was a data breach was “completely false,” it said, and promptly blamed the victims for “[choosing] to sign up to [Kogan’s] app,” with “everyone involved [having given] their consent.”

People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.

Well, Facebook was spot-on when it claimed that the data wasn’t filched in a “breach” given that, according to whistleblowers, a fake news inquiry in the UK and private staff emails, it basically amounted to Facebook having turned a blind eye to Cambridge Analytica and other developers scraping away its users’ data.

Facebook was wrong in blaming the victims, however, the FTC said – as in, $5b worth of wrong. In July 2019, the FTC wrist-slapped Facebook $5b over its alleged, repeated use of “deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order.