In the process of downloading a personality test app called 'thisisyourdigitallife' in 2014 and 2015, Facebook users consented to provide the app with access to profile information belonging to themselves and their friends.
This included information such as names, mail addresses, email addresses, interests, phone numbers and affiliations both political and religious, including based on what a user had 'liked' on Facebook. All so that customers could receive personality predictions through what was marketed as a psychologists' research tool.
Some years later the effects of these few mouse clicks by only 270,000 app users have proven exponential. In a testament to the power of Facebook 'friendship', the profile information of approximately 87 million Facebook users – including around 310,000 Australians – was revealed to the app and through it, to political consultancy Cambridge Analytica.
On 17 April 2018, former Cambridge Analytica business director Brittany Kaiser told Congress that 'thisisyourdigitallife' was only one of a number of apps from which Cambridge Analytica acquired users' personal information. This suggests the data of many more than 87 million Facebook users may have been accessed in similar circumstances.
Facebook seems to have conceded this itself on 26 April 2018, when it made a filing with the Securities and Exchange Commission stating its expectation that it would discover more instances of 'misuse of user data or other undesirable activity by third parties'.
Misuse of personal information
Of the millions of names disclosed in one form or another throughout this saga, the disclosure to and use by Cambridge Analytica of user information has garnered particular attention.
On 26 March 2018, the US Federal Trade Commission (FTC) stated that it was conducting a 'non-public investigation' into 'the privacy practices of Facebook'. The FTC had learned that the creator and owner of 'thisisyourdigitallife', Russian Aleksandr Kogan, had collected the information about users and their friends that it gathered via Global Science Research (GSR), a start-up co-owned by Kogan. GSR sold this information to political consultancy Cambridge Analytica without users' permission and in breach of Facebook's rules, which prohibit app developers from sharing information received when a user logs in to the app through their Facebook account with other firms.
The personality characteristics of users were then allegedly identified to target campaign messages to particular Facebook profiles in the lead-up to the 2016 US presidential election. Cambridge Analytica was hired by Trump's campaign to run data operations as part of his election run. This involved providing advice on targeting ads to particular voters, the location of campaign stops, and the content of speeches.
Facebook discovered that its users' data had been misused in this way in 2015, but at that time did not notify the FTC or affected users. While it claims that both Cambridge Analytica and Kogan 'certified' that the information had been deleted, this appears not to have happened in any comprehensive sense.
In the US
The legal implications of any breach of Facebook's rules becomes clearer in light of commitments it made in 2011. In 2011 the FTC charged Facebook with unfair or deceptive acts or practices in or affecting commerce after the company told users their data was only given to third party applications to the extent needed for these applications to function. In fact, these applications could access nearly all of a user's personal information.
Facebook settled these charges under a consent decree, which included the conditions that it obtain users' approval before changing how it shared their data, obtain their consent before it shared their data with third parties, and review its privacy practices periodically.
The question is – did Facebook breach the consent decree when it allowed Kogan to harvest personal information and subsequently failed to verify that Cambridge Analytica had deleted the personal information after discovering its misuse and requesting its deletion?
During his testimony to the US Congress, Facebook CEO Mark Zuckerberg defended his company by stating it did not willingly share users' information without their consent to Cambridge Analytica. Rather, Kogan breached Facebook's terms by deceiving it and improperly selling data it claimed to be collecting for 'academic purposes'.
If the FTC finds a breach of the decree (after its potentially years-long investigation), Facebook could be liable to a $40,000 per violation, per day penalty.
The Notifiable Data Breaches scheme recently introduced as Part IIIC of the Australian Privacy Act 1998 (Cth) (Privacy Act) imposes obligations on entities with respect to the personal information they hold.
The scheme applies where there has been unauthorised access to or disclosure of personal information which would, according to a reasonable person, be likely to result in serious harm to any of the individuals to whom it relates.
If an entity is aware of reasonable grounds to believe there has been an eligible data breach it must notify the Information Commissioner (Commissioner) and, if practicable, the individuals to whom the information relates and/or who are at risk from the breach (or must publicise the notification). You can find out more about the scheme in our interview with the Commissioner here.
Shortly after the Cambridge Analytica incident broke headlines, Australia's acting Commissioner Angelene Falk announced an investigation into whether Facebook had breached the Privacy Act. Its failure to protect user data and to inform affected individuals might constitute such a breach.
More broadly, Ms Falk has pointed to the incident as a 'timely reminder to all organisations of the value of good privacy practice to Australians'. It comes in the context of general increased regulatory scrutiny on digital platform providers such as Facebook and Google, as heralded by the ACCC's December 2017 announcement of an inquiry into whether these providers are adversely affecting competition in the media and advertising services markets.
Is self-regulation a possibility?
Since the advent of the Cambridge Analytica incident Facebook has made a number of changes to its own privacy controls, including giving users the ability to delete any information from their timeline or profile so that Facebook can no longer collect and use it, and by centralising and simplifying user access to privacy settings. As Facebook puts it, it has reacted to what '[p]eople have told us [about how] information about privacy, security, and ads should be much easier to find'. Users now also have easy access to a list of apps which can access their data
Facebook has also introduced a 'Data Abuse Bounty' designed to reward those who report data misuse by app developers, and has committed to verifying those who manage pages with a significant number of followers.
Further, only authorised advertisers (those that provide confirmation of their identity and location) will be able to perform 'issue' advertising on its platform. Issue advertising aims to change the opinion or view of the target regarding a particular problem. While electoral advertising will not be subject to the same rule, ads for both electoral and issue advertising will need to show the words 'Political Ad' in the top left corner.
Facebook has even stated that it will perform a 'full audit' of apps which had access to significant portions of information pre-2014 and will ban the apps in question and disclose misuse to any affected users.
However, whether these steps will forestall regulatory or enforcement action by corporate and privacy regulators – in the US, Australia, Europe and elsewhere – remains to be seen.