Firstpost 23 Mar 2018

Mark Zuckerberg may have addressed the Cambridge Analytica issue, but nothing changes unless we take data protection seriously 

by Nimish Sawant

The Facebook - Cambridge Analytica controversy has been in the news this entire week. Facebook CEO Mark Zuckerberg, after staying silent for close to five days, finally spoke up admitting that Facebook had indeed made a mistake.

In his Facebook status, Zuckerberg said, “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you. I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again. The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there’s more to do, and we need to step up and do it.”

This was then followed up with steps Facebook will be taking to tackle the issue from spreading further. Some of the measures taken include investigation of all the apps which have access to large amounts of information before the 2015 lockdown (on sharing friends data) and conducting a full audit of any app which was found to be misusing the data. Developers who play loose with Facebook data will also be banned from the platform and users affected by this will be informed by Facebook. Another action involves removing developer access to your data if you haven’t used the app for more than three months.

But did Zuckerberg address all the questions?

While all the measures Zuckerberg announced, sound great, he still left many questions unanswered. Principal research analyst with Gartner, Siddharth Deshpande feels there are unanswered questions related to both processes as well as technical changes to the way user data is handled.

“If Facebook knew in 2015 that Aleksandr Kogan had shared data of ‘tens of millions’ of users with Cambridge Analytica, why was this not disclosed to users or regulators? What process related changes is Facebook going to institute that will restore customers trust?” questions Deshpande.

Facebook, by its own admission, had come to realise that Cambridge Analytica had illegally acquired data. So back in 2015, Facebook requested it to delete the user data, and based just on Cambridge Analytica’s word, Facebook trusted that the data was deleted. Last week when The Guardian, New York Times came knocking on Facebook’s doors, alleging that Cambridge Analytica still was using Facebook user data, Facebook banned it along with Global Science Research’s Alexsandr Kogan (the original developer who sold Facebook data) and former Cambridge Analytica researcher and whistle-blower Christopher Wylie’s Facebook accounts. Had it not been for The Guardian and NYT, who knows how long this racket would have continued.

Global Science Research (GSR)’s Kogan was conducting personality tests on Facebook which allowed him access to user and their friends’ data. This data which was supposed to remain with Kogan, was bought by Cambridge Analytica to created psychometric profiles of users, who could then be targetted with ads during the US presidential elections.

Nayantara Ranganathan, programme manager, Freedom of Expression at the Internet Democracy Project, feels that GSR is not really the main problem as Zuckerberg made it out to be.

“Fact remains that Facebook continues to collect massive amounts of granular data and there’s no reason to trust Facebook with it, while auditing and restricting access to data for other apps. Having said that, Facebook cannot be expected to reign itself in: there’s a need for a data protection framework to regulate data collection, storage and use, and not rely purely on privacy self-management and consent,” says Ranganathan.

Data protection laws are non-existent in India

So while Facebook has promised a lot of things, nothing much really changes for regular users. There have been murmurs of #deletefacebook, but we all know that too many Indians are hooked on to Facebook. According to Statista, India has around 250 million Facebook users (20 million more than the US). Also deleting Facebook will not solve anything, as Anirudh has wonderfully explained in this piece.

“Facebook disciplining third-party apps for breach of trust does not change the fact that data extraction is at the heart of business models of most apps and services, including Facebook’s. It already comes too late, but regulation around data collection is essential,” says Ranganathan.

According to technology expert and former journalist, Prasanto K Roy, two big data privacy-related events — the Facebook - Cambridge Analytica episode in the US and UK and the commencement of the General Data Protection Regulation (GDPR) in the EU from May onwards — should have a positive impact on data privacy debates in India.

“With today’s global concerns on privacy, especially on citizen data being used outside the country, the wiggle room to have wildly different frameworks for different geographies will go down. I believe things will improve in terms of reasonably consistent policies, globally, even if some places (especially EU) will be way ahead of the curve,” said Roy. He believes internet companies will be forced to rethink the way they handle data privacy issues and it will also open the doors to India getting a lot of global best practices when it comes to data protection.

Who knows how many Cambridge Analytica-type businesses are out there?

Facebook banned Cambridge Analytica because it learned that it was using Facebook data illegally. The fact that so far, Facebook operated on faith with it developers is a bit unnerving. How many third-party apps might still have gone ahead and sold Facebook data to the highest bidder? That we cannot truly know.

A more recent report on The Guardian interviewed Sandy Parakilas who was the former platform operations manager at Facebook looking after data breaches by third-party software developers between 2011 and 2012. According to Parakilas, Facebook senior executives were warned about its lax approach to data protection and how that was a matter of concern. There was also no way of knowing what developers did with the Facebook data, but Parakilas said that Facebook could have prevented this from happening. However, when he tried highlighting the issue, his suggestions were shot down. Wylie too mentioned in an interview with Channel 4 that he had tried reaching out to Facebook with his findings, but he didn’t get any response.

Deshpande expressed concerns at the technical ways in which Facebook handles user data. “What technical controls is Facebook planning to put in place, to monitor whether developers will actually be responsible with the user data they extract from the platform? Getting developers to sign contracts and take more explicit consent from users is great, but what monitoring and remediation mechanisms will Facebook put in place to detect unintentional and intentional misuse of user data?” asked Deshpande.

This will be particularly important in a country like India, where Facebook still has a huge scope to grow.

Manipulating gullible voters during elections

The major question mark was around the way Cambridge Analytica used Facebook data to manipulate voters in the US. Wylie spoke about how the Trump campaign used the data to create sort of culture war. “Steve (Bannon) wanted weapons for his culture war and we offered him a way to accomplish what he wanted to do, which was to change the culture of America,” said Wylie.

With the Lok Sabha elections coming up in 2019, the Facebook - Cambridge Analytica case has already got into the mainstream discussion where political parties have started bickering about Cambridge Analytica and its election tactics.

But according to Ranganathan, manipulating gullible voters through social media will continue. “Facebook has a large role to play, but even imagining there are drastic changes to the Newsfeed algorithm, there is always propaganda spread through WhatsApp, for example. It’s a harder problem to address if you also want a continued implementation of end-to-end encryption in WhatsApp,” she says.

Roy thinks that social media manipulation of audiences is inevitable in the run-up to modern-day elections, powered by fake news.

“Multi-pronged efforts are needed to fight these epidemics: fake-news-buster sites and initiatives, as well as efforts by the internet and social media majors especially Google, Facebook (including WhatsApp) and Twitter to flag and warn against fake news or even text or videos that have been repeatedly forwarded,” says Roy.

In an interview with CNN, Zuckerberg said that Facebook is committed to upholding the integrity of elections around the world and that includes India.

“What’s clear is that in 2016 we were not as on top of a number of issues as we should have been, whether it was Russian interference or fake news. The reality here is that this isn’t rocket science, I mean there’s a lot of hard work that we need to do to make it harder for nation-states like Russia to do election interference, to make it so that trolls and other folks can’t spread fake news,” said Zuckerberg.

For now, we have no option but to take Zuckerberg’s word for it. But it will be interesting to see how Facebook’s data protection policies will change after GDPR comes into play from May onwards in the EU.

Originally published in Firstpost.