As the story about Cambridge Analytica’s shady use of Facebook data plays out in press coverage, accurately characterizing the “breach” or “leak” of user information is important.
To many, those terms probably imply private information was hacked or stolen. In fact, Cambridge Analytica obtained data that Facebook’s rules allowed third parties to access, but did so under false pretenses and then exploited it for political purposes.
Working with the firm, Cambridge University psychology professor Aleksandr Kogan developed a personality test app, “thisisyourdigitallife,” granting him access to the profile data of anybody who used it, reportedly around 270,000 people. Per the New York Times’ reporting, “All he divulged to Facebook, and to users in fine print, was that he was collecting information for academic purposes, the social network said. It did not verify his claim.”
At the time, if a user downloaded an app like Kogan’s, Facebook allowed third parties to access the information of those users’ friends as well, which ultimately enabled Cambridge Analytica to develop “psychographic profiles” for approximately 30 million people. The firm then sold its services to political campaigns, including Donald Trump’s.
This has formed the basis of Facebook’s self-defense in recent days, arguing Cambridge Analytica perpetrated a “serious abuse” of the company’s rules, but “No systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”
“The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent,” said Facebook vice president and general counsel Paul Grewal in a statement on Saturday. “People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”
That may be true, but that doesn’t mean it’s okay. For a lot of concerned users, the scandal probably boils down to two bad actors: (1) a massive social network that eagerly found ways to sell their information without ensuring its proper use; and (2) a data firm that exploited that eagerness, and then cleverly violated Facebook’s rules to harvest their data.
All this makes Facebook’s task of rebuilding trust with users who rely on the company to protect their information nothing short of monumental.
