Facebook under fire over privacy controls after 50m records harvested for US election

UK firm got permission to look at under 300,000 records, but that turned into 50m, according to reports that Facebook will have to answer

The question as to what is legitimate access to personal data by technology companies has been raised by the harvesting of 50m Facebook records by UK data analytics firm Cambridge Analytica. Its data mining was used to help influence the result of the 2016 US election.

TechMarketView analyst Martin Courtney said: “The social media giant’s privacy settings have long been disparaged as complex and opaque, but the publicity generated by whistle-blower Christopher Wylie [who previously worked at Cambridge Analytica] could prove the most damaging criticism yet directed at its approach to content sharing.”

Courtney said: “Exploiting people’s private information to win votes is a particularly sensitive issue in the US amidst FBI investigations into alleged Russian interference, and Facebook chief executive Mark Zuckerberg is in an uncomfortable position.”

Cambridge Analytica is already the subject of ongoing investigations into how it obtained and used Facebook’s data, not only in the US, but also in the UK, amidst suspicions that the UK company may have misled a parliamentary enquiry last month. There is also speculation that Cambridge Analytica used the same tactics to identify, profile and target political ads at Brexit voters.

Courtney added: “We’re not sure any of this can be classified as a data breach, leak or hack. The information gathered by Cambridge Analytica [owned by London-headquartered Strategic Communication Laboratories] appears to have been freely given by around 270,000 Facebook users via the myPersonality app, although not millions of their Facebook ‘friends’.”

Courtney said the “big questions” are whether Facebook’s rules did enough to explicitly restrict or prevent that from happening, whilst ensuring informed consent was obtained, and whether the data still exists. “A major lawsuit seems inevitable”, said Courtney.

Tighter rules on obtaining informed consent for specific types of data collection and processing in the digital world are what the European Union’s forthcoming General Data Protection Regulation is designed to deliver. That law comes into effect on 28 May 2018. But it obviously won’t apply to US citizens.

Javvad Malik, security advocate at data security and management vendor AlienVault, said: “The use of 50m Facebook user profiles by Cambridge Analytica isn’t technically a breach in the conventional sense, because systems weren’t broken into, nor were any technical controls bypassed. Rather, it is a case of a legitimate API functionality being used in a way that violated the [Facebook] ToS (terms of service) by pulling in excessive amounts of data.