
Are You Surprised That Facebook Data Is Influencing US Elections?


In this post, we take a look at the news around the data leak that has so many upset, and what it means for the state of data security.


I read the news that a furor was erupting regarding Facebook and Cambridge Analytica with a feeling that it was the proof of the inevitable. Let's take a quick walk through the story in case you were too busy on your weekend doing something more interesting than reading newspapers online.

Cambridge Analytica is a data analytics company. Their clients include, "in the U.K, the MOD, and the FCO, and in the United States, all the ‘coms’, so NorthCom, Safcom, State Department, Pentagon and various ‘three letter agencies’ and so forth," according to CEO Alexander Nix. 

They've worked for over 25 election campaigns, but the one that has sparked the most furor is their work for the Trump campaign. According to The New York Times and The Observer and numerous whistleblowers, Professor Aleksandr Kogan, founder of Global Science Research (GSR), administered a personality analysis app, thisisyourdigitallife, designed for academic purposes. Through this, 270,000 people gave the app permission to access data via Facebook on themselves and their friends, exposing a network of 50 million people to GSR.

The problem is that this data was then passed on to Cambridge Analytica, who allegedly then used it to build a system that could profile individual US voters, to target them with personalized political advertisements. 

What’s the Value of the Data?

Cambridge Analytica claims they can predict not just voters’ voting intentions and preferences, but also their personality types through a notion they call “psychographics.” This is a form of predictive analysis that they claim enabled the Trump campaign to cluster potential voters into ‘buckets’ of people with a similar worldview who could then be targeted with bespoke advertisements.


Email shared by whistleblower Christopher Wylie

Cambridge Analytica is owned by hedge fund billionaire Robert Mercer, and at the time of the breach was headed by Trump’s key adviser Steve Bannon. 

Is it True?

Alexander Nix, the chief executive of Cambridge Analytica, and other officials have repeatedly denied obtaining or using Facebook data, most recently during a parliamentary hearing last month. But in a statement to The Times, the company acknowledged that it had acquired the data, though it blamed Mr. Kogan for violating Facebook’s rules and said it had deleted the information as soon as it learned of the problem two years ago.

I saw Alexander Nix address an audience in Lviv, Ukraine with his talk, "From Mad Men to Math Men." He spoke of leveraging behaviouristic analysis, the OCEAN scale of personality traits, and Big Data to produce customized messages which different groups of people are willing to hear and respond to.

You can see a similar version here:


During the talk, he claimed:

"When we joined Trump there were only 30 full-time employees in contrast to Clinton with over 800 ft employees. Through our work with Ben Carson and Ted Cruz, we'd built an entire technological infrastructure which we were able to hand over to the Trump team; we were thus contracted as an end-to-end technology provider."

Diagram shared at IT Arena, Lviv (2017)

Part of this was an ability to identify swaying or malleable voters. For example, one of Nix's examples centered around Wisconsin, a traditionally safe Democrat seat:

"The Clinton campaign never visited them once in the entire election, but we were able to use data to identify many voters that could be influenced to vote for the Trump campaign."

So Is Facebook to Blame?

Facebook claimed recently that they verified the leak and — without publicly acknowledging it — sought to secure the information. They claimed the data had been destroyed. Facebook denies that the harvesting of tens of millions of profiles by GSR and Cambridge Analytica was a data breach. It said in a statement that Kogan “gained access to this information in a legitimate way and through the proper channels” but “did not subsequently abide by our rules” because he passed the information on to third parties. Notably the company's CEO and COO have been silent (for years) on the issue.

So in short, data was fraudulently obtained, used in breach of contract and without user permission to develop campaign outreach to sway the same users' votes, again without the users' knowledge. And the company and Facebook allegedly lied to investigators. 

Let's Get Real

As I said earlier, I am not surprised about this data breach in the slightest. While the blanket T&Cs you sign up to when joining Facebook and other social media sites do not allow for third parties to data mine information and then sell the results for political and financial gain, there are few examples where people read the T&Cs in the first place. As I've discussed previously, most people are largely immune to the realities of privacy when it comes to getting the use of a service for free.

Let's bear in mind most social media users do a pretty good job depleting their own privacy: they tag places they regularly visit, take pictures of their children in school uniforms and share their sleep and running schedules. They make political statements online and indicate attendance at political events. People even mark when they are on holidays (and their homes are presumably vacant).

When you add in internet browsers, email, loyalty cards, online maps, sat nav and wearables, things start getting a bit murkier. The reality is that while yes, you can certainly opt out of social media use, you risk being out of the loop of social events, business contacts through LinkedIn connections, family photos, and event planning. 

We can expect the GDPR in Europe to make social media more strict when it comes to privacy violations, but it relies on the processing of complaints of breaches, a determination (which could take forever and would presumably be applicable only to the EU), and then a ruling of sufficient gravity to create a precedent - it's not like companies don't have big pockets.

Privacy is not guaranteed through social media. I predict in the future that we'll see the introduction of a payment platform for social media users who demand anonymity as an absolute. Think of it as a second-tier system for those who pay more; maybe there are also other benefits (or at least temptations for people to surrender their privacy?). But, at the moment, the truth is, if you're not paying for something, you're not the customer; you're the product being sold.

Update: After writing my first draft, I received an email that the Electronic Frontier Foundation has published instructions on how to change your Facebook settings to opt out of Platform API sharing.

