Demetrios Christou (Partner) and Eva Lu (Lawyer) at Thomson Geer consider the recent developments from the Facebook and Cambridge Analytica revelations.
What started as a simple personality quiz has resulted in Facebook being investigated by regulators around the world, including our own, and has landed Mark Zuckerberg, its CEO, in front of the US Congress to face questions on Facebook’s data privacy practices.
So what happened, what was the fallout, what do our privacy laws say and at the end of the day, why should we care?
The details about what happened first came to light in March when reporters from The Observer published a story following a year-long investigation into Cambridge Analytica’s involvement in the US elections. Keep in mind that the details about what happened are still evolving and a lot about what we know comes from the conflicting accounts of the parties involved.
While this story begins with a simple personality quiz, the details surrounding the revelations are far more complex.
In 2014, Cambridge University researcher Aleksandr Kogan, through his company Global Science Research (GSR) developed a Facebook app called “thisisyourdigitallife”. The app was downloaded by around 270,000 users and each user was paid $1 – $2 to take the app’s personality test.
GSR used the app to collect personal information about those users purportedly for “academic purposes”. As well as collecting information on each user, GSR also collected information about each user’s Facebook friends, leading to the accumulation of a data pool, which according to Facebook, affected up to 87 million people. While users of the app will likely have given consent to the collection and use of their personal information, the friends of those users would not have had the opportunity to consent to their personal information being collected or shared in this way.
The app collected the data through Facebook’s first iteration of its Graph API. This is essentially a Facebook tool that was made available to third party app developers giving them access to a vast amount of data about Facebook users and their friends. The first version of the tool was made available to developers in 2010. Facebook started to phase it out in April 2014 until it was completely closed in 2015 after Facebook saw problems with the amount of data available through the tool.  A second iteration was implemented which was more restrictive in the data it made available.
GSR reportedly supplied the data from the app to Cambridge Analytica and SCL Elections (SCL), the parent company of Cambridge Analytica at the time. Facebook’s policy at the relevant times only allowed the collection of a user’s friends’ personal information through the Graph API to improve user experience on the platform. It did not allow it to be used or shared for advertising purposes.
In 2015, after discovering the enormous amount of data that had been collected using the “thisisyourdigitallife” app, Facebook removed the app from its platform and demanded certification from GSR, and all parties that GSR had given the data to, that the data had been destroyed. In response Cambridge Analytica certified that it had destroyed the data in question. Apparently Facebook did not pursue the issue any further at that stage.
On 16 March 2018 Facebook announced that it was suspending Cambridge Analytica and the SCL Group from its platform for failing to delete all the data it had received in 2015 from GSR as it had certified. This action was purportedly taken after Facebook became aware of upcoming news stories from The New York Times and The Observer. On 21 March 2018, CEO Mark Zuckerberg released a public statement on his Facebook page laying out the time line of events leading up to the revelations.
Cambridge Analytica has strongly denied all allegations and agreed to a forensic audit by an independent third party. Cambridge Analytica in its 9 April 2018 press release states that GSR “licensed the data to us, which they legally obtained via a tool provided by Facebook.” In the same press release, Cambridge Analytica claimed that the data of only 30 million people was licensed from GSR. It noted that although it was involved in the Trump campaign, it did not use any of the data obtained from GSR. It also claimed that all data, including derivatives, was deleted when requested by Facebook.
What was the fallout?
Irrespective of what actually happened, the fallout was immediate. Facebook’s shares fell within days of its announcement, wiping a total of $100 billion from its market value. The hashtag #DeleteFacebook appeared more than 10,000 times on Twitter within a two-hour period on the following Wednesday. Facebook is now facing investigations from regulators around the world. Lawsuits have been filed against Facebook and Cambridge Analytica by investors and individual users. Both Cambridge Analytica and SCL have since announced that they will be closing down.
In response to the reporting on the revelations, Zuckerberg took out full page ads in newspapers in the UK and US apologising for Facebook’s role and testified before a two-day US Congress inquiry. For Facebook, the backlash has been focused on its failure to police activities on its own platform and its lack of responsibility over the use of its user data. Facebook has since announced sweeping changes to many of its APIs. It has disabled a form of advertising targeting called Partner Categories. It has also undertaken significant overhauls of its privacy and security measures, including by making efforts to give users more control over those features and provide users with a tool to find, download and delete their Facebook data.
What do our privacy laws say?
The acting Privacy Commissioner announced that it has opened a formal investigation into Facebook, following confirmation from Facebook that the information of over 300,000 Australian users may have been acquired and used without authorisation. The investigation will consider whether Facebook has breached the Privacy Act 1988 (Cth) (Privacy Act), which regulates the way organisations collect, use, handle and disclose personal information.
Under the Privacy Act, an organisation must collect personal information only by lawful and fair means and only from the individual unless it is unreasonable or impracticable to do so. The organisation also has an obligation to notify individuals that it has collected personal information about an individual. There is little doubt that the personal information of friends of the users that downloaded the “thisisyourdigitallife” app was collected by GSR without any direct consent by the friends of those users.
When it comes to use or disclosure, if an organisation holds personal information about an individual that was collected for a particular purpose, then the organisation must not use or disclose the information for another purpose unless the individual consents, or if an exception applies, such as if the individual would reasonably expect the use or disclose for another purpose and that purpose related to the original purpose.
Cambridge Analytica has laid the blame on GSR from whom it licensed the data. It claims its contract with GSR stipulated that GSR should seek informed consents from those users for use of the data. Cambridge Analytica also denies the data was ever used for advertising or political purposes during the Trump campaign. It is difficult to know how the data of these 87 million users was used, however, this may become clearer if Cambridge Analytica complies with an enforcement notice served on it by the UK Information Commissioner’s Office (ICO).  The ICO’s notice requested information about where it received data and how it used data about a US voter in a test case that may see more US citizens seek access to the data Cambridge Analytica holds about them.
However it was Facebook, through its Graph API, that disclosed the personal information of those users that downloaded the app and the personal information of their friends. The Privacy Commissioner’s investigations will no doubt look into whether Facebook took appropriate measures to notify or procure informed consent from individuals about how their personal information could be disclosed to and used by those third parties through these tools.
Under the Privacy Act if an organisation holds personal information, the organisation must take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure. These obligations are central to the allegations that Facebook has breached our privacy laws. Irrespective of what GSR or Cambridge Analytica did with the information, Facebook had a clear obligation to protect the information of its users and subsequently to alert its users and recover the information once it discovered the breach. While Facebook took steps in 2015 to limit the data available through its Graph API, it will be interesting to see the results of the Privacy Commissioner’s investigations in this regard.
Why should we care?
Does it matter whether or not Cambridge Analytica has deleted all the data? There are arguments that the data GSR collected can never really be deleted when the models built from the data seem to still be circulating and are being developed further. However, this is irrelevant when considering whether there were breaches at the time of the collection, use or disclosure.
Is it possible that the micro-targeting techniques deployed using the GSR data significantly helped Trump win the election in 2016? Cambridge Analytica has denied that it used the data during the Trump campaign. That aside, there is limited evidence that proves micro-targeting actually works and its effectiveness has been questioned by marketers and advertisers.
Even so, political profiling is nothing new. Researchers and academics have surveyed and profiled voters for decades. However, this time the data was purportedly taken without consent and the vast amounts of data means GSR could create psychographic profiles of millions of users, which were much more detailed than the demographic profiles which have previously been used in voter profiling. Although whether this is true or not is not 100% clear either.
Finally, is it that surprising that Facebook has allowed third parties to access and continues to allow them to access the personal information of its users? After all, this is fundamentally Facebook’s business model and Facebook has been selling user data to advertisers for years. Recent pieces on “I downloaded all the data Facebook has on me” provides some eye opening insights into just how much data is able to be collected through the use of platforms like Facebook.
But these are not likely to be the biggest concerns that consumers will have about Facebook, GSR or Cambridge Analytica. This is not a question about micro-targeting and how micro-targeting can manipulate elections to undermine the democratic process. This is not a question of how much personal information is out there or who is using it and how.
Instead the biggest concern that consumers are now likely to have in light of these revelations is how much control has been relinquished over how their personal information is used and disclosed.
The Facebook Graph API was a revolution at the time in large-scale data collection because it allowed user data to be made much more economically available to third parties. It literally converted users and their likes, shares, connections, locations, updates and extended social networks into “objects” that app developers could request and take out of Facebook. It is not difficult to regard users’ data as a “product” when the Facebook Graph API refers to those data points as being “objects” when it makes those data points available for use by app developers.
One of the most revealing moments from the US Congressional hearings was Mark Zuckerberg’s response to Senator Hatch’s question of “… how do you sustain a business model in which users don’t pay for your service?” – “Senator, we run ads.” While targeted advertising is the direct source of Facebook’s income, attributing to 98% of its revenue, the targeted advertising purchased by advertisers is only effective because of the data that consumers freely share with Facebook.
In light of this, if consumers consider themselves from the perspective of a supplier of a product (i.e. their data) and not a consumer of a ‘free’ service, then they might begin to consider what sort of returns and protections they should demand for the products they supply and consider the possibility of taking that product away if their demands are not met. Perhaps one of those demands could be more control over their personal information.
Facebook’s recent privacy setting changes appear to provide further protections, but the devil is in the detail. Facebook gives users control over what they actively choose to post or share, but users have no control over what is passively shared about them, or the information third parties can query and extract through various Facebook tools. Facebook continues to retain all control over the design and operation of their APIs. Facebook also appears to be making plans to change its terms of service in May so that 1.5 billion of its members, including those in Australia, will not fall under Europe’s new General Data Protection Regulation.
Whether all this results in a reduction in the use of platforms like Facebook is unlikely, but as we have seen following the reporting on the revelations, the loss of the public’s trust in an organisation can have far reaching consequences beyond the direct legal implications.
The Facebook and Cambridge Analytica revelations have highlighted the extent to which the personal information of individuals can be used and the true price that consumers pay for the use of ‘free’ services. It will be interesting to see what findings come out of the acting Privacy Commissioner’s investigation into Facebook, Cambridge Analytica’s response to the ICO’s enforcement notice and whether the revelations will have any impact on the current Australian Competition and Consumer Commission inquiry into digital platforms. But more importantly, what steps, if any, Facebook and other data gathering platforms will take to improve their information handling practices in light of the longer term public response to such findings.
For a list of all references, please click here.