Loose privacy controls helped Facebook build a $557 billion social media empire. But company insiders say that the threat of Facebook users’ personal data falling into the wrong hands didn’t recede with the Cambridge Analytica scandal.
One Facebook app developer who is testing the limits of how much personal information Facebook users are willing to give up, told Business Insider anonymously that the social media giant is “massively underplaying” the risk of another data leak equal to the Cambridge Analytica scandal.
Facebook and its founder Mark Zuckerberg came under fire in April when news of how Cambridge Analytica, a UK-based data mining firm with ties to former Trump adviser Steve Bannon, acquired the data of an estimated 87 million Facebook users. The firm used the data along with major cash donations from U.S. Republicans to steer opinions and votes to far-right politicians and causes.
Although The Guardian first reported on Cambridge Analytica’s acquisition of Facebook data and the way U.S. politicians were using the info in December 2015, the public’s response never amounted to a whimper until more than two years later.
With the election of Donald Trump and the U.K.’s Brexit vote in the bag, more information came to light about how Facebook’s privacy policies enabled Cambridge Analytica to power political causes. The publicity and subsequent public outcry landed Mr. Zuckerberg a seat before the Senate commerce and judiciary committees, which grilled him on privacy policies, data mining, regulations, and Cambridge Analytica in a marathon five-hour hearing.
Cambridge Analytica: Just the Beginning
But despite Mr. Zuckerberg’s assurances that the company is tightening its controls of user data, Facebook data leaks likely haven’t ended with Cambridge Analytica.
According to the Business Insider, the app developer it interviewed says that there are thousands of apps like “This Is Your Digital Life,” the app developed by Aleksandr Kogan, who collected the Facebook user data of an estimated 87 million people and sold it to Cambridge Analytica.
Facebook permitted apps to collect not just the data of the users who used the apps, but their friends’ data as well. This policy remained in place between 2007 and 2014, allowing thousands of apps to collect data from millions of app users and their friends. Allowing apps to collect data on users and all their friends opened the data-collection floodgates. Mr. Kogan’s app is a case in point. The 270,000 people who installed and used the app opened the door for Mr. Kogan to access the data of tens of millions of users.
Where all that data went, what it included, and how it’s being used is anybody’s guess. It’s more than unlikely that Facebook can prevent other companies from buying and selling user data once that data lands in the hands of second and third parties.
Last month Facebook announced it had suspended 200 app developers for suspected misuse of user data, but suspension is all Facebook can really do. The data is still out there and suspended app developers can reincarnate under new identities.
According to Business Insider’s source, when Facebook does find an app developer that is misusing user data, it can be difficult or impossible for Facebook to follow up with them if they are using shadow profiles and other fictitious information to mask their identity.
Useless Terms of Service
One of Facebook’s key defense strategies in the Facebook debacle has been to pin the blame on Mr. Kogan, the “This Is Your Digital Life” developer. Facebook accused Mr. Kogan of violating its developer terms and conditions, which prohibit app developers from collecting user data for commercial gain and handing it over to other firms or interests.
However, Mr. Kogan turned the accusation around on Facebook, claiming Facebook never vetted his own terms and conditions. When testifying before British legislators last month, Mr. Kogain stated:
“This is the remarkable thing about the experience of an app developer on Facebook. You can change the name, you can change the description, you can change the terms of service, and you just save changes. There is no obvious review process. We had a terms of service up on the Facebook platform — linked to the Facebook platform — that said we could transfer and sell data for at least a year and a half, and nothing was ever mentioned. It was only in the wake of the Guardian article that they came knocking.”
Business Insider’s app developer source said the extent of Facebook’s review of developer policies was to check for a valid URL to those policies. The social media giant did not review the actual content, even if those policies were “one or two lines of nonsense.” As Business Insider’s source indicates, this flawed approach to privacy effectively allows app developers to create their own rules about how the acquired data is used.
Sandy Parakilas, a former operations manager at Facebook’s California headquarters, emerged as a whistleblower in 2012 when he warned that Facebook’s developer platform posed a serious data-security threat because there were few controls in place that let Facebook see what third parties were doing with the data they were collecting.
Mr. Parakilas, who spearheaded Facebook’s efforts to fix privacy problems on its developer platform ahead of the company’s 2012 initial public offering, gave central testimony about the Cambridge Analytica scandal in the U.S. congressional hearings as well as in other hearings in the U.K. and European Union.
“What I saw from the inside was a company that prioritized data collection from its users over protecting them from abuse,” Mr. Parakilas wrote in an op-ed for The New York Times last year.
According to Mr. Parakilas, “Facebook knows what you look like, your location, who your friends are, your interests, if you’re in a relationship or not, and what other pages you look at on the web.”
With this data, advertisers can target more than a billion Facebook users in multiple countries every day. And, while many Facebook users are aware that they are allowing advertisers to target them for specific purposes, very few likely suspect their data could be sold to data mining companies like Cambridge Analytica and used for other purposes.
“Remember the age of Farmville and Candy Crush?” Mr. Patkilas asks. “The premise was simple: Users agreed to give game developers access to their data in exchange for free use of addictive games.” But what the app developer does with that data is out of Facebook’s and its users’ control.
National Security Threat
On June 3, The New York Times disclosed data-sharing agreements Facebook forged with companies such as Amazon, Apple, Blackberry, and Samsung in addition to at least four Chinese electronics manufacturers.
According to the report, “The agreements, which date to at least 2010, gave private access to some user data to Huawei, a telecommunications equipment company that has been flagged by American intelligence officials as a national security threat, as well as to Lenovo, Oppo and TCL.”
Alarmingly, Huawei’s close ties to China’s Communist Party are not new, but that didn’t stop Facebook from sharing data with the company.
Virginia Senator Mark Warner express his concerns about Facebook’s data-sharing agreements with the company, saying “I look forward to learning more about how Facebook ensured that information about their users was not sent to Chinese servers.”