Why no one should be surprised by the Facebook / Cambridge Analytica “breach”

As I’m someone who is concerned about privacy and the invasiveness of technology in our lives, you might be startled by my response to the alleged “data breach” in the Facebook / Cambridge Analytica saga.

My reaction: “It’s not a breach if data was supplied with consent!”

Of course, the important word is “if”.

How often have we seen our friends post on their Facebook profile the results of some new personality test, IQ test, or super addictive free game? In the (very few) cases I might click through to see more, I then get a consent form, more or less saying that “App XYZ requests access to your Contacts, Photos, Posts, Messages, First Born Child and Bank Account.”

So I was confused about why people were calling it a breach.

Of course, further details are coming to light, and Facebook is currently under FTC investigation. It may emerge that there were legal violations. But from a purely technical viewpoint, I don’t consider it a technical breach. Harvesting data is what Facebook and many other companies do – it’s their business model. Here, profile data was scraped by one or more apps, and consent was provided by users who voluntarily used those apps, and this happened within the technological limits and boundaries in place.

But morally, was it a breach? That’s a different question…

Let’s say that I’m person “A”, and my friend is person “B”, the app developer is “C”, and Facebook is “D”. Let’s say I shared private messages and photos with “B” on Facebook.

If “B”, my friend, clicks “Agree” to use an app from “C”, then that’s complicit acknowledgement that the user is happy for his or her own data to be accessible to some unknown 3rd party. In my view, sharing your life with someone (or more likely, a company) that you’ve never met is a very brave move. One has to assume that the data will be downloaded, mined and stored, even if the original Facebook account is deleted. (Note: GDPR Article 17 will be very welcome.)

I think it’s fair enough; “B” provides that consent to “C”, so the data is fair game.

But how far should consent extend?

As person “A”, I didn’t consent to “C” taking a copy of all messages that I had sent to “B”, or having access to my posts and photos. I have given them to “B”, not “C”. So does “B” have a right to then give copies of that data to “C”? And does “D” have the right to facilitate it?

This raises numerous legal questions, and with laws varying worldwide I’m sure there’ll be different answers.

As a technologist, I really want everyone to realise something.

Facebook is not your friend. It’s a money-making machine, and it makes money by collecting and commercially exploiting your data. No one should be surprised when that data can be used to manipulate our thoughts.

Nor are 3rd party app developers your friend. Especially if the app is free, they’re probably making money by commercially exploiting your data.

Further, data that is posted to Facebook is voluntarily provided by its users. Facebook never forced anyone to use its service or to upload information to it. Every time you visit Facebook, it knows your IP address and connection time. It knows what links you click on, it knows your behaviours, preferences, interests. It’s Big Brother.

Facebook doesn’t force anyone to upload photos or comment on posts. Facebook doesn’t force anyone to use 3rd party apps, or to click on a consent button to share that information with others. It’s voluntary.

It really should come as no surprise to anyone that the data is scraped, harvested, mined, analysed, stored, and can be used to manipulate you.

And once data is “out there”, you have to be prepared for the consequences, good and bad.

It’s not the advertising that I think we should be worried about. It’s all the unintended consequences that should be concerning.

Let’s take an example. Say you’re an avid user of social media, and you also happen to enjoy posting your holiday photos and getting likes and positive comments from your friends. Maybe you’re even careless enough to post photos of your airline boarding passes. Your photos probably contain geo-tags of your location and the date/time of the photo (as Paris Hilton found out when she unknowingly tweeted her home address). This means you’re giving Facebook a history of your movements – information that you know will be used by Facebook and by the other parties you consent to share it with.

But it’s not just Facebook or app developers that can use the data. Let’s say a clever cyber stalker befriends you with a fake account… then suddenly they can see your photos too. And when they see you’re on holidays, they know you’re not at home. That’s very useful information for a thief. (Just ask Paris Hilton.)

With awareness of how our data can be used, I hope individuals can better protect themselves from these situations.

I strongly believe that the only way to have privacy in the age of the cloud is to do several things:

1. Firstly, recognise that using cloud services can easily leak your data – even if legally they shouldn’t. A technological malfunction, like a bug in the cloud provider’s systems, can cause a data breach, or a hacker can compromise your cloud account or a friend’s cloud account. Be careful what information you put out there, and with whom you share it. In the worst case, private data can be made public, as the nude celebrity photo incident revealed.
2. Take control over your own data by using client-side encryption (sometimes called end-to-end encryption). That’s the only guaranteed way to have privacy because you control your own key.
3. Delete unnecessary data in the cloud when it’s no longer relevant. Hopefully over time the data will be deleted off the cloud provider’s systems, and future leaks will be prevented.
4. Pay for data hosting and use only companies with clearly stated data handling procedures. And avoid companies that provide free services. At the end of the day, you can either pay with money, or you pay with your privacy.

If you want complete privacy, you don’t have to live in a cave. Just encrypt everything and keep your keys private. You can still enjoy a lot of the benefits of the cloud, but without the drawbacks. Some good encryption products featuring client-side or end-to-end encryption are:

  • ScramFS and ScramExplorer for encrypted file storage
  • Wire for encrypted instant messaging
  • GPG for encrypted email

Let’s all stay safe.