"We exploited Facebook to harvest millions of people's profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on," said whistleblower Christopher Wylie.
The app initially got hundreds of thousands of Facebook users to take personality tests and to agree to share their data for academic purposes. However, the app collected not only their own Facebook data but also data belonging to their Facebook friends, thereby extending its reach to millions of users.
"We are investigating the circumstances in which Facebook data may have been illegally acquired and used. It's part of our ongoing investigation into the use of data analytics for political purposes which was launched to consider how political parties and campaigns, data analytics companies and social media platforms in the UK are using and analysing people's personal information to micro-target voters," said Information Commissioner Elizabeth Denham.
Will it impact how businesses use Facebook data?
The revelation has exposed how personal data on Facebook could be obtained by businesses or analytics firms and exploited for political or other purposes. That Facebook did not inform affected users about the breach even after discovering it would be a blatant violation of privacy-centric laws such as GDPR, which will place a premium on consumer rights and privacy over business interests.
In an email to SC Magazine UK, Evgeny Chereshnev, CEO at Biolink.Tech, said that he is glad that Cambridge Analytica's data collection practices have become public as it shows people just how severe and significant the problem is.
"We need to totally rethink the way we approach data - our digital trail and DDNA (digital DNA). Privacy of personal data MUST become a constitutional right that everyone has from birth. Data is there forever, and it should be illegal to take it from users... In that sense, the EU is the closest to doing the right thing, but there is always room for improvement, even when GDPR comes into effect," he said.
Because of its data collection practices, Cambridge Analytica has attracted not only the attention of the Information Commissioner's Office, but also that of Massachusetts Attorney General Maura Healey in the US, who said that US citizens need immediate answers from Facebook and Cambridge Analytica about their role during the presidential election.
Considering how the personal data of millions of people was used without their consent, authorities across the world will seek to ensure that the practice is brought to an end. Consequently, businesses will need to be very careful about collecting and analysing the personal data of customers, especially with regard to consent.
However, according to Lee Munson, security researcher at Comparitech.com, the way data was collected by Cambridge Analytica was not necessarily a breach as the firm only used software to collect data that was already in the public domain. Facebook could also be let off the hook as the company would not have handed over any data itself to the analytics firm.
Munson says that this loophole could be exploited by many other firms and businesses looking to collect and analyse personal data of millions of Facebook users. They could create their own specialised tools to harvest Facebook data of millions without having to obtain informed consent from such users.
"Facebook changed the way their APIs worked, in order to stop apps from accessing friends' profiles, back in 2015. Businesses won't change the way they collect, store, or use Facebook data unless Facebook decides to introduce further limits on what information can be obtained via their API," said Andy Patel, security advisor at F-Secure.
Were Cambridge Analytica's data collection practices normal?
According to Chereshnev, many people will think that businesses and analytics firms are taking their data from Facebook without their consent. However, this may not be true as many businesses design their privacy terms in such a way that customers hardly have any rights once they agree to usage terms.
"If you read the licence agreement, when you sign up to Facebook, you would understand that you have absolutely no rights when it comes to your data; your information, what you post and how information is gathered about you. Facebook can analyse and use this data any way it wants," he said.
Keeping this fact in mind, Sean Sullivan, security advisor at F-Secure, says that Facebook users should not share personal information such as phone numbers and places of work on their profiles, as these could be shared by their Facebook friends with third parties. They should also curate their settings to prevent their friends from sharing their personal information and should periodically revisit their account advertisement settings.
"Once it [GDPR] is in place, firms will have to consider the question of informed consent before using any personal data, whether collected directly or indirectly, and the whole landscape will change forever. Until then, and even afterwards, consumers need to take control of their own privacy and question everything they put online, especially on sites like Facebook, whose entire business model is based around its users being the product it markets," Munson added.
"Cambridge Analytica had/has access to the same information as anyone else using Facebook for business purposes. Other firms are most certainly harvesting data in a similar manner in order to more accurately target their own marketing campaigns," Patel added.