Data protection leaders respond angrily to Cambridge Analytica scandal

20 Mar 2018

Almost every facet of government and business has felt the powerful shockwaves unleashed following the Cambridge Analytica revelations of mass manipulation.

One of the biggest news stories from the past week was Microsoft calling on white-hat hackers to test its software to the limit. It will pay anyone who can find new speculative execution vulnerabilities – similar to Meltdown or Spectre – up to $250,000 as part of a new bug bounty program.

Meanwhile, the US government said it was now pointing the finger of blame for the infrastructure cyber-weapon Dragonfly squarely at hackers working for the Russian government.

“After obtaining access, the Russian government cyber-actors conducted network reconnaissance, moved laterally and collected information pertaining to industrial control systems,” the FBI and the US Department of Homeland Security said.

But now, on to the news of Cambridge Analytica, a story that does not look like it will be going away any time soon.

Cambridge Analytica admitted gross misconduct

As many as 50m Facebook users have been implicated in what could be one of the biggest scandals of the year. Secret footage obtained by undercover journalists for Channel 4 in the UK showed senior members of the company Cambridge Analytica seemingly admitting to the use of illegal tactics – both online and offline – to swing elections.

The footage released as part of the investigation shows the company’s chief executive, Alexander Nix, speaking to someone he believes is a wealthy Sri Lankan person looking to have enormous political influence in their country.

At the meeting, Nix contradicted his other executives from a previous meeting who said that the company did not engage in dirty tricks to sway influence. Nix went so far as to say that a possible option would be to implicate a rival in a sex scandal.

“Deep digging is interesting but, you know, equally effective can be just to go and speak to the incumbents and to offer them a deal that’s too good to be true and make sure that that’s video-recorded. You know, these sort of tactics are very effective, instantly having video evidence of corruption.”

Although Nix said these ideas were hypothetical, the footage shows him admitting that the company spends a considerable amount of time covering the tracks of any wrongdoing by using a variety of differently named front groups.

Irish Data Protection Commissioner demands access

From a data protection standpoint, the fact that the personal information of largely US-based Facebook users – including emails, contracts and bank transfers – was used by the company has been one of the biggest and most damning revelations from this exposé.

With the Facebook international headquarters in Dublin, Ireland’s Office of the Data Protection Commissioner (ODPC) has said it is speaking with Facebook Ireland over the fallout of what access third-party apps had to user data.

“The Irish DPC is following up with Facebook Ireland in relation to what forms of active oversight of app developers and third parties that utilise their platform is in place, with a view to ensuring it is effective,” the ODPC said.

It remains to be seen in the long run what role the ODPC will play in this ongoing story, as the location of the Facebook HQ means Ireland has a major role to play in current and future European investigations.

UK information commissioner faces off to Facebook

Canadian data analyst and former employee Christopher Wylie provided considerable evidence to The Observer newspaper, which initially broke the story, and has since passed on the details to the cybercrime unit of the UK’s National Crime Agency and to the Information Commissioner’s Office (ICO).

The latter has reacted angrily to the news and is now seeking an urgent warrant to search the London headquarters of Cambridge Analytica for information relating to the allegations, while pressuring Facebook to call off its own audit.

Incredibly, the ICO arrived at the company’s offices on Monday (19 March) to find that cybersecurity auditors hired by Facebook were also trying to enter the office, and told them to leave before they prejudiced the state investigation.

Facebook has since said it would no longer seek access, but the chair of the culture select committee, Damian Collins, expressed his alarm: “The concern would have been, were they removing information or evidence which could have been vital to the investigation? It’s right they stood down but it’s astonishing they were there in the first place.”

Scandal widens Stateside

In the US, anger over this news has spread like wildfire, with a number of US senators calling for the CEOs of the major Silicon Valley companies, including Facebook, to be brought before the state for questioning.

A letter written by Democrat Amy Klobuchar and Republican John Kennedy said: “A hearing with the CEOs would allow the committee to learn what is being done to protect Americans’ data and limit abuse of the platforms, as well as to assess what measures should be taken before the next elections.”

Connecticut attorney general George Jepsen also said he was going to launch an investigation specifically with Facebook regarding the information obtained from the 50m profiles.

Facebook’s role

Facebook’s response to all of this has been limited, with one official statement from the company saying that it was “moving aggressively to determine the accuracy of these claims”, all while founder and figurehead Mark Zuckerberg remains silent.

Speaking of silence, the company has suspended Wylie from accessing Facebook during the investigation, despite his role as the initial whistleblower.

Letters from 2016 provided by Wylie to The Observer showed that the company told him to destroy any data he obtained with help from Aleksandr Kogan, who provided the original information in 2014.

All of this has hit Facebook at its financial core, with news that $36bn has been knocked off the company’s valuation. One of its former platform operations managers, Sandy Parakilas, has said to The Guardian that harvesting data was not just limited to Cambridge Analytica and was an “utterly horrifying” practice.

When asked whether Facebook really controlled the data on its platform at the time, he said: “Zero. Absolutely none. Once the data left Facebook servers, there was not any control and there was no insight into what was going on.”

He also claimed that an executive at Facebook advised him against looking too much into how the data was being used by these firms, effectively saying plausible deniability was the best solution.

“They felt that it was better not to know. I found that utterly shocking and horrifying,” he said.

Colm Gorey was a senior journalist with Silicon Republic
