As Cambridge Analytica carnage hits 87m, Facebook should apply GDPR globally

5 Apr 2018

Image: Ivan Marc/Shutterstock

As the scale of the Cambridge Analytica breach grows to 87m affected users, Facebook’s leadership will need to look at taking the strides of GDPR in Europe to a global level.

Can a new Facebook emerge from the ashes of the Cambridge Analytica affair? That was the thought that ran through my mind last night as it emerged that as many as 87m people – not the original 50m – were affected by the Cambridge Analytica data-gathering escapade.

The good news is that from Monday (9 April), you can find out if you were one of the victims.

“In total, we believe the Facebook information of up to 87m people – mostly in the US – may have been improperly shared with Cambridge Analytica by apps that they or their friends used,” Facebook CTO Mike Schroepfer wrote in a blogpost yesterday (4 April).

According to RTÉ, as many as 45,000 Irish people and 1m people in the UK may have fallen victim to the data haul after downloading the This Is Your Digital Life app, or simply by being friends with someone who installed it.

The app was created by a University of Cambridge professor called Dr Aleksandr Kogan for Cambridge Analytica in 2014 and masqueraded as a simple psychology quiz. It was a Trojan horse that spiralled from 270,000 trusting users to the 87m affected, and may have ultimately given Cambridge Analytica the insight it needed to help tip pivotal national decisions, including the election of US president Donald Trump and the Brexit vote in 2016.

Last night, Facebook rolled out a raft of new restrictions to stop third-party app developers accessing user data – but the genie is out of the bottle.

Facebook has to own up to its responsibilities for 2.2bn people

Mark Zuckerberg went silent as a deer in the headlights in the days that followed the revelations before eventually speaking up and taking out ads in UK newspapers. He apologised, promising to do better.

That ‘something better’ needs to be more than tweaks to the Open Graph or policies around third-party apps. We need a new Facebook.

A war of words or differences over what is product or who is product has emerged as companies such as Facebook and Apple, for example, appear to have different ideologies around privacy. Apple says it wants to sell you products. Facebook’s methods so far make you the product.

On one level, you could think Apple is being smug about already being on top of its General Data Protection Regulation (GDPR) obligations in Europe. But, in fact, Apple is ahead of the pack on the new regulations and embodies the spirit of what GDPR actually means on a global basis. It embodies those principles ideologically.

Last week, the company deployed new privacy settings on all iOS devices as part of a global software roll-out, with more empowering privacy features due to arrive in May ahead of GDPR.

Facebook needs to do the same. Globally.

Earlier this year, prior to the Cambridge Analytica scandal, Facebook published its privacy principles for the first time ahead of GDPR. It even went further to offer to let people choose to enable facial recognition, which had previously been unavailable in the EU. This feature will let users know if someone loads a picture of them in the frame, or it could be used as a way to prevent people impersonating others. It will either be brilliant or spooky.

Now, this all just seems another aspect of the tawdry mess that will only complicate the social network’s approach to privacy. The simple truth is that most people are only learning about data and privacy, and the engineering-led approach by Facebook, with multiple options and choices, has only served to confuse.

The reality is, technology is moving and evolving faster than most people’s ability to keep up.

If anything, Facebook will need to become an outlier and veritable beacon of perfection in the application of GDPR. The very principles of GDPR should be enshrined not only within the EU but in every geography, country or state Facebook is active in.

Facebook owes that at least to its 2.2bn active users, a good portion of whom live in countries where the privacy of citizens – indeed, the basic human needs of citizens – are often trampled upon. It is no wonder that Cambridge Analytica was in hot demand in resource-rich, poorer countries with shaky principles on democracy.

The very fact that two of the richest nations on Earth – the US and the UK – may well have had pivotal democratic events gamed by a third-party app on Facebook only shows how dangerous data has become in the wrong hands. It also makes you question how much we don’t know. What if Cambridge Analytica is just the tip of the iceberg?

On Tuesday (3 April), Mark Zuckerberg said he agreed “in spirit” with the strict new GDPR laws on privacy. However, he stopped short of committing to it as the standard for the social network across the world.

Instead, according to Reuters, Facebook was working on a version of the law that would work globally, bringing just some European privacy guarantees worldwide.

“In spirit” is not good enough. You can’t have defined protections for people in some of the richest nations on Earth and leave others with a watered-down version.

If Facebook is to recover from the Cambridge Analytica scandal, it needs to emerge as a new kind of entity that has privacy central to its ideology.

It needs to become a new company.

It needs to take GDPR and run with it on a global basis.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years