Questions and answers about the Cambridge Analytica scandal, while waiting for the GDPR. Responsibilities, Facebook’s role, and future scenarios. How would Europe manage these cases after May 25th?

It is too early to define the outcome of the Cambridge Analytica scandal. There is the knee-jerk reaction of the markets, which have penalized Facebook’s share price for six days in a row (also affecting other companies, such as Google and Netflix). There is the jumble of revelations, denials and official statements from all the parties involved: Cambridge Analytica itself, the American administration and Facebook’s top management. But there are also the official stances of the Supervisory Authorities in the United States and Europe.

The scandal broke on March 17th, following the revelations made by Chris Wylie, a former Cambridge Analytica employee. In short, Wylie told The Observer that the company had allegedly extracted from Facebook the personal data of about 50 million American citizens, without authorization. A gigantic data harvesting operation. The objective: to build a voter profiling system, in order to target voters with personalized advertising campaigns. (Remember microtargeting? We talked about it here).

Two days later, on March 19th, Channel 4 News released a video in which Alexander Nix, CEO of Cambridge Analytica, confirms the role played by his company in electoral campaigns all over the world. A role often kept secret, through a network of sub-contractors and figureheads. In the video below (which was edited together from several recordings made between November 2017 and January 2018) Nix adds sordid details: Cambridge Analytica allegedly used bribes and prostitutes to frame some of its customers’ political adversaries.

Facebook’s late intervention

Curiously, Facebook had already suspended the accounts of Cambridge Analytica and its parent company SCL Group on March 16th. In a post signed by Paul Grewal, Facebook explains the reasons for this suspension:

«Dr. Aleksandr Kogan lied to us and violated our Platform Policies by passing data from an app that was using Facebook Login to SCL/Cambridge Analytica, a firm that does political, government and military work around the globe. He also passed that data to Christopher Wylie of Eunoia Technologies, Inc.».

The app Grewal is referring to is called “Thisisyourdigitallife”. It offered a personality prediction using Facebook personal data: geographic location, friendships, content consumed, “likes” and shares. The 280k users who downloaded the app allowed Kogan to access this information, but not to transfer it to third parties. Moreover, through Thisisyourdigitallife Kogan got his hands on the data of a far greater number of users. The 280k consenting users actually handed over to the Cambridge professor a great deal of information about their Facebook friends: the 50 million Americans the news is talking about.

Finally, Mark Zuckerberg broke his silence on the scandal on March 21st. «We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you», Facebook’s founder and CEO said in a statement posted to his page.

Nothing new?

The facts had already been known for some time. For instance, I already talked about it in November, as part of the course “I suoni e il rumore nell’era dei big data” I hold at the University of Pavia. Yet Facebook resolved to intervene only in the wake of the tsunami that has been unleashed in recent days. Moreover, that Facebook’s reaction was late seems to be proven by another circumstance: just a year ago The Intercept had revealed everything there was to know in a documented investigation.

It should be noted that, in that same post, Grewal denies that the transfer of data from Kogan to Cambridge Analytica can qualify as a data breach:

«The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.»

Let’s try to shed some light on this story, as far as we know it. There are many actors involved, and the responsibilities under discussion differ. Let’s analyze them one by one, asking ourselves four basic questions.

First question: Did Trump and his staff know?

On the one hand, there are the responsibilities of Donald Trump and his collaborators during the 2016 presidential election campaign. In this case, the question is: did Trump’s team use, with the support of Cambridge Analytica, the Facebook profiles of millions of Americans? If we are to believe Chris Wylie’s revelations (published by the Washington Post), the answer seems to be yes.

The newspaper wrote that the operation had been supervised by Stephen K. Bannon himself since 2014. It’s worth remembering that Bannon was Trump’s campaign coordinator, the president’s chief strategist from 20 January to 18 August 2017, as well as a member of the Council for National Security from 29 January to 5 April 2017.

The harvesting of data from Facebook was intended to test the strength of specific anti-establishment messages. Messages that Trump himself later used in his campaign. Think of the “drain the swamp” metaphor, which Trump used dozens of times to refer to his plan to solve problems in the federal government. Or think of the “deep state” meme, which The Donald also used several times. Cambridge Analytica’s work was therefore aimed at measuring the mobilizing potential of this type of expression. The goal was to provide material for Trump’s electoral narratives. By the way, note that FOX is releasing a new TV series entitled, precisely, Deep State.

Second question: did Cambridge Analytica violate the law?

The second question, maybe the most important, is: was Cambridge Analytica’s use of Facebook users’ data inappropriate or even illegal? The position of the British company is becoming more and more difficult. In the U.K., the Information Commissioner Elizabeth Denham has opened an investigation.

But the climate has become difficult on the other side of the Atlantic as well. According to what was revealed by former employees, the members of the Cambridge Analytica board had been informed by their lawyers that those activities were illegal. Meanwhile, the Justice Department special advisor, Robert S. Mueller III, asked for the emails of the Cambridge Analytica employees who worked for Trump, as part of the Russiagate investigation into the 2016 presidential election. The news was released by the Wall Street Journal on March 15.

Third question: was Facebook an accomplice?

And now let’s get to Facebook’s role. Mark Zuckerberg’s company denies any involvement and actually considers itself the injured party. However, things are not that simple. Even if no direct connivance with Cambridge Analytica emerged, we would be facing a case of sensational (and culpable) superficiality. What did Facebook do to prevent data leakage? What checks did it put in place? We mean, obviously, preventive controls. No measures were taken after the disaster.

And that is without counting another crucial point: until now Facebook’s line of defense has centered on the fact that the 280k users of Thisisyourdigitallife gave their consent to the processing of personal data. However, as mentioned, the leaked information involves a much greater number of American citizens. We are actually talking about some 50 million users.

For this reason, on March 20, the Federal Trade Commission opened an investigation into Facebook. The intention is to verify whether the company violated the agreements it signed with the FTC in 2011. These agreements commit Facebook to requesting consent from users before their data is shared beyond the established privacy settings.

Fourth question: what if that happens in Europe tomorrow?

Imagine that in the future Facebook were to make an equally sensational mistake involving European citizens, allowing the leakage of personal data for the benefit of third parties (Cambridge Analytica or others). Suppose, also, that this happens after May 25, 2018, when the General Data Protection Regulation (GDPR) is in force in all the member countries of the European Union.

Well, what tools does the GDPR offer to prevent situations like the one we are witnessing?

The first thing to remember is that the GDPR gives European authorities a very wide jurisdiction. It will also be possible to penalize companies based outside the European borders, whenever an EU citizen’s right to personal data protection is violated. Furthermore, the European board of supervisors will have actual, not just advisory, powers. And, unlike today, national guarantors will be able to coordinate with their European colleagues to carry out their inspections.

GDPR: adequate measures and data breach

But there is one more important point, which lies in overcoming the concept of “minimum protection measures”. The GDPR replaces it with the concept of “adequate protection measures”. This means that all organizations (not just Facebook) will have to prove that they have done everything that was appropriate to be compliant.

Furthermore, there is the part of the GDPR that deals with data breaches, that is, cases of unauthorized access to sensitive data. This is one of the most significant changes introduced by the new regulation. A company such as Facebook will be obliged to provide the Supervisor, within 24 hours of the discovery of the event, with the minimum information necessary to allow an initial assessment of the violation. Furthermore, within three days, it will have to complete the documentation with all the information required by law.

Zuckerberg forewarned is forearmed?