Cambridge Analytica is a London, UK–based federal, data analytics, promoting, and consulting firm, which is involved in illegally sourcing Facebook data and utilizing it to determine a variation of federal crusades. These crusades constitute those of American Senator Ted Cruz and likewise of Donald Trump as well as the Leave-EU Brexit campaign, occurring in the United Kingdom’s resignation from the EU. Cambridge Analytica has offices in London, New York, and Washington DC. 

The Facebook–Cambridge Analytica data scandal was a major disgrace in spring 2018 where Cambridge Analytica collected the private data of millions of people’s Facebook profiles without their approval and handled it for Political Advertising. It has been defined as watershed flash in the country’s understanding of private data and hastened a 17% fall in Facebook’s cut-rate and summons for stronger law of tech firm’s use of private data.

Background Information

In 2014 many of us might have taken a survey which looked alike survey of varied things which has included not just the user’s personally identifiable information/ data, but also the user’s Facebook friend’s data with the company that worked for the President Trump’s 2016 campaign. This is where the research firm Cambridge Analytica came into the picture, CA partnered with the UK research academic Aleksandr Kogan who was using Facebook for research purposes. The survey Kogan had formulated was been sent to 3L Americans which looked innocuous and included over 100 personality traits that allow surveyees to agree or disagree with. But there is a catch, surveyee’s need to log in or signup to Facebook to take the survey, which gave Kogan access to the user’s profile, birth date, location, and most importantly user’s Facebook likes. Kogan combined the survey outcomes/ results with the user’s Facebook data to develop a psychometric model which is a sort of personality profile. Kogan then combined the survey data with voter records and sent the data to CA. CA claimed that this survey’s outcomes combined with that of personal traits of varied users and models were a key to how they profiled a user and their psychoneurosis and other susceptible traits. Not just that, Kogan and CA even procured the user’s Facebook friend’s data by utilizing the same profile model. In just a few months, two lakh twenty thousand people took part in Kogan’s survey and data of up to 87 Million Facebook user’s profile data was harvested, which is close to one-quarter of all US Facebook users. The motive was to use the procured data to target users/surveyees with political messaging which helps trumps campaign strategy, but the campaign disagreed with it. Kogan’s work was for academic research but Kogan shared the formulated data with CA, which is a violation of Facebook’s policy. Upon this violation, Facebook’s CEO Mark Zuckerberg said it is not a data breach because no passwords were stolen nor any of the systems were infiltrated but there was a breach of contravention amid Facebook and its users. The following investigation was taken up by the US federal trade commission.

Facebook Data Breach

The illegitimate procurement of personally Identifiable data by CA was first disclosed in December 2015 by Harry Davies, a journalist for The Guardian. Harry reported that CA was functioning for US Senator Ted Cruz using data procured from millions of user’s Facebook accounts without their approval. Facebook disapproved to comment on the story other than to say it was examining and investigating. Additional reports go around within the Swiss publication “Das Magazin” by Hannes Grasseger and Mikael Krogerus, Carole Cadwalladr in “The Guardian”, and Mattathias Schwartz in “The Intercept” in the months of December 2016, February 2017, March 2017 respectively. Facebook disapproved to clarify on the affirm in any of the articles.

The scandal finally exploded in March 2018 with the exposure of a conspirator, an ex-Cambridge Analytica employee Christopher Wylie. Christopher was an unidentified source for an article in 2017 in The observer by Cadwalladr, titled “The Great British Brexit Robbery”. This report went vigorous but was disapproved in some quarters, prompting skeptical reply in The Newyork Times among others. Cadwalladr Jane worked with Wylie for a year to persuade him to come forward like a conspirator, who later brought in channel 4 News in the UK and The New York Times due to licit warning against The Guardian and The Observer by CA. The three news organizations publicized concurrently on March 17, 2018, and caused an enormous communal whoop, and which affected more than $100 billion was clocked off Facebook’s retail funding in days. Senators in the US and UK called for answers from Facebook CEO Mark Zuckerberg. The scandal later led Mark Zuckerberg to agree, and testify in front of the United States Congress.

Case Summary

Strategic Communication Laboratories group the parent company of CA was a private British behavioral and strategic research communication firm. In the US and other countries, SCL generated public scandal typically over its subsidiary CA, by procuring data through data mining, data analysis on its public with the association of an academic researcher named Aleksandr Kogan who was told to develop an app called “This is your digital life” and alongside he was told to formulate a survey on the behavioral patterns of users which he has procured from the social media users of Facebook, and meant to utilize the data without the approval of Facebook nor the user’s of Facebook for electoral/ political purposes as the data was detail enough to create a profile which implied which kind of advertisement would be most efficient to influence a distinct person in a distinct location for the federal event. Based on results, the information would then be precisely targeted to key audience associations to alter behavior in accordance with the intent of SCL’s client, which led to a breach of trust amid Facebook and its users.

Outcome

As a result, the Facebook CEO was asked for the explanation and there was a fall of 17%in share price and was asked to impose strict regulations on the privacy of the user’s personal data. Later, the users were notified about the access granted by them for different applications to be revoked and analyzed in the settings alongside there audit trials on breach investigation. Meanwhile, Facebook promised to develop an app to force delete all the Facebook web search data by its users.

Over the earlier several months, Cambridge Analytica has been the name of numerous unfounded allegations and, despite the firms attempting to improve the record, has been reviled for activities that are not only legal but also widely accepted as a standard component of online promotion in both the federal and industrial areas.

Cambridge Analytica hired a third-party auditor, Julian Malins, to investigate the accusations of wrongdoing. The firm said that the investigation resolved that the allegations were not “carried out by the facts.” Notwithstanding Cambridge Analytica’s consistent reliance that its employees have performed ethically and legally, which view is now fully approved by Mr. Malin’s statement, the offense of media coverage has driven away implicitly all of the Company’s clients and suppliers. As a result, On may 1st 2018 it has been settled that it is no longer viable to remain running the Firm, which left Cambridge Analytica with no practical option for placing the Firm into government.

Changes in Policy/General Data Protection Regulation

General Data Protection Regulation, which went into impact 25 May 2018, plans logical data security laws over Europe. It pertains to all firms that prepare private data about people in the EU, notwithstanding where the firm is based. Processing is interpreted broadly and points to anything correlated to private data, including how a firm manages and succeeds data, such as settling, saving, utilizing and damaging data.

While many of the laws of this regulation build on EU data protection laws, the GDPR has a broader scope, more determined rules, and ample fines. For example, it needs a higher model of approval for utilizing some sorts of data and expands the rights that people have for obtaining and shifting their data. Crash to comply with the GDPR can succeed in notable penalties, up to four percent of global year-long income for several violations or infringements.

Coming to the policy changes with regard to data accessible by others and even the developers only upon granting permissions and stricter data settings and a research tool to scrutinize the search.

Conclusion

Nevertheless how many ever changes or updations are done to specific applications, the user of that particular platform should be aware of what kind of personal data and what kind of applications he/she should grant permissions to. Alongside, keeping a check i.e reviewing the account activity, revoking the access of illicit applications, and checking its settings at regular time intervals are important to keep their data safe, and being aware of the consequences the breach can impact on them.

Author: Komati Monika, Intern at Legal Desire (2020)

Monika Komati is a persistent, detail-oriented cyber forensic analyst and cybersecurity enthusiast with 6 months of experience with Telangana State Forensic Science Laboratory. Her background covers digital forensics, forensic audit, vulnerability management, threat intelligence, malware analysis, and cyber incident response. She is experienced in developing System Security Plans implementing NIST Framework as well as utilizing all six steps of the Risk Management Framework