The U.S. Federal Trade Commission (FTC) is investigating whether personal data held by Facebook, Inc. was used by an analytics firm associated with the Trump campaign. Specifically, the FTC is trying to determine whether the company violated the terms of an earlier consent decree when 50 million users’ data was transferred to Cambridge Analytica, a data and media consultancy firm. To date, Cambridge Analytica has been accused of misrepresenting the purpose of some of its data mining, which yielded something like 30 million Facebook profiles it could comb for data. This calls into question how consumer information is shared with other entities, particularly when consent was not provided.
Social Media & GDPR
This revelation has called into question how social media sites harvest personal information from their platforms. As one article pointed out, “Some large-scale data harvesting and social manipulation is okay until the election. Some of it becomes not okay in retrospect.” This is indeed troubling at a time when personal information is constantly used by malicious actors for monetization or in support of other operations (e.g., social engineering, spam, phishing, credential theft, etc.). A recent report by a content marketing agency revealed that Facebook logins can be sold for USD $5.20. Such access gives a criminal a compromised individual’s contact list with which to target other people. According to the same report, an individual’s entire online identity – including personally identifiable information and financial accounts – could be sold for USD $1,200.00. After initially denying the claim, Facebook acknowledged the breach and promised to take action.
It should be noted that this is not the first time a politician’s campaign has leveraged social media data to understand the electorate. According to one source, in 2012 the Obama campaign encouraged supporters to download an Obama 2012 Facebook app that, when activated, let the campaign collect Facebook data on both users and their friends. What’s more, per the article, the campaign could deliver carefully targeted campaign messages disguised as messages from friends to millions of Facebook users. While there is a difference in how the apps were delivered (the users who downloaded the Cambridge Analytica app were told that the information would be used for academic purposes), the intent and purpose were the same.
The aftermath of this discovery calls into question whether or not the United States will adopt protection and privacy rights similar to those afforded to European citizens under the General Data Protection Regulation (GDPR). Under the new law, set to go into effect in May 2018, citizens gain significant control over how organizations use, process, and store their information. Additionally, the GDPR grants individuals the right “to be forgotten” – a measure by which any individual can request that an organization delete or remove their data from its systems, with exceptions in specific cases such as healthcare information. The GDPR forces organizations to comply or else not do business, an approach that puts consumers above the organizations they patronize.
GDPR Compliance in the US
The United States needs to enforce similar mandates as well. For too long, individuals’ information and data have been shared or sold to other entities seeking to target them with advertisements, physical and digital junk mail, and unsolicited phone calls. Such information in the wrong hands serves criminals, as well as unsavory companies willing to sell their services to the highest bidder. This practice must stop in order to curb the data breaches that continue to expose millions upon millions of records and to stop needlessly exposing people to the types of influence and persuasion that have been observed in our election system.
All U.S. organizations – especially the multitude of social media platforms used by the global community – need to protect the data of their consumers or risk suffering severe economic repercussions. Mandatory security standards (e.g., those developed by the National Institute of Standards and Technology), supervised by a government body like the FTC, need to be in place, along with appropriate consequences, to hold these parties responsible for failure to comply. We can’t expect organizations – no matter how much they say otherwise – to do the right thing. They must be shown what that is and how to do it, and ultimately be held accountable to the fullest extent of the law.
This is a guest post written by Emilio Iasiello