On Facebook, Cambridge Analytica And Data Privacy [in Indonesia]
I don’t think I should repeat all the news going on about the “data privacy breach” going on at Facebook, with the name Cambridge Analytica attached to it. But for those not following the news closely, this is my take on it:
- psychology professor Dr Alesandr Kogan built an app, “thisisyourdigitallife” which basically grabbed user data, but still within Facebook TOS
- He then gave it over to SCL/Cambridge Analytica, which Facebook TOS clearly states is in violation
- SCL/Cambridge Analytica then proceeded to use that data, 50 million user accounts in all, to create voter profiles and create hypertargeted ads and bots to influence the 2016 US Presidential election
So now people are calling for #deleteFacebook, even one of the founders of Whatsapp, which sold to Facebook for, well, a lot of Lambos.
Sorry, am I missing anything?
First of all, Facebook, for all its stringent TOS, is not the police force. They actively enforce the TOS whenever possible (read: whenever it can be automated) but when people break the TOS, it’s not really breaking any law. How should Facebook react? The most extreme act they can do is suspend the partner in question and do a data audit. The extent of such data audits are also limited as they probably can only check the partner in question, not other external parties, since this already falls under the purview of law enforcement (not corporate enforcement).
Let me try to look at this from another angle: credit card user data in Indonesia.
It’s common knowledge now that if you have a credit card from bank A, there is a high possibility that you will get calls from bank A offering non-collateral loans at least once a week, but also from bank B or bank C, even from insurance company D. I even got calls from random companies offering vague “trading opportunities” that couldn’t be explained by phone, and they have to meet us.
Shouldn’t there be a data privacy rule that prevents bank A sharing information to others? Because that’s what has obviously has happened. But it has happened — every call I get (before I block the number) I usually ask, “where did you get my number?” and they give me some vague answer like “the office database” or “credit card database”. It stems from an identifiable source (also them calling me with my first and middle name is telling, as my middle name is not printed on my business card).
So why isn’t anybody calling for #deletecreditcardcompanies? Or at least, call for a class action lawsuit? There’s an obvious data breach going on.
Back to the Facebook fiasco.
My company uses the Facebook data access in question, which is basically an API for Facebook app developers to create apps on top of Facebook, to provide additional value for its users. The TOS is pretty clear that any data obtained cannot be transferred to another party, not even another app developed by the same company. It functions as an information layer to enrich whatever experience we want to deliver to the Facebook user, or at least that’s how Facebook wants it to be.
We use the data to compile a data snapshot of participants of an event — demographic ranges, interest/likes ranges, to how active they were at the event (current record is 200 photos by one person at a week-long event), but never any of the personal data obtained through the Facebook data stream (this we obtain through other ways with the user’s consent, as they are the ones inputting the data).
A marketer’s dream is of course, through one click of a button, obtain user data so rich they can create highly targeted ads to their intended market, creating higher conversion rates for every marketing dollar spent. And this is exactly what SCL/Cambridge Analytica did — except that they did not do it with data they obtained themselves. But it also serves as a morbid example of the potential of personal data used for ad targeting.
Anyway, back to the data breach — say you lent your friend a set of files through a USB thumb drive, saying he should not copy it to anyone else. How powerful can you be in safeguarding the data you just lent to your friend, apart from being annoyingly specific on the rules and probably checking your friend’s computer to see if he copied the files? Not to mention, the files contain the data of other people which should only be used for business between you and him, which he used for other purposes.
Yes of course Facebook is at fault. But what good deleting Facebook do? And the extent of the data breach and how it was used to spend Facebook Ad dollars — how would Facebook know it was an abuse to private data unless they knew how and where to look? Data patterns are always present and viewable, but the conclusions aren’t always as apparent unless in hindsight.
I’m not saying we let Facebook off the hook. I’m saying we should understand the problem in depth and see what we can do about it — starting with, being completely aware to whom you are giving your personal data to. Or even giving personal data at all. Because, abuse of private data is not just happening at Facebook. My blocked numbers list is a witness to that.