Why The Cambridge Analytica Investigation Is Relevant to Any Facebook User
Facebook promotes itself as a way of staying connected to the people and subjects you care about. But what if that person – and that subject – is you? And what if you don’t know that you’re being followed, monitored, studied… and influenced as a result?
Today, most of us are aware that Facebook collects our data and essentially sells it to marketers internally, via Facebook ads. This allows brands to analyze audiences and carefully target ads to specific interest groups or types of people on the platform.
Until recently, though, what most people didn’t realize was that other companies were finding ways to get in on the action, too. The most prolific of these was Cambridge Analytica, which was recruited to help get Donald Trump elected President in 2016 and to promote the UK Brexit movement’s Leave.EU campaign.
Both of these efforts were, of course, successful. But since 2017, it has become increasingly apparent that the company used illegal, covert means to collect user data on behalf of its customers – and that Facebook was also partially responsible for letting it happen.
What is Cambridge Analytica?
Or rather, what was Cambridge Analytica? Spoiler alert: the company shut down in 2018 as a result of the fallout from the Facebook scandal, as we’ll get onto a little later.
But back in 2016, Cambridge Analytica was still a political consulting firm that specialized in political data analysis. A subsidiary of the British strategic comms company SCL, it was led by CEO Alexander Nix and Steve Bannon, who would later become one of Trump’s closest political advisers before being fired in a dramatic fall from grace in 2017 (but that’s another story). Bannon secured the funding to launch Cambridge Analytica from billionaire father-and-daughter conservative mega-donors Rebekah and Robert Mercer, with Bannon himself becoming the company’s vice president.
Cambridge Analytica’s controversial approach was to collect huge swathes of information about individual people (or what it called “data points”) in order to build personality profiles of types of voters or groups, which could then be used by private clients to target their ads through psychographic targeting.
Wait… What’s Psychographic Targeting?
I’m glad you asked. In marketing, “psychographic data” refers to any kind of information about a person that helps you understand what makes them tick. Basically, things that tell you about their goals, values, belief systems and so on.
Marketers love this stuff because it takes them well beyond standard demographics. By “demographics”, I mean core facts about a person, like age, gender, profession, where they live, marital status, whether they have kids and so on.
For example, on paper, it might look like two white Texan working moms in their 40s have a lot in common, but of course, it’s entirely possible that they are completely different people with wildly different worldviews. An evangelical Christian mother who is fervently pro-Trump and supports the NRA, for example, probably doesn’t see the world in the same way as one who takes her kids with her on feminist marches, is trying to go vegan for environmental reasons and campaigns for Alexandria Ocasio-Cortez in her spare time.
Once you consider all the myriad variations and subtleties and combinations of viewpoints that exist in between them, you begin to see how limited demographic information really is to marketers. The point of psychographic data is to go beyond the obvious by looking for clues in people’s online behavior that tell you who they really are or how they really think.
That’s all well and good when you’re just trying to sell dishwasher tablets, but it gets a lot more sinister when this approach crosses over into political communications. If you actively seek people out that think a certain way, design ads that draw on their specific fears, underlying belief systems and prejudices, and then ensure that only these people see your messages, this can be extremely damaging.
Not only does it give you a way to exploit beliefs that may be unfounded, it also creates an “echo chamber” around your messaging. The only people who see your ads already believe in what you’re saying, so there’s no one to challenge it. This creates the illusion that everyone is on board with your message, with little debate or nuance. No wonder the political campaigns of the past five years or so have been so spectacularly divisive, all around the world.
All of which leads us back to the entity that helped bring all this to the fore: Cambridge Analytica and its parent company, SCL.
What Caused the Scandal?
SCL already had a shady reputation for political meddling long before it set up Cambridge Analytica. The company had been involved in 25 electoral and political campaigns stretching back to 1994, mostly in the developing world, and rebranded itself in 2005 as a specialist in “psychological warfare”. Its website boasted of influencing the outcome of elections in countries as diverse as the Philippines, South Africa, India, and Ukraine.
But while SCL was happy to work with politicians and militaries abroad to help them manipulate public opinion and shape voter behavior, their tacticians were rather more squeamish about doing this for domestic campaigns. As Nix told journalist Sasha Issenberg in 2015, “It’s difficult to ask people in their own country to work on a campaign they don’t support.”
Perhaps if they’d stuck to this policy, the scandal wouldn’t have broken at all. But Cambridge Analytica, which operated in the US and the UK, was created to monitor US political campaigns and then the pro-Brexit Leave.EU campaign. Both of these were much too close to home for the staff members who eventually blew the whistle on what went on at Cambridge Analytica.
Cambridge Analytica and the 2016 US Election
Here’s where things get really murky. During the 2016 election, Bannon reached out to the Trump campaign to see if they could work together – and Cambridge Analytica was hired.
Cambridge Analytica’s selling point was that they had amassed so many data points on so many American citizens that they could build incredibly defined psychographic profiles and targeted ad campaigns. These would help the Republicans to adapt their ads to different types of people, appealing to their personality types, fears, and attitudes.
The question was: how did they get hold of all that information in the first place?
Well, according to a string of employees at the company, they hijacked it. Data scientists harvested the profiles of millions of US Facebook users, using their personal, private information to build complex psychological and political profiles that could be used for psychographic marketing campaigns.
In fact, Cambridge Analytica has been accused of secretly storing and using data on up to 87 million Facebook users without their permission.
How Did They Manage THAT?
Here’s how it worked. A researcher called Aleksandr Kogan working at Cambridge University’s Psychometrics Center built a third-party app called “This Is Your Digital Life”, structured around a quiz format. When people downloaded it, they also shared their personal data, “likes”, newsfeed, timeline, friend lists, posts and in some cases their personal messages with the app.
Initially, this was simply used for research purposes; Kogan even had ethical approval from the university for his study. The problem came when Cambridge Analytica got their hands on the app. Despite the fact that fewer than 300,000 people actually downloaded it, Cambridge Analytica was able to harvest data on tens of millions of people. That’s because the app could collect information on anyone you were friends with, too.
Think about it for a second: how many Facebook friends do you have? A few hundred? A thousand? If any of those people had downloaded the app, there’s a strong chance that Cambridge Analytica would have been able to get to some of your data, too. And if you’d used the app, you could inadvertently have shared private information about all those people in your network without having a clue. You can see how a few hundred thousand downloads ballooned into tens of millions of people, pretty fast.
Meanwhile, data scientists back at Cambridge Analytica HQ were busy mining all that information about you and your Facebook friends, including articles you shared, groups you joined and things you said in posts or private messages. All of this was to build a picture of what kind of person you are. The team would then use these insights and clues to build personality profiles that would shape the way political ads would be targeted at you in the future.
So Where Does Facebook Come Into This?
As we’ve seen, this whole strategy relied entirely on Facebook. The app exploited a loophole in Facebook’s API that allowed it to harvest data from friends of the people who took the quiz. These people certainly hadn’t given their permission, even if the initial person who downloaded the app had given theirs.
Facebook did, in its defense, ban the sale of any data collected by third-party apps on the site. This didn’t stop Cambridge Analytica, though. The plan all along was to sell this information to their clients to help them run psychographic-targeting political campaigns.
For this reason, a lot of people were more angry with Facebook than with Cambridge Analytica. After all, they’d entrusted their personal information to Facebook, so wasn’t it Facebook’s responsibility to ensure this wouldn’t get handed over to an external company without their knowledge?
At the time, Facebook apologized for the breach and promised to tighten privacy rules to prevent such a thing from ever happening again. A month after Cambridge Analytica’s actions came to light, Facebook made changes to its developer APIs (i.e. the things that control how apps interact with Facebook data). This was supposed to limit the volume of data that developers could scrape from Facebook accounts, but as I’ll talk about in a moment, there have been multiple breaches since.
In April 2018, Facebook CEO Mark Zuckerberg also announced that Facebook would implement GDPR rules across the board for all its users, not just those based in the EU. These regulations demand that websites and apps get explicit or implicit permission from users every time their data is used for a new purpose, and remove any data they have stored on a person once this purpose is complete.
Despite all this, some employees from the social media platform’s privacy team at the time claimed that, internally, there was a battle between their department and those tasked with monetizing the site. Facebook wasn’t genuinely interested in protecting its users’ privacy on the site, they said, because its entire revenue-generation model was based on collecting detailed information about users and selling this to help them create more targeted and effective advertising campaigns.
But These Companies Were Investigated, Right?
Thankfully, yes. There has been a string of media and government investigations into the actions both of Cambridge Analytica and Facebook.
The Cambridge Analytica Investigation
In 2017, the UK public broadcaster Channel 4 led an in-depth undercover investigation into Cambridge Analytica.
Claiming to represent Sri Lankan political candidates, an undercover reporter approached Cambridge Analytica as a potential customer. During the course of this meeting, CEO Alexander Nix described some tactics the company would use for opposition research and to discredit rivals, including manufacturing sex scandals, bribery stings and honey traps using prostitutes.
With regard to the US presidential election, Nix boasted that Cambridge Analytica had run all the digital communications for the Trump campaign. He also implied that the company helped to facilitate a coordinated election strategy between Trump and the PAC funding his activities, which is illegal, although Cambridge Analytica later denied this was the case.
Investigations into Facebook
In light of all the evidence that had come forward, the Federal Trade Commission in the US launched an extensive investigation into Facebook’s role in the breach. The commission concluded that the company was indeed responsible for violations of its users’ privacy and handed CEO Mark Zuckerberg a whopping $5 billion fine.
Facebook also negotiated a 20-year agreement with the FTC over how it would proceed, including more stringent guidelines for how it would handle privacy leaks in the future. Part of these guidelines requires that Facebook submit any new products and services it creates to a third party to review privacy issues and other potential oversights.
However, last year, the State of California launched a separate, ongoing investigation into Facebook’s privacy practices. In fact, the Attorney General has issued 19 interrogatories and 6 document requests over the past 18 months… and Facebook has failed to respond to any of them. This includes a subpoena (which has been ignored) for documents relating to Cambridge Analytica, suggesting that there might well be more information about the improper use of data that Facebook is keen to keep quiet.
What Was the Outcome?
Cambridge Analytica, thankfully, is no more. It closed down in May 2018, along with its disgraced parent group, SCL.
Facebook, on the other hand, is more profitable than ever – without having made serious or significant changes to how it operates.
A year has gone by since the scandal broke and the company is yet to clean up its act. This month, Facebook admitted that around 100 developers have accessed data in ways that should have been prevented, including by gathering names and profile pictures from Facebook groups without users’ permission. Meanwhile, despite the much-publicized API changes, data leaks continue to happen all the time.
What’s more, Facebook is already in trouble with the FTC again. The company is now being investigated for antitrust violations and many analysts expect it to face legal action next year.
Among the apps that were banned altogether was one called myPersonality, which reportedly refused to comply with an audit into data management, while sharing information with various companies and researchers, despite limited protections for the original data holders.
Facebook is also suing Rankwave, a South Korean data analytics firm that refused to comply with its investigation. It has filed legal action against LionMobi and JediMobi, both of which made money by infecting user phones with malware using apps shared through Facebook, and against two people who harvested Facebook user data using a quiz app.
What Does the Cambridge Analytica Investigation Mean for Users?
Ultimately, what it boils down to is this: you can’t rely on Facebook, or indeed any social network, to keep your personal information private.
Whether the social media network exploits your data themselves or a third party finds a way to do it, someone out there is figuring out how to harvest your information. It’s simply too valuable a source of political and psychographic insights for marketing companies and strategists to ignore.
As a result, you need to think extremely carefully about what you want the world to know about you.
What the Cambridge Analytica scandal brought to the fore, too, is that your privacy depends not only on your own actions, but also on those of your entire extended network. Even if you’re the kind of person who obsessively reads every word in a privacy agreement online, someone else’s cavalier attitude could have leaked your data to a third party. It’s a bit of a wake-up call to anyone on social media.
Finally, the Cambridge Analytica scandal brought to life the oft-cited warning that if you’re not paying for something it means you’re the product. Facebook is free because it sells you to advertisers – or your data, at least.
How To Keep Yourself Safe and Protect Your Privacy
With all this in mind, let’s take a look at some of the ways you can strengthen your privacy while using Facebook.
Make Your Facebook Profile Private
This is particularly important if your profile lists personal information like your birthday and hometown, because that’s the kind of thing a fraudster can collect about you in order to commit identity theft. In fact, even if your profile is set to private, it’s worth reconsidering what information you share about yourself, just in case it gets into the wrong hands.
Which brings us to…
Limit Your Number of Facebook Friends
That might sound harsh, but every single person you’re connected to represents a potential privacy breach, after all. Do you really want to trust them all to keep your data safe? Also, if you get friend requests from people you don’t know, there’s a strong chance that these are bots or scammers anyway. Only accept the ones you trust.
Think Carefully About What Groups You Join
The same goes for joining Facebook groups or liking Pages. There are plenty of people out there who lack integrity and are looking for ways to scoop up data however they can. If you join a group, your name, photo and any publicly available information about you will be available to everyone in it – and potentially to any third-party apps they have installed.
Beware of Third-Party Apps and Games
Don’t Click “OK” to Everything
No one has time to read every word in every privacy agreement, but don’t just blindly agree to everything that pops up.
When you open a third-party app connected to Facebook, or use Facebook to sign in to another app, you get a window that says something like “This app wants to access the following from your Facebook profile…” Take a second to scan this list and uncheck anything you don’t want shared.
Use a VPN
Another concern when using Facebook is the fact that the site tracks your IP address and location, and can also monitor your broader web usage and online activity in general. Most of the time that’s not going to cause you much of a problem, but it’s still a privacy issue.
There may also be specific reasons that a company or government agency wants to track you in particular. Just this month, two former employees of Twitter were charged with using their positions to spy for the Saudi Arabian government. Among other things, the pair in question were reporting back on the IP addresses used by individuals critical of the regime when they signed into Twitter, helping to track down their locations.
Using a VPN helps you to conceal your identity and location when you’re online by masking your IP address behind a random one allocated by the VPN itself. This doesn’t completely protect your privacy – at least, not unless your Facebook profile is also anonymous – but it does at least make it harder for anyone, including Facebook, to track your whereabouts.
In some parts of the world, of course, you might have to install a VPN to access Facebook at all. The site is blocked in China, Iran, Pakistan, Sri Lanka, Tajikistan and North Korea. That means you’ll need a VPN that’s capable of unblocking Facebook, as well as one that encrypts your connection from end to end.
Let’s be blunt: if you’re using Facebook, you are taking a gamble with your internet privacy. There’s only so much you can do to mitigate that. As we’ve discussed here, there will always be a dodgy developer out there, looking for a way to get to your data. Meanwhile, Facebook has hardly put its users’ minds at rest that it cares sincerely about their privacy or security.
At the same time, social media has become such a common means of staying in touch and interacting with each other that it’s nearly impossible to avoid completely. Over a billion people around the world use Facebook and the numbers are still going up. The chances are that you’ll decide to keep using it, too.
But if you do, take precautions. Remember that anything you share about yourself can and will be commodified in some way or another. Simply put, never put something on Facebook that you don’t want to get sold. Because it just might.