The Low Cost of Election Tampering

November 25, 2019

Misusing personal data costs less than US$ 60 per user worldwide and a piffling 65 cents in Britain, hardly an incentive for social networks to take privacy seriously.

By Zsuzsa Detrekői

The blatant misuse of personal data by Cambridge Analytica (CA), a British consultancy specializing in using behavioral sciences and predictive data analytics to provide targeted advertising and other data-related services, is already common knowledge. Netflix made a documentary about it.

CA folded in 2018 after only five years in business. Facebook, the social media platform from which CA harvested the data, was fined. Regulators prided themselves on imposing record-breaking fines on Facebook.

But what was the actual cost of this massive data breach with unprecedented consequences for the political process in so many countries? The short answer: less than 10% of Facebook’s annual revenues and less than US$ 60 per affected user.

In the Regulator’s Eye

CA worked in different areas ranging from food to security research to counter-narcotics. It served both corporate and political clients, including the U.S. government and army. The company has become known for the role it played in the political elections market as it had been increasingly using the behavior change methodology to influence elections. The company is known for its influence in political campaigns in a variety of countries ranging from Malaysia to Lithuania to Romania to a raft of African nations including Kenya, Ghana and Nigeria.

It is particularly famed for its work in Trinidad and Tobago, a tiny dual-island Caribbean nation where it exploited the political apathy among young black voters to such a degree that it tilted the electoral balance in favor of the majority-Indian United National Congress (UNC) party.

But CA is first and foremost infamous for using data of millions of people without their consent in Donald Trump’s 2016 presidential bid and Brexit’s Leave EU campaign, both successful.

To achieve all that, CA used data from Facebook. From 2006 to 2015, an app called ThisIsYourDigitalLife used a survey to collect behavioral information from Facebook users and their friends who did not change certain privacy settings to prevent misuse of data. Approximately 270,000 people took the survey. Through them and their non-consenting friends, Facebook provided data of roughly 87 million users to CA, information that was then used in the Trump and Brexit campaigns.

Regulators had already stepped in. In 2012, the U.S. Federal Trade Commission (FTC) charged Facebook with eight separate privacy-related violations, accusing the company, among other things, of making deceptive claims about consumers’ ability to control the privacy of their personal data. The regulator alleged that Facebook allowed users to choose settings that supposedly limited access to their information only to “friends” without adequately informing users that another setting allowed the same information to be shared with developers of apps that those friends used.

To settle that case, in 2012, Facebook agreed to an order that prohibited it from misinforming its users about the privacy and security of their information and the extent to which it shares personal data. The same order required Facebook to implement a reasonable privacy program.

But following the CA-related revelations after the 2016 Brexit referendum and U.S. elections, investigations from both the FTC and the U.K. Information Commissioner’s Office (ICO) unearthed big problems.

Violations, Settlements, Fines

The investigations found that Facebook repeatedly violated the earlier settlement provisions in various ways. For example, Facebook launched a few new rubrics with buzzy names such as “Privacy Shortcuts” and “Privacy Checkup” whose aim was purportedly to help users manage who had access to their data.

The FTC found that even if users chose the most restrictive data-use settings, the newly introduced tools allowed Facebook to make their data, including information about the news they watch and books they read, their relationship details, religious and political views and work history, accessible to companies that developed apps used by the users’ friends.

Furthermore, Facebook continued to give certain developers access to the “friends”’ personal data until 2018 although the social network had announced in 2014 that it no longer allowed third-party developers to collect data about the friends of app users.

Moreover, Facebook didn’t screen developers or their apps before giving them access to this massive amount of data that users had designated as private. When Facebook learned that app developers were violating the company’s terms, the enforcement action against developers was often influenced by how much advertising money developers spent on Facebook.

The FTC agreed on a new settlement, fining Facebook US$ 5bn last July and asking the company to further tweak its privacy practices and corporate structure, and change the role played by its CEO, Mark Zuckerberg, in running the company. The investigation run by the ICO in Britain also resulted in an agreement. It found that, in the case of ThisIsYourDigitalLife, Facebook had unfairly processed personal data and failed to take appropriate technical and organizational measures against unauthorized or unlawful processing of personal data, in breach of the Data Protection Act.

Rule-Breaking, Cheaply

At least one million Brits had their data unfairly collected via Facebook, and very likely some of these reams of data were used in the Brexit political campaign. The ICO fined Facebook a total of £500,000 (US$ 643,000) in 2018. To prevent further legal wrangling, Facebook agreed to pay and made no admission of liability. In summer 2019, Italy’s privacy regulator fined Facebook a total of €1 million for violations connected to the CA scandal, based on the fact that 57 Italians downloaded the ThisIsYourDigitalLife app.

In 2018, Facebook had sales revenues of US$ 55.8bn and net earnings of US$ 22.1bn. The number of U.S. users whose data had been collected without their consent is not known. Worldwide, there were 87 million such users. In Italy more than 200,000 Italians had their information gathered without their consent through ThisIsYourDigitalLife. In the U.K., at least one million users were affected.

That puts the total regulatory cost for tampering with personal data in the CA case at roughly US$ 57.5 per user worldwide. In the U.K. and Italy, those figures are much lower, in the range of US$ 0.65 and US$ 5.5, respectively.

Add to that the fact that the fines combined cost Facebook less than 10% of its annual revenue and less than its quarterly profit, and one can only conclude that fiddling with people’s data is still a bargain.

Zsuzsa Detrekői is a TMT lawyer and the former general counsel of a major Hungarian online content provider. Currently she is legal counsel of a major ISP in Hungary. She also provides legal support for the Association of Hungarian Content Providers. Her research area is online content and internet-related regulation, on which she wrote her thesis and earned her PhD in 2016. She is a Fellow at the Center for Media, Data and Society.
