So… what’s up with Facebook?
I usually begin these posts with a historical event used to introduce the topic at hand. But social media, and Facebook specifically, is relatively new and thus, I really have no relevant historical narrative to cite. I began using the social media giant when I joined my current company. A start-up cloud software company that had grown rapidly in the IT service management space, our founder had drawn inspiration from transformative technology firms like Facebook, Google, and Amazon. The consumerization of the internet was part of our mantra and translated into our strategy. I already had a Facebook account; I just started using it.
That was 2011. Now, seven years later, both companies are public with Facebook becoming a global behemoth with competitors challenging it for the attention of younger generations. And while this post is not a compare and contrast between Facebook and the company that signs my paycheck, the recent scandals involving the social media giant speak volumes about their different management styles, priorities, and most notably, view of themselves in the marketplace. The lesson that I hope future technical wizards take from the Facebook debacle is that a company can consider itself a transformative movement all that it wants, and in the Facebook case, it is true. But transformative or not, running a business requires a skillset and an interest beyond delivering keynote addresses at the best tech conferences and traveling the globe, meeting with world leaders. Running a business requires organizing its operations such that senior executives know “what the hell is going on” when Congress starts knocking.
My first manager and mentor out of college gave me sage advice. The context was insurance but it applies here. Doug Parrott said, “Amy, you do not want anything you say, do, or write, to be published on the front page of the Wall Street Journal. That’s the goal. Always think about how readers of the WSJ could interpret your words and adjust them accordingly.” I’ve carried these words and their sentiment with me for 20 years. They apply not just to documentation but to business practices. News coverage and press releases of all the great things about a company end up in paragraphs below the fold when that same organization is embroiled in a scandal.
So with that, I ask again, “What’s up with Facebook?”
Breach or No Breach? Third Party Apps, Privacy, and Should I be Worried?
At the risk of assuming that some readers do not fully understand what the media is talking about when it uses terms like “data scraping,” I thought I would attempt to explain. Just because I work for a software company does not mean I am an expert and thus, I hope the real experts chime in with anything I might miss. But to the last question, “Should you be worried,” I respond this way: It depends. I will explain more thoroughly a bit later in this post.
First, let me attempt to explain what happened with your Facebook data and that requires that we understand what information it captures. But we should be clear and place Facebook in the context of all the other websites and applications that you use on the internet: they ALL capture and retain data about you, the consumer. In the old days, we worried about our social security numbers, passwords, credit card and bank routing numbers. While we should always pay attention to what we provide to outside parties, we’ve built walls around personal and sensitive data with encryption, masking, and storage outside of the “store” where you actually buy products. Most online stores use third parties to manage their “carts,” which is the billing process. As data is transferred across the wire, it is encrypted such that would-be hackers require a key (or keys in some instances) to actually read it. Can hackers find holes in the code? Of course. That is why internet security has become a booming business. Software companies like mine are constantly assessing their products for vulnerabilities; the good ones (companies, that is) remediate issues quickly and notify customers of risk.
The data that Facebook and other social media platforms capture (and frankly, your online shopping, web browsing, and clicking trends) is considered your personal tastes and preferences. Open up your Facebook profile and you will see what I mean. Obviously, there is the “about” section, along with the biographical detail, and your posts. But under profile, look at the “More” drop-down. If you have taken the time to complete some of these sections, you realize, “Wow – I told Facebook a lot!” Every group you join, every “like” you click, and every page you visit gets logged. Your posts get scanned for keywords, all done to capture, log, and retain information about you, Facebook’s customer.
Before you freak out, think about it rationally. First, Facebook is not the only internet service that does this. If you live “on the grid,” and have a cell phone and computer, then companies know something about you. And that data has helped fuel our economy for about a decade. How many times have you purchased something online and then as you read an article on your favorite website, you notice an advertisement for something that is equally of interest? That “feature” alone has fueled Barnes and Noble receipts for the last 5 years and left me with more reading material than is possible to complete before I die. We are smarter (or should be) and more aware of world events because these platforms cache our data. If you use Facebook or Twitter as a news source, then you will be served up information on a variety of topics, many of which you have chosen as a topic of interest. (Note: there is a wide line between smart and gullible. Just because a piece of information is served up to you on Facebook, it does not mean that it is true. As we saw in 2016, a lot of what Americans consumed – and believed – was demonstrably fake. That led not only to potentially destructive election results but left a large percentage of Americans with an ignorant view of real-world events).
The problem arises when other parties get this same data (your personal preferences, likes, dislikes, etc) through illegal or unapproved means. Further issues are seen when these third parties use that data for malicious intent, including Cambridge Analytica, a data and consulting firm set up by the billionaire Mercer family to supply voter analytics to Republican candidates. If a third party, using an algorithm which they claim can identify voter preferences, can use the results of that analysis to target specific voters on Facebook with advertisements that blatantly lie about a candidate or create a false narrative about another, then we have a big problem in our democratic process. When outside parties can determine that an individual is susceptible to conspiracy theories, that tells a candidate where to bucket that voter and how to communicate to them. When this is done at scale, then yes, it can skew an election. And while the machinations in our last election so far seem isolated to the Republican Party, these tricks are not partisan. They can be used for good or evil, which is why we need to understand how it happened.
How do third parties get my data?
When was the last time you downloaded an app from the Play Store (Android) or App Store (iOS) or any other online service? Remember when you were asked to create an account or login? Many times users are given the choice to log in with one of their social media accounts: Facebook, Google+, or Twitter. As soon as you click on “sign in with X,” the app has access to the data X holds about you, according to the sending company’s terms and conditions. That newly downloaded app is called a third party app and its developers have agreed to T&Cs in return for the ability to access Facebook (Google or Twitter) data. There is also money involved. So a minor convenience for you has resulted in a transfer of personal data – specifically, what you like and dislike.
In 2014, Facebook changed its terms and conditions to limit what these third-party apps could access. But before those changes were made, these companies were able to access not only your data but also that of your friends. So while you may have set up your privacy settings to share information about yourself to third parties, your friends may have said no. This was a huge hole in the Facebook model and one that seems to have been exploited by Cambridge Analytica. There may have been other “holes” but this one – access to friends’ information – was the largest.
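The consent gap described above, modeled as an added example (not code from the original post): it compares who a third-party app can read when it may pull friends' data versus only the installer's own. The friend graph, user names, opt-out set and the rule that a friend's own choice is ignored are constructed assumptions that follow the post's description, not Facebook's actual API.

```python
"""Constructed model of the consent gap in friend-level data access."""

# Constructed, undirected friend graph; all names are illustrative only.
FRIENDS = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "erin"},
    "carol": {"alice", "frank"},
    "dave": {"alice"},
    "erin": {"bob"},
    "frank": {"carol"},
    "grace": set(),
}

# Users who installed the hypothetical app via "sign in with X".
INSTALLED = {"alice", "bob"}

# Users whose own privacy choice was "do not share with third parties".
OPTED_OUT = {"carol", "erin"}


def exposed_profiles(friends, installed, friends_access):
    """Return the set of users whose profile data the app can read."""
    exposed = set(installed)
    if friends_access:
        # Assumption from the post: the installer's consent is enough to
        # release each friend's data; the friend is never consulted.
        for user in installed:
            exposed |= friends.get(user, set())
    return exposed


def consent_gap(friends, installed, opted_out, friends_access):
    """Summarize who is exposed and who never agreed to it."""
    exposed = exposed_profiles(friends, installed, friends_access)
    never_asked = exposed - set(installed)
    return {
        "exposed": sorted(exposed),
        "never_asked": sorted(never_asked),
        "opted_out_but_exposed": sorted(never_asked & set(opted_out)),
        # How many profiles the app reaches per person who actually consented.
        "amplification": len(exposed) / len(installed) if installed else 0.0,
    }


if __name__ == "__main__":
    for label, flag in (("friends access allowed", True),
                        ("installer data only", False)):
        print(label, consent_gap(FRIENDS, INSTALLED, OPTED_OUT, flag))
```

The number to watch is `never_asked`: under the friend-access model it grows with the installers' friend counts, not with the number of people who agreed to anything.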
Let’s get a few facts out of the way because the intent of this post is not to turn the Facebook scandal into more political noise. It is, however, hard to separate as it was a CA whistleblower that blew the lid off the Facebook privacy loopholes and how they were exploited by third parties during both the 2014 and 2016 American elections.
Cambridge Analytica is a spin-off data analytics firm, set up in the United States and funded by Robert Mercer. According to Christopher Wylie, the whistleblower who came forward several weeks ago, Mercer funneled a lot of money (I have heard millions) into the company in order to research Facebook data that it initially received from another party, Ph.D. candidate Michael Kosinski. Kosinski was earning his doctorate in “psychographic profiling” and had obtained data from Facebook legitimately but then shared that information with CA without Facebook’s permission. Facebook found out that its user data had been exposed in 2015 and directed Cambridge to delete it. Apparently, Cambridge Analytica, in a well-crafted and calculated document, told Facebook authorities, “Done. All data has been deleted.”
The fearless Millennials running Facebook never thought that a company might lie, never bothered to verify, nor did they notify users that their data may have been pilfered by a data analytics firm run by Steve Bannon and Robert Mercer. Only later would the world learn that not only did Cambridge lie to Facebook about the data it supposedly deleted but, according to Wylie, the ultimate objective of the CA project was to change American culture by promoting far-right Republican candidates with their extremist views. The idea, which Wylie has testified to British investigators, was to promote the far-right nationalist, anti-globalist, anti-immigrant, Trumpian ideology. Using data “harvested” from Facebook, analysts could determine through complex algorithms which voters were susceptible to Trumpian messaging. Of course, there is now the suspicion or question of whether those results were given to, say, the Russians, to help with their misinformation campaign or whether American political campaigns created and targeted fake information to unsuspecting and gullible Facebook users.
Additionally, Cambridge Analytica must have created its own third-party app called “thisismydigitallife” for users to download and connect to Facebook. I have only recently become aware of this app but as I understand it, CA sent a survey or quiz to Facebook users and captured their answers and results. That information was then “harvested” and used in ways outside of Facebook’s terms and conditions. FB recently announced that they had terminated their relationship with CA, specifically its third-party app. Again, I am unsure of what this did but it is possible that it was an app that allowed users to consolidate their entire inventory of online profiles, thus providing Cambridge with access to billions of bytes about personal tastes and preferences, shopping history, posting history, etc.
There is more to the Cambridge Analytica story – more apart from Facebook (at least at this time). Their CEO, Alexander Nix, was caught on video bragging about tactics they used to get candidates elected. Ukrainian prostitutes and faking fraud were two examples. And remember that professor? Kosinski? Well, he has ties to Russia as a visiting professor at the University of St. Petersburg. Because of course, Russia. Through his attorneys, Christopher Wylie is negotiating with American investigators and Congress about possible hearings. So watch for that.
But back to Facebook
Before I forget, let’s define “data scraping.” It sounds very surgical as does “harvesting.” I’d love to write a book explaining how techies come up with these terms. Data scraping, harvesting, extracting; these are all words that mean the same thing: grabbing data from one place and putting it somewhere else. And while the definition seems simple enough, the process can be a nightmare. I’ve been involved in enough one-time data conversion projects to know that what these third-party apps “harvested” was complex and massive. To be useful, the algorithms would have to be incredibly intricate with result sets made available through special software. It’s way beyond Excel.
Facebook’s current public relations nightmare is centered around its relationship to Cambridge Analytica and the steps that it did not take to ensure that data CA had obtained outside of Facebook’s terms and conditions had been deleted. The scandal has grown in the last couple of weeks because of new revelations about what Facebook knew and when, as well as the constant revisions of the number of users impacted. The numbers are now in the high 8 digits.
Facebook’s fall from grace is not isolated to Cambridge Analytica. If it was, then I think it would have been a scandal similar to what we have seen in other data breach situations. Target, Home Depot, Equifax, and others each had their corporate scandals. Some were handled better than others, but at most, these companies paid out huge amounts to credit bureaus and had to rebuild trust with their customers. Some executives had to testify before Congress, but by and large, there is a typical playbook for these types of operational screw ups. Follow the checklist, make sure you have good lawyers and public relations experts and you can ride out the few weeks of bad publicity.
But Facebook’s executives, specifically founder Mark Zuckerberg and Chief Operating Officer Sheryl Sandberg, could not have been more inept in their response to the controversies surrounding their company. Cambridge Analytica and the privacy issues that it exposed were just the latest in a long string of bad news for the tech goliath. Hark back to 2016 and you find evidence that FB’s executives, along with those from Twitter, were warned (by U.S. intelligence services) that their platforms were being used by foreign entities (aka – the Russians) in what was then noted as an interference campaign to sway a presidential election. Neither company took it seriously and Zuckerberg specifically went on record denying that his platform was used in that way. The public would soon learn that Facebook (and Twitter) had hundreds of accounts associated with Russians and in Facebook’s case, had sold $100,000 worth of ad space – ad space paid in Russian rubles.
Zuckerberg and Sandberg’s ongoing defense was that Facebook was not in the business of policing speech, which of course is true. However, in the case of 2016, we saw blatantly false (aka ‘fake news’) articles and stories spread across Facebook and Twitter, the result of a carefully orchestrated and calculated effort to target specific voters susceptible to believing misinformation and conspiracy theories. Ads on social media are not required by law (as ads on TV or radio are) to display who paid for them, something that Zuckerberg has lobbied against. Add to this the appearance of “bots,” or automated accounts that would repost and retweet these fake stories, giving them credence, and a lot of Americans heard a lot of political noise. Facebook has now implemented new procedures to try to prevent some of this misinformation in the future, but once the genie has been let out of the bottle, it will be very difficult to get her back in.
I cannot overstate my surprise at Facebook executives’ response to this entire debacle starting with the Russian misinformation campaign. Their public statements were laced with a level of arrogance that was simply jaw-dropping. First, to deny (or disbelieve) that your baby played a role in a foreign power’s misinformation campaign was bad enough, but to continue to assert that the normal rules of the road did not apply because your company was actually a ‘movement’ and not a publicly traded corporation was beyond comprehension. You can lead a movement, Zuck, but you still have to do all the boring stuff like protect customers’ privacy, trust but verify.
Cambridge Analytica is not the last shoe to drop. We will continue to learn about how they and other data analytics firms used or misused data in 2014 and 2016. We can impose laws that require Facebook and Twitter to reveal who paid for an ad or the person behind a social media account, but if consumers (aka Facebook and Twitter users) are not more diligent and careful in their use of the platforms, then knowing the names of account users will mean nothing. If you are gullible enough to believe that Hillary Clinton and John Podesta operated a pedophile ring in the basement of a D.C. pizza shop, no amount of transparency can make you smarter. We all have to be accountable for the information we spread. “Sharing” shit for the sake of “getting it out there for the public to decide truth” is a ridiculous excuse for spreading known lies.
To be fair, social media is still the new frontier; our laws and regulations have not yet caught up to the power of these platforms. And given our political environment, there is the general inclination away from regulation. Other countries have done it – we should too. In the meantime, double check your privacy settings and be aware of what third-party apps know about you. Supposedly, we were all to be notified today whether we were victimized by Cambridge Analytica. I suspect that most of us did have data exposed which is exactly why we should be diligent and careful about what we read online.
Finally, before you start panicking, think rationally. Keep everything in context and measure the benefits against the risks. If you are selective in what you read, forward, and share, then you control the impact of data scraping. Rather than delete accounts, become a smarter user of the internet.