Cambridge Analytica – a brief case analysis

December 2019

Omar Aldajani

The Cambridge Analytica data scandal was a major political scandal in 2018, in which former employee Christopher Wylie revealed that Cambridge Analytica had harvested the personal data of millions of people's Facebook profiles without their consent and used it for political advertising purposes. Cambridge Analytica researchers were able to gather this information by exploiting a loophole in Facebook's API security systems. They were able to gather information from the friends' network of any user who completed an online personality test. When revealed, this information raised questions as to the responsibility of the Internet industry. This piece aims to analyze the issues that stem from a data scandal such as this one and the implications of giving your data away.

One of the main issues concerns how the data is being gathered, what it is being used for and who takes responsibility when the situation turns sour. In this case, most of the blame was directed towards Facebook, which was required to pay a record $5 billion fine in the US for deceiving users about their ability to keep personal information private. Facebook also reached a settlement with the Securities and Exchange Commission (SEC) which included a $100 million fine. On the other hand, Cambridge Analytica was fined £15,000, with a victim surcharge of £170 and an additional £6,000 in costs, for failing to comply with an enforcement notice. The fact that Cambridge Analytica was not found guilty of anything other than failing to comply with an enforcement notice raises the issue that the blame is not being shared correctly.

Another issue is the standard of the security systems that deal with large amounts of data. For example, Facebook gathers information on people's likes and dislikes, but also their geographical location and personal information. The fact that Cambridge Analytica was able to bypass Facebook's security systems and find a loophole through which it could access user data without consent illustrates the low standard of security being set by the industry's leading companies and the danger of below-par security measures.

Another issue this case raises is the data trade-off that users accept without fully understanding the implications for their data when they agree to a company's Terms & Conditions. The Terms & Conditions agreement is usually more than 50 pages long and filled with complicated legal jargon and terms stating that they can be changed at any time. Additionally, while users do give consent to use the information, the network would not specifically inform them who was processing the data. Tougher rules have been introduced since the 25th of May 2018: the EU's General Data Protection Regulation (GDPR) obliges companies handling the personal data of EU citizens, regardless of where the company is located, to obtain clear and unequivocal consent for the processing of data.

As the value of data increases with its evolution into an advertising tool, we must open our eyes to what information we are willing to give away. Companies will continue to use data for targeted advertising and possibly psychographic profiling, since they are effective tools and can increase profits. However, as shown above with the EU case, we can limit companies' control of the data by pushing for stricter regulations regarding data and internet security.