The power of the Internet over our lives is unprecedented. It has pervaded every aspect of life whether online or offline and influences every decision we make. Particularly, the largest web companies like Google, Facebook, and Amazon have huge treasure troves of data on every users’ likes, dislikes, interests, fears, aspirations, habits, coordinates, political leanings, and more. This has been the focus of recent news reports about a data scandal involving Facebook and data analytics firm Cambridge Analytica. But Facebook isn’t alone in this fight to ensure the security and appropriate use of customer data — every company that has customer data should take heed as online data privacy and security is of first importance in today’s digitally connected world. Let’s analyze the incident involving the notorious Facebook scandal and take away lessons that we can apply to anyone building an app that handles their customers’ personal data.
In 2013, Aleksandr Kogan and his company Global Science Research created an app called “thisisyourdigitallife” that would give users a psychological profile of themselves. In the process, it ended up gathering personal data of the users who took the test, and their friends. Facebook allowed this kind of access to data in the drive to create more personalized in-app experiences. However, developers were misusing this data not just for developing better applications, but also to sell the data to third-party vendors like Cambridge Analytica, which was happy to use the data to analyze users and influence them using ads and other forms of online promotion.
A year later, in 2014, Facebook learned of this method of harvesting deep information about users and put in place restrictions to curb developer access to user data. However, the prime suspects of this data misuse had already taken backups and exports of the user data and now had it on their own servers. Stuck in this dilemma, all Facebook could do was to legally pressure Cambridge Analytica to delete all the user data they had in possession. While they replied saying they’d deleted all the user data they had, there was no way for Facebook to ensure this was true.
In mid-March 2018, Christopher Wylie, a former employee of Cambridge Analytica, accused the company of using data harvested from Facebook to influence the 2016 U.S. elections and the Brexit vote among other elections around the world. This set off a frenzy with political and media bigwigs crying foul over the lack of regulation around data owned by internet companies.
Along with Cambridge Analytica, other organizations that have been involved in similar activities are AggregateIQ, another political consulting firm that has worked with Cambridge Analytica, and CubeYou, which has created similar personality profiling apps aimed at collecting user data. Facebook has responded by banning these organizations from its platform.
Facebook responded by taking responsibility for the incident and took measures to communicate their stand, clarify misreporting, and stop the PR disaster at hand. With 87 million users’ data being compromised, this is no small issue, and Facebook has been right to accept its responsibility in badly managing its user data in the past. The company has felt the pressure with the #DeleteFacebook campaign gaining steam, and CEO Mark Zuckerberg having to testify before Congress.
Big questions after the Facebook scandal
The Facebook scandal has opened everyone’s eyes to the potential for use and misuse of online data. It surfaces many questions, and every organization building an app that collects user data, which is pretty much any company that builds an app today, should consider these issues carefully when planning their data privacy and security strategy.
What data does your app collect?
The most important question to ask is how much data your app collects, and how much of that data is actually essential for the app’s user experience. Facebook has always followed the route of collecting as much data about its users as it can. This is part of the broader effort to use deep learning and artificial intelligence algorithms to study user behavior at massive scale, and even influence it toward ends that benefit Facebook. This is the highest form of technical wizardry available today and every top web company is on a mission to have the most advanced AI team to get the most out of their user data. However, as seen in Facebook scandal, this can be a two-edged sword if the data is mishandled.
The best option is to gather just as much data as your app needs to perform vital tasks, and limit the amount of contextual and personal information it collects to protect both your users’ privacy and your own reputation as a company. The stakes are high — on one side there’s the lure of building the most intuitive applications that attract users, and on the other side are these privacy concerns that can bring down even the biggest company. It’s a fine balance, and you’ll be better off taking the cautious side and protecting the interests of your users and your organization in the long run.
Personalization vs. privacy
Related to the first point is the collection of data to improve the relevance of ads. With the top companies like Google and Facebook making almost all their revenue off online ads, the holy grail of online advertising is personalization. The most personally relevant ads perform best and rake in profits for the parent company. This being the case, companies stop at nothing to personalize the ads that show on their platform. Even newer companies like Snapchat use similar techniques to gather information from neighboring apps like Spotify, or even browser behavior to show more target ads to its users.
Policing third-party integrations
Third-party app integrations are essential to the functioning of any app today. This is true in the case of consumer apps like Facebook or enterprise apps like Salesforce. As the Facebook scandal clearly shows, how these integrations are set up and governed plays a huge role in the security and privacy of data. Many of the breaches that occur today can be traced to a lack of security around third-party integration. The dangers are real — the vendors can get away with mishandling of data more easily than you, the data owner. Vendors may not be equipped to enforce the same stringent security measures over the data as you can. Additionally, they may have hidden agendas that you may not predict or expect as the Cambridge Analytica-Facebook scandal case shows in classic fashion. All these reasons considered, there’s a need to police third-party integrations to ensure that vendors are responsible for how they use and access user data. You need to have in place specific policies governing the activity of vendors down to the finest details. Additionally, you need robust monitoring to find out when a vendor steps out of line. Policies without monitoring are simply rules meant to be broken, and they will be. Handing third-party app integrations is a complex effort, but is essential if you want to enforce the highest standards of security for your applications.
Transparency or avoidance?
Finally, when incidents are reported, how you respond matters. Facebook has been a slow mover in this aspect, keeping mum about the issue over a couple of years and only taking serious action after the issue snowballed into a PR disaster that affected their core user base. Quick action and communication as soon as an issue is discovered is the minimum requirement after your app has been found lacking in data security. Further, put in place measures for users to have more control and visibility into their data’s storage and use. Your users should know which third-party apps have access to their data and be able to revoke access at any time. An added bonus would be for them to export their data and store it for their record or for their own analysis so that even if they choose to delete their account, their data is their own.
The Facebook scandal is a rather unfortunate milestone in an otherwise illustrious journey from startup to one of the most powerful companies in the world. Facebook seems to have the scale and maturity to weather this storm. Not all applications may be as lucky. This is why it pays to give careful thought to how you store, share, and govern the use of users’ data in your applications. As discussed here, whether storing just enough data, monitoring vendors, or being transparent with users — there’s a lot you can do to ensure you’re never in the spot Facebook is in, firefighting against data disasters.