Data Harvesting – What Happened?
It has been widely reported that a researcher from Cambridge University, Aleksandr Kogan, used an app he built called This is Your Digital Life to harvest personal data from Facebook users. The app was a personality quiz that asked Facebook users for information about themselves. Roughly 270,000 Facebook users agreed to complete the quiz. But the app also collected the information of each of these users’ Facebook friends without their knowledge. Kogan allegedly accessed the personal information of over 50 million Facebook users without their consent.
Kogan had a company called Global Science Research, which had a deal to share data from the Digital Life app with Cambridge Analytica. Cambridge Analytica is a British political consulting firm that uses data mining, data brokerage, data analysis and strategic communications to influence electoral processes. It has been reported that Cambridge played a significant role in Donald Trump’s election campaign. As such, the personal information of many Facebook users was allegedly used to influence the 2016 U.S. election without the knowledge or consent of the information owners.
Why Should You Care?
Don Tapscott is one of the world’s leading authorities on the impact of technology on business and society. Although there is a perception that privacy is dead in the digital age, his position is that privacy is a fundamental right. He illustrates that our online activities enable the creation of a “virtual you”. This “virtual you” might know more about you than you do yourself because the “virtual you” compiles information like the movies you watched online, what you’ve said, goods and services you bought, over an extended period of time – information most people don’t remember. The problem becomes how the information related to the “virtual you” might be used. Tapscott uses two examples:
- One is government surveillance. It is possible you could be stopped at a border or denied boarding on a flight without knowing why, what you are accused of, or what evidence exists against you. In Tapscott’s opinion, it is wrong to assume that governments always act in a benevolent manner.
- There is also the concern about companies like Facebook that are amassing giant assets of personal data, perhaps the greatest assets in history. And now as we have seen, one should not assume that these tech giants are building these assets with your permission or disclosing how they are using your personal information.
March 12, 2017 was the 28th birthday of the World Wide Web. On that day, Tim Berners-Lee, the inventor of the World Wide Web, commented that we have lost control of our personal data. He observed that people are relatively willing to exchange personal data in return for free content by accepting long and confusing terms and conditions documents. He stated that our personal data is held in proprietary silos, out of sight to us, and that we usually have no direct control over this data and limited to no control over when and with whom our personal data is shared. Berners-Lee also noted that we usually don’t have any way of controlling what data we don’t want to share – especially with third parties. The recent Facebook breach validates all of these concerns and it is remarkable how these concerns have evolved in less than 28 years.
Is This a Tipping Point?
The recent Facebook data harvesting incident may be a tipping point in terms of the extent to which people will share their personal data.
It is likely there will be more government regulation, similar to changes to the European Union’s General Data Protection Regulation that comes into effect on 25 May 2018.
- Companies will no longer be able to use long confusing terms and conditions full of legalese regarding consent to use personal information.
- Requests for consent will be required to be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
- Consent will need to be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.
- It must be as easy to withdraw consent as it is to grant the consent.
It is important to highlight that these requirements will apply to companies processing the personal data of data subjects residing in the EU, no matter where the company is located.
It is also likely we will see greater use of emerging technologies to safeguard personal information. For example, blockchain can provide the opportunity to choose if and when we will share our personal information. For more information, refer to this article from Harvard Business Review – Blockchain Could Help Us Reclaim Control of Our Personal Data.