How much should we care about Cambridge Analytica, and how much were Facebook to blame?

One of the things that’s struck me over the recent weeks has been the reaction to the recent leaks coming out of Cambridge Analytica. In my eyes, Facebook’s argument about there not having actually been a ‘data breach’ holds true; but there are still certain questions we should be asking ourselves around what digital citizenship looks like, and how much privacy can we expect in a world of ever faster processing speeds and with the barrier to entry being consistently lowered.

Back in 2016, an old colleague approached me about an idea that he was working on with a group of guys I knew. It was a social media listening tool that could be used to help political parties better scope their messaging and a ‘machine learning’ element to ensure that the lessons could be learned much faster than traditional methods. A noble aim, and nothing too out of the ordinary. A natural development from traditional manual-based process to a digitally-augmented solution. Bread & butter.

It’s worth re-articulating what these previous methods were:

I don’t think there’s many people that would object to the digitisation of these efforts, especially those that had to attend or manage what I’d imagine to be fairly tedious focus groups…

So, fast forward to the digital sphere and suddenly we’ve got a whole load of new information that can be cross-referenced to find out new causal relationships. One of the key elements of the Cambridge Analytica scandal was the way in which they could segment your political beliefs based on the things you’d ‘liked’. Frankly, in the analogue world any doorstepper who got invited into a lounge for a cup of coffee could have glanced up a bookshelf to do the same thing - still a bit creepy, but limited in depth.

After posting on Facebook a little ‘well done’ to all my connections around not having filled out the “My Digital Life” questionnaire, therefore not sharing my data with CA, I got some fairly pragmatic feedback:

"Thank God - imagine what CA could have done with the info that you'd watched "My Sister's Keeper" 5 years ago and wrote a blog post about panic buying carrots in 2013..."

Well, I can only agree with the sentiment. This is not a Facebook problem. I happily posted about “My Sister’s Keeper” on this blog a few years ago, and yes, I did panic buy carrots and that’s here too. Looking back at my internet history (for those of you wanting to waste some time and googling me), you’ll also see I posted about Sting’s concert on the night of September 11 2001. I’ve got a digital identity that’s fairly immutable - much of what I’ve posted I no longer have access to accounts to delete, and nor do I particularly want to.

Ultimately this shouldn’t be a question of about what we post up to Facebook or not. I did it in full knowledge that anything on my profile was public domain. Facebook storing a history of my private messages, yeah that’s a bit of a different question but still part-and-parcel of online life. Alternatives are available.

Do Facebook have a responsibility to their users? Possibly, but ultimately their chief responsibility is to their shareholders. Agree or disagree, they’re the facts and that the incentivisation to think about when you’re making a decision of where you put your content.

Do I think there’s a place for regulation?

The problem faced by digital organisations is in how you convert a principle (all communications that user’s believe to be private should be kept private), into an action. A great example is the Cookie Policy from the EU, designed to prevent users being tracked online. Unfortunately it’s behind the pace - at the same time we were adding disclaimers to websites, I recall being in a discussion with an advisertising company that had stood up a system of Wifi-sniffing bins that would show advertisements based on the hardware addresses of the phones going past the bin (they could work out the manufacturer and model from the MAC address, and thereby calculate a demographic per bin - crazy!). Ironically right now the new UpLink screens being thrown up around central London appear to be a more ‘snazzy’ implementation of the same thing. Data collection & profiling.

What regulation needs to do is articulate what ‘private’ should mean online. Most people I speak to are surprised when I point out the most email is completely public. It passes through server-to-server with little protection from anyone reading it. Whatsapp on the other hand at least encrypts your messages so that you at least know which parties have access to your message - you, your receipients, and Whatsapp/Facebook. My suggestion would be that services need the equivalent of the SSL ‘Secure’ seal which defines what ‘private’ really means - but I expect (in the same vein as SSL certificates) that this will cost in the short term until the innovators catch on and find a way to reduce these costs.

Cambridge Analytica did what they did, and right now there are probably hundreds, if not thousands of organisations trying to replicate their data. All Facebook did was reduce the difficult ahead that of their competition. The level of access that you can get on an individual user based on their Facebook profile is indeed significant, but by cross-referencing anything about my digital identity online you could probably come up with as significant a profile on many people. Don’t get bogged down in vitriol about the immediate tactical response, but think longer term about the right strategy to hand over the internet to the next generation of netizens.