The extraordinary revelations from the Observer/Channel 4 investigation into the practices of the digital marketing firm Cambridge Analytica have, like many a great internet controversy, produced great outrage but few answers or ways forward. People are rightly horrified at the prospect of such comprehensive personal information being used to manipulate them by the million, but also daunted by the task of correcting it.
Many among the politically or technically savvy have responded with world-weary insouciance: “this has been going on for years”; “what did you expect?”. To be fair that view does have some merit. When you break it down, it is difficult to expect that combining the advertising and PR industries with the pursuit of political power, as enabled by Silicon Valley software start-up culture, would result in anything good. Indeed, it sounds like a dependable recipe for some of the worst that humanity has to offer.
The activities of Cambridge Analytica that came to light in the last week are the inevitable consequence of an arms race of marketing and political campaign methods that is at least as old as two-party democratic structures. Digital campaigning was born in the late 90s, but the foundation that Cambridge Analytica have built on was laid in 2012 on the ‘other’ side of politics.
Tired as every political observer must be of hearing it by now, undeniably the campaign to re-elect President Barack Obama in 2012 marked a major shift in the way political campaigns were run. Perfecting the direct email mobilisation and fundraising strategies pioneered by the Howard Dean primary campaign in 2004, and combining them with the same data-driven messaging techniques national retailers were using to predict pregnancies, elevated the Obama for America campaign to an unprecedented level of sophistication and capability.
About a year out from election day, the Obama campaign team realised that existing avenues were incapable of reaching the millions of possible voters below the age of 30 they needed to engage and mobilise to ensure electoral college victory. The digital team built a Facebook app, an app that exploited the same irresponsibly loose restrictions as Aleksandr Kogan used when he built thisisyourdigitallife to acquire the more than 50 million Facebook profiles that ultimately ended up in the hands of Cambridge Analytica. Software developers all over the world utilised this same method, and profited not from interactions with users who installed their apps, but by making use of the thousands upon thousands of Facebook profiles they could then access, all without any consent from the ‘owner’ (the subject) of the profile.
Profile information on every Facebook friend of every Obama supporter who installed the Facebook app became available to the campaign, enabling them to cross-reference it with any data they had acquired already. That previously acquired data included both publicly and commercially available information. If no other contact information was found, those Facebook friends of that supporter were identified as prospective new voters. This triggered an email to the supporter who had installed the app, encouraging them to ask those friends to register to vote for Obama.
More than a million people installed the Obama 2012 app on Facebook. Over 600,000 of those supporters reached out to at least one unregistered friend when prompted. By the end of the campaign, bolstered by newly obtained data as well as traditional sign-ups, Obama for America had more than 125 million contacts in their database.
Obama for America Digital Director Teddy Goff said at the time, “I think this will wind up being the most ground-breaking piece of technology developed for this campaign.”
Four years later, a digital marketing firm retained by Donald Trump turned the whole idea on its head. Using targeted messaging informed by millions of Facebook profiles obtained indirectly to dissuade potential voters from turning out on election day, they secured victory for their candidate in what was once their opponents’ heartland. President Trump swept into the White House.
The vast trove of personal information held by Obama for America became a hugely sought-after asset following the ’12 election, sparking fierce controversy within the Democratic Party. The only option available to people in that database wishing to opt out was to click unsubscribe in an email sent from whatever lists they subsequently found themselves on. The detailed voter profile remained the property of the party, and entirely out of reach of the subject person. Obama himself carried that same attitude to individual privacy into the White House, where he oversaw more than $100 billion worth of expenditure on surveillance infrastructure during his time in office.
Full of ideas and enthusiasm from witnessing the success of Obama for America in 2012, Australian campaigners (some, like me, having studied or been embedded with the campaign) from NGOs big and small, and of course political parties, embraced big data and field campaigning for issue and election campaigns. New petitions, rarely destined to be tabled in parliament or presented to the target, appeared almost daily, for any issue you could imagine. Email contact databases ballooned, the critical first step in engaging voters online. Political parties here utilised direct access to the electoral roll itself, containing the name and address of almost every adult in the country. Exempt from the limited restrictions of the Privacy Act, party volunteers equipped with increasingly detailed portraits of voters’ interests and intentions knocked on carefully targeted doors in carefully targeted neighbourhoods.
It wasn’t until 2013 that issues of digital privacy were catapulted into broader public consciousness in Australia, when NSA contractor Edward Snowden blew the whistle on, amongst much more, the depth of Australian involvement in global mass surveillance. Despite the revelations that much of this spying power relied on and was derived from social media services, most opprobrium was directed at the governments of the Five Eyes nations at the centre of the scandal. Australians continued to take to new social platforms at some of the highest rates on the planet.
But confidence in the tech industry has been steadily declining since then, as giants like Sony, Yahoo, and many more suffered embarrassing public data breaches. In some cases, most notably Uber, the fallout was handled disastrously, when spin doctors frantically downplayed the scale of the breach after earlier cover-up attempts were unsuccessful. The government has fared little better, from George Brandis’ hilariously inept explanation of metadata during the mandatory data retention debate, to a Medicare data breach, and then the extraordinary debacle of the Census.
The 2014 controversy around Facebook’s psychological manipulation experiment, involving some 700,000 users two years before, flared up and died down with no lasting impact on the platform. Four years later both the public and governments around the world seem far less willing to let yet another breach of their trust slide. People are demanding more: better care from organisations that house data about them, and better oversight from governments that are supposed to protect them.
So, when it comes to fixing the biggest social network of them all, where do we even start? Is it even possible? Well-meaning efforts encouraging people to #deleteFacebook overlook the role it plays for many communities. Opting out wholesale is simply not an option for many people.
When he logged on to his own platform a week ago and read the prompt, “What’s on your mind, Mark?” Zuckerberg’s answer may well have been “pursuing a lawsuit against the publications breaking the Cambridge Analytica story”. Only after five days of ignoring calls from legislators to respond, and even missing his own staff meeting, did the Facebook CEO finally make a public statement. It was rightly condemned as too little too late, containing token concern at best, mixed with absurd wide-eyed innocence. Facebook, too, is a victim in all this, he would have you believe. Bullish statements around legal action were nowhere to be seen. Among the commitments Facebook made in the statement was a promise to tighten controls on apps’ access to data, an issue largely addressed by Facebook’s platform changes in 2015. Zuckerberg also assured owners of the Facebook profiles obtained by Cambridge Analytica that they would be informed. This is knowledge Facebook has had for more than 3 years and done nothing with.
For too long, Facebook has been allowed to operate with near impunity. Zuckerberg and his team ignored the warnings when the Facebook platform was opened up to allow app builders access to expansive user data like friends lists. In 2011, Facebook settled charges with the US Federal Trade Commission and signed a consent decree after the FTC alleged a number of instances in which Facebook did not meet its promises in regards to user privacy. Mark Zuckerberg’s comments in 2011 bear remarkable similarity to his statement this week; the company had “made a bunch of mistakes,” the security and privacy of users’ profiles is a priority, we will strive to do better. One of the key elements of the 2011 consent decree was a requirement to disclose to users any time their data was shared with a third party.
There was no apology in the statement Zuckerberg made on Wednesday (contrition came in a subsequent TV interview when he was pressed directly). There was no admission of failure. Perhaps because there really was no failure. As Motherboard and others have been at pains to point out, this was not a data ‘breach’. The data was originally accessed and acquired within the scope of Facebook’s practices at the time.
Hollow promises to do better are not convincing anyone this time around, thankfully. Governments all over the world are demanding real answers from Facebook, and those processes may yield some useful outcomes. The platform has two billion users, around 75% of whom use it every day. This kind of dominance must not be sustained. The structural separation of the company, the unwinding of acquisitions such as Instagram and WhatsApp, and compelling the cooperation of Facebook senior executives in government investigations are all ideas worthy of further consideration. A cursory glance at the history of the company makes it painfully obvious that Facebook is not equipped to contain, restrain or regulate itself, but it is only now that regulation seems inevitable in the US and is imminent in the European Union that Zuckerberg has publicly opened up to the possibility.
Just how far governments, especially the US, UK, Canada, Australia and New Zealand governments — the Five Eyes — will go in regulating Facebook specifically and protecting privacy more broadly is an interesting question. Governments have an absolutely critical role to play, but many are coming from a position that could be very generously described as compromised. Activities like those of Cambridge Analytica are amateurish in scale and scope alongside the dragnet surveillance undertaken by spy agencies around the world. Those agencies benefit from budgets orders of magnitude higher than anything in the private sector, and are unencumbered by trivial considerations like accountability, the rule of law or public image. Publicly accessible platforms supply critical information these agencies exploit, even rely on. Political parties (not just Australian ones) routinely set much lower standards for themselves around data and privacy, and will defer to ‘national security’ concerns no matter how poorly articulated they are. In both Australia and the U.S. it was the more progressive of the major parties that oversaw the massive expansion of the surveillance state. Improvements in privacy protection legislation in Australia are going to be hard-won.
In Europe, however, there is much cause for optimism. The most promising development for privacy is the General Data Protection Regulation, which comes into effect on May 25, for all companies that hold data within or as a result of doing business with citizens of the European Union. Individual people will have the right to know exactly what they are providing their information for, review the information held whenever they request to, and have the right to withdraw that consent at any time they choose. Companies or organisations that use that data for a purpose other than what an individual explicitly agreed to will face penalties big enough for tech giants to notice. A third strike under GDPR will incur a fine of an astonishing 4% of total global revenue, or 20 million Euro, whichever is higher. As part of the implementation of the new regulation, consent must be actively given anew for every activity an organisation wishes to conduct utilising user data. Acceptance of previous terms and conditions, or campaign actions turned email list subscriptions, will carry no weight. Everyone is effectively starting from scratch, with the privacy and consent of individual Europeans at the core of it all. This has massive potential to disrupt the advertising networks Google and Facebook depend on for the overwhelming majority of their revenue, as EU citizens now have little incentive to make their information available for this purpose.
This standard, the primacy of individual consent, should be implemented everywhere else. Europeans don’t deserve a higher level of protection, but they are currently being far better served by their governments and social sectors. The standard goes to the very core of what privacy is: the right for people to decide for themselves what they share and who they share it with. Every organisation advocating for human rights should support this movement, but more importantly, also sustain these values themselves. Balancing the competing tension between upholding rigorous standards of individual privacy, and engaging people in numbers large enough to be effective, has been a dilemma faced by every organisation in the digital and human rights realm since digital campaigning began.
Outwardly advocating for better privacy protections while harvesting data under questionable pretences is not acceptable; real people are being negatively impacted by current loose practices. Political parties and NGOs working towards better privacy outcomes, or in human rights more broadly, must urgently get their own houses in order. There is appetite for change because of ever-deepening public suspicion of social media platforms and other tech giants. Potential supporters will quite correctly be casting a sceptical eye on anyone asking for their data and their trust while purporting to represent their interests and taking a stand for their privacy.
If supporters can’t access and assess the information held on them, or don’t have any say in how that information is used, or can’t wholly opt out of communications and activities, your organisation is at the Facebook/Analytica end of the scale. If the informed consent of the individual is not the guiding principle for your data management, you are part of the problem.
And for individuals? The entire foundation of the internet in the past decade has heavily swung towards surveillance capitalism. Undoing that is a massive undertaking. In the interim, while it’s hard to avoid, there are productive steps you can take. Stop using Google Chrome and start using Mozilla Firefox with DuckDuckGo. Install adblockers on every device. Use Signal not WhatsApp. Maybe ditch Gmail and fork out a few bucks for an email service designed to deliver your messages not advertising (I like Runbox). If you can’t #deleteFacebook, tweak your settings to lock down your profile as much as possible, while maintaining the minimum function you can handle.
And never forget that until the major overhaul we’re fighting for comes to pass, we users are not Facebook’s customers. Nor are we Google’s customers. We remain, as ever, the product.
Originally published in Green Agenda.