INFO5301 Data Privacy and General Data Protection Regulation
profile of users (the OCEAN acronym stands for openness, conscientiousness, extraversion,
agreeableness, and neuroticism).
To take the quiz, Facebook users are required to add this app to their Facebook account. This
allows the creator of the app to access profile information and user history for the user
taking the quiz, as well as all of the friends that the user has on Facebook. This data includes
all of the items that users and their friends have liked on Facebook.
In December 2015, Facebook learned for the first time that the data set that Aleksandr Kogan
generated with the thisisyourdigitallife app was shared with Cambridge Analytica. Facebook
founder and CEO Mark Zuckerberg claims "we immediately banned Kogan’s app from our
platform, and demanded that Kogan and Cambridge Analytica formally certify that they
had deleted all improperly acquired data. They provided these certifications." However,
according to an interview given by a former employee of Cambridge Analytica to The
Guardian and The New York Times, the company did not do so.
Cambridge Analytica used the data to provide analytical assistance to the 2016 presidential
campaigns of Ted Cruz and Donald Trump. Cambridge Analytica was also widely accused
of interfering with the Brexit referendum, although the official investigation recognised that
the company was not involved "beyond some initial enquiries" and that "no significant
breaches" actually took place.
2.2 What did Facebook do wrong?
Another useful reference: What Went Wrong? Facebook and 'Sharing' Data with Cambridge
Analytica.
URL: https://cacm.acm.org/blogs/blog-cacm/226442-what-went-wrong-facebook-and-sharing-data-with-cambridge-analytica/fulltext
Answer: There were a number of failures:
1. First there’s Facebook’s failure to design its systems to protect user privacy. Indeed,
the company’s aim was quite the opposite. Facebook believed that "every app could
be social." That meant giving broad access not only to a user’s data, but also to that of
his "friends." In 2013, Cambridge University researcher Aleksandr Kogan paid 270,000
Facebook users to take a personality quiz. Doing so gave Kogan’s app the ability to
"scrape" information from their profiles. In those days, Facebook’s platform permitted
the app not only to access the quiz takers’ profiles and "scrape" information from them;
the social network also allowed apps to do the same to the profiles of the quiz takers’
"friends"—all 50 million of them.
2. Then there’s Facebook’s failure to take serious legal action after the company became
aware that the data of those 50 million Facebook users had been provided to Cambridge
Analytica. This data transference violated Kogan’s agreement with Facebook
in acquiring the data in the first place. But when Facebook found out, its action was to
request that Cambridge Analytica certify they had destroyed the user files; the Silicon
Valley company did not ensure that Cambridge Analytica had done so. As we know,
Cambridge Analytica had not complied. Facebook’s failure to ensure that the files had
been destroyed was failure number 2.
3. Finally, there’s Facebook’s failure to inform the 50 million users whose data was taken.
There was a breach of contract here, between Kogan and Facebook. But there was also
Information Security Management Page 4 of 6