In light of the recent scandal, we worked with our global team to delve into the issue and its potential impact on the industry. For further reading, our Managing Director @SuzSha spoke to AdNews about the debacle. If you have questions or would like to chat further, reach out to us here or on Twitter @wearesocialau

What happened?

On the 18th of March, both The New York Times and The Guardian UK published reports alleging Cambridge Analytica harvested the Facebook profiles of 50 million users unlawfully in order to hypertarget voters in US and UK elections and political activities. More recently, the firm has worked to convince voters to vote for Trump in the 2016 US presidential election, as well as to vote leave in the UK European Referendum campaign.

As a result of this, Facebook has met with massive criticism from consumers and politicians. People are calling for Facebook to answer questions about the so-called “leak,” and there has been a movement for people and brands to delete their Facebook pages. Furthermore, Facebook and Mark Zuckerberg have been called upon to appear before both Congress and the UK Parliament to answer questions about this data and how it was used to influence the elections.

As a consequence of this and the negative coverage, the share price of Facebook has declined significantly (approx. 18% as of 28th March).

What was unethical / unlawful?

Cambridge Analytica allegedly built up the consumer insights pool legitimately through a personality predictions survey and app on Facebook called 'thisisyourdigitallife.' As part of the program, the research team paid 27,000 individuals a small fee to take a personality quiz and download the app, which scraped private information and data from their profiles. However, after giving the app permission, it also accessed the information and data of all their friends on Facebook.

This was done using the first version of Facebook Graph’s API (a developer, or app-level, interface used to understand and access people’s social lives), which allowed apps, through its extended permissions, to “request a huge range of users’ friends' info without much friction or communicating the reason(s) for providing consent. Once authorised with a single prompt, v1.0 app could potentially remain in the background collecting and processing people’s data — and that of their entire friend network — for years.

Using the API in this way wasn’t against Facebook’s policies, at the time, and it was done by a significant number of data companies, and Facebook was very well aware of that. The legal issue with this is that, although the apps obtained consent to collect and use the original user’s personal information, no consent was given from their friends. “This means that the debate stemming from use of the term “breach,” while not accurate from a systems-level computer security standpoint, is arguably legally correct in regards to the lack of informed consent by the “data subjects.” Meaning before the mass collection, processing, and re-sharing of users friends’ personal information.

This version of the API was launched in April 2010. It was announced that it would shut down at f8 in April 2014 and officially close on April 30, 2015. Reasons stated at the time by Facebook for this change was to “put people first” and “give users more control of their data."

What Facebook is doing about it

  • Facebook has banned Cambridge Analytica and its parent company SCL from the platform
  • Facebook has hired an independent forensic investigation firm to conduct an audit of Cambridge Analytica, which it said the firm had agreed to comply with
  • Curtailing data given to apps: By default, developers using Facebook Login will now receive only a user’s name, profile photo, and email address when someone signs in through Facebook. Further information, such as their Facebook posts, will require the developer to receive permission from Facebook
  • Additionally, Facebook will now cut off apps’ access to an account’s data when that person hasn’t used the app for three months
  • Within the next month, Facebook will place a tool at the top of the News Feed that gives people a way to disable apps
  • The company also plans to “investigate all apps that had access to large amounts” in the past to ensure nothing was abused and tell users if it’s discovered that their data was mishandled
  • To do that, Facebook says it will look for “suspicious activity” among the companies it investigates and “conduct a full audit” of them - if they decline the audit, they’ll be banned from Facebook
  • Developers that misused “personally identifiable information” will also be banned. The investigation applies to developers who were on the platform during or before 2014, when Facebook made a change that limited how much data they had access to
  • Facebook has agreed to appear before Congress and answer questions about the data and how it affected the elections
  • Facebook is revamping the platform’s security settings to make it easier for people to find and edit the personal information that is stored about them. It’s important to note that these settings already exist on the platform, Facebook is just making it easier to find them. This was, in all likelihood, prepared in response to GDPR and not just the Cambridge Analytica issue
  • In response to the crisis, Facebook published print ads in US and UK newspapers admitting that they have a responsibility to protect the data of the users

What this means for our clients and other advertisers

Whilst the public outcry is largely centered around the unauthorised use of data and manipulation for political purposes, everyone involved in marketing on Facebook should be aware of the increased scrutiny their targeting activity will be exposed to. At We Are Social, our Facebook user targeting is only ever based on data that consumers have given permission to be used, so none of our clients' ad bookings on Facebook need to be withdrawn for data reasons. However, there are a few considerations for our clients and other advertisers springing from the debate:

  • Ensure when consumer data is required, the value exchange offered to consumers is strong enough (Discounts offered, time saved, other benefits), as consumers will be warier of sharing data
  • Consider holding off on running any hyper-targeted ads that use personal data for the next few weeks and review messaging to ensure it cannot be misconstrued as manipulative
  • Review and simplify data policies and warnings, potentially publishing a data transparency statement piece on their website; ensure third party data providers comply with data legislation; in the rare cases where data is obtained from brokers, it may make sense to instead work with influencers or publishers who are trusted to have their audience's data.

 

Other questions

Hasn’t Facebook been collecting our data since the beginning?

  • Yes, Facebook and most apps collect private information from your profile and are clear about this when you accept their terms. This is part of the value exchange with the user for access to the platform and apps. Users are able to disable sharing of specific data points or sharing data with specific apps. What makes this incident different is the data was passed on to a third party after it was collected and not deleted when Facebook requested. Facebook say this breached their policies.


 

Do we think advertisers should stop using Facebook as a marketing and ad channel?

  • Some brands may feel Facebook could have done more in preventing an unethical data breach (through tighter auditing of third parties) and choose not to work with them in future. Mozilla Foundation, Pep Boys, Sonos, and German bank Commerzbank have pulled advertising from Facebook. Sonos for one week only.
  • We will continue to monitor the situation but our view is that the majority of brands will continue to use Facebook’s targeting options to reach consumers. Brand content that is from an advertiser and relevant to the the user should not be a case for concern. We have not seen a drop off in user numbers (although it is too soon to comment definitely on this). 


  • Some in the industry have questioned why brands would pull out of advertising on Facebook when they have been demanding more and more personal data for targeting from Facebook to enable them to run hyper-targeted campaigns
  • What appears to have caused concern with users is that this particular incident involves political advertising, where content was not clearly marked as coming from a political party, with little clarity on who funded the advertising as well as the veracity of some of claims in the content.

How have consumers reacted?

There have been around 450K mentions of #deletefacebook since the story broke (to 15-28th March). Elon Musk is one notable deleter, having  deleted his personal Facebook account and that of Tesla. However, Elon himself commented that he didn’t actually know the pages even existed and the number of regular users who have deleted their accounts has been unnoticeable. For the average consumer, deleting Facebook is easier said than done.

The issue is that Facebook has become such an integrated part of our social infrastructure, with Messenger and Events being a large part of connecting people. As such, people are likely to continue to use Facebook, and due to its reach and scale, it will likely maintain its status within the media mix.

What is likely to happen, though, is that users will become more aware of the data technology companies and social platforms hold about them and be more critical of what they sign up for and how their data is used.

Our conclusion

Facebook is doing what it can to accommodate the demands of the consumers in regards to their data, but we expect to see greater regulation in this area. Facebook has probably already been preparing for a higher level of privacy control and transparency in response to the upcoming GDPR regulation.

However, as we have seen in other industries, brands are facing more and more pressure to take responsibility for what happens at every stage of the supply chain, and technology companies and social platforms are likely to come under the same pressure in the future. Even though Facebook received legally binding assurance from Cambridge Analytica that the data had been deleted, this will be far from enough in the future. They will be held accountable for suppliers or third-party partners misusing the data they collect, and they will be responsible for protecting their consumers and their data in an ethical way.

The tighter control of third party apps and usage of their data should prevent future issues of this scale, but as social media data regulation is a new area, further unforeseen issues are to be expected. Just following the Cambridge Analytica case, it was revealed that Facebook has been logging calls and texts on some Android phones as far back as 2015. We should be ready to amend our approach to work and targeting if other situations arise where Facebook or any other platform is in the crosshairs.

Sources/ Further reading:

https://www.campaignlive.co.uk/article/brands-hypocritical-leave-facebook-cambridge-analyticas-data-breach/1460176

http://www.thedrum.com/opinion/2018/03/25/are-we-really-brave-enough-unplug-the-social-matrix

https://www.cmo.com.au/article/634943/big-lessons-marketers-wake-facebook-cambridge-analytica-data-leak/

https://www.theverge.com/2018/3/21/17148726/facebook-developer-data-crackdown-cambridge-analytica

http://www.adnews.com.au/opinion/the-perfect-facebook-storm

https://medium.com/tow-center/the-graph-api-key-points-in-the-facebook-and-cambridge-analytica-debacle-b69fe692d747

http://www.bbc.co.uk/news/technology-43557803

https://newsroom.fb.com/news/2018/03/privacy-shortcuts/

http://www.bbc.com/news/business-43532948

http://money.cnn.com/2018/03/27/technology/mark-zuckerberg-testify-congress-facebook/index.html

https://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-mark-zuckerberg-uk-parliament-data-cambridge-analytica-dcms-damian-collins-a8275501.html

https://www.cnbc.com/2018/03/25/facebook-saves-extensive-call-text-data-made-by-android-users-ars-technica.html