I’ve been reading a lot about Facebook and Cambridge Analytica and this is typical:
Christopher Wylie, who worked with a Cambridge University academic to obtain the data, told the Observer: “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.” (Carole Cadwalladr and Emma Graham-Harrison, The Guardian)
Reaction to these revelations has been filling our newsfeeds and we’ve seen headlines like:
Calling this a data breach misses the point. Every time we see this called a ‘breach’ or a ‘leak’ the central issue is ignored and this matters. As Facebook’s Chief of Security said, it wasn’t a data breach.
He’s right, it wasn’t.
We’ve got the story all wrong. We need to rewrite the story before business returns to usual.
The use of personal information taken without authorisation was a result of policy. Cambridge Analytica failed to follow policy. Facebook failed to enforce that policy adequately and in a timely manner. What’s even worse is that Facebook chose not to take the violation seriously, refusing to take trust-building action at the time and sitting on the knowledge of the violation for 2 years.
Facebook chose not to act. That’s the issue. It’s not a technical one. It’s a matter of policy and prioritisation.
For Facebook, and other advertisers that profit from users’ detailed data, the more complete the user data, the greater the value. It comes as no surprise that this detailed personal data is their most valuable commodity. How else can you make money? Anyone can have access to a huge amount of data about you through Facebook. Trusting these companies not to misuse that data is not a good enough response. Expecting them to do better is not realistic.
We’re looking at it all wrong.
Facebook has intimate knowledge about you because that is their business. It’s literally their entire business model. Facebook’s average revenue per user was $20.21 last year. Considering the sheer size of their user base – over 2 billion people – that is astronomical. If we continue to refer to this as a ‘breach’ or a ‘leak’ we are painting the picture that Facebook can, should and will change and improve their protection of their users’ data. All this does is showcase a do-nothing approach to issues that fundamentally impact a company’s bottom line, and underestimate the degree to which this data can be profited from. Instead, we have to talk about the way these companies do business. If you tell Facebook to do X or Y but it negatively affects their $20.21 average revenue per user, it’s never in their interest to change.
Expecting a company to delete highly valued data, and claiming their refusal to do so is the root cause of concern, is misunderstanding the central issue – it’s their business model that is flawed. That, or they’re in desperate need of regulation.
Many of my friends say, “I don’t worry about Facebook because I don’t use it that much.”
It doesn’t matter that you’re not using Facebook every day. They are still using you.
Pixel tracking and a widespread ad network mean your activities are tracked. Just because you aren’t telling Facebook anything about you doesn’t mean they don’t know.
Facebook’s problem has never been the technology. It’s been their deliberate confusion of privacy controls, and their lack of prioritisation of privacy protection. Their business model relies on it. They don’t have a business need to be more in control of who has what kind of access to their data. Until their business model changes, our data is still everyone’s business.