Written By Amy Johnson
The New York Times recently revealed that Cambridge Analytica, a data analysis firm based in London, was hired by the Trump Campaign to “harvest private information from the Facebook profiles of more than 50 million users without their permission.” Facebook has faced growing backlash since the information was revealed – its stock has been dropping, Chief Security Officer Alex Stamos has stepped down, Chief Executive Officer Mark Zuckerberg is expected to brief congressional committees, and as of March 21, 2018, both Facebook and Cambridge Analytica have been sued in the United States District Court for the Northern District of California. Mark Zuckerberg called the scandal “a major breach of trust” during a recent interview with CNN.
What did Facebook and Cambridge Analytica do?
Cambridge Analytica is a company owned by billionaire Robert Mercer. Steve Bannon, a former Trump adviser, is alleged to have presided over a project with Cambridge Analytica in which information was obtained to construct and analyze voter profiles. The company worked with the Trump Campaign team to compile millions of United States Facebook users’ profiles to build a program to predict and influence voter choices. This data was obtained through Aleksandr Kogan, a Cambridge University researcher, who created a personality quiz for users to take on Facebook. Once a user linked into the quiz, Kogan was able to access the user’s page and data. Through several hundred thousand quiz takers, Kogan was able to access more than 50 million Facebook users’ profiles, later targeting them with personally tailored political advertisements. In other words, if a user took the quiz, that user’s data (and thousands of Facebook friends’ ‘likes’ and ‘dislikes’) became accessible.
Kogan’s access to this data was known to Facebook and was consistent with Facebook’s developer application programming interface (“API”). The Facebook developer page shows that the API allows developers of apps not only to get a user’s account information, but also to access information like “friends_interests” and “friends_religion_politics.” However, Facebook’s policy only allowed for the collection of friends’ data for the purpose of improving user experience in the app – not for sale or advertising uses. This “unprecedented data harvesting” of millions of Facebook users’ information by Cambridge Analytica, and more specifically, the use of that data, raises many new questions about Facebook’s role in targeting United States voters in the past election.
As the Cambridge Analytica breach was being revealed, President Donald J. Trump took to Twitter to discuss his campaign’s success in using social media. He tweeted, “Remember when they were saying, during the campaign, that Donald Trump is giving great speeches and drawing big crowds, but he is spending much less money and not using social media as well as Crooked Hillary’s large and highly sophisticated staff. Well, not saying that anymore!”
What Laws Might Apply to Facebook and Cambridge Analytica?
With one lawsuit filed, and a potential for more filings in the future, there are several ways that Facebook users and Facebook could proceed to court.
(1) Computer Fraud and Abuse Act (CFAA)
The CFAA provides criminal and civil penalties for unauthorized access to computer networks. However, the statute itself focuses on the “authorization” of the “accesser,” which, technically, Kogan had. The quiz Kogan created required voluntary action on the part of the user in taking the quiz, which notified the user of access to their user profile. In a recent Ninth Circuit decision, the Court stated “a defendant can run afoul of the CFAA when he or she has no permission to access a computer” when the permission granted “has been revoked explicitly.” However, the Court did not say that ‘overstaying one’s welcome’ was a violation of the CFAA. Here, Kogan had authorization to the Facebook profiles and that authorization was not revoked during his access. He may have overstayed his “welcome,” but it will be up to the courts to determine whether this constitutes a violation.
The CFAA also punishes users who exceed authorized access, which could be where Kogan is deemed to be in violation. However, the language in the statute states that exceeding authorized access is accessing “a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to.” When Kogan created the quiz, he obtained access to information in a way allowed by Facebook’s API; yet, when that information was subsequently used beyond what Facebook allows, it lent itself to a possible violation of the CFAA.
(2) Federal Trade Commission (FTC) Rules
Bloomberg recently reported that the FTC is also investigating whether Facebook violated the terms of the 2011 consent decree between the social media site and the FTC. The decree provided that Facebook needs to be transparent about user privacy and to not deceive its users as to how their data will be used. If a court finds that Facebook violated this policy, the penalty could be up to $40,000 per day per violation. Lawmakers have also asked the FTC to look into whether Facebook should pay damages to individual users. The FTC said in a statement that “it takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook.” A group of 37 attorneys has sent a letter to Mark Zuckerberg asking for details on Facebook’s privacy safeguards.
(3) Securities Law
Securities law encourages companies to “disclose material information promptly, including disclosures pertaining to cybersecurity matters.” Facebook’s 2014 and 2015 reports have no mention of the Cambridge Analytica incident, and the site, as a whole, mentions data breaches as a risk but never discloses if any breaches took place. Moreover, Facebook never reported this incident to investors or to the Securities and Exchange Commission (SEC). It remains to be seen whether the SEC will pursue action against Facebook, along with the potential forthcoming actions of the FTC and individual users.
Moving forward, users can expect to see hearings, lawsuits, potential jail time, and in general terms, what has been described by some as a regulatory nightmare. For Facebook, pinning this breach on Kogan and Cambridge may be key. If not, users may observe the downfall of the social media tycoon.
Andrew Keane Woods, The Cambridge Analytica-Facebook Debacle: A Legal Primer, Lawfare (March 20, 2018).
Carole Cadwalladr, Emma Graham-Harrison, Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach, The Guardian (March 17, 2018).
Facebook, Inc., v. Power Ventures, Inc., 844 F.3d 1058, 1067 (9th Cir. 2016).
Computer Fraud & Abuse Act, 18 U.S.C.A. § 1001, Pub. L. 99-474 (1986).
Tiffany Hsu & Cecilia Kang, Facebook Comes Under Scrutiny of Federal Trade Commission, New York Times (March 26, 2018).
Eric Auchard, Jonathan Stempel, Facebook, Cambridge Analytica sued in U.S. by users over data harvesting, Reuters (March 21, 2018).
Dustin Volz, David Shepardson, Munsif Vengattil, Facebook investors fret over costs as Zuckerberg apologizes, Reuters (March 22, 2018).
Photo courtesy of New York Post.