If you downloaded the app “thisisyourdigitallife” in 2015 or were a Facebook friend of someone who did, you may recall seeing political ads during the 2016 presidential campaign that favored Trump. The app, which purported to offer a personality prediction in the form of “a research app used by psychologists”, allegedly collected personal profile information in violation of Facebook’s data privacy policies to attempt to sway voters in the 2016 Trump presidential campaign.
On March 17, 2018, the New York Times reported that Cambridge Analytica, a startup voter-profiling company, had improperly obtained the personal profile data of more than 50 million Facebook users through the app “thisisyourdigitallife”. The company then allegedly used that data to target articles and advertisements to voters who may or may not be backing Donald Trump in the 2016 presidential election. Interviews with several Cambridge Analytica employees and contractors supported the allegations and said that the company was still in possession of the data at the time of the writing on March 17th.
One former employee of Cambridge said, “rules don’t matter for them, this is a war, and it’s all fair. They want to fight a culture war in America. Cambridge Analytica was supposed to be the arsenal of weapons to fight that culture war.”
The New York Times published one such political advertisement used in the 2016 presidential campaign supporting Trump.
Number May Stand at 87 Million
An April 4, 2018 article on money.cnn.com stated that “previous reporting had put the number of people whose information may have been shared with Cambridge Analytica at around 50 million” and that Facebook had “announced its own [higher] estimate” in a blog post.
According to Facebook, its calculation, based on the number of friends app users had at that time, estimated that a maximum of 87 million users could have been impacted.
Facebook Admits Mistake
In a Facebook post, company vice president Andrew Bosworth wrote, “we thought that every app could be social. Your calendar should have your events and your friends’ birthdays, your maps should know where your friends live, your address book should show their pictures. It was a reasonable vision but it didn’t materialize the way we had hoped.”
Can Duruk, a technology consultant and software engineer, questioned Facebook’s permissiveness of data collection and the ramifications of Facebook’s loose policies, saying “it seems insane that you can make haphazard decisions about so many people’s data” and calling Facebook’s policies “extremely lax with what kind of data they allowed people to get.”
Facebook CEO Mark Zuckerberg called it a “major breach of trust” and said he was “sorry that happened” in a CNN interview.
Data Breach Statistics
A recent article published by TechBeacon gave the following data breach statistics for 2017:
- 1,579 publicly disclosed data breaches; 44.7% higher than 1,091 in 2016
- 1,946,181,599 records containing personal data were compromised between Jan. 1, 2017 and March 20, 2018
- 75% of data breaches were caused by external hackers (i.e., cyber-crime groups, state-affiliated groups), 25% caused by malicious insiders – per survey of 1,200 companies that reported at least one data breach
- 71% of U.S. enterprises reported suffering at least one data breach in the last few years
- $3.62 million was the average cost of a data breach
- 191 days was the average length of time it took an organization to identify a data breach
- 66 days is the average time needed to contain a data breach
Data Breach Notification Requirements for Washington State
There are laws and requirements that businesses must abide by when they own or maintain data such as consumer names, social security numbers, driver’s license numbers, financial records, credit card numbers, passwords, etc., whether stored electronically or on paper. A breach of such data is defined as unauthorized access that may compromise the data’s security.
In Washington, consumers must be notified within 45 calendar days of the discovery of a breach. If more than 500 residents receive notice, government notification is also required.