Privacy SOS

Think Cambridge Analytica is bad? Wait until ISPs start selling our dossiers to shady political actors.

The Cambridge Analytica and Facebook scandal has woken the United States up to the seedy underbelly of online advertising markets. Unless we take action soon, this problem will only get worse. Thankfully, states like Massachusetts are considering legislation that would protect consumers and our democracy from even more dangerous data surveillance and manipulation.

For years, advertisers and companies like Facebook, Google, and Amazon have implied that their business model is good for us. After all, the story goes, we the people get “free” services like email, mapping, online shopping, and social networking, and in exchange, we get to see advertisements relevant to our interests. It’s a win-win model, the narrative claims.

This week, that narrative has come crashing down under the weight of its own contradictions.

The New York Times, the Guardian, and Channel 4 have published new details, expanding on the work of the Intercept, pertaining Cambridge Analytica’s use of Facebook data during the 2016 election campaign. And those details have shocked much of the country into attention.

Here’s the quick and dirty of what happened: A man named Alexander Nix teamed up with billionaire conservative political donor Robert Mercer to create a company called Cambridge Analytica. The company aimed to use data driven methods to advance conservative political causes. Cambridge Analytica worked on the Brexit campaign, which was a surprise victory.

Reporting indicates the company also had a hand in Trump’s victory. Videos filmed by undercover reporters and published by the UK’s Channel 4 show Cambridge Analytica executives bragging about how their data-driven insights propelled the Trump team to the White House. Their analysis helped shape the message of Trump’s campaign, the executives said.

Among the data Cambridge Analytica reportedly used to help Trump shape his messaging was information from Facebook users who had consented to participate in an academic study, done by a psychology professor at the University of Cambridge, Dr. Aleksandr Kogan. About 270,000 Facebook users signed up to participate in the “study” by downloading an app through their Facebook accounts, and consenting to data collection that the app claimed would be used for academic research purposes.

Facebook’s developer API allowed researchers like Kogan to obtain sensitive records not only from people who opted-in to this type of research, but also from those Facebook users’ friends. That’s how Kogan ended up with Facebook data on 50 million users.

But instead of using the data for academic purposes, as he’d promised Facebook users and the company itself, Kogan reportedly shared the information with another researcher, Chris Wylie. The two of them, according to reports, used this information to create voter dossiers for Cambridge Analytica, which analyzed those dossiers in order to provide the Trump campaign with insights about messaging and strategy.

Conservative commentator Ben Shapiro has complained that the backlash against Cambridge Analytica over the past week isn’t fair. After all, he writes, the Obama campaign used data-driven insights to great effect in its 2012 effort.

That’s true, but there are at least two fundamental differences between what Obama did and what Trump did.

First, Obama’s campaign solicited Facebook data from people who signed up with the Obama campaign. Facebook’s developer platform allowed Obama’s team access to the friends of the people who signed up, as well. But the Obama campaign’s use of data-driven analysis was not secret, and the people who consented to give their information (and their friends’ information) to Obama’s team did so knowingly. Obama’s campaigns did not hide its use of these advertising methods; numerous publications wrote about it before the 2012 election.

Contrast that relative degree of openness to what Cambridge Analytica and the Trump team reportedly did. In that case, information collected under the auspices of an academic study, for solely academic purposes, was repurposed for the Trump political campaign. That’s a massive breach of trust. Unlike Obama’s data work, the Trump campaign’s work with these data was never public, and only came out after reporters at the Intercept blew the whistle on it.

Second, Obama used data-driven profiling of voters to sell a message of hope and change to the American people. Trump used similar techniques to sell a message of bigotry and authoritarianism.

This last point is crucial, because it gets to the heart of why people are so upset about what Facebook and Cambridge Analytica did, in secret.

People have generally accepted the bargain that we use services like Facebook for “free,” in exchange for our data, because people generally don’t mind so much if that data is used to sell them things like cars, computers, or clothing. But when the information is collected surreptitiously, or under false premises, and then used to sell them authoritarianism? That’s when people start to get upset.

In a way, this scandal is healthy for our country, because it directly points to the seedy underbelly of the data markets that animate much of online commerce and many of the most popular websites. Regulators in the United States haven’t taken this problem seriously, despite plenty of research going back years indicating how these markets, unregulated, pose threats not only to individual privacy and autonomy but to democratic societies themselves.

And the problem is getting much, much worse, as you read this.

Back in April 2017, Congress and the Trump administration killed privacy rules established by the FCC under President Obama. These rules would have barred internet service providers like Comcast and Verizon from monetizing their customers’ sensitive data without opt-in consent. Those rules would have effectively kept the ISPs out of the online advertising market.

Now, without those rules, we face these types of attacks on personal privacy and democracy not only from companies like Google and Facebook, which can access large quantities of information about their users, but from ISPs like Comcast and Verizon, which can collect far more detailed information about millions of people nationwide—whether or not they use Google or Facebook.

Massachusetts lawmakers have an opportunity to ensure that doesn’t happen, by passing comprehensive consumer privacy law to reinstate the protections we lost when Trump killed the Obama-era FCC rules. All states should do the same.

It’s not enough to wave our hands and bemoan the loss of our privacy. We must take swift and decisive action to plug the ISP-privacy-sized hole in our boat, which could sink us fast. Then, and only then, will we have the opportunity to seriously consider regulation on companies like Facebook, and begin to empty our boat of the existing high waters that threaten our individual autonomy and collective ability to act in our best interests.

© 2018 ACLU of Massachusetts.