In 2015, two Princeton computer scientists, Arvind Narayanan and Steven Englehardt, published an audit of a million of the most popular websites and their tracking behaviours using their newly created OpenWPM software. The largest study of its kind, it produced data that painted a concerning picture of the state of internet privacy. It revealed that many websites were sharing your browsing data with another party, sometimes several. Even more insidious was the revelation of several hitherto unknown ‘fingerprinting’ techniques, in which websites make the user’s machine run hidden tasks and use the differences in the machine’s performance to identify that individual user.
Just a year later, the 2016 US Presidential Election became one of the most acrimonious in modern history, and data and its misuse were at the centre of it all. While the issue of who leaked Hillary Clinton’s e-mails was dominating headlines, both candidates spent $81 million on targeted Facebook ads alone. The Russian troll farm known as the ‘Internet Research Agency’ spent a fraction of this, and with just $46,000 it is estimated they could have reached as many as 126 million Facebook users. As the dust settled on the election, the message to many unscrupulous companies and states was clear: user data for ad targeting was big business, whether for products or for politics. The stage was now set for one of the largest data scandals of our era.
In March of 2018, ex-Cambridge Analytica employee Christopher Wylie went public with allegations of data abuse on an unprecedented scale, carried out by the British political consulting firm with the alleged knowledge of Facebook. As many as 87 million Facebook users had their data harvested from the platform by Cambridge Analytica, which had initially released an app called “This Is Your Digital Life”. Several hundred thousand Facebook users had signed up for the app, with the understanding that their data would be used only for academic purposes. Facebook’s design, however, allowed the app to harvest the personal data not only of the participant but of all those in the participant’s Facebook social network, escalating the number into the millions without their consent.
The data included public profile, page likes, birthday and current city – but for some it also included access to their timeline, news feed and Facebook messages. The information was sufficient for Cambridge Analytica to create psychographic profiles from the data. Using as few as 10 Facebook likes, Cambridge Analytica’s algorithm was able to place the user into a Big Five personality test model with higher accuracy than their work colleagues could. And with 300 likes, it was able to predict their score more accurately than even their own partner could, the BBC reports. This personality data was then used to tailor political ads to elicit specific emotional responses from the viewer based on their personality type. The same ad was often worded in different ways to provide the highest emotional impact depending on which values the respondent held most dear.
It is alleged that the information Cambridge Analytica provided was used by a number of high-profile political campaigns, including US Senator Ted Cruz’s 2016 Presidential bid and Donald Trump’s election campaign. The fallout from these revelations wiped over $100 billion from Facebook’s stock price in a single day, with the company also being found criminally liable in the UK and ordered to pay £500,000 as a result. Facebook CEO Mark Zuckerberg was called to explain himself before Congress and stated that Facebook should have acted sooner and more decisively. He also offered to implement the newly developed EU General Data Protection Regulation (GDPR) across the whole of Facebook’s operations, not just in EU states. However, to this day his actions have haunted him – in last month’s Congressional hearings, Facebook’s efforts to create a governmentally approved cryptocurrency, Libra, were stymied by the lack of public trust in the company after its litany of data abuses.
The EU hoped that GDPR would be the final word in the data saga, with the cost of compliance estimated to be as high as $7.8bn for the 500 largest global firms, and a significant financial cost for all other firms both large and small. Yet compliance remains patchy, with TechCrunch pointing out that many EU websites themselves are allowing tracking cookies that at the very least are not in the spirit of the GDPR law, with visitors to EU health-related services being tracked by third-party ad cookies. Far from GDPR being the panacea to the vexed issue of internet privacy, Cookiebot founder Daniel Johnson concludes that:
“More than nine months into the GDPR [General Data Protection Regulation], a trillion-dollar industry is continuing to systematically monitor the online activity of EU citizens, often with the unintentional assistance of the very governments that should be regulating it.”
If the state has failed to provide the solution to the quagmire of data security, it seems that the free market may be stepping in to offer a hand instead. The rise of virtual private networks (VPNs), which are able to mask the location and other information of a user, has continued unabated over the last few years. It is now predicted that 1-2% of all traffic on the internet is being hidden behind a VPN. VPNs are being used to get around state censorship of the internet, such as in China, as well as aiding in much more dubious activities like evading location-specific copyright and engaging in piracy.
It is, however, unlikely that the proliferation of VPN use will fully solve the issue of data protection, and the practice has a myriad of issues of its own. So, what can be done? The first step for many is to simply understand the value of their own data and the risks of its potential exploitation. Despite the cacophony of high-profile data breach scandals, many consumers and private individuals simply seem unaware of the scope of the issue. Vigilance is the first step in taking back control of your data: don’t access websites you don’t trust, and rethink those that you do. You are being watched, and it will only be the private individual who can take on the mantle of watching the watchers.
With 6 in-house GDPR practitioners on-site, Holograph understands the challenges many businesses face on account of more legal obligations weighing down on data controllers and data processors. For a service you can trust from Holograph, talk to us about your GDPR requirements.