UPDATED: The big lessons for marketers in the wake of Facebook/Cambridge Analytica data leak
- 20 March, 2018 11:50
News that more than 50 million Facebook user profiles were leaked to controversial political data analytics provider, Cambridge Analytica, should serve as a hefty warning to marketers on the importance of transparency with consumers about how their information is used, and more stringent governance practices around access, and usage.
Facebook this week banned controversial data analytics provider, Cambridge Analytica, and its parent company, Strategic Communication Laboratories (SCL) from the platform and has launched an investigation into both after coming under heavy fire for one of the biggest data leaks in the social media giant’s history.
Over the weekend, both The New York Times and The Observer UK published reports alleging Cambridge Analytica harvested the Facebook profiles of 50 million users unlawfully in order to hypertarget voters in US and UK elections and political activities. More recently, the firm has worked to convince voters to vote for Trump in the 2016 US presidential election, as well as to vote yes in the UK Brexit Leave campaign.
The reports were based on Christopher Wylie, a key figure behind Cambridge Analytica’s formation who has since turned whistleblower.
According to the media reports, Cambridge Analytica allegedly gained access to the data via University of Cambridge psychology professor, Dr Aleksandr Kogan, who helped build up the consumer insights pool initially legitimately through a personality predictions survey and app on Facebook, called ‘thisisyourdigitallife’. As part of the program, the research team paid 27,000 individuals a small fee to take a personality quiz and download the app, which scraped private information from both their profiles and those of their friends.
Separately to this, Dr Kogan built his own app and began harvesting data for Cambridge Analytica in mid-2014, ultimately providing more than 50 million raw profiles to the firm and Wylie’s firm, Eunoia Technologies. These allegedly formed the framework for how Cambridge Analytica then hypertargeted consumers in some of its political work.
The news has raised criticism across the globe around Facebook’s consumer data practices, and the concerning influence hypertargeting can have on the outcome of political elections and referendums.
In a post on 16 March, Facebook VP and deputy general counsel, Paul Grewal, said Dr Kogan’s actions in passing user information was a violation of the platform’s policies. Having learnt of the data leak in 2015, Facebook removed the app and demanded – and was given - certifications from all parties that the data had been destroyed. At the time, users were not informed of the potential data leak.
In recent days, however, reports have emerged the data was not deleted, Grewal said, leading Facebook to suspend SCL/Cambridge Analytica, Wylie and Kogan from Facebook pending further information. Cambridge Analytica, meanwhile, funded by wealthy Republican donor, Robert Mercer, and founded by Stephen Bannon, has been under scrutiny for the past year for its role in the Trump presidential election campaign.
“We will take whatever steps are required to see that this happens,” Grewal stated. “We will take legal action if necessary to hold them responsible and accountable for any unlawful behaviour.”
Already, concerns have been expressed and legal questions raised by US senators and congressional committee members through to US attorney generals, British MPs and informational commissioners and the British Prime Minister, on how the data leak happened and Facebook’s role in it. And already, investigations are underway into Facebook's interference with elections.
In a company post on 19 March, Facebook confirmed it’s now hired independent forensic investigation firm, Stroz Friedberg, to conduct an audit of Cambridge Analytica, which it said the firm had agreed to comply with.
“We have approached the other parties involved – Christopher Wylie and Aleksandr Kogan – and asked them to submit to an audit as well,” the statement read. “Mr Kogan has given his verbal agreement to do so. Mr Wylie thus far has declined.
“This is part of a comprehensive internal and external review we are conducting to determine the accuracy of the claims that the Facebook data in question still exists.
“If this data still exists, it would be a grave violate of Facebook’s policies and an unacceptable violation of trust and the commitments these groups made.”
The social engine giant admitted the rules during the time when Kogan’s app was created were not stringent enough. “We actually reject a significant number of apps through this process. Kogan’s app would not be permitted access to details friends’ data today,” the company stated.
Facebook said it’s also committed to enforcing policies to protect people’s information. “We also want to be clear that today when developers create apps that ask for certain information from people, we conduct a robust review to identify potential policy violations and to assess whether the app has a legitimate use for the data,” it said in its latest statement.
Damaging consumer trust
The latest data ‘breach’ comes amid growing discontent around how consumer behavioural data is being used to deliver controversial, harmful or extremist content to consumers not only across the Facebook platform, but also sites on such as YouTube.
In February, Unilever’s CMO, Keith Weed, came out swinging against both Facebook and Google, threatening to pull digital advertising dollars from both platforms if they don’t do something about the controversial and extremist content being published on their online platforms and “breeding division” as a result.
“As one of the largest advertisers in the world, we cannot have an environment where our consumers don’t trust what they see online,” Weed told attendees at the recent IAB Annual Leadership Meeting. “We cannot continue to prop up a digital supply chain – one that delivers over a quarter of our advertising to our consumers – which at times is little better than a swamp in terms of its transparency.”
And to some extent, the platform giants are starting to respond by banning content producers and advertising, although many suggest it’s nowhere near enough.
Commenting on the ramifications of these data concerns for marketers, Red Planet executive manager, Vaughan Chandler, said consumers are naturally protective of their privacy and personal data and want to maintain control of it.
“As an industry, data-led marketers and brands therefore need to be transparent to make sure consumers are aware about how their data is being used,” he told CMO. “Having that awareness will help them better understand the benefit of how behavioural data is being used, which is to deliver experiences and interactions that are more relevant to them.”
At Red Planet, data and insights are connected at an anonymised, de-identified level and only shared with third-parties as aggregated insights.
“Brands can significantly enhance the customer experience when they have the right data and that’s a good thing for the consumer, but marketers must be transparent for consumers to realise the potential value of their data being shared,” Chandler added.
Principal of marketing technology research house and the Customer Data Platform (CDP) Institute, David Raab, said the news was significant because of the lack of similar actions reported by Facebook and others in the past around such data breaches.
“Assuming it is in fact new, it shows Facebook accepting more responsibility to take seriously its obligations to protect customer data,” he said, adding the forthcoming introduction of the GDPR laws would certainly have played a role in this decision.
So what lesson should this latest data ‘breach’ be teaching the wider marketing and media industry about how consumer data is accessed, used and shared?
“It should raise their awareness of obligations to enforce their policies by monitoring what clients actually do with data they provide,” Raab said. “Many marketers have been quite cavalier about this in practice. It’s possible other marketers with less data and less reliance on revenues from that data will decide this is not relevant to them. That would be a mistake from a compliance viewpoint and for their customer relationships.”
Facebook’s business worth has already taken a substantial hit as interest in the data leak escalates, with its value dropping by US$30 billion - close to 6 per cent - in early trading on the US stock market, according to Markets Insider.
Data Republic co-founder and CEO, Paul McCarney, labelled the scandal a "telling example of what can happen when data is shared without a strictly defined guideline on ‘permitted use’".
"It's a challenge for organisations that make data available publicly, like Facebook, to envisage every possible use of its data in advance and so a lack of governance on each ‘use’ can lead to episodes like this," he said. "Whether you’re Facebook, a university, or a government - it’s critical that you can govern the flows of data in and out of your organisation, that you can track where and how shared-data is used both now and in the future, that you can revoke access when you need to, and that you can ensure that nothing dodgy or ethically unsound like this can happen."
The CMO Council senior VP of marketing, Liz Miller, said the industry must be "hyper vigilant" in developing transparency and authenticity with customers in partnership with the platforms being leveraged to connect with them.
"Think long and hard about how you explain data policies and the value intelligence will bring to your customers, and then deliver - every time," she advised. "Our customers are willing to provide us with data, and they will volunteer it in exchange for value. But thanks to Cambridge Analytica, some of that trust is eroded and we will need to win it back."
Data access versus targeting
As brands look to increasingly hypertarget consumers through behavioural data, there are also growing community concerns about the significant influence they could have on consumers. Certainly in the political sphere, this can be seen from the alleged claims of Russian interference in the 2016 US Presidential Election, as well as Cambridge Analytica’s impact on Brexit.
Raab argued the Cambridge Analytica scandal is more about unauthorised use of data than problematic hypertargeting.
“There is nothing wrong with hypertargeting in itself, apart from possible discrimination based on race, religion, sexual orientation, media condition and so on, which are generally illegal,” he commented. “But brands do need to carefully monitor how data buyers plan to use their data and then to check that they follow those plans.
“They also need to do what direct mail list managers have always done, which is to include some seed records that allow them to monitor how lists are being used in order to identify anyone who violates the terms of the agreements.”
Raab said brands also need to be mindful and think carefully about whether some data they provide is inherently “too subject to abuse”, such as visits to certain kinds of websites related to political, religious or sexual orientation, and he pointed out Facebook was also criticised previously for enabling advertisers to target ‘Jew haters’.
Miller agreed it's far too easy for marketers to forget they themselves are consumers too. "We need to reinstitute a litmus test of how would we react, and how would our mothers react," she said.
Customers are willing to share their data in exchange for value, which is usually something that saves money, saves time or adds and enhances their lives or makes their lives easier/more enjoyable.
"If we can demonstrate that by leveraging data and intelligence we are adding value, issues like these will be seen as exactly what they are: Bad actors defrauding the public," Miller said.
"I'm not going to fault them for acting, but it’s really a matter of it’s about time. Both Facebook and Google have spent enough time on the sidelines wondering why everyone expects them to help police and protect a digital world they helped create. They have spent enough time playing the 'but we are just the platform' card. Get in the game guys."
Closer to home, the Australian Information and Privacy Comissioner has confirmed the office is making inquiries with Facebook to ascertain whether any personal information from Australian consumers was involved in the leak.
"I will consider Facebook’s response and whether any further regulatory action is required," the commissioner stated. "The Privacy Act 1988 confers a range of privacy regulatory powers which include powers to investigate an alleged interference with privacy and enforcement powers ranging from less serious to more serious regulatory action, including powers to accept an enforceable undertaking, make a determination, or apply to the court for a civil penalty order for a breach of a civil penalty provision."