The Facebook uproar – wow! I’m shocked that people are shocked. We put our lives online for the world to see – the temptation for nefarious actors to act is there. We can’t be surprised at the result.

What happened? Facebook and UK-based Cambridge Analytica (“CA”) are at the eye of the storm. What occurred was NOT a data breach. It was NOT a cyber-attack. It was a case of poor supervision on the part of Facebook with regard to how a 3^rd party developer accessed and used Facebook member data.

Who is Cambridge Analytica? Other than dead in the water, CA is a data mining/data analytics firm. There are thousands of companies like CA that aggregate and analyze data for various purposes.

What did CA do wrong? CA’s sin was that the firm misrepresented itself and how it would access and use Facebook member data. CA positioned itself as a personality survey application. Approximately 300,000 Facebook members downloaded the app. CA designed the app to capture your data and that of your Facebook friends. So for every person that downloaded the application, CA captured data not only on the 300,000 people that downloaded the app, but also on an additional 166 people for every one person – or 50 million people in total. While you may have provided consent, your Facebook friends did not. That’s strike one against CA.

Second, CA used this data to inform the Trump campaign’s political targeting effort. The Facebook members who gave their consent did so never knowing that their data would be used for a political campaign, much less their friends whom never consented to anything.

By the way, the Obama campaign did something similar. It too created an app for political purposes. It too captured Facebook data not only for those members who provided consent, but also for Facebook members who were friends of those who consented but never provided content themselves. So CA and the Obama campaign had strike one in common.

What should Facebook do? I believe Facebook should create a sandbox environment where 3^rd party applications are tested to see how they would behave on FB’s platform – a proving ground of sorts – where Facebook could compare 3^rd party application behavior to Facebook’s usage terms. However, this won’t happen as Facebook is not commercially motivated to provide this type of expensive preventative measure. It would be a waste of time and taxpayer dollars for the Federal Government to mandate this type of measure as it would be ill-equipped to audit such a process.

A more practical approach for Facebook would be to make it easier for members to provision their personal data in terms of visibility and sharing with 3^rd party developers. Second, Facebook should pursue legal action against developers who abuse Facebook’s Terms of Use. Do so loudly and with maximum visibility to deter would be bad actors.

What should you do? There is nothing you can do to remove your digital footprint from the world. At the extreme, delete your social media accounts after you have purged your data from the respective platforms. A more practical approach would be to set your privacy provisions to “closed” or “private” across all applications and Websites that you use. Don’t volunteer to share your personal data and that of your contacts when you download apps.

This Facebook CA scandal is hardly news. Guess who else knows much about who you are? Your bank. Visa. Amex. MasterCard. Your local supermarket. Your doctor. Other companies that know or can infer much of what makes you “you” are many. Here are a few:

• Google: Google scans your email and knows what you store in the cloud. It knows your browsing history. Your search history.
• Amazon: Your Amazon order history. Your Amazon search history. Your credit cards stored with Amazon. Amazon provides auto insurance in the UK. Amazon will soon provide healthcare in conjunction with JP Morgan and Berkshire. AmazonGo grocery stores.
• LinkedIn/Microsoft: MSFT’s LinkedIn has your career history and professional network.
• Twitter: TWTR knows your personal and professional interests and who/what you’re connected to.
• Oracle: Oracle owns LiveRamp and other MarTech businesses that infer or know bits and pieces about who you are through deterministic and/or probabilistic analysis. Drawbridge also plays in this space. Acxiom. Experian. There are hundreds of these Analytics firms.
• Apple: Apple knows much about who you are based upon how you use your phone – particularly if your privacy settings are set to “open”.
• Travel & Hospitality: various airlines and airline reservation systems, hotel and restaurant reservation systems, rental car providers – all store personal data elements and preferences.

Here’s our recent CEORater Podcast covering this subject:

• Corporate Governance
• Cybersecurity
• Social Media
• Technology