Cambridge Analytica controversy: Was there a Facebook data breach?

By now you’ve probably seen some of the hundreds of headlines about Cambridge Analytica, the shady data analytics firm which managed to get its paws on information about some 50 million Facebook users collected via a personality testing app.

Some have suggested that the information could have helped influence Facebook users into voting for Donald Trump in the US presidential election.

In its initial exposé, The Guardian referred to the incident as a “major data breach”, and described it as “one of the largest-ever breaches of Facebook data.”

The claim of a “data breach” understandably stung Facebook badly, as the implication for the average person in the street would be that hackers somehow managed to infiltrate Facebook’s servers and make off with a haul of personal information.

Facebook’s Chief Security Officer Alex Stamos said it was unfair to describe what happened as a breach, in a now-deleted tweet:

“The recent Cambridge Analytica stories by the NY Times and The Guardian are important and powerful, but it is incorrect to call this a “breach” under any reasonable definition of the term. We can condemn this behaviour while being accurate in our description of it.”

And the social network updated its official statement on its suspension of Cambridge Analytica to reinforce that it had not suffered a breach.


Now, you might reasonably respond “Well they would say that, wouldn’t they?”

But let’s try to think this through. In my opinion, the question of whether it’s a data breach or not depends on where you stand.

From Facebook’s point of view, it’s not a traditional data breach. That’s because this isn’t a case of malicious hackers breaking into a server, exploiting a vulnerability, or grabbing passwords.

This is how Facebook was designed to work, and many apps over the years have scooped up users’ information and (privacy settings permitting) those of their friends as well.

Hundreds of millions of times every day Facebook hones the content it displays to you based on what it has determined you are interested in, who you are, and what it thinks will be most effective. So, it’s not that different from what Cambridge Analytica did with the same access to the data.

What was against Facebook’s guidelines was for Aleksandr Kogan (the developer of the “thisisyourdigitallife” app) to share the data he captured with Cambridge Analytica. However, I don’t see how Facebook could have technically prevented that, other than doing what it already does – requesting third parties play by the rules.

In short, Facebook might try to argue this is not a data security breach, but rather a misappropriation of data, or (if you like) a data policy breach.

However, millions of Facebook users around the world might take a dimmer view of things.

Many of them may not realise that, because one of their Facebook friends allowed a personality test to scoop up their friends’ details, their own information may also have been exposed to and shared with third parties against their wishes.

None of this is news. Facebook has been working this way for years.

And the fact that this is how Facebook is supposed to work actually makes it worse than any data breach.

The only way to reduce your exposure is to refuse to play Facebook’s game and not be a member of the site. If you can’t bring yourself to leave, at the very least lock down your privacy settings and reduce the level of information that you share.

Finally, it’s worth saying, Facebook isn’t the only website that collects vast amounts of information about its users and exploits it in this fashion.


“If you are not paying for it, you’re not the customer; you’re the product being sold.”

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and gives presentations on the topic of computer security and online privacy.

Follow him on Twitter at @gcluley, Google Plus, Facebook, or drop him an email.
