Here in late 2019, the FTC released a ruling and public order on its findings about Cambridge Analytica’s dealings on Facebook. That’s Cambridge Analytica, one of the many reasons Facebook faced major scrutiny for its role in the spread of disinformation during the 2016 US Presidential Election season. This is not the first time Cambridge Analytica was found guilty of deception and criminal activity – it is, however, the latest clear sign that the FTC is not equipped to protect the privacy of citizens of the United States.
The FTC found that Cambridge Analytica used an app on Facebook called GSRApp (aka thisisyourdigitallife) to target Facebook users for several years. Targeting “tens of millions of Facebook users” with “false and deceptive tactics to harvest personal information” meant Cambridge Analytica violated the Federal Trade Commission Act (“FTC Act”).
The FTC reported that Cambridge Analytica harvested data directly from 250,000–270,000 users on Facebook, then from millions more by association with the original 250k+ users. With the GSRApp, Cambridge Analytica harvested Facebook user profile data from 50–65 million “friends” of the original 250,000–270,000 users.
The original app falsely suggested that the “GSRApp did not collect any personally identifiable information from Facebook users who interacted with it, such as their Facebook User ID.” The FTC found that Cambridge Analytica used collected information for voter-profiling and targeted advertising purposes.
GSRApp had permission to harvest data from Facebook users. So long as users tapped a button to “authorize the app to collect their Facebook data”, they had said permission. At one point, per the FTC findings, the creators of the GSRApp found that a significant number of Facebook users were not granting the GSRApp access to their Facebook profile data, so they included the following text:
In this part, we would like to download some of your Facebook data using our Facebook app. We want you to know that we will NOT download your name or any other identifiable information—we are interested in your demographics and likes.
Despite this text, they collected said information via their Facebook User ID. They harvested the following Facebook profile data from App Users AND connected Facebook Friends:
• Facebook User ID
• location (“current city”)
• friends list
• “Likes” of public Facebook pages
And what’s their punishment? The FTC required that Cambridge Analytica delete all the information they’d collected with GSRApp. The FTC’s final order also “prohibits Cambridge Analytica from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information, as well as its participation in the EU-U.S. Privacy Shield framework and other similar regulatory or standard-setting organizations.”
In a nutshell
The FTC told Cambridge Analytica that they had to delete the info they collected, and that they were not allowed to break the laws that they’d already broken… ever again!
If you’d like to read the full documentation, seek out the FTC page for “FTC Issues Opinion and Order Against Cambridge Analytica For Deceiving Consumers About the Collection of Facebook Data, Compliance with EU-U.S. Privacy Shield.” Also seek the FTC case page for Cambridge Analytica.
Why is this inadequate?
Because the laws were already broken, the information was already collected, and the damage was already done. If we only relied on the FTC to handle lawbreakers like Cambridge Analytica, the only deterrent against violating the privacy of US citizens on the internet would be their public reputation and the time and effort it’d take to unlawfully collect data on internet users.
Unless you count the FTC’s $5 billion USD fine for Facebook. That’s the fine that the FTC congratulated themselves on because it was so big, yet the amount was actually so small that Facebook’s stock price shot UPWARD when the fine was made public.