CRS INSIGHT – Data, Social Media, and Users: Can We All Get Along? April 4, 2018 (IN10879). “In March 2018, media reported that voter-profiling company Cambridge Analytica had exceeded Facebook’s data use policies by collecting data on millions of Facebook users. Cambridge Analytica did this by working with a researcher to gain access to the data, so the company itself was not the entity seeking access to the information. This allowed Cambridge Analytica to “scrape” or download data from users who had granted access to their profiles, as well as those users’ Facebook friends (whose profiles the first user had access to, but for which the friends did not authorize access). At this time, it is publicly unknown what data were accessed. Facebook hired a digital forensics firm to audit the event. Based on media reporting and old Facebook applications, user profile data such as interests, relationships, photos, “likes,” and political affiliation may have been accessible, but not all data held by Facebook appear to have been accessed by an outside party. Additionally, as initial access to a user’s profile was granted via an app, other information about the user, such as other apps installed on the device and Internet Protocol addresses, may have been accessed. With this information, Cambridge Analytica built profiles of potential voters to test messaging and target advertisements. In addition to ads on Facebook, search engine optimization may have been used to drive users toward ads and other web content (i.e., blogs) outside Facebook. This event could be characterized as a data breach despite Facebook systems not being breached (i.e., hacked) because a third party was able to access data that neither users nor Facebook intended to share. Rather than compromise a vulnerability in Facebook’s information technology (IT), Cambridge Analytica compromised weak security controls and violated Facebook’s data policies. This breach is akin to an insider exceeding authorized access to retrieve information, or an outsider using information they were authorized to access for purposes prohibited by contractual agreement. In response to this incident, some Members of Congress have questioned Facebook and have invited Facebook CEO Mark Zuckerburg to testify before House and Senate committees. This Insight examines policy issues surrounding this incident and provides options for Congress to consider. While this event has started discussions on election security and social media company requirements to report advertising, this Insight addresses data security concerns without discussing the impacts or consequences of data use…”
Sorry, comments are closed for this post.