The Cambridge Analytica Debacle is not a Facebook “Data Breach.” Maybe It Should Be.

On March 16, we learned that Facebook will be suspending Strategic Communications Laboratories (SCL) and its offshoot Cambridge Analytica. According to Facebook, a University of Cambridge professor Aleksandr Kogan was using Facebook Login in his “research app,” collecting data about its users, and passing it on to Cambridge Analytica, a third party. Cambridge Analytica, in turn, obtained personal information belonging to as many as 50 million Facebook users, through Kogan’s app, and without any express authorization from Facebook. This personal information was subsequently used to target voters and sway public opinion, in ways that benefited the then presidential candidate Trump.

In response to accusations that this constituted a data breach, Paul Grewal, Deputy General Counsel for Facebook claimed that –

“The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

Technically speaking, this assessment is probably correct. There was no unauthorized external hacking involved, meaning that Facebook databases were not breached by an outside malicious actor. At the same time, this approach misses the point entirely in terms of user privacy and security. It should not matter for a company like Facebook whether their users’ personal information was forcefully obtained through brute-force, or whether Facebook’s personnel were manipulated to hand in that information to malicious and untrustworthy party.

Image: Bryce Durbin/TechCrunch

The cliché goes that humans are the weakest link in cybersecurity, and potentially even the leading cause for the majority of cybersecurity incidents in recent years. This debacle demonstrates that cliché to its full extent. But there is a deeper question here – why are our current data breach notification laws creating this dichotomy between active breaches, where hackers penetrate a database and obtain valuable data, and passive breaches, where humans are being tricked into passing that data into unauthorized hands? After all, the result is the same – users’ private data is compromised.

Other than empowering State Attorney Generals to investigate and pursue legal action against violating companies, the primary purpose of data breach notification laws is to ensure that if personal information belonging to platform users and service consumers is compromised, then the target of the breach is under obligation to duly notify any person whose data has been leaked. But our current data breach notification system is broken. A good analogy is to say that tn the case of Facebook, these laws only take into account the cybersecurity “walls” surrounding Facebook’s databases, because they only recognize the security perimeter above the surface. What these laws fail to understand, is that there are tunnels underneath the surface accessing Facebook’s databases, where personal information is being extracted from almost unrestrictedly. If our current laws are unable to characterize similar incidents as data breaches, then they are missing their purpose.

There should be no material difference if the personal information was obtained through a breach or through manipulating and exploiting Facebook’s data ecosystem. The result is the same – user personal information in unauthorized hands. The users should have the right to know, and potentially pursue legal action against Facebook and other involved parties. The distinction currently drawn by data breach notification laws between active and passive breaches should be abandoned, because it provides an incentive for malicious actors to obtain personal data through social engineering, rather than through hacking.

Just as we expect from companies to invest in cybersecurity to prevent future breaches, we should also expect that they ensure that personal information is shared with thoroughly vetted and trusted parties. The best way to achieve this goal is through direct regulation – amending any data breach related laws to accommodate that. Unfortunately, the tech industry has long resisted such regulation, and created the appearance that its own self-regulation would solve the problem. This has not been effective, since tech companies do not have the incentive to follow their own regulations, and these self-regulations only come after a crises of the Cambridge Analytica sort have already occurred. This creates a reality where users’ data is vulnerable, and companies do not seem to take any preventative measures in response.

This is a call to amend our current data breach notification laws to encompass personal data obtained through social engineering as a recognized form of data breach. That would not necessarily mean that companies would be under obligation report every personal data leak, but that they will have to employ measures to prevent manipulation techniques from gaining access to personal information, and if such techniques are occasionally successful, that they notify users and consumers in due course, and that appropriate legal action is authorized to ensure compliance. It is up to states to make this happen, because the boilerplate corporate “we care about your privacy” announcements are not working.