Security

Australia latest to open probe into Facebook data scandal

Comment

Image Credits: Getty Images/TechCrunch

Australia’s privacy watchdog has opened an investigation into Facebook in the wake of the Cambridge Analytica data misuse scandal.

Yesterday Facebook revealed that more users than previously thought could have had their personal information passed to the company back in 2014 — saying as many as 87 million Facebook users could have had their data “improperly shared”, thereby confirming the testimony of ex-Cambridge Analytica employee, Chris Wylie, who last month told a UK parliamentary committee he believed that substantially more than 50M Facebook users had had their information swiped.

And while most of these Facebook users are located in the US, multiple millions are not.

The company confirmed the international split yesterday in a blog post — including that 1 million+ of the total are UK users; more than 620k are Canadian; and more than 300k are Australian.

Though in tiny grey lettering at the bottom of the graphic Facebook caveats that these figures are merely its “best estimates” of the maximum number of affected users.

After the US, the largest proportion of Facebook users affected by the data leakage were in the Philippines and Indonesia.

In a statement today the Australian watchdog (OAIC) said it has opened a formal investigation into Facebook.

“The investigation will consider whether Facebook has breached the Privacy Act 1988(Privacy Act). Given the global nature of this matter, the OAIC will confer with regulatory authorities internationally,” it writes. “All organisations that are covered by the Privacy Act have obligations in relation to the personal information that they hold. This includes taking reasonable steps to ensure that personal information is held securely, and ensuring that customers are adequately notified about the collection and handling of their personal information.”

We’ve reached out to the National Privacy Commission in the Philippines for a reaction to the Cambridge Analytica revelations. Update: The agency has now put out a statement in which privacy commissioner Raymund Enriquez Liboroit states that Facebook told it 558 Filipino users had installed the personality quiz app that was used by CA as the route to harvest Facebook friend data — and ultimately to pull data on up to 1,175,312 more local users.

“Mark Zuckerberg claims he values the trust of his customers. This incident involving Cambride Analytica clearly puts this to question,” the commissioner writes. “While Facebook claims remediation is underway, we continue to call on Facebook to face us Filipinos with a new level of transparency. This should begin with their terms of service and settings that could be unclear to users. The process by which Facebook monitors third party app developers and tech providers who may have access to Filipino user data should also be looked into. This is to ensure that adequate protective nets are in place to guard against any abuse or misuse of data.”

He goes on to call on Filipino Facebook users “to be circumspect in using the platform and exercise online personal vigilance”. “Users should minimize the personal information they share online and maximize the use of existing privacy protection features and tools,” he adds. “We encourage the public to exercise a new level of care about their privacy and to take part in forming the future of Facebook in the country.”

Indonesia does not yet have a comprehensive regulation protecting personal data — and concerned consumers in the country can but hope this latest Facebook privacy scandal will act as a catalyst for change.

Elsewhere, the Office of the Privacy Commissioner of Canada announced that it was opening a formal investigation into Facebook on March 26. In an op-ed, privacy commissioner Daniel Therrien also wrote that the Cambridge Analytica scandal underscored deficiencies in the country’s privacy laws.

“At the moment, for example, federal political parties are not subject to privacy laws,” he said. “This is clearly unacceptable. Information about our political views is highly sensitive and therefore particularly worthy of protection. We must take action in the face of serious allegations that democracy is being manipulated through analysis of the personal information of voters. Bringing parties under privacy laws would be a step in the right direction.”

Back in Europe, the UK’s data watchdog, the ICO, was already investigating Facebook as part of a wider investigation into data analytics for political purposes which it kicked off in May 2017.

We’ve asked if the agency intends to also open a second investigation into Facebook in light of the 1M+ UK users affected by the CA data mishandling — and will update this post with any response. Update: A spokesperson for the ICO said is investigating 30 organizations, including Facebook, as part of its probe into the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors.

“The ICO is looking at how data was collected from a third party app on Facebook and shared with Cambridge Analytica. We are also conducting a broader investigation into how social media platforms were used in political campaigning.

The UK’s information commissioner, Elizabeth Denham, added in a statement: “Facebook has been co-operating with us and, while I am pleased with the changes they are making, it is too early to say whether they are sufficient under the law.

“This is an important time for privacy rights. Transparency and accountability must be considered, otherwise it will be impossible to rebuild trust in the way that personal information is obtained, used and shared online. This is why, besides my investigation, which could result in enforcement action, I will also be making clear public policy recommendations to help us understand how our personal data is used online and what we can do to control how it’s used.”

Late last month Denham revealed the watchdog had been looking into Facebook’s partner category service as part of its political probe, examining how the company used third party data to inform targeted advertising.

In a statement then she said she had raised the service as “a significant area of concern” with Facebook — and welcomed Facebook’s decision to shutter it.

And last month the ICO was also granted a warrant to enter and search Cambridge Analytica’s offices.

Reacting to the Cambridge Analytica scandal last month, Andrea Jelinek, chair of the European Union’s influential data protection body, the Article 29 Working Party — which is made up of reps of all the national DPAs — said the group would be supporting the ICO’s investigation.

“As a rule personal data cannot be used without full transparency on how it is used and with whom it is shared. This is therefore a very serious allegation with far-reaching consequences for data protection rights of individuals and the democratic process,” she said in a statement. “ICO, the UK ́s data protection authority, is conducting the investigation into this matter. As Chair of the Article 29 Working Party, I fully support their investigation. The Members of the Article 29 Working Party will work together in this process.”

Also last month the European Commission’s justice and consumer affairs commissioner, Vera Jourova, told the BBC that the executive body would like to see new legislation in the US to strengthen data protection.

In Europe the incoming General Data Protection Regulation (GDPR) beefs up the enforcement of privacy rules with tighter requirements on how data is handled and a new regime of tougher fines for violations.

“We would like to see more robust and reliable legislation on American side,” said Jourova. “Something similar or comparable with the GDPR. And I believe that one day it will happen also in United States and that’s why I am now so curious how American society will react on this scandal — and other scandals which might come.”

The EC has a specific lever to press the US on this point — in the form of the Privacy Shield arrangement which simplifies the process of authorizing personal data flows between the EU and the US by allowing companies to self-certify their adherence to a set of privacy principles.

Both Facebook and Cambridge Analytica are signatories to Privacy Shield — and are currently listed as ‘active participants’ in the framework (for now).

 

A spokesman for Jourova confirmed that listed companies can be removed by the FTC — although he also noted that the Cambridge Analytica data misuse pre-dates Privacy Shield (which was signed in August 2016).

“The FTC has made use of this possibility already a number of times under the Privacy Shield,” he added of the possibility of listed companies being removed from the framework.

The Privacy Shield mechanism was negotiated as a direct replacement for Safe Harbor after Europe’s top court struck down that earlier arrangement, in 2015, in the wake of the Snowden disclosures about US government mass surveillance programs.

The Privacy Shield arrangement has its critics. It also includes a regime of annual reviews. In the BBC interview Jourova made a point of reminding the US that the arrangement — which thousands of companies rely on to keep their data flows moving — remains under constant review.

She also said she would be writing to Facebook seeking answers about the Cambridge Analytica scandal. “What we want from Facebook is to obey and to respect the European laws,” she added.

For its part Facebook caused confusion about its commitment to raising data protection standards on its platform this week after founder Mark Zuckerberg told a Reuters journalist that it will not be universally applying GDPR for all its users — given the law applies for all Facebook’s international users that essentially means the company intends to apply a lower privacy standard for North American users (whose data is processed in the US, rather than in Ireland where its international HQ is located, within the EU).

However in a follow up conference call with journalists Zuckerberg made some carefully worded remarks that seem to further fog the issue — saying: “We intend to make all the same controls available everywhere, not just in Europe” yet going on to caveat that statement with: “Is it going to be exactly the same format? Probably not. We’ll need to figure out what makes sense in different markets with different laws in different places.”

At this stage it remains unclear whether Facebook will universally apply GDPR or not. Zuckerberg’s remarks suggest there will indeed be some discrepancies in how it handles data protection for different users — what those differences will be remains to be seen.

In remarks made on Twitter today, Jourova described the growing scale of the data misuse scandal as “very worrying” — and said the Commission “will watch closely” how the company’s application of GDPR “will work in practice”.

The UK’s digital minister, Matt Hancock, has also tweeted about the data misuse scandal — saying he will be meeting Facebook representatives next week and expects the company “to explain why they put the data of over a million of our citizens at risk”. “This is completely unacceptable, and they must demonstrate this won’t happen again,” Hancock added.

Yesterday the Facebook founder also revealed that search tools on the platform had made it possible for “malicious actors” to discover the identities and collect information on most of its 2 billion users worldwide — essentially confessing to yet another massive data leak.

He said Facebook had now disabled the tool.

As with the millions of Facebook users whose data was improperly passed to Cambridge Analytica, the company is unlikely to be able to precisely confirm the full extent of how the search loophole was exploited to leak personal data.

Nor will it be able to delete any of the personal information that was maliciously swiped.

This report was updated with additional comment

More TechCrunch

Ahead of the AI safety summit kicking off in Seoul, South Korea later this week, its co-host the United Kingdom is expanding its own efforts in the field. The AI…

UK opens office in San Francisco to tackle AI risk

Companies are always looking for an edge, and searching for ways to encourage their employees to innovate. One way to do that is by running an internal hackathon around a…

Why companies are turning to internal hackathons

Featured Article

I’m rooting for Melinda French Gates to fix tech’s broken ‘brilliant jerk’ culture

Women in tech still face a shocking level of mistreatment at work. Melinda French Gates is one of the few working to change that.

9 hours ago
I’m rooting for Melinda French Gates to fix tech’s  broken ‘brilliant jerk’ culture

Blue Origin has successfully completed its NS-25 mission, resuming crewed flights for the first time in nearly two years. The mission brought six tourist crew members to the edge of…

Blue Origin successfully launches its first crewed mission since 2022

Creative Artists Agency (CAA), one of the top entertainment and sports talent agencies, is hoping to be at the forefront of AI protection services for celebrities in Hollywood. With many…

Hollywood agency CAA aims to help stars manage their own AI likenesses

Expedia says Rathi Murthy and Sreenivas Rachamadugu, respectively its CTO and senior vice president of core services product & engineering, are no longer employed at the travel booking company. In…

Expedia says two execs dismissed after ‘violation of company policy’

Welcome back to TechCrunch’s Week in Review. This week had two major events from OpenAI and Google. OpenAI’s spring update event saw the reveal of its new model, GPT-4o, which…

OpenAI and Google lay out their competing AI visions

When Jeffrey Wang posted to X asking if anyone wanted to go in on an order of fancy-but-affordable office nap pods, he didn’t expect the post to go viral.

With AI startups booming, nap pods and Silicon Valley hustle culture are back

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

A new crop of early-stage startups — along with some recent VC investments — illustrates a niche emerging in the autonomous vehicle technology sector. Unlike the companies bringing robotaxis to…

VCs and the military are fueling self-driving startups that don’t need roads

When the founders of Sagetap, Sahil Khanna and Kevin Hughes, started working at early-stage enterprise software startups, they were surprised to find that the companies they worked at were trying…

Deal Dive: Sagetap looks to bring enterprise software sales into the 21st century

Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…

This Week in AI: OpenAI moves away from safety

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets

Featured Article

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

CSC ServiceWorks provides laundry machines to thousands of residential homes and universities, but the company ignored requests to fix a security bug.

2 days ago
Two Santa Cruz students uncover security bug that could let millions do their laundry for free

TechCrunch Disrupt 2024 is just around the corner, and the buzz is palpable. But what if we told you there’s a chance for you to not just attend, but also…

Harness the TechCrunch Effect: Host a Side Event at Disrupt 2024

Decks are all about telling a compelling story and Goodcarbon does a good job on that front. But there’s important information missing too.

Pitch Deck Teardown: Goodcarbon’s $5.5M seed deck

Slack is making it difficult for its customers if they want the company to stop using its data for model training.

Slack under attack over sneaky AI training policy

A Texas-based company that provides health insurance and benefit plans disclosed a data breach affecting almost 2.5 million people, some of whom had their Social Security number stolen. WebTPA said…

Healthcare company WebTPA discloses breach affecting 2.5 million people

Featured Article

Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Microsoft won’t be facing antitrust scrutiny in the U.K. over its recent investment into French AI startup Mistral AI.

2 days ago
Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Ember has partnered with HSBC in the U.K. so that the bank’s business customers can access Ember’s services from their online accounts.

Embedded finance is still trendy as accounting automation startup Ember partners with HSBC UK

Kudos uses AI to figure out consumer spending habits so it can then provide more personalized financial advice, like maximizing rewards and utilizing credit effectively.

Kudos lands $10M for an AI smart wallet that picks the best credit card for purchases

The EU’s warning comes after Microsoft failed to respond to a legally binding request for information that focused on its generative AI tools.

EU warns Microsoft it could be fined billions over missing GenAI risk info

The prospects for troubled banking-as-a-service startup Synapse have gone from bad to worse this week after a United States Trustee filed an emergency motion on Wednesday.  The trustee is asking…

A US Trustee wants troubled fintech Synapse to be liquidated via Chapter 7 bankruptcy, cites ‘gross mismanagement’

U.K.-based Seraphim Space is spinning up its 13th accelerator program, with nine participating companies working on a range of tech from propulsion to in-space manufacturing and space situational awareness. The…

Seraphim’s latest space accelerator welcomes nine companies

OpenAI has reached a deal with Reddit to use the social news site’s data for training AI models. In a blog post on OpenAI’s press relations site, the company said…

OpenAI inks deal to train AI on Reddit data

X users will now be able to discover posts from new Communities that are trending directly from an Explore tab within the section.

X pushes more users to Communities