
Meta hit with ~$275M GDPR penalty for Facebook data-scraping breach

by Sonal Shukla

The General Data Protection Regulation (GDPR), the EU's comprehensive data-privacy law, took effect on May 25, 2018. Since then, the personal data of people in the EU has been subject to stricter security and processing requirements than ever before.

The breach behind the fine involved a third-party app that used Facebook Login, which lets an app read a user's account data through Facebook's API once that user authorizes it. Such apps are not uncommon on Facebook.

The app in question, "This Is Your Digital Life", was a personality quiz for Facebook users. Roughly 270,000 users installed it and gave it permission to access their Facebook accounts, and it then harvested their data, including profile information and, where that permission was granted, private messages. But it collected personal data on far more people than those who had installed it: it also pulled data about everyone on each installer's friends list, without those friends' knowledge or consent. It could do so because the Facebook Graph API of the time (v1.0) let an app that one user had granted friend-level permissions read data about that user's friends as well, not only about the user who had actually authorized it.

The data was gathered through that API in 2014 and 2015. Users installing the app agreed to the developer's terms by ticking a box at the bottom of the sign-up page, but nothing asked them to read Facebook's own terms of service, which already told users that they would be sharing personal information about themselves with apps such as This Is Your Digital Life.

The app was built by academic Aleksandr Kogan. After Facebook shut off friend-data access in 2015, the data the app had collected was passed on to Cambridge Analytica (CA), to which Kogan sold it. CA obtained the data while building psychographic profiles of US voters ahead of the 2016 election, matching people's Facebook profiles against a database of some 300 million social-media profiles.

Since the data-collecting practice was first reported in 2015, Facebook has changed what it requires of app developers. Apps can no longer read data about a user's friends; they may only access the accounts of users who have authorized them, extended permissions must be requested explicitly and are reviewed by Facebook, and users can see which permissions an app holds and revoke any of them.
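To make the difference between the two permission models concrete, here is a small simulation, added as an illustration and not code from Facebook or from the article. It models only one behaviour: whether an app authorized by one user may read data about that user's friends. Under the legacy rule a single installer who grants a `friends_*` permission exposes every friend who has not opted out; under the hardened rule the app only ever sees users who authorized it themselves. The user names, the app name `quiz`, the permission strings and the per-user `friend_apps_allowed` toggle are all assumptions made up for the example.

```python
"""Simplified model of transitive vs. direct app consent (added example,
not Facebook's code). The social graph, app name and permission names are
constructed for the illustration."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    # Undirected friendship edges (both users list each other).
    friends: set = field(default_factory=set)
    # app name -> set of permission strings this user granted that app.
    app_grants: dict = field(default_factory=dict)
    # Assumed per-user privacy toggle: may apps installed by my friends
    # read my data? True models the default most users never changed.
    friend_apps_allowed: bool = True


def readable_by_app_v1(app, users):
    """Legacy rule (Graph API v1.0 style): an installer who granted any
    friends_* permission also exposes every friend who has not opted out,
    although those friends never authorized the app."""
    reachable = set()
    for u in users.values():
        perms = u.app_grants.get(app, set())
        if not perms:
            continue
        reachable.add(u.name)  # the installer's own data
        if any(p.startswith("friends_") for p in perms):
            for f in u.friends:
                if users[f].friend_apps_allowed:
                    reachable.add(f)
    return reachable


def readable_by_app_v2(app, users):
    """Hardened rule (Graph API v2.0 style): only users who authorized the
    app themselves are readable, so consent is never transitive."""
    return {u.name for u in users.values() if u.app_grants.get(app)}


def exposed_without_consent(app, users):
    """People the legacy rule exposes although they never installed the app."""
    return readable_by_app_v1(app, users) - readable_by_app_v2(app, users)


def build_sample_graph():
    """Constructed six-person graph: two installers, one friend opted out."""
    users = {n: User(n) for n in
             ["alice", "bob", "carol", "dave", "erin", "frank"]}

    def befriend(a, b):
        users[a].friends.add(b)
        users[b].friends.add(a)

    befriend("alice", "carol")
    befriend("alice", "dave")
    befriend("bob", "erin")
    befriend("dave", "frank")
    # alice installs the quiz and grants a friends_* permission.
    users["alice"].app_grants["quiz"] = {"email", "friends_likes"}
    # bob installs it but grants only his own email, no friend permission.
    users["bob"].app_grants["quiz"] = {"email"}
    # carol opted out of "apps others use", so she stays hidden even in v1.
    users["carol"].friend_apps_allowed = False
    return users


if __name__ == "__main__":
    g = build_sample_graph()
    print("v1 readable:", sorted(readable_by_app_v1("quiz", g)))
    print("v2 readable:", sorted(readable_by_app_v2("quiz", g)))
    print("exposed without consent:", sorted(exposed_without_consent("quiz", g)))
```

In the constructed graph only alice and bob ever authorized the app, yet the legacy rule also hands over dave, alice's friend, because alice granted `friends_likes` and dave never touched the opt-out; carol is protected only because she did. Scale the same rule to 270,000 installers with a few hundred friends each and the blast radius described in the article follows directly. The hardened rule removes the friend traversal entirely rather than relying on every friend having found the privacy toggle.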

By using this loophole to collect data not just on those who installed the app but on each installer's entire friend network, the app gathered information on millions of Americans without their knowledge or consent. It then transferred that data to CA, which used it for political profiling. CA says it did not use the Facebook data in its work for the Trump campaign in 2016. It will be interesting to see whether EU regulators are as forgiving of companies that transfer data gathered without consent, even after those companies claim to have curbed the practice.

The app was only available on Facebook between November 2013 and December 2015, so the people affected by the breach are those who installed it during that period, together with whoever was on their friends lists at the time.

