Uploaded by Stacy lala

Case 8(Facebook, Cambridge Analytica, and the (Uncertain) Future of Online Privacy)

advertisement
For the exclusive use of T. Choy, 2023.
UV8106
Rev. Feb. 9, 2021
Facebook, Cambridge Analytica, and the (Uncertain) Future of Online Privacy
We don’t exactly have the strongest reputation on privacy right now, to put it lightly.
—Mark Zuckerberg, May 3, 20191
When it was widely reported that during the 2016 US presidential election, more Facebook users got their
news from social media than anywhere else, alarms around unverified news and disinformation rang. Fake news
became more widely read than real news items. The commotion got even louder as elected officials and
regulators started to investigate the public’s growing apprehension around the internet. Accusations of
Facebook spreading disinformation, allowing foreign influences in US elections, and even promoting genocide
grew. Facebook’s contact-importing practices, called “friend permissions,” became a lightning rod for privacy
advocates. Yet throughout the turmoil, advertisers continued to favor Facebook over other social media
platforms.
For Facebook’s founder, Marc Zuckerberg, there was a certain amount of incredulity around the sustained
attacks and new restrictions regulators proposed for tech firms and privacy. The pivotal point seemed to arrive
with a third-party data broker called Cambridge Analytica, which purchased data gleaned from Facebook users
and used it to inform political operatives. How could something that had started as a survey end with Facebook
under fire in such a public way?
The company was at a time of reflection, Zuckerberg had said, midway through 10 hours of testimony on
Capitol Hill. He noted that the first decade of company strategy had focused on creating tools that brought
folks together and empowered them to do good things.2 By the spring of 2019, Zuckerberg had admitted to an
urgency to launch a new business phase that would go beyond building tools and include examining the firm’s
responsibility to “make sure that they’re used for good.”3 With the Federal Trade Commission (FTC) ruling
that Zuckerberg must make quarterly reports to Facebook’s board (and its newly formed privacy committee)
about actions his business took regarding privacy and personal data, did the tech giant have any choice?
1 Julia Carrie Wong, “Facebook’s Zuckerberg Announces Privacy Overhaul: ‘We Don’t Have the Strongest Reputation,’” Guardian, April 30, 2019,
https://www.theguardian.com/technology/2019/apr/30/facebook-f8-conference-privacy-mark-zuckerberg (accessed Mar. 10, 2020).
2 “Transcript of Mark Zuckerberg’s Senate Hearing,” Washington Post, April 10, 2018, https://www.washingtonpost.com/news/theswitch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/ (accessed Sept. 15, 2019).
3 https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/.
This public-sourced case was prepared by Tami Kim, Assistant Professor of Business Administration; and Gerry Yemen, Senior Researcher. It was
written as a basis for class discussion rather than to illustrate effective or ineffective handling of an administrative situation. Copyright  2020 by the
University of Virginia Darden School Foundation, Charlottesville, VA. All rights reserved. To order copies, send an email to
sales@dardenbusinesspublishing.com. No part of this publication may be reproduced, stored in a retrieval system, used in a spreadsheet, or transmitted in any form or by
any means—electronic, mechanical, photocopying, recording, or otherwise—without the permission of the Darden School Foundation. Our goal is to publish materials of the
highest quality, so please submit any errata to editorial@dardenbusinesspublishing.com.
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 2
UV8106
Data Collection: Risk and Opportunity
As the world’s largest internet peer-to-peer platform with more than 2.4 billion users,4 Facebook was built
upon a simple premise—people wanted to share things with their friends and family (see Exhibit 1). And share
they did, in over 100 different languages worldwide. Through online profiles, users posted images and videos,
shared information and news, played games with one another, and discovered new products and services. Part
of the experience was facilitated by developers of third-party apps, which were allowed to integrate with
Facebook. Through all these touch points, Facebook collected and stored 96 data categories, which generated
192 billion data points from users around the world.5 (See Exhibit 2 for the type of data collected and the
usage thereof.) Data centers in the United States and Europe stored the data Facebook collected.
The data Facebook shared with partners6 through its analytics services was quite extensive. Indeed, some
referred to its practice as leasing: “[Facebook] is most certainly the largest data broker in the history of the data
industry.”7 Zuckerberg was quick to point out that Facebook sold ads (thereby earning money that was almost
entirely revenue for Facebook8), not data. When data was reported to advertisers, Facebook user statistics were
commonly aggregated. Personal identifiers like name and address were shared only if Facebook users gave the
company permission.9 Advertisers were provided information around which ads led the user to buy something
or take an action (or not) around a product or service they had viewed.10 If a Facebook user logged off its site
or app, the firm continued to track his or her internet activity.
“We do that for a number of reasons,” Zuckerberg said, “including security, and including measuring ads
to make sure that the ad experiences are the most effective.”11 Users could opt out of this feature. While
Zuckerberg acknowledged that users were often uncomfortable with companies’ gathering information about
them, they seemed willing to do it as long the ads were of interest. “What we found is that even though some
people don’t like ads,” Zuckerberg said, “people really don’t like ads that aren’t relevant.”12 Facebook earned
income based on the number of user clicks, likes, and shares of customer ads.
In addition to gathering users’ data to target advertising, Facebook shared it with data brokers who collected
and sold consumers’ personal information. Data brokers claimed that the purpose for wanting data included
marketing, verifying identities, and revealing fraud—all seemingly appropriate. But there were benefits and risks
to consumers from this practice. For example, the use of personal data collected prevented someone from
getting a bank loan using someone else’s identity was a good thing. But someone being denied a bank loan
because of a mistaken identity was a bad thing. Both situations could happen using data-brokered information.
Concerns around personal privacy and data collection surfaced, and Facebook users started to pay more
attention to what was happening.
While Facebook had been considered a favored platform in the first decade of the 2000s, its favor seemed
to be declining in the second decade of the 2000s. Indeed, in 2014, the FTC settled an investigation of Facebook
over privacy violations, which forced the company to strengthen efforts to guard users’ information (five years
later, the FTC fined Facebook $5 billion for privacy violations). Facebook was not alone. The same year, the
Facebook annual report, 2019.
https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/.
6 Partners included advertisers, aggregators, product/service sellers and vendors, researchers and academics, and law enforcement.
7 “Written Testimony of John Battell—Cambridge Analytica and Other Facebook Partners: Examining Data Privacy Risks,” US Senate Committee
on Commerce, Science, & Transportation, June 17, 2018, https://nsarchive.gwu.edu/news/cyber-vault/2019-02-06/congressional-hearing-documents
(accessed Sept. 13, 2019).
8 Facebook annual report, 2019.
9 “Data Policy,” Facebook, https://www.facebook.com/about/privacy/update/printable (accessed Oct. 1, 2019).
10 https://www.facebook.com/about/privacy/update/printable.
11 https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/.
12 https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/.
4
5
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 3
UV8106
Snapchat mobile messaging application settled an FTC privacy case for keeping photo and video messages that
were posted through third-party applications—even though Snapchat promised users that their messages
disappeared once opened. Likewise, Google had to pay a $22.5 million fine for privacy violations. Search
engines Google, Chrome, and Mozilla Firefox, as well as tech behemoth Amazon, came under scrutiny because
their browser extensions (called add-ons or plug-ins) were harvesting data around browser history and page
views.13 For instance, a marketing-intelligence service called Nacho Analytics provided personal information
such as “usernames, passwords, and GPS coordinates” along with “names of patients, doctors, and even
medications to clients using data from plug-ins.”14 The third-party browser-extension companies running the
apps defended the practice as their terms of services stated they may collect personal data. At least Amazon paid
users $10 for using the extensions and allowing collection of user data.
The tech industry was not the only sector under attack for its practices around consumers’ personal data.
Target, the large retailer with an often-envied reputation of being a “cooler” company than other discount
retailers, tarnished its standing among many consumers with privacy violations. It came to light that every
Target customer was given a guest ID number linked to their credit card, name, and email address. Within that
number was everything that person purchased as well as any demographic data that could be gleaned. As
consumer profiles grew, shopping behaviors could be predicted. For example, the firm’s digital team ran test
data searching for patterns and discovered a connection between its baby registry and the purchase of unscented
baby lotion. They also noted that supplements were frequently purchased early on in pregnancy, and that large
bags of cotton balls and scent-free soap were common during late stages of pregnancy. Target’s data team ran
data around categories of shoppers and items that fit and came up with a “pregnancy prediction” score that
was eerily accurate.15 With that knowledge, Target started to send baby-item coupons to customers as their due
date approached. This practice earned screeching headlines when a father read a coupon mailer for baby items
addressed to his high-school-aged daughter.16 Target’s reputation went from “cool” to “snoop” as its customers
objected to the practice. Consumers organized on Facebook and Twitter calling for boycotts (using the hashtags
#boycotttarget, #boycotttargetcouponing, and #pregnant). Although Target continued to use predictive data,
it changed the coupon practice by creating a coupon booklet to make baby items appear arbitrary. Within a
short period of time, consumers relaxed, used Target coupons, and decided they were not being spied on by
the company.17
Savvier consumers understood how their personal data was used and shared, and some were okay with the
lack of transparency in which it occurred. Other consumers had no knowledge that their personal information
was being collected. Some wanted their personal data used only with their consent, and others wanted to be
compensated. There were even calls for personal data to be protected as a human right.18 For those who were
deeply concerned about privacy but still wanted a social media account, there was MeWe, which had its “privacy
bill of rights” on its homepage and marketed itself as the social media firm that “doesn’t own your personal
information and content.”19 In contrast to Facebook’s 4,000-plus words and 72 links on its data policy, MeWe’s
privacy policy contained 1,000-plus words and a single link to archived policies on its homepage.
13
Geoffrey
A.
Fowler,
“Your
Data’s
For
Sale.
I
Found
It.,”
Washington
Post,
July
19,
2019,
https://www.washingtonpost.com/technology/2019/07/18/i-found-your-data-its-sale/?utm_term=.7ff63ac62014 (accessed Jul. 19, 2019).
14 https://www.washingtonpost.com/technology/2019/07/18/i-found-your-data-its-sale/?utm_term=.7ff63ac62014.
15 Kashmir Hill, “How Target Figured out a Teen Girl Was Pregnant before Her Father Did,” Forbes, February 16, 2012,
https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#5e5f64f76668
(accessed May 13, 2019).
16 See Gus Lubin, “The Incredible Story of How Target Exposed a Teen Girl’s Pregnancy,” Business Insider, February 16, 2012,
https://www.businessinsider.com/the-incredible-story-of-how-target-exposed-a-teen-girls-pregnancy-2012-2 (accessed Oct. 1, 2019); or
https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/ for more.
17 https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#5e5f64f76668.
18 “The World’s Most Valuable Resource Is No Longer Oil, but Data,” Economist, May 6, 2017.
19 MeWe, “MeWe’s Privacy Bill of Rights—Check It Out,” https://mewe.com/#bill (accessed Jul. 18, 2019).
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 4
UV8106
Overall, in a Pew Research Center survey, 88% of respondents believed they had little to no control over
their purchase histories, 85% said they had little to no control over their internet history or social media
activity.20 The majority felt they had little to no control over their location data (82%). And they certainly weren’t
confident that companies would take responsibility when their data had been misused or compromised.21
Cambridge Analytica
Although Facebook users often agreed to share their own data, many were caught off guard by learning
that they had inadvertently shared their contact-list information with the company. This all came to head in
2015 in a privacy breach with a political consulting company called Cambridge Analytica. A social psychologist
and researcher at Cambridge University, Aleksandr Kogan, designed a survey app called This Is Your Digital Life.
The app involved personality questions and invited users to participate through Facebook. The survey app
could be logged into using Facebook, which in turn authorized Kogan to access Facebook users’ data (“names,
birthdays, gender, location, affinities, and page likes”22). In addition, Kogan was given permission from
Facebook survey participants to use their friends’ data if they used “friend permissions” on their Facebook
settings.23 The survey app’s terms of service stated that respondents’ data could be sold or transferred (this was
not allowed by Facebook, but in this case, it wasn’t prevented). Kogan used participants’ responses to build
personality profiles that could be used to predict behavior. Roughly 300,000 Facebook users downloaded the
app and took the survey, but because of their privacy settings, “Kogan was able to access some information
about tens of millions of their friends.”24
Kogan’s research moved away from academic research when, for $800,000, he sold the data—which
essentially had been mined from 87 million of Facebook’s users without their knowledge—to Cambridge
Analytica, a Facebook advertising client.25 The data enabled Cambridge Analytica to identify “undecided”
voters, and it then sold this data to political operatives in the United States—to Ted Cruz’s presidential
nomination campaign and to the Donald Trump campaign—as well as to pro-Brexit operatives in the United
Kingdom to help hone political messaging.26 According to Facebook, the violation of the company’s Platform
Policy occurred when Kogan sold the data.27
Once this information was made public in 2015 in the Guardian, Facebook contacted Kogan and Cambridge
Analytica. Both verified that the report was accurate and were told to delete the data.28 Facebook also revoked
Kogan’s Facebook account. Facebook did not contact users who had been impacted by the breach. Writing on
January 18, 2016, Cambridge Analytica confirmed that it had deleted Kogan’s data and all backups thereof.29
20 Farhad Manjoo, “We Hate Data Collection. That Doesn’t Mean We Can Stop It,” New York Times, November 15, 2019,
https://www.nytimes.com/2019/11/15/opinion/privacy-facebook-pew-survey.html (accessed Jun. 23, 2020).
21 https://www.nytimes.com/2019/11/15/opinion/privacy-facebook-pew-survey.html.
22 United States District Court Northern District of California, Security and Exchange Commission vs. Facebook, Inc., Case 3:19-cv-04241, July 27, 2019,
https://www.sec.gov/litigation/complaints/2019/comp-pr2019-140.pdf (accessed Jun. 23, 2020).
23 Lesley Stahl, “Aleksandr Kogan: The Link between Cambridge Analytica and Facebook,” 60 Minutes, September 2, 2018,
https://www.cbsnews.com/news/aleksandr-kogan-the-link-between-cambridge-analytica-and-facebook-60-minutes/ (accessed Jun. 23, 2020).
24 https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/.
25 Hannah Kuchler, “How Facebook Grew Too Big to Handle,” Financial Times, March 28, 2019, https://www.ft.com/content/be723754-501c-11e99c76-bf4a0ce37d49 (accessed Jul. 18, 2019).
26 Carole Cadwalladr and Emma Graham-Harrison, “Revealed: 50 Million Facebook Profiles Harvested for Cambridge Analytica in Major Data
Breach,” Guardian, March 17, 2018, https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election (accessed
Sept. 12, 2019).
27 https://www.sec.gov/litigation/complaints/2019/comp-pr2019-140.pdf.
28 https://www.sec.gov/litigation/complaints/2019/comp-pr2019-140.pdf.
29 “House Energy and Commerce Questions for the Record,” US House of Representatives Energy and Commerce Committee, June 29, 2019,
https://docs.house.gov/meetings/IF/IF00/20180411/108090/HHRG-115-IF00-Wstate-ZuckerbergM-20180411.pdf (accessed Mar. 30, 2020).
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 5
UV8106
On June 11, 2016, Kogan provided certified verification that he (and all other researchers and entities with
whom he’d shared the data) had deleted the data and backups of it.30
At first, Facebook said little to nothing about anything that had happened around data and Cambridge
Analytica. Facebook did, however, announce that it was removing Cambridge Analytica’s Facebook page on
March 16, 2018—one day before the New York Times and the Guardian broke a more complete story from a
former Cambridge Analytica employee. Just shy of a month later, Facebook posted a notice about the breach,
as shown in Figure 1, notifying users directly for the first time. (See Exhibit 3 for changes Facebook made as
a result). Facebook maintained that the data had been illegally taken. Kogan said: The idea that we stole the
data, I think, is technically incorrect. I mean they created these great tools for developers to collect the data.
And they made it very easy. I mean, this was not a hack. This was, “Here’s the door. It’s open. We’re giving
away the groceries. Please collect them.”31
As Facebook replied in writing to the Energy and Commerce Committee of the US House of
Representatives on June 29, 2018:
Because all of these concerns relate to activity that took place off of Facebook and its systems, we have
no way to confirm whether Cambridge Analytica may have Facebook data without conducting a
forensic audit of its systems. Cambridge Analytica has agreed to submit to a forensic audit, but we have
not commenced that yet due to a request from the UK Information Commissioner’s Office, which is
simultaneously investigating Cambridge Analytica (which is based in the UK). And even with an audit,
it may not be possible to determine conclusively what data was shared with Cambridge Analytica or
whether it retained data after the date it certified that data had been deleted.32
Figure 1. Facebook users’ notification at the top of their news feed on April 10, 2018.33
“Protecting Your Information
“We understand the importance of keeping your data safe. We have banned the app “This Is Your
Digital Life,” which one of your friends used Facebook to log into. We did this because the app
may have misused some of your Facebook information by sharing it with a company called
Cambridge Analytica. In most cases, the information was limited to public profiles, Page likes,
birthday, and current city.
“You can learn more about what happened and how you can remove apps and websites anytime
if you no longer want them to have access to your Facebook information.
“There is more work to do, but we are committed to confronting abuse and to putting you in
control of your privacy.”
Data source: Olivia Harvey, “Did Facebook Warn You That a Friend Used the “This Is Your Digital Life” App? Here’s What That Means.”
Hellogiggles, April 13, 2018, https://hellogiggles.com/news/facebook-this-is-your-digital-life-app/ (accessed July 2, 2020).
Regardless of how the data breach occurred, the notion that Facebook had failed to keep user data secure
grew to the extent that WhatsApp cofounder Brian Acton spearheaded a movement to delete Facebook
accounts. What had been done with breached Facebook users’ data angered the users themselves, legislators,
https://docs.house.gov/meetings/IF/IF00/20180411/108090/HHRG-115-IF00-Wstate-ZuckerbergM-20180411.pdf.
https://www.cbsnews.com/news/aleksandr-kogan-the-link-between-cambridge-analytica-and-facebook-60-minutes/.
32 https://docs.house.gov/meetings/IF/IF00/20180411/108090/HHRG-115-IF00-Wstate-ZuckerbergM-20180411.pdf.
33 Olivia Harvey, “Did Facebook Warn You That a Friend Used the “This Is Your Digital Life” App? Here’s What That Means.” Hellogiggles, April
13, 2018, https://hellogiggles.com/news/facebook-this-is-your-digital-life-app/ (accessed July 2, 2020).
30
31
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 6
UV8106
and the general public, so that mishandling of privacy and trust became a prime example of all that was wrong
in the tech field. The judgment and anger may have been high among many, but there were some strong
supporters of Zuckerberg and the company. The cofounder of PayPal, Peter Thiel, counseled Zuckerberg and
opposed suggestions that Facebook conduct an outside investigation of the Cambridge Analytica breach.34
Legislators summoned Zuckerberg to Congress to testify before the House of Representatives’ Committee on
Energy and Commerce on April 11, 2018, on the issue of transparency and use of consumer data—and the
previous day, he had testified before the Senate Committee on the Judiciary and the Senate Committee on
Commerce, Science, and Transportation (see Appendix 1 for excerpts from these hearings). Both public
hearings included some Congressional members who supported Facebook. Indeed, after reporting on the
scandal and hearings, one USA Today journalist asked, “Can we go back to loving Facebook again, now?”35
Consumer Data Rights and Privacy Concerns
As Facebook, Google, and other tech giants made headlines due to privacy concerns, it was clear that
consumer and regulator concerns about the use and protection of their data had been simmering for some time.
Data breaches of sites such as Ashley Madison (an extramarital-affair platform) and Equifax (a credit-reporting
agency) affected 32 million and 147 million consumers, respectively, and left tech firms with an urgent need to
take huge measures to preempt other breaches and to devise contingency plans in case such breaches did occur.
Some companies worried about consumer protection from certain types of exploitative advertisers (e.g.,
moneylenders that charged extremely high interest rates or that threatened violence against people who were
late on payments targeting low-income consumers). Even when tech companies had strong privacy policies and
enforced them, some argued that it wasn’t enough protection because those policies were often difficult to
decipher and understand.
Similarly, privacy-control settings were often elusive and far from user friendly, making it less likely that
consumers would actually take appropriate steps to ensure their data was used in the ways they desired. Some
leaders in business and government subscribed to the notion that consumers were naïve, and thus it was up to
regulators and companies to take proactive actions to protect them. At the same time, industry experts raised
the impracticality of too many protection measures—for instance, even if a company were to ask its consumers
to give consent to every party it shared their personal data with, the complex ecosystem would make it
impractical, not to mention costly. “It might surprise some to know that many major corporations also don’t
actually sell their consumer data,” one marketing scholar said, “because it is valuable.”36
While consumers did already have the ability to opt out of sharing some of their data by purchasing apps
that didn’t practice data collection, most didn’t buy said apps. “It’s really bizarre that we are unwilling to pay
50 cents for an app in the app store but we are totally okay with paying $5 or $6 for a cup of coffee,” another
scholar noted. “Because of this psychology, it’s really hard to ask people to pay for electronic things they expect
to be free.”37
34
Eric
Lutz,
“Guess
Who’s
Behind
Facebook’s
Political
Ad
Policy,”
Vanity
Fair,
December
19,
2019,
https://www.vanityfair.com/news/2019/12/peter-thiel-behind-facebooks-political-ad-policy (accessed Jun. 23, 2020).
35
Jefferson Graham, “Facebook’s Zuckerberg Got Grilled, but Nothing’s Really Changed,” USA Today, April 14, 2018,
https://www.usatoday.com/story/tech/talkingtech/2018/04/14/facebooks-zuckerberg-got-grilled-but-nothings-really-changed/516312002/
(accessed Jun. 23, 2020).
36
“Your Data Is Shared and Sold…What’s Being Done about It?,” Knowledge@Wharton, October 28, 2019,
https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/ (accessed Jun. 23, 2020).
37 https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/.
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 7
UV8106
Facebook: The Crackdown?
Certainly, Facebook was under tremendous pressure from the general public and regulators. Consumer
trust had been broken. As people became increasingly concerned about their own privacy, so too did regulators.
The top regulator on privacy and data security in the United States was the FTC, which frequently launched
investigations, issued reports, and recommended legislation around the internet and its lack of transparency
with regards to personal data gathered. Although the FTC had the ability to fine businesses, payment was often
made without admissions of wrongdoing (e.g., in the cases of Google and Equifax). Indeed, the regulator’s
authority was limited to the laws around privacy protection, of which few existed when it came to the internet.
Despite that, since 2018, Facebook had made progress on providing users more transparency around how
the organization operated, how policies were enforced, and how shared data was collected. Yet challenges
persisted over how to deal with misinformation on Facebook’s platform and what to do with efforts to regain
public trust. Facebook needed access to user data in order to ensure its advertising revenue source remained
profitable (see Exhibit 4) and to ensure its platform remained attractive for its more than 7 million advertisers.38
Zuckerberg had this to say:
But it’s clear now that we didn’t do enough to prevent these [Facebook] tools from being used for
harm as well. That goes for fake news, foreign interference in elections, and hate speech, as well as
developers and data privacy. We didn’t take a broad enough view of our responsibility, and that was a
big mistake. It was my mistake, and I’m sorry. I started Facebook, I run it, and I’m responsible for
what happens here.39
Facebook had an important existential decision to make. Had it crossed the line with users over data
collection? Or would things smooth out, as it had for Target and its relationship with shoppers? And what
exactly was part of Facebook’s responsibility and what wasn’t?
38 Kerry Flynn, “Cheatsheet: Facebook Now Has 7 Million Advertisers,” Digiday, January 30, 2019, https://digiday.com/marketing/facebookearnings-q4-2018/#:~:text=Facebook%20has%207%20million%20advertisers,operating%20officer%20Sheryl%20Sandberg%20revealed
(accessed
Jun. 18, 2020).
39 House of Representatives Committee on Energy and Commerce Hearing, April 11, 2018.
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 8
UV8106
Exhibit 1
Facebook, Cambridge Analytica, and the (Uncertain) Future of Online Privacy
Snapchat Survey: Why People Use Each App, 2018
Application
How People Use It
Facebook
Talk to friends and family
Share pictures
Conduct private conversations
Learn about events
Instagram
Share pictures
Talk to friends
Follow influencers and celebrities
Share my day
Share videos
Snapchat
Talk to friends
Share pictures
Play with lenses and filters
Share videos
Share my day
Twitter
Keep up on current events and news
Follow discussions, influencers, celebrities
Learn about interests and topics of interest
Share views on topics
YouTube
Learn about interests and topics of interest
Learn about new products
Share videos
Follow pop culture news
Find products to buy
Data source: “[US] Apposphere: How the Apps You Use Impact Your Daily Life and Emotions,” Snapchat Business, January
8, 2019, https://forbusiness.snapchat.com/blog/apposphere-how-the-apps-you-use-impact-your-daily-life-and-emotions
(accessed Oct. 1, 2019).
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 9
UV8106
Exhibit 2
Facebook, Cambridge Analytica, and the (Uncertain) Future of Online Privacy
Data Facebook Collected
From users and
Facebook friends
All content and communications posted on Facebook
products
Metadata (i.e., photo/file location, date taken or
created)
All Facebook camera material
Networks and connections (contact information from
synced devices)
How Facebook products were used
All content viewed on Facebook
Transaction made using Facebook (credit/debit card
numbers, billing, shipping, contact information)
Information/content that other Facebook users
provided about you
From devices
Information about all devices integrated with
Facebook (attributes, operations, and behaviors such
as mouse movement, identifiers, signals, settings,
networks and connections, cookie data)
From partners and
Facebook business
tools
Activities used offline (i.e., when logged out of
Facebook) including APIs and SDKs, websites visited,
purchases, ads, games played, and store purchases
API = application programming interface; SDK = software development kit.
Data source: All policies in this part of the exhibit are taken directly from “Data Policy,” Facebook,
https://www.facebook.com/policy.php (accessed Oct. 1, 2019).
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 10
UV8106
Exhibit 2 (continued)
How Facebook Used Collected Data
Improve products
Make suggestions on content/features that may
interest user
Personalize products for user (i.e., location-related
information)
Learn how Facebook products were used
Tailor Facebook products offered to user
Autofill information from one product to another and
one device to another
Develop and test better products
Face recognition1
Customize ads and sponsored content
Research and innovate for social good
Provide measurement
analytics to Facebook
partners
Measure ad effectiveness and distribute partner ads
Improve communication about products/services
Understand how products were used and what type of
people were using them
Promote safety and
security
Investigate suspicious activity
Prevent spam
Maintain product integrity
Data source: “Data Policy,” Facebook, https://www.facebook.com/policy.php (accessed Oct. 1, 2019).
1
If turned on.
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 11
UV8106
Exhibit 2 (continued)
How Facebook Used Collected Data
Your activity with
other businesses
When you share information like your phone number
or email address with a business, they might add it to
a customer list that can be matched to your Facebook
profile. We can then try to match the ad to the most
relevant audience. You may have shared your
information with these businesses by:
“Signing up for an email newsletter
“Making purchases at retail stores
“Signing up for a coupon or discount”
Your activity across
Facebook companies
and products
Ads are shown to you based on your activity across
Facebook companies and products—such as:
Pages you and your friends like
Information from your Facebook and Instagram
profile
Places you check in using Facebook
Your activity on other Websites you visit or apps you use can send Facebook
websites and apps
data directly by using our business tools (such as a
pixel) to help us show you ads based on products or
services you've looked at, such as a shirt on a clothing
retailer's website. Examples of this include:
Viewing one of their web pages
Downloading their mobile app
Adding a product to a shopping cart or making a
purchase
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 12
UV8106
Exhibit 2 (continued)
How Facebook Used Collected Data
Your location
We use location data to show you ads from
advertisers trying to reach people in or near a specific
place. We get this information from sources such as:
Where you connect to the internet
Where you use your phone
Your location from your Facebook and Instagram
profile
Data source: All policies in this part of the exhibit are taken directly from “Understand What Data Is Used
to Show You Ads,” Facebook, https://www.facebook.com/ads/about/?entry_product=ad_preferences
(accessed Jul. 7, 2020).
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 13
UV8106
Exhibit 2 (continued)
Personal Data Facebook Collected
Age
Age of car
Email service used
Field of study
Generation
Industry
Interests
Language
Office type
Property size
School
Square footage of home
Year home was built
Ethnic affinity
Income and net worth
Year car was bought
Education level
Employer
Gender
Home ownership and type
Home value
Household composition
Internet browser
Job title
Location
Operating system
Parents
Relationship status
Style and brand of car a user drives
Expectant parents
Conservatives and liberals
Expats (divided by country of origin)
Mothers, divided by type (e.g., soccer, trendy)
How many employees a user’s company has
Where user is likely to buy their next car
How much money user is likely to spend on
their next car
Number of credit lines a user has open
Kinds of stores user shops at
Types of restaurants user eats at
Types of vacations user tends to go on
Length of time user has lived in their house
Early/late adopters of technology
Users in new relationships
Users who have new jobs
Users who are newly engaged
Users who are newly married
Users who have recently moved
Users who have birthdays soon
Users likely to engage in politics
Users who are likely to move soon
Users who are away from family or their
hometown
Users who have an anniversary within 30 days
Users who have donated to charity (divided by
type)
Users who play canvas games
Users who own a gaming console
Users who plan to buy a car, including kind/brand and how soon
Users who bought auto parts or accessories recently
Users who are likely to need auto parts or services
Users who work in management or are executives
Users who have used Facebook Payments
Users who own motorcycles
Users who own small businesses
Users who spend money on household products
Users whose household makes more purchases than the average
Users who tend to shop online or offline
Users in long-distance relationships
Users who travel frequently, for work or pleasure
Users who recently used a travel app
Users who have created a Facebook event
Users who administer a Facebook page
Users who have spent more than average via Facebook Payments
Users who have recently uploaded photos to Facebook
Users who belong to a credit union, national bank, or regional bank
Users who are interested in the Olympics, American football, cricket, or Ramadan
Users who recently returned from a trip
Users who participate in a timeshare
Users who invest (divided by investment type)
Users who commute to work
Users receptive to online auto insurance, higher education, mortgages, prepaid debit
cards, or satellite TV
Users who buy allergy meds, cough/cold meds, pain-relief products, over-the-counter
meds
Users who are friends with someone who has an anniversary, is newly married/engaged,
who recently moved, or who has an upcoming birthday
Users who spend money on products for kids or pets, and what kinds of pets they have
Source: Caitlin Dewey, “98 Personal Data Points That Facebook Uses to Target Ads to You,” Washington Post, August 19, 2016, https://www.washingtonpost.com/news/the-intersect/wp/2016/08/19/98personal-data-points-that-facebook-uses-to-target-ads-to-you/ (accessed Jun. 23, 2020).
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 14
UV8106
Exhibit 3
Facebook, Cambridge Analytica, and the (Uncertain) Future of Online Privacy
Facebook Policy Changes after Cambridge Analytica
Apps
Limit information apps could access from Facebook
Must have approval from Facebook for access to anything from users beyond their public profile,
email address, and friends list
Make it easier for users to understand what data they allow apps access to
Make it easier to remove permissions from any apps users had previously given access to their data
Platform
Removed developers’ access to users who hadn’t used the app in three months
User approval for apps is limited to name, profile photo, email address
Apps must sign a contract with Facebook to ask users for access to data beyond
name, profile photo, email address
Restrict APIs like groups and events from users sharing other people’s information
Shut down Facebook feature that allowed users to look up phone numbers and
email addresses
Investigating
Investigate all apps that had access to vast amounts of data
Conduct forensic audit of apps suspected of misusing data
Data source: “Transcript of Mark Zuckerberg’s Senate Hearing,” Washington Post, April 10, 2018, https://www.washingtonpost.com/news/theswitch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/ (accessed Sept. 15, 2019).
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 15
UV8106
Exhibit 4
Facebook, Cambridge Analytica, and the (Uncertain) Future of Online Privacy
Net Digital Ad Revenue February, 20191
40%
35%
30%
25%
20%
15%
10%
5%
0%
Amazon
Facebook
Google
Microsoft
Verizon
Data source: James Grimaldi and Brent Kendall, “The Government v. The Tech Giants,”
Wall Street Journal, September 10, 2019.
Facebook Stock Price
$250
$200
$150
$100
$50
$‐
Data source: “Facebook, Inc. (FB), Time Period: May 18, 2012–Sept. 15, 2019,” Yahoo! Finance,
https://finance.yahoo.com/quote/FB/history?period1=1337313600&period2=1568520000&interval=1m
o&filter=history&frequency=1mo (accessed Oct. 1, 2019).
1
Google data included YouTube, and Facebook data included Instagram.
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
For the exclusive use of T. Choy, 2023.
Page 16
UV8106
Appendix 1
Facebook, Cambridge Analytica, and the (Uncertain) Future of Online Privacy
Zuckerberg Testimony at the Senate Committee on the Judiciary
and the Senate Committee on Commerce, Science, and Transportation
Honorable Greg Walden (chair):
The incident involving Cambridge Analytica and the compromised
personal information of approximately 87 million American users—or
mostly American users—is deeply disturbing to this committee. The
American people are concerned about how Facebook protects and profits
from its users’ data. In short, does Facebook keep its end of the agreement
with its users? How should we as policymakers evaluate and respond to
these events? Does Congress need to clarify whether or not consumers own
or have any real power over their online data? Have edge providers grown
to the point that they need federal supervision?1
Mark Zuckerberg:
My top priority has always been our social mission of connecting people,
building community, and bringing the world closer together. Advertisers
and developers will never take priority over that, as long as I am running
Facebook.2
Zuckerberg:
When we learned in 2015 that Cambridge Analytica had bought data from
an app developer on Facebook that people had shared it with, we did take
action.
We took down the app, and we demanded that both the app developer and
Cambridge Analytica delete and stop using any data that they had. They
told us that they did this. In retrospect, it was clearly a mistake to believe
them...
Senator Bill Nelson:
Yes.
Zuckerberg:
…and we should have followed up and done a full audit then. And that is
not a mistake that we will make.
Nelson:
Yes, you did that, and you apologized for it. But you didn’t notify them.
And do you think that you have an ethical obligation to notify 87 million
Facebook users?
Zuckerberg:
Senator, when we heard back from Cambridge Analytica that they had told
us that they weren’t using the data and had deleted it, we considered it a
closed case. In retrospect, that was clearly a mistake.
We shouldn’t have taken their word for it, and we’ve updated our policies
and how we’re going to operate the company to make sure that we don’t
make that mistake again.
Nelson:
Did anybody notify the FTC?
Zuckerberg:
No, senator, for the same reason—that we’d considered it a closed—a
closed case.3
House of Representatives Committee on Energy and Commerce Hearing, April 11, 2018.
“Transcript of Mark Zuckerberg’s Senate Hearing, Washington Post, April 10, 2018, https://www.washingtonpost.com/news/theswitch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/ (accessed Sept. 15, 2019).
3 https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/.
1
2
This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.
Download