Seeing Facebook's Mark Zuckerberg face the Senate in the US recently showcased something that we don't get to see that often: a company, and its CEO, held accountable.
The furore over the revelations that Cambridge Analytica harvested data on 87 million users – including some 300,000 Australians – via an app that tied into Facebook and slurped up data without permission isn't all that surprising: Facebook, YouTube, Twitter and others have built their business on user-generated data.
Cambridge Analytica caused such a backlash because it harvested this data without permission, and not only of Facebook users but also of people who have never used Facebook, thanks in part to 'shadow profiles' gleaned from personal data.
This is in addition to Cambridge Analytica’s alleged role in manipulating the 2016 US Trump election campaign through targeted fake news based on the psychological profiling of Facebook users.
No wonder we saw Zuckerberg in tense moments as he fielded questions from Senators. The breach of trust has been huge.
It's a multi-faceted problem.
Part of it is a lack of ethical frameworks built into digital products from the ground up, something frequently left by the wayside in the agile, fail-fast start-up ideology.
Part of it rests on the shoulders of us as users, the majority of whom don't understand the value of our own data, or why we may not want to give it all away for free in exchange for these services.
And part of it is the lack of legislation for the enforcement of privacy principles that puts people first, though the tide is slowly turning – the Office of the Information Commissioner (OAIC) just announced an investigation of Facebook to determine if the Privacy Act 1988 has been breached; while in Europe the General Data Protection Regulation (GDPR), which includes provisions ensuring consumer consent on the collection and use of data, comes into effect May 25th this year.
It also enforces protection of that data, and carries hefty fines for breaches: up to €20 million per breach, or 4% of global turnover. For Europe's 2.7 million users caught up in this affair, this could number in the billions.
It sends a clear message: being custodian of personal information cannot be taken lightly anymore.
So, what's the solution? Firstly, and to take Facebook out of the equation for a moment, it is to recognise that almost every business today is a data business; even if it's just storing basic details to manage clients, with that comes a responsibility to protect the information.
The recently enacted Data Breach Notification scheme is part of ensuring businesses do the right thing by the people whose data they have collected.
But more needs to be done. Europe's GDPR is perhaps a good place to start, especially its data principles which include ‘Right to Access’ and ‘Right to be Forgotten’.
These are the first steps to restoring control of data back to the people who are providing it -- you, me, and everyone else.
Other principles that Australia may benefit from considering include:
· Where privacy settings are provided with a service, platform, or application, those settings default to 'enabled'. Additionally, such settings are not obscure, and a one-click enable/disable function allows a user to easily exercise control.
· To help prevent the type of abuse of trust seen with Cambridge Analytica, third-party access must be explicitly opted into by the user. Additionally, the user is notified when data is disclosed to a third party, and who that third party is.
· Tighter controls on the storage of information about individuals with whom a business has no direct relationship, to prevent, for example, the building of shadow profiles.
There's no silver bullet, and there may be exceptions to the above, but the very public outing of Facebook's failings should be taken as a canary in the coal mine for our data-driven times.
Unless we as consumers recognise the true value of our data, and businesses as custodians of it are bound by law to protect it, this won't be the last time we see a CEO dragged in front of a hearing to explain the latest breach of both data and trust.