Cambridge Analytica


Facebook didn’t see Cambridge Analytica breach coming because it was focused ‘on the old threat’

In light of the massive data scandal involving Cambridge Analytica around the 2016 U.S. presidential election, a lot of people wondered how something like that could’ve happened. Well, Facebook didn’t see it coming, Facebook COO Sheryl Sandberg said at the Code conference this evening.

“If you go back to 2016 and you think about what people were worried about in terms of nation-states or election security, it was largely spam and phishing hacking,” Sandberg said. “That’s what people were worried about.”

She referenced the Sony email hack and how Facebook didn’t have a lot of the problems other companies were having at the time. Unfortunately, while Facebook was focused on not screwing up in that area, “we didn’t see coming a different kind of more insidious threat,” Sandberg said.

Sandberg added, “We realized we didn’t see the new threat coming. We were focused on the old threat and now we understand that this is the kind of threat we have.”

Moving forward, Sandberg said, Facebook now understands the threat and is better able to meet those threats heading into future elections. On stage, Sandberg also said Facebook was not only late to discovering Cambridge Analytica’s unauthorized access to its data, but that Facebook still doesn’t know exactly what data Cambridge Analytica accessed. Facebook was in the midst of conducting its own audit when the U.K. government decided to conduct one of its own, thereby putting Facebook’s on hold.

“They didn’t have any data that we could’ve identified as ours,” Sandberg said. “To this day, we still don’t know what data Cambridge Analytica had.”

RSS is undead

RSS died. Whether you blame Feedburner, or Google Reader, or Digg Reader last month, or any number of other product failures over the years, the humble protocol has managed to keep on trudging along despite all evidence that it is dead, dead, dead.

Now, with Facebook’s scandal over Cambridge Analytica, there is a whole new wave of commentators calling for RSS to be resuscitated. Brian Barrett at Wired said a week ago that “… anyone weary of black-box algorithms controlling what you see online at least has a respite, one that’s been there all along but has often gone ignored. Tired of Twitter? Facebook fatigued? It’s time to head back to RSS.”

Let’s be clear: RSS isn’t coming back alive so much as it is officially entering its undead phase.

Don’t get me wrong, I love RSS. At its core, it is a beautiful manifestation of some of the most visionary principles of the internet, namely transparency and openness. The protocol really is simple and human-readable. It feels like how the internet was originally designed with static, full-text articles in HTML. Perhaps most importantly, it is decentralized, with no power structure trying to stuff other content in front of your face.
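
To see just how simple, here is a minimal sketch, using only Python’s standard library, of fetching an RSS 2.0 feed and printing its items. The feed URL is a placeholder, not a real endpoint.

# Minimal sketch: fetch an RSS 2.0 feed and print its items using only
# the Python standard library. The feed URL is a placeholder.
import urllib.request
import xml.etree.ElementTree as ET

FEED_URL = "https://example.com/feed.xml"  # placeholder; any RSS 2.0 feed URL works

with urllib.request.urlopen(FEED_URL) as resp:
    xml_data = resp.read()

root = ET.fromstring(xml_data)
# RSS 2.0 nests entries under <rss><channel><item>
for item in root.findall("./channel/item"):
    title = item.findtext("title", default="(untitled)")
    link = item.findtext("link", default="")
    pub_date = item.findtext("pubDate", default="")
    print(f"{pub_date}  {title}\n    {link}")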

It’s wonderfully idealistic, but the reality of RSS is that it lacks the features required by nearly every actor in the modern content ecosystem, and I would strongly suspect that its return is not forthcoming.

Now, it is important before diving in here to separate out RSS the protocol from RSS readers, the software that interprets that protocol. While some of the challenges facing this technology are reader-centric and therefore fixable with better product design, many of these challenges are ultimately problems with the underlying protocol itself.

Let’s start with users. I, as a journalist, love having hundreds of RSS feeds organized in chronological order, allowing me to see every single news story published in my areas of interest. That use case, though, covers only a minuscule fraction of users, who aren’t paid to report on the news comprehensively. Instead, users want personalization and prioritization — they want a feed or stream that shows them the most important content first, since they are busy and lack the time to digest enormous amounts of content.

To get a flavor of this, try subscribing to the published headlines RSS feed of a major newspaper like the Washington Post, which publishes roughly 1,200 stories a day. Seriously, try it. It’s an exhausting experience wading through articles from the style and food sections just to run into the latest update on troop movements in the Middle East.

Some sites try to get around this by offering an array of RSS feeds built around keywords. Yet, stories are almost always assigned more than one keyword, and keyword selection can vary tremendously in quality across sites. Now, I see duplicate stories and still manage to miss other stories I wanted to see.

Ultimately, all of media is prioritization — every site, every newspaper, every broadcast has editors involved in determining the hierarchy of information presented to users. Somehow, RSS (at least in its current incarnation) never understood that. This is a failure both of the readers themselves and of the protocol, which never forced publishers to provide signals about what was most and least important.

Another enormous challenge is discovery and curation. How exactly do you find good RSS feeds? Once you have found them, how do you group and prune them over time to maximize signal? Curation is one of the biggest on-boarding challenges for social networks like Twitter and Reddit, and it has prevented both from reaching the stratospheric numbers of Facebook. The cold start problem with RSS is perhaps its greatest failing today, although it could potentially be solved by better RSS reader software without protocol changes.

RSS’ true failings, though, are on the publisher side, with the most obvious issue being analytics. RSS doesn’t allow publishers to track user behavior. It’s nearly impossible even to get a sense of how many RSS subscribers there are, due to the way RSS readers cache feeds. No one knows how much time someone spends reading an article, or whether they opened it at all. In this way, RSS shares a product design problem with podcasting: user behavior is essentially a black box.

For some users, that lack of analytics is a privacy boon. The reality though is that the modern internet content economy is built around advertising, and while I push for subscriptions all the time, such an economy still looks very distant. Analytics increases revenues from advertising, and that means it is critical for companies to have those trackers in place if they want a chance to make it in the competitive media environment.

RSS also offers very few opportunities for branding content effectively. Given how important brand equity is for media today, losing your logo, colors, and fonts on an article is an effective way to kill enterprise value. This issue isn’t unique to RSS — it has affected Google’s AMP project as well as Facebook Instant Articles. Brands want users to know that the brand wrote something, and they aren’t going to use technologies that strip out what they consider to be a business-critical part of their user experience.

These are just some of the product issues with RSS, and together they ensure that the protocol will never reach the ubiquity required to supplant centralized tech corporations. So, what are we to do then if we want a path away from Facebook’s hegemony?

I think the solution is a set of improvements. RSS as a protocol needs to be expanded so that it can offer more data around prioritization as well as other signals critical to making the technology more effective at the reader layer. This isn’t just about updating the protocol, but also about updating all of the content management systems that publish an RSS feed to take advantage of those features.
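
To make that concrete, here is a purely hypothetical sketch of how a content management system might attach an editorial-priority hint to each item through a namespaced extension element. The namespace URI, the prio prefix, the rank element, and the numbering scheme are all invented for illustration; nothing like them exists in the RSS specification today.

# Hypothetical sketch only: RSS has no standard priority field, so this
# imagines a namespaced extension element a CMS could emit with each item.
# The namespace, prefix, and element name are invented for illustration.
import xml.etree.ElementTree as ET

PRIO_NS = "https://example.com/ns/priority"  # made-up namespace URI
ET.register_namespace("prio", PRIO_NS)

def build_item(title, link, editorial_rank):
    # Build an <item> carrying the invented editorial-priority hint.
    item = ET.Element("item")
    ET.SubElement(item, "title").text = title
    ET.SubElement(item, "link").text = link
    # 1 = lead story; larger numbers = less prominent placement
    ET.SubElement(item, "{%s}rank" % PRIO_NS).text = str(editorial_rank)
    return item

channel = ET.Element("channel")
channel.append(build_item("Major investigation published", "https://example.com/a", 1))
channel.append(build_item("Recipe of the week", "https://example.com/b", 40))
print(ET.tostring(channel, encoding="unicode"))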

That leads to the most significant challenge — solving RSS as a business model. There needs to be some sort of commerce layer around feeds, so that there is an incentive to improve and optimize the RSS experience. I would gladly pay for an Amazon Prime-like subscription that gave me unlimited text-only feeds from a bunch of major news sources at a reasonable price. It would also let me get my privacy back, to boot.

Next, RSS readers need to get a lot smarter about marketing and on-boarding. They need to actively guide users to find where the best content is, and help them curate their feeds with algorithms (with some settings so that users like me can turn it off). These apps could be written in such a way that the feeds are built using local machine learning models, to maximize privacy.
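
As a toy illustration of that last idea, and only an illustration rather than any existing reader’s implementation, a reader could rank unread headlines against word frequencies learned from the headlines a user has actually opened, with all of it computed on the device so no reading history ever leaves the machine:

# Toy illustration of on-device feed ranking: score unread items against
# word frequencies learned from headlines the user actually opened.
# Everything runs locally; this is not any existing reader's real API.
from collections import Counter
import math
import re

def tokens(text):
    return re.findall(r"[a-z']+", text.lower())

def build_profile(opened_headlines):
    # Count words across the headlines this user actually clicked on.
    counts = Counter()
    for headline in opened_headlines:
        counts.update(tokens(headline))
    return counts

def score(headline, profile):
    # Higher score = closer to what the user has opened before.
    return sum(math.log1p(profile[w]) for w in tokens(headline))

profile = build_profile([
    "Senate hearing on data privacy",
    "New privacy rules proposed in Europe",
])
unread = [
    "Ten weeknight pasta recipes",
    "Regulators weigh new data privacy rules",
]
for headline in sorted(unread, key=lambda h: score(h, profile), reverse=True):
    print(round(score(headline, profile), 2), headline)

A real reader would want a far better model than word counts, but the point stands: the personalization can happen entirely client-side.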

Do I think such a solution will become ubiquitous? No, I don’t, and certainly not in the decentralized way that many would hope for. I don’t think users actually, truly care about privacy (Facebook has been stealing it for years — has that stopped its growth at all?) and they certainly aren’t news junkies either. But with the right business model in place, there could be enough users to make such a renewed approach to streams viable for companies, and that is ultimately the critical ingredient you need to have for a fresh news economy to surface and for RSS to come back to life.

Australia also investigates Facebook following data scandal


Facebook might be getting a “booting” Down Under.

The Office of the Australian Information Commissioner (OAIC) announced on Thursday it would open a formal investigation into the social media giant to see if it has breached Australia’s privacy laws. 

It follows news that the personal information of 300,000 Australian Facebook users “may have been acquired and used without authorisation” as part of the Cambridge Analytica scandal, which affected up to 87 million people worldwide.

OAIC said it would work with foreign authorities on the investigation, “given the global nature of the matter.”


Highlights and audio from Zuckerberg’s emotional Q&A on scandals

“This is going to be a never-ending battle,” said Mark Zuckerberg. He just gave the most candid look yet into his thoughts about Cambridge Analytica, data privacy, and Facebook’s sweeping developer platform changes today during a conference call with reporters. Sounding alternately vulnerable about his past negligence and confident about Facebook’s strategy going forward, Zuckerberg took nearly an hour of tough questions.

You can read a transcript here and listen to a recording of the call below:



The CEO started the call by giving his condolences to those affected by the shooting at YouTube yesterday. He then delivered this mea culpa on privacy:

“We’re an idealistic and optimistic company . . . but it’s clear now that we didn’t do enough. We didn’t focus enough on preventing abuse and thinking through how people could use these tools to do harm as well . . . We didn’t take a broad enough view of what our responsibility is and that was a huge mistake. That was my mistake.

It’s not enough to just connect people. We have to make sure those connections are positive and that they’re bringing people together.  It’s not enough just to give people a voice, we have to make sure that people are not using that voice to hurt people or spread misinformation. And it’s not enough to give people tools to sign into apps, we have to make sure that all those developers protect people’s information too.

It’s not enough to have rules requiring that they protect the information. It’s not enough to believe them when they’re telling us they’re protecting information. We actually have to ensure that everyone in our ecosystem protects people’s information.”

This is Zuckerberg’s strongest statement yet about his and Facebook’s failure to anticipate worst-case scenarios, which has led to a string of scandals that are now decimating the company’s morale. Spelling out how policy means nothing without enforcement, and pairing that with a massive reduction in how much data app developers can request from users makes it seem like Facebook is ready to turn over a new leaf.

Here are the highlights from the rest of the call:

On Zuckerberg calling fake news’ influence “crazy”: “I clearly made a mistake by just dismissing fake news as crazy — as having an impact . . . it was too flippant. I never should have referred to it as crazy.”

On deleting Russian trolls: As Facebook announced yesterday, it deleted 135 Facebook and Instagram accounts belonging to the Internet Research Agency, the Russian government-connected election interference troll farm. Zuckerberg said Facebook also removed “a Russian news organization that we determined was controlled and operated by the IRA.”

On the 87 million number: Regarding today’s disclosure that up to 87 million people had their data improperly accessed by Cambridge Analytica, “it very well could be less but we wanted to put out the maximum that we felt it could be as soon as we had that analysis.” Zuckerberg also referred to The New York Times’ report, noting that “We never put out the 50 million number, that was other parties.”

On users having their public info scraped: Facebook announced this morning that “we believe most people on Facebook could have had their public profile scraped” via its search by phone number or email address feature and account recovery system. Scammers abused these to punch in one piece of info and then pair it to someone’s name and photo. Zuckerberg said search features are useful in languages where it’s hard to type or where a lot of people have the same names. But “the methods of rate limiting this weren’t able to prevent malicious actors who cycled through hundreds of thousands of IP addresses and did a relatively small number of queries for each one, so given that and what we know today it just makes sense to shut that down.”

On when Facebook learned about the scraping and why it didn’t inform the public sooner: This was my question, and Zuckerberg dodged, merely saying “We looked into this and understood it more over the last few days as part of the audit of our overall system”, while declining to specify when Facebook first identified the issue.

On implementing GDPR worldwide: Zuckerberg disputed a Reuters story from yesterday that said Facebook wouldn’t bring GDPR privacy protections to the U.S. and elsewhere. Instead, he said, “we’re going to make all the same controls and settings available everywhere, not just in Europe.”

On if the board has discussed him stepping down as chairman: “Not that I’m aware of,” Zuckerberg said happily.

On if he still thinks he’s the best person to run Facebook: “Yes. Life is about learning from the mistakes and figuring out what you need to do to move forward . . . I think what people should evaluate us on is learning from our mistakes . . . and if we’re building things people like and that make their lives better . . . there are billions of people who love the products we’re building.”

On the Boz memo and prioritizing business over safety: “The things that makes our product challenging to manage and operate are not the tradeoffs between people and the business. I actually think those are quite easy because over the long-term, the business will be better if you serve people. I think it would be near-sighted to focus on short-term revenue over people, and I don’t think we’re that short-sighted. All the hard decisions we have to make are tradeoffs between people. Different people who use Facebook have different needs. Some people want to share political speech that they think is valid, and other people feel like it’s hate speech . . . we don’t always get them right.”

On whether Facebook can audit all app developers: “We’re not going to be able to go out and necessarily find every bad use of data,” Zuckerberg said, but he added confidently, “I actually do think we’re going to be able to cover a large amount of that activity.”

On whether Facebook will sue Cambridge Analytica: “We have stood down temporarily to let the [UK government] do their investigation and their audit. Once that’s done we’ll resume ours … and ultimately to make sure none of the data persists or is being used improperly. And at that point if it makes sense we will take legal action if we need to do that to get people’s information.”

On how Facebook will measure its impact on fixing privacy: Zuckerberg wants to be able to measure “the prevalence of different categories of bad content like fake news, hate speech, bullying, terrorism. . . That’s going to end up being the way we should be held accountable and measured by the public . . .  My hope is that over time the playbook and scorecard we put out will also be followed by other internet platforms so that way there can be a standard measure across the industry.”

On whether Facebook should try to earn less money by using less data for targeting: “People tell us if they’re going to see ads they want the ads to be good . . . that the ads are actually relevant to what they care about . . . On the one hand people want relevant experiences, and on the other hand I do think there’s some discomfort with how data is used in systems like ads. But I think the feedback is overwhelmingly on the side of wanting a better experience. Maybe it’s 95-5.”

On whether #DeleteFacebook has had an impact on usage or ad revenue: “I don’t think there’s been any meaningful impact that we’ve observed…but it’s not good.”

On the timeline for fixing data privacy: “This is going to be a never-ending battle. You never fully solve security. It’s an arms race,” Zuckerberg said early in the call. Then, to close the Q&A, he said, “I think this is a multi-year effort. My hope is that by the end of this year we’ll have turned the corner on a lot of these issues and that people will see that things are getting a lot better.”

Overall, this was the moment of humility, candor, and contrition Facebook desperately needed. Users, developers, regulators, and the company’s own employees have felt in the dark this last month, but Zuckerberg did his best to lay out a clear path forward for Facebook. His willingness to endure this questioning was admirable, even if he deserved the grilling.

The company’s problems won’t disappear, and its past transgressions can’t be apologized away. But Facebook and its leader have finally matured past the incredulous dismissals and paralysis that characterized its response to past scandals. It’s ready to get to work.

Facebook plans crackdown on ad targeting by email without consent

Facebook is scrambling to add safeguards against abuse of user data as it reels from backlash over the Cambridge Analytica scandal. Now TechCrunch has learned Facebook will launch a certification tool that demands that marketers guarantee email addresses used for ad targeting were rightfully attained. This new Custom Audiences certification tool was described by Facebook representatives to their marketing clients, according to two sources. Facebook will also prevent the sharing of Custom Audience data across Business accounts.

This snippet of a message sent by a Facebook rep to a client notes that “for any Custom Audiences data imported into Facebook, Advertisers will be required to represent and warrant that proper user consent has been obtained.”

Once shown the message, Facebook spokesperson Elisabeth Diana told TechCrunch “I can confirm there is a permissions tool that we’re building.” It will require that advertisers and the agencies representing them pledge that “I certify that I have permission to use this data”, she said.

Diana noted that “We’ve always had terms in place to ensure that advertisers have consent for data they use, but we’re going to make that much more prominent and educate advertisers on the way they can use the data.” The change isn’t in response to a specific incident, but Facebook does plan to re-review the way it works with third-party data measurement firms to ensure everything is responsibly used. “This is a way to safeguard data,” Diana concluded. The company declined to specify whether it’s ever blocked usage of a Custom Audience because it suspected the owner didn’t have user consent.

The social network is hoping to prevent further misuse of ill-gotten data after Dr. Aleksandr Kogan’s app that pulled data on 50 million Facebook users was passed to Cambridge Analytica in violation of Facebook policy. That sordid data is suspected to have been used by Cambridge Analytica to support the Trump and Brexit campaigns, which employed Custom Audiences to reach voters.

Facebook launched Custom Audiences back in 2012 to let businesses upload hashed lists of their customers’ email addresses or phone numbers, allowing advertisers to target specific people instead of broad demographics. Custom Audiences quickly became one of Facebook’s most powerful advertising options because businesses could easily reach existing customers to drive repeat sales. The Custom Audiences terms of service require that businesses have “provided appropriate notice to and secured any necessary consent from the data subjects” to attain and use these people’s contact info.
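
Mechanically, those hashed lists work roughly like the sketch below: identifiers are normalized and hashed on the advertiser’s side before they are ever uploaded (Facebook’s developer documentation describes SHA-256 hashing of normalized emails and phone numbers). The sample addresses here are placeholders, and the exact normalization rules remain the advertiser’s responsibility.

# Sketch of the general idea behind a hashed Custom Audience upload:
# identifiers are normalized and hashed before leaving the advertiser's
# systems. The sample addresses are placeholders.
import hashlib

def normalize_email(email):
    # Trim whitespace and lowercase before hashing, per the usual guidance.
    return email.strip().lower()

def hash_identifier(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

customer_emails = ["  Alice@Example.com ", "bob@example.com"]  # placeholder data
hashed_upload = [hash_identifier(normalize_email(e)) for e in customer_emails]
for digest in hashed_upload:
    print(digest)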

But just like Facebook’s policy told app developers like Kogan not to sell, share, or misuse data they collected from Facebook users, the company didn’t go further to enforce this rule. It essentially trusted that the fear of legal repercussions or suspension on Facebook would deter violations of both its app data privacy and Custom Audiences consent policies. With clear financial incentives to bend or break those rules and limited effort spent investigating to ensure compliance, Facebook left itself and its users open to exploitation.

Last week Facebook banned the use of third-party data brokers like Experian and Acxiom for ad targeting, closing a marketing feature called Partner Categories. Facebook is believed to have been trying to prevent ill-gotten data from being laundered through these data brokers and then directly imported to Facebook to target users. But that left open the option for businesses to compile illicit data sets, or pull them from data brokers, and then upload them to Facebook as Custom Audiences themselves.

The Custom Audiences certification tool could close that loophole. It’s still being built, so Facebook wouldn’t say exactly how it will work. I asked if Facebook would scan uploaded user lists and try to match them against a database of suspicious data, but for now it sounds more like Facebook will merely require a written promise.

Meanwhile, barring the sharing of Custom Audiences between Business Accounts might prevent those with access to email lists from using them to promote companies unrelated to the one to which users gave their email address. Facebook declined to comment on how the new ban on Custom Audience sharing would work.

Now Facebook must find ways to thwart misuse of its targeting tools and audit anyone it suspects may have already violated its policies. Otherwise it may draw the ire of privacy-conscious users and critics, and strengthen the case for substantial regulation of its ads (though regulation could end up protecting Facebook from competitors who can’t afford compliance). Still, the question remains why it took such a massive data privacy scandal for Facebook to take a tougher stance on requiring user consent for ad targeting. And given that written promises didn’t stop Kogan or Cambridge Analytica from misusing data, why would they stop advertisers bent on boosting profits?

For more on Facebook’s recent scandals, check out TechCrunch’s coverage:

 

Scientist at centre of Facebook scandal didn’t think data would be used to target voters


The man who helped gather Facebook users’ information for Cambridge Analytica claims that he didn’t think it’d be used to target voters.

Data scientist Aleksandr Kogan, who also goes by the surname of Spectre, told CNN‘s Anderson Cooper on Tuesday that he was “heavily siloed” from knowing about the UK data firm’s clients and funders, who are linked to the 2016 Trump election campaign.

“I found out about Donald Trump just like everybody else, through the news,” Kogan told the program. 

Exclusive: Aleksandr Kogan, the data scientist who worked with Cambridge Analytica to harvest data, tells @AndersonCooper he didn’t know they would use the data to target voters. Full interview, tonight on 9p ET, on @CNN https://t.co/9L3itGMW79 pic.twitter.com/z4ny9vytCp

— Anderson Cooper 360° (@AC360) March 21, 2018


Facebook’s latest privacy debacle stirs up more regulatory interest from lawmakers

Facebook’s late Friday disclosure that a data analytics company with ties to the Trump campaign improperly obtained — and then failed to destroy — the private data of 50 million users is generating more unwanted attention from politicians, some of whom were already beating the drums of regulation in the company’s direction.

On Saturday morning, Facebook dove into the semantics of its disclosure, pushing back against wording in the New York Times story it had tried to get out in front of, which referred to the incident as a breach. Most of this happened on the Twitter account of Facebook chief security officer Alex Stamos before Stamos took down his tweets and the gist of the conversation made its way into an update to Facebook’s official post.

“People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked,” the added language argued.

I have deleted my Tweets on Cambridge Analytica, not because they were factually incorrect but because I should have done a better job weighing in.

— Alex Stamos (@alexstamos) March 17, 2018

While the language is up for debate, lawmakers don’t appear to be looking kindly on Facebook’s arguably legitimate effort to sidestep data breach notification laws that, were this a proper hack, could have required the company to disclose that it lost track of the data of 50 million users, only 270,000 of whom consented to sharing their data with the third-party app involved. (In April 2015, Facebook changed its policy, shutting down the API that let such apps collect data on users’ friends who had never consented to that sharing in the first place.)

While most lawmakers and politicians haven’t crafted formal statements yet (expect a landslide of those on Monday), a few are weighing in. Minnesota Senator Amy Klobuchar is calling for Facebook’s chief executive — and not just its counsel — to appear before the Senate Judiciary Committee.

Facebook breach: This is a major breach that must be investigated. It’s clear these platforms can’t police themselves. I’ve called for more transparency & accountability for online political ads. They say “trust us.” Mark Zuckerberg needs to testify before Senate Judiciary.

— Amy Klobuchar (@amyklobuchar) March 17, 2018

Senator Mark Warner, one of the most prominent voices scrutinizing tech’s role in enabling Russian interference in the 2016 U.S. election, used the incident to call attention to a piece of bipartisan legislation called the Honest Ads Act, designed to “prevent foreign interference in future elections and improve the transparency of online political advertisements.”

“This is more evidence that the online political advertising market is essentially the Wild West,” Warner said in a statement. “Whether it’s allowing Russians to purchase political ads, or extensive micro-targeting based on ill-gotten user data, it’s clear that, left unregulated, this market will continue to be prone to deception and lacking in transparency.”

That call for transparency was echoed Saturday by Massachusetts Attorney General Maura Healey, who announced that her office would be launching an investigation into the situation. “Massachusetts residents deserve answers immediately from Facebook and Cambridge Analytica,” Healey tweeted. TechCrunch has reached out to Healey’s office for additional information.

On Cambridge Analytica’s side, it looks possible that the company may have violated Federal Election Commission laws forbidding foreign participation in domestic U.S. elections. The FEC enforces a “broad prohibition on foreign national activity in connection with elections in the United States.”

“Now is a time of reckoning for all tech and internet companies to truly consider their impact on democracies worldwide,” said Nuala O’Connor, President of the Center for Democracy & Technology. “Internet users in the U.S. are left incredibly vulnerable to this sort of abuse because of the lack of comprehensive data protection and privacy laws, which leaves this data unprotected.”

Just what lawmakers intend to do about big tech’s latest privacy debacle will be more clear come Monday, but the chorus calling for regulation is likely to grow louder from here on out.