The American presidential election in 2016 represented a landmark moment. The world woke up to the fact that social media platforms just might know too much about us. We all thoughtlessly give away personal information to the digital world every day, but should you actually be worried about data misuse?
Yes. Probably. You’ve already been subject to it, and the odds are it’s had a pretty major impact on your life.
How many times have you logged into a third-party app using Facebook? We see the classic ‘X will receive the following: your public profile, friend list, email address, birthday and likes.’ And most of us just accept this without a thought.
After all, who cares if a stupid game knows when my birthday is? Why would you be bothered about Spotify having access to your friend list?
In all fairness, you could be completely forgiven for believing that there is little to worry about when it comes to sharing your data. Most third parties that harvest this information use it to aid the user experience of their platform, to increase personalization and make interaction with their business as beneficial to you as possible.
But what happens when the third-party has another purpose for your data? What could a business do with the reams and reams of information we constantly give away? After all, there’s been enough discussion about data misuse in the news. But how powerful can this data be, anyway?
The Power of Data
Realistically, how much does Facebook know about you?
To demonstrate this, we're going to turn to Michal Kosinski, one of the people most instrumental in shaping how data is collected and used, and an experiment he carried out back in 2008.
Along with fellow Cambridge University student, David Stillwell, Kosinski launched an app called MyPersonality. This was a quiz app that invited users to answer revealing questions about themselves in order to determine their personality in accordance with the ‘Big Five’ personality attributes.
Oh, and users logged in by sharing their Facebook information.
The app unexpectedly blew up. Millions of people filled in the questionnaire, and suddenly Kosinski and Stillwell were in possession of the most extensive dataset ever to combine in-depth personality testing with Facebook profiles.
When they compared the data from MyPersonality with information they could glean from Facebook – in particular, what users ‘like’ – the results were somewhat interesting.
They found that individual likes could deliver some pretty accurate insights about a person. For example, someone who liked Lady Gaga was generally more outgoing, whilst someone who liked philosophy was more introverted.
However, these were mere correlations, each individually too weak to be relied on for a full picture of a human being.
But when you combined hundreds of individual data points that users had willingly given up to Facebook and to many other third-party companies, you could build up a frighteningly accurate picture of what a person was like.
The model Kosinski developed could tell him whether a particular person was single, a smoker, how intelligent they were, whether their parents were divorced, whether they were falling out of love, their political affiliations…
If a person had ‘liked’ a mere 10 things, Kosinski's model could evaluate them better than an average work colleague could. After 70 ‘likes’, it knew more than the subject’s friends did. 150 ‘likes’ were enough to surpass what their parents knew, and 300 were enough to outdo their partner.
In fact, with more than 300 ‘likes’, the model could even outdo what a person knew about themselves.
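The thresholds reported above amount to a simple lookup: the more ‘likes’ the model has seen, the closer the human rater it can outperform. A minimal sketch of that idea (the function name and structure are illustrative, not from the study’s actual code):

```python
# Thresholds reported in Kosinski's study: with at least this many
# Facebook 'likes', the model's personality judgements surpassed
# those of the given human rater.
THRESHOLDS = [
    (300, "partner"),
    (150, "parent"),
    (70, "friend"),
    (10, "work colleague"),
]

def best_surpassed_rater(num_likes):
    """Return the closest human rater the model outperforms, or None."""
    for threshold, rater in THRESHOLDS:
        if num_likes >= threshold:
            return rater
    return None

print(best_surpassed_rater(80))  # friend
```

With 80 ‘likes’, the model has passed the “friend” bar but not yet the “parent” one; with fewer than 10, it surpasses nobody.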
Of course, a personal profile can be made up of all these data points, but as well as this, data could be used to identify specific groups of people. You could use data to identify everyone that was a football fan, everyone who listened to a certain type of music, or everyone that had a certain political alignment.
It took years to develop a data analysis system this accurate. By the time he had, in 2014, Kosinski was approached by a researcher called Aleksandr Kogan (who we’ll come back to later). All you really need to know for now is that Kogan was inquiring about the method on behalf of a company called SCL (Strategic Communication Laboratories), a company that further demonstrates the power data can have, and how effective the spread of misinformation can be.
SCL have, in the past at least, described themselves as a company that specializes in “psychological warfare” and “influencing elections”. It sounds sinister because it is sinister. They’ve had influence over elections in India, Malta, Mexico and more.
It’s been inferred that SCL had a hand in spreading misinformation that helped the monarchy of Nepal overthrow a corrupt government. They claim to have the ability to “override all national TV and radio broadcasts in time of crisis”, but all for the greater good, of course.
It is concerning that SCL’s business rests on spreading ‘mistruths’ in the name of saving lives and improving society. A private company playing an insidious role in how countries are run? It seems a little… undemocratic.
Mark Broughton is the public affairs director of SCL, and has been quoted as saying, “There’s some altruism in it [SCL], but we also want to earn money”. Surely this would suggest that if you can buy the services of this strategic communications company, the highest bidder could have a real impact on the way that society is run.
So, Kogan came to Kosinski. Kogan was a psychology researcher who had himself been approached by Christopher Wylie. Wylie essentially wanted to improve the way a spin-off of SCL harvested data, for greater influence over political matters. That spin-off company was called Cambridge Analytica.
How Data Won the 2016 Presidential Election
I’m sure you’ve heard of Cambridge Analytica, even if it was just catching a phrase on the radio or on a TV news channel. When you’ve heard it, you will have almost certainly heard the word that has become synonymous with the company: scandal.
Well, that’s because once Kogan was able to replicate the methodology developed by Kosinski, he did, with an app called ‘thisisyourdigitallife’. Like the MyPersonality app, thisisyourdigitallife got hundreds of thousands of Facebook users to give away their Facebook data, and (illegally) harvested the data of more than 87 million people.
The information Kogan mined was then handed to, yes, Cambridge Analytica. And who had just bought Cambridge Analytica’s services? Whose political campaigns were they supporting?
Well, in 2015, their services were bought by the Brexit campaign. The Brexit campaign won in June 2016. In the same month, Donald Trump hired them to run his own digital campaign.
And Cambridge Analytica had unbelievably accurate data on what they claimed to be every single adult in the US. This left them with a frightening ability to target ads at people in such a personalised fashion that they were bound to evoke the right response (quite literally the right response).
Ads weren’t aimed at people of a certain demographic, but rather a certain psychographic. Ads that played on the personality of a voter, that played on the way they thought, their fears, their hopes.
This was demonstrated by the CEO of Cambridge Analytica at the time, Alexander Nix. In a talk at the Concordia Summit in September 2016, he displayed in perfect British bad guy style how his team had helped the Republican candidate Ted Cruz achieve great success in the primary elections in 2016.
Nix demonstrated how certain ads could genuinely influence a voter’s decision. They could target individuals who, thanks to data harvested from Facebook, they knew extremely intimately.
He went on to show how certain ads could be served to people who would respond in the ‘right way’, and finished his presentation with the line, “of the two candidates left in this election, one of them is using these technologies, and it’s going to be very interesting to see how they impact the next seven weeks.”
Well, there’s no question of who hired Cambridge Analytica now, and there’s no question of who won the election.
Every single decision made by the Trump campaign was driven by data. What states to target at particular times. What messages to send out to particular groups of people, particular households, or even particular individuals.
The ability to target specific users with specific messages opened the door to the ‘fake news’ phenomenon. Social media bots with the ability to spread misinformation and inflammatory material sprang up to drown out real and meaningful debate.
Basically, the guys with the best data strategy won. The Clinton campaign worked on the basis of demographics: targeting large groups of the same race, gender, income, etc. with the same message. The Trump campaign worked on the basis of psychographics built up from data harvested from Facebook and third-party companies.
When Trump won and the part that Cambridge Analytica played came to public light, the wider public were made acutely aware of a new, data-driven age, not just of politics, but of the way we live our lives in general.
One thing you might want to take away from this whole episode, however, is that the data is there, ready to be accessed.
Is this really a case of data misuse? Or is it just intelligent marketing using the best tools to hand?
Should You Worry About Data Misuse?
This was all nearly 3 years ago now. The scandal is out, and Cambridge Analytica have been dissolved. So should we still worry about how much Facebook knows about us? How easy is it for third parties to mine this information? Are there still going to be groups out there looking to exploit this data?
To answer the last question first: yes, there are always going to be groups out there ready to exploit personal information in order to manipulate a population.
Whether it’s the bizarrely altruistic yet money-driven approach of SCL (they claim to spread misinformation for a ‘greater good’); the mysterious, nationalistic doings of the Internet Research Agency; or some other shady organisation that we don’t even know exists; you can guarantee that there is someone out there trying to dig around in your digital brain to meet their own ends.
But now, we have the General Data Protection Regulation (GDPR), a regulation adopted by the European Union in 2016 and enforced from May 25th, 2018. It sets out new rules for how businesses can interact with a user’s data and digital footprint.
The GDPR essentially aims to put users in greater control of how their data is shared, making consent more informed and explicit, and heavily fining any company that fails to comply with the new data rules.
But has it worked? Has it really made our data safe from tech companies? Are we at risk of becoming victims to data misuse?
Realistically, it will take years to see whether the GDPR will have a significant impact on the issue. But, just over one year in, we seem to be able to take two key lessons from its implementation:
1. Personal Data Breach Notifications Have Risen
Now, although this might seem a worrying first point, it’s actually a pretty positive development.
It’s estimated that the number of reported personal data breaches will double in 2019. Even in the first 8 months after the regulation was introduced, nearly 60,000 breaches were reported across Europe.
Again, why is this a positive development? Because it doesn’t mean there were half as many personal data breaches before 2018; it means breaches that once went unreported are finally coming to light. The fact that these breaches are now being reported is a huge step forward in how we deal with breaches that infringe upon an individual’s rights.
Companies are now required to inform the individual at risk and the relevant authorities of a data breach within 72 hours. And this is evidently happening. When a person becomes a victim of data misuse, they are at least more likely to be kept in the loop.
2. Companies Aren’t Being Fined for Failing Customers
Despite the huge increase in the number of breaches being reported, authorities don’t seem to be following through on the punishment for breaking the rules.
It was specified that companies found to be violating the law could be fined up to 4% of their annual global turnover, or €20 million, whichever is larger.
As yet, fines on this scale have not been forthcoming. Nine months into the GDPR’s enforcement, the total combined amount of fines came to €55,955,871. This seems like a lot, until you consider that a pretty hefty €50 million of it came from a single fine handed to Google back in January (around 0.04% of its 2018 revenue).
Most companies are not being fined at all, and the fines themselves are too small to actually inspire any action.
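The fine ceiling described above is simple arithmetic: the maximum penalty is whichever is larger of €20 million or 4% of annual turnover. A minimal sketch of the rule (the function name and example figures are illustrative, not official calculations):

```python
def max_gdpr_fine(annual_turnover_eur):
    """GDPR ceiling: the greater of EUR 20 million or 4% of annual turnover."""
    return max(20_000_000, 0.04 * annual_turnover_eur)

# A small business turning over EUR 10 million hits the flat EUR 20m ceiling.
print(max_gdpr_fine(10_000_000))       # 20000000
# A giant turning over EUR 100 billion faces a ceiling of EUR 4 billion.
print(max_gdpr_fine(100_000_000_000))  # 4000000000.0
```

Which is exactly why a €50 million fine against a company of Google’s size barely registers against what the regulation actually permits.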
So, the answer, currently, is yes. You probably should be worried about data misuse.
There are just so many individual data points that can be harvested with the simple press of a button when you sign into a service with Facebook. Realistically, you have already given away so much data about yourself to third-party providers that the internet knows pretty much everything about you.
Of course, it’s easy to say that there’s no point worrying about what third parties might know about you, but we’ve already seen what data misuse can do: it can win elections.
Whilst it may not feel like you, as an individual, are ever a victim of data misuse, when large data-driven campaigns are conducted, it’s a worrying thought that a few individuals can pull the strings of an entire nation.
As the 2016 presidential election ushered in a new age of digital democracy, it’s going to be fascinating to see how the next election, due to take place in November 2020, will demonstrate any development in the way data is used to influence people.