Facebook, Cambridge Analytica, and Mark Zuckerberg have been center stage in the news recently, since the New York Times reported how the social media platform was used to affect the 2014 midterm election. The fallout from the dispute provides a cautionary tale for companies using terms of service to limit liability to users.
Cambridge Analytica Uses Facebook Tools To Gather User Data
In March 2018, the New York Times reported that Cambridge Analytica, a voter-profiling company, had harvested information from 50 million Facebook users for use in the 2014 midterm elections. Dr. Aleksandr Kogan, a Cambridge University professor, took advantage of Facebook’s credentialing software. He created an app called “thisisyourdigitallife” to gather information from 270,000 people who used the app, and from nearly 30 million Facebook friends and connections without their knowledge. Using Facebook’s software, Kogan was able to collect enough information about those people’s locations, interests, photos, status updates, and check-ins to allow him to build psychological profiles.
All that information was passed on to Robert Mercer, a Republican donor, and Stephen Bannon, his political advisor, to identify and influence swing voters. Cambridge’s psychological modeling techniques were used in the 2016 election campaign, raising questions about whether the use was legal.
Facebook Terms Of Service Allowed For Data Harvesting
In 2014, when Cambridge’s data collection happened, Facebook’s terms of service allowed for this kind of data harvesting. In fact, it was part of the company’s business model. Facebook’s users, including the 270,000 who used the “thisisyourdigitallife” app, consented to collection of this kind of information. According to tweets made by Alex Stamos, Facebook’s chief security officer, and later deleted:
“Kogan did not break into any systems, bypass any technical controls, or use a flaw in our software to gather more data than allowed. He did, however, misuse that data after he gathered it, but that does not retroactively make it a ‘breach.’”
Stamos defended Facebook’s Terms of Service, saying that “several other prominent platforms, like Android and iOS, allow access to friend (contact) data with user permission. Like us, those platforms have policies about the use of data, but misusing contacts gathered knowing from a phone is also not a ‘breach.’”
However, Cambridge was bound by terms of service too. The university had paid for the personal information from Facebook for academic purposes. Developers were allowed to collect data for their own uses, but they were not allowed to “transfer any data that you receive from us (including anonymous, aggregate, or derived data) to any ad network, data broker or other advertising or monetization-related service.” Facebook has taken the position that Kogan violated his Terms of Service by distributing the psychological profiles as aggregate data.
Changes To Facebook Terms Of Service Reduce Access, Increase Transparency
Facebook changed its Terms of Service in 2015 to limit developers’ access to the third-party friends or contacts of users. By that time, the company had already aggregated the personal data and made the psychological profiles available to its political customers.
Now Facebook is amending its Terms of Service again. The new policies are longer and include new details about what access Facebook has to users’ electronic data, including “contact information if you choose to upload, sync or import it (such as an address book or call log or SMS log history).” In defense of the change, Facebook says:
“It’s important to show people in black and white how our products work — it’s one of the ways people can make informed decisions about their privacy.”
Learning From Facebook’s Terms Of Service Troubles
Software developers and other business owners can learn from the trouble with Facebook’s Terms of Service. User agreements should be clear enough for the average user to understand, and should avoid unnecessary invasions of privacy.
Perhaps more importantly, developers should keep in mind that their commercial users want that data for a reason. Before selling users’ contact information or personality profiles, be clear about what can and cannot be done with the data. If it later becomes clear that commercial users have violated the company’s Terms of Service, it is up to the developer, and its business attorneys, to enforce the contract and limit its users’ exposure. Otherwise the company’s executives could find themselves under legal scrutiny, like Mark Zuckerberg.
The Cronin Law Firm has experienced attorneys to aid with whatever legal issue you’re facing. If you are a business owner looking for help with Terms of Service, contact the Cronin Law Firm today to schedule a consultation.