Are you unwittingly heading your company into a Cambridge Analytica data privacy Armageddon?

Providing enterprise-value social media listening and insights is expensive for vendors of such products. Some cut corners, in the pursuit of lower costs, by resorting to “alternative” methods of social data acquisition. If your company uses such products, and you use this data, you have nowhere to hide should this be exposed. You have more to lose than your brand reputation and your job. You may lose your company, as did Cambridge Analytica.

Why is this more important than ever?

In the past, social media data streaming into a company was often transient. Today, as social media data is acquired and layered on top of customer and transaction records, it has become very much part of an enterprise’s systems of record.

The push towards “digital” and superior customer experiences across digital, and the drive towards building comprehensive customer demographic and psychographic profiles, require the embedding of data from social networks.

These trends place organisations squarely in the firing line to be able to prove that all such data was collected in accordance with the law, and in accordance with the acceptable ethics of the time. In other words, it needs to be more than legal.

It needs to be traced back up the data chain and found to have been obtained legally, transparently, and ethically, right to the source.

What Cambridge Analytica did was not even illegal

Cambridge Analytica did nothing obviously illegal. This was clearly stated by Facebook – before the affair started to spiral out of control and to threaten Facebook’s own business model.

Both Cambridge Analytica and Facebook deny they did anything illegal.

Politico, 24 March 2018

The case subsequently became a red-hot potato and Facebook suspended Cambridge Analytica’s access.

The point is that even in this case, which swung an election for a US President – the most powerful person in the world – it took a lot of time and effort before a final determination was made that CA had violated the terms of service. In fact, CA stated, after being suspended, that “It would be entirely incorrect to attempt to claim that (we) illegally acquired Facebook data. Indeed (we) worked with Facebook over this period to ensure that they were satisfied that (we) had not knowingly breached any of Facebook’s Terms of Service”.

Here’s the point. It took CA and Facebook a huge amount of discussion and consideration before it was declared that CA had breached the Terms of Service – because initially, it was unclear.

Do you have similar resources and expertise and channels into Facebook or Twitter or Tumblr to be able to do the same? The answer is no.

Are you relying on your vendor’s interpretation of the ToS to assuage your doubts? If so, you better start preparing your story for the Board.

Today, not only do you need to be 100% sure in black and white but 200% sure ethically as well.

Today ethics count like never before. When scandal after scandal hits an industry, such as the Australian banking industry, and trust falls to all-time lows, then arguing the fine points of legalese only brings more disdain upon the firm.

How are companies obtaining such data?

Firstly, let’s take one step back and look at why companies are working their way around the ToS.

Paying for streams of social media data is one of the biggest expense items of social media listening vendors.

Twitter’s enterprise pricing costs so much it dare not disclose the figure publicly; you have to ask the company to reveal the numbers.

Access to the full Twitter data stream costs a lot; access to the full Facebook data stream costs multiples more.

So naturally, if you’re starting out or in a smaller league you want to find ways to reduce those costs. What you do is to find other ways to get your data sources by flying under the radar of the ToS.

There are two prominent methods:

  • There are “shadow profiles” aggregators which actually mimic what Facebook does to obtain data on people who are not signed up to Facebook. These were recently called out at a US Congress hearing as “the biggest flaw in Facebook’s privacy defense”. But it is not just Facebook doing this kind of aggregation; there are others using the 270 million fake or clone accounts on Facebook. Account creation bots can not only place Likes “to order” but also harvest personal data. That’s the same reason that you see fake profiles on LinkedIn. Once people connect, they can harvest emails and add layers to identity profiles which can eventually be good enough to be sold. False LinkedIn accounts also facilitate data scraping of personal details across the site (see below).
  • The other most common means is web scraping. Web scrapers play a constant game of cat and mouse with Facebook. They harvest as much personal data as they can while hiding their tracks and changing their identities. Facebook plays hardball if it can find them and it does not hesitate to prosecute. However, despite being a clear violation of Facebook’s ToS, it is still a grey area legally. LinkedIn sued anonymous data scrapers and lost the case recently. The common argument of the web scrapers is that this is public data. In return, the owners of the data argue that their account owners have not agreed to the use of the data for whatever purpose the scrapers have in mind.

The point is this – if you are debating the legality or otherwise of the source of your social media vendor’s data then you are clearly in the wrong place at the wrong time in corporate history.

Ethically you have nothing to win, the answer is crystal clear. Legally you have everything to lose.

In these cases, if you allow yourself to want to be convinced, and walk past this grey area, then don’t be surprised later when you hear phrases such as “lack of due diligence”, “lack of oversight”, and “governance failure”.

Conclusion – beyond reasonable doubt

The fallout from the data-analytics-driven victory of Donald Trump in the 2016 American presidential election has been dramatic, swift, and brutal for many, and is now exacerbated by the GDPR and other enhanced privacy laws around the world. As a direct response, Facebook has rewritten its Terms of Service and is taking a harder line on robot identities and web scrapers.

Actions:

  1. If your social team has never asked, make sure your legal team reviews the sources of all data being supplied by your social media vendor and ensure that they are compliant with all the applicable terms of service.
  2. If your legal team reviewed this prior to now, ask them to do it again and confirm their previous findings.

Remember, you no longer just need to be assured, you need to be absolutely certain. Post-Cambridge Analytica this is not just about the balance of probability, it is about being beyond reasonable doubt.

After all, with today’s expectations, a breach may bring on criminal actions, not just civil ones. Splitting hairs ethically will no longer cut the mustard.

Remember, CA got it wrong, Facebook got it wrong. Interpreting the legality of your social media data sources is not a game for your social media people, not even a game for your legal people alone.

It’s about strict “supply chain” compliance right up the chain through your social media vendor to the source. Even if Facebook does not suspend you, and even if the GDPR does not fine you 4% of your annual global turnover, an ethical breach could decimate the worth of your company.

Just ask AMP how much breaches of trust and unethical behaviours have cost their shareholders, board members, and senior executives.

Don’t let yourself be beguiled into being on the wrong side of history. Make sure all data coming into your organisation is totally legal and absolutely ethical.

Contact Us for audit and data sourcing advice; strategy and implementation of your customer experiences enhanced by social data.

—– Walter Adamson
@adamson
Linked.com/adamson
Snap:walteradamson