It's Too Late
After the Cambridge Analytica fiasco, Mark Zuckerberg says Facebook is taking steps to secure data given to third-party applications. But it's already been stolen and laundered.
Image: Paul Marotta/Getty Images
Wednesday, Facebook CEO Mark Zuckerberg broke his silence about the scandal threatening his company, in which data analytics company Cambridge Analytica used data obtained using a third-party Facebook app to profile 50 million Americans and target them with ads for the Donald Trump campaign.
Zuckerberg said that the company has taken steps to prevent a similar event from happening again, and that it will take steps in the future to prevent third party apps from selling your data:
“First, we will investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity. We will ban any developer from our platform that does not agree to a thorough audit. And if we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps.”
This sounds like a good idea, but the fact remains that it is too late. If your data has already been taken, Facebook has no mechanism and no power to make people delete it. If your data was taken, it has very likely been sold, laundered, and put back into Facebook.
“You have to proceed on the assumption that this information has been extracted from you,” Woodrow Hartzog, author of Privacy’s Blueprint: The Battle to Control the Design of New Technologies, told me earlier this week.
This is because many of the quizzes, games, personality tests, and third party apps Facebook allowed on its platform several years ago were not really games at all, they were fronts for data mining. Sure, Facebook could “ban” them from the platform, but many apps that were operating between 2011 and 2015 have already gone out of business, and many of them likely sold your data to data brokers that compile dossiers about people that can be used by advertisers.
It is extremely important to note that many data brokers are Facebook “marketing partners” that allow advertisers to target people based on the data they’ve compiled. This means your data was probably taken by a sketchy third party app, sold to one of the many data brokers, which now uses that data on Facebook. Just because the data is a few years old does not mean it’s no longer useful.
“Selling the data was nominally against Facebook’s developer terms, but so many of these apps were ephemeral, and as far as we know, there was little enforcement,” Alan Mislove, a researcher at Northeastern University who has studied data broker activity on Facebook’s platform, told me. “You can absolutely still use old data in the new system.”
For example, if you’ve unliked all the pages you used to like, deleted all your photos and status updates, and otherwise tried to get rid of much of your information on Facebook, data brokers could have obtained that historical data and—let’s say you still have a profile—can re-import it into the platform as a .csv spreadsheet to continue to target you. And of course, Facebook can’t police the use of this data elsewhere on the internet.
Facebook and Zuckerberg know this is true. If you revoke the access of a third-party app to your profile, Facebook tells you that the app “may still have the data you shared with them.”
So, yeah, it’s great that Facebook is now trying to take steps from our data being misused. But it’s too late. Many people have given their data to hundreds if not thousands of apps, few of which exist anymore and many of which existed solely to steal your data. There is nothing Facebook can do to change that.
Soon after he created Facebook, Zuckerberg said in an instant message that people who use his platform were “dumb fucks” for trusting him with personal data. That IM has been reprinted thousands of times since then. He should know better than anyone that once data enters the hands of a third party, it’s near-impossible to make it disappear.