Home Data Facebook Can’t Control Unauthorized Data Sharing

Facebook Can’t Control Unauthorized Data Sharing

SHARE:

The Cambridge Analytica debacle demonstrated that Facebook has no systematic way of knowing what happens to data once it leaves the platform.

What happened wasn’t a data breach – but that isn’t what matters.

“Partners are bound by agreements that say they’re not supposed to share the data out, but there’s no way to regulate it, and it’s probably happening every day,” one mobile ad exec told AdExchanger.

While Cambridge Analytica is a poster child for this, how many other Cambridge Analyticas are out there? The answer is probably a heck of a lot.

The sharing isn’t necessarily nefarious.

“I can’t tell you how many times I’ve worked with data scientists that are brilliant, way smarter than me, but many haven’t caught up to how ad technology works,” said John Lockmer, director of programmatic and ad ops at DuMont Project, a programmatic consultancy. “There’s a lot of compartmentalization in our industry.”

Before 2014, Facebook’s API let developers collect friend data by default – a practice that has been discontinued. That’s why UK researcher Aleksandr Kogan was able to gather up 50 million Facebook profiles despite his app only having 270,000 users. Kogan eventually sold that data to Cambridge Analytica.

Today, apps that want to request detailed user info go through a review process with Facebook in which developers are required to justify what they want to collect and why.

After the lid blew off the Cambridge Analytica story, Facebook hired a forensic auditor in the UK to investigate the company’s servers in London. The auditor was asked to leave the premises on Monday by Britain’s Information Commissioner’s Office, which is pursuing its own warrant to investigate Cambridge Analytica’s systems.

When AdExchanger asked Facebook if it has plans to audit other third parties it had previously told to delete data to make sure they actually did, a company rep pointed to a blog post by Paul Grewal, Facebook’s VP and deputy general counsel, which said it has a “variety of manual and automated checks” to ensure compliance with its policies, including random audits of existing apps and “regular and proactive monitoring of the fastest-growing apps.”

But one ad executive called it “enforcement theater.” When this person’s company was asked to delete data, the request came orally, rather than in writing, and no one from Facebook requested a look inside the company’s database. The company says it did destroy the data, but there was no follow-up and Facebook never asked for proof.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

“We deleted all of it, but there was no audit beyond that,” the exec told AdExchanger. “We could easily have just not deleted it.”

In Kogan’s case, he had permission to collect Facebook data, just not to resell it or share it. But former Cambridge Analytica contractor Christopher Wylie told The Observer that when Facebook’s security protocols were triggered, because Kogan was pulling a large amount of data in a short period of time – millions of profiles over just a few weeks – “apparently Kogan told them it was for academic use so, they were like, ‘Fine.’”

But, as clearly happened with Cambridge Analytica, Facebook data does make its way into the commercial sphere.

Bryant Garvin, director of YouTube, search and display advertising at Purple, has also been on the receiving end of shady emails from obscure companies with claims of some sort of fancy, proprietary data collection technique.

“It happens every couple of months,” Garvin said. “Someone sends an email from a company I’ve never heard of that purports to have personalized targeting options, and they’re never clear on the science behind it or how they’re getting the data. It’s always a major red flag for me.”

And a CEO of a small agency told AdExchanger that it’s common to get emails from people, sometimes with ties to academia, offering Facebook data or device IDs for sale.

But rather than a thriving black market for Facebook data fueled by malevolent intent, the more likely issue is willful ignorance. A case of “data suppliers promising lots of deep data without being forthcoming about the source, and data buyers determined to not look that closely,” said Beth Morgan, COO at mobile data company Twine.

“The terms of service say that publishers can’t share the data they get through Facebook,” Morgan said. “So, the problem lies in a) ignorance and b) difficulty in auditing/checking. Basically, the data industry operates largely on trust, because it’s relatively hard to track data flows and see where it’s going.”

And this isn’t Facebook’s problem alone. Tracking the provenance of data and where it goes is a major frustration for anyone with proprietary data operating in the digital ecosystem.

“If you integrate with most data vendors, they commingle the data,” said Keith Petri, chief strategy officer at Screen6. “And, especially if you have direct-to-publisher relationships with access to proprietary data, those publishers don’t want their users to be commingled, mixed and profiled by other platforms.”

Must Read

Even Sony Needed Guidance For Its First In-Game Ad Campaign

In-game advertising is uncharted territory even for brands like Sony Electronics that consumers associate with gaming.

Comic: Always Be Paddling

The Trade Desk Maintains Its High Growth Rate And Touts New Channels

“It’s hard not to be bullish about CTV when it’s both our largest channel and our fastest growing,” said The Trade Desk Founder and CEO Green during the company’s earnings report on Thursday.

After The Election, News Corp Has Harsh Words For Advertisers Who Avoided News

News Corp’s chief exec blasted “the blatant biases of ad agencies and ad associations,” which are “boycotting certain media properties” due to “personal political prejudices.”

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

LiveRamp Outperforms On Earnings And Lays Out Its Data Network Ambitions

LiveRamp reported an unexpected boost to Q3 revenue, from $160 million last year to $185 million in 2024, during its quarterly call with investors on Wednesday.

Google in the antitrust crosshairs (Law concept. Single line draw design. Full length animation illustration. High quality 4k footage)

Google And The DOJ Recap Their Cases In The Countdown To Closing Arguments

If you’re trying to read more than 1,000 pages of legal documents about the US v. Google ad tech antitrust case on Election Day, you’ve come to the right place.

NYT’s Ad And Subscription Revenue Surge As WaPo Flails

While WaPo recently lost 250,000 subscribers due to concerns over its journalistic independence, NYT added 260,000 subscriptions in Q3 thanks largely to the popularity of its non-news offerings.