FOLLOWING REVELATIONS ABOUT the alleged misuse of Facebook users’ personal data by communications firm Cambridge Analytica, there are questions now about whether Ireland’s data protection regime is robust enough to prevent this kind of activity.
According to the New York Times and Britain’s Observer newspapers, Cambridge Analytica collected information from 50 million Facebook users’ profiles in the tech giant’s biggest-ever data breach, to help them design software to predict and influence voters’ choices at the ballot box.
Companies like Cambridge Analytica are open about the fact that they collect data through social media, but they maintain this is information the user has given them consent to access.
This is why the users themselves need to be vigilant about what they agree to, data protection experts have said.
Solicitor Simon McGarr has been highlighting issues with Facebook’s handling of data since as far back as 2008. He told TheJournal.ie that this news is “hardly surprising”.
“This wasn’t a data breach in the sense that it wasn’t hacked, no passwords were stolen, this system was working as it should.”
Applications on Facebook – games, quizzes, websites you sign into using Facebook etc – can ask your permission to access information on your profile, including your date of birth, your friends list, your posts, the pages you like and more.
For years, these apps could also ask your permission to access information on your friends’ profiles without their knowledge.
Ireland’s Data Protection Commissioner raised concerns about this in 2012 and in 2014 Facebook did make a change.
However, McGarr pointed out that Facebook settings tend to change regularly and move around, so users need to pay attention if they want to maintain control of their data.
There is no need now, he said, for people to worry about information companies already have – there is very little that can be done about that.
‘Bait in the trap’
What users can do now is be more aware of the data they are agreeing to share and to be more questioning of websites and apps that ask their permission.
“I have Facebook, but I don’t really install apps. If I do, I use it for as long as I want it and then I delete it. I don’t do any quiz apps etc.,” McGarr said.
“You don’t know the real purpose the developers have. It all seems like a bit of fun, you install an app that makes you look like an elf or something like that and these are all just machines for getting you to agree to share data. Everything else is just the bait in the trap.
“When people install Facebook apps and Android apps on their phones they should look and see what the app wants to access and whether that’s proportionate.
“If you’re using a selfie app, it may ask to access your photos library and camera, that’s reasonable because it can’t work otherwise. If it wants to look at your history of texts and other things on your phone, you should really pause before you agree.”
He said smartphones are “a goldmine of data” and people need to recognise that what they may see as harmless data “might be used in a quite powerful way to profile you”.
These profiles can then be used in an attempt to influence consumers and voters in a very targeted manner.
To check your app settings on Facebook, follow these steps:
On a computer:
- Click the downward pointing arrow in top right-hand corner.
- Click ‘Settings’
- In the sidebar on the left, select ‘Apps’
On the mobile app:
- Tap the icon with the three horizontal lines
- Scroll down and select ‘Settings’
- Then ‘Account Settings’
- Scroll down and select ‘Apps’
- Tap ‘Logged in with Facebook’ to see all of the services accessing your account.
Here, you can see any app you’ve logged into with Facebook, and the information you’ve given them permission to take. You can also remove any of these applications if you feel you are providing it with more information than you would like.
What is the State doing to protect your data?
In a statement, the office of the Data Protection Commissioner (DPC) said the issues reported in recent days in relation to the profiling of Facebook users “affected substantially US Facebook users”.
The issue of ‘friends’ data being harvested when a Facebook user engaged with an app on Facebook was resolved by Facebook in May 2014 when access to friends data was restricted by a platform upgrade. This followed a 2012 recommendation by DPC Ireland on foot of its re-audit of Facebook Ireland in relation to access to friends data.
It said the purported misuse of data by strategic communications companies is incorporated in the UK Information Commissioner’s Office’s investigation into political influencing.
On Saturday, the UK’s Information Commissioner Elizabeth Denham said her office was investigating the circumstances in which Facebook data may have been illegally acquired and used.
“It’s part of our ongoing investigation into the use of data analytics for political purposes which was launched to consider how political parties and campaigns, data analytics companies and social media platforms in the UK are using and analysing people’s personal information to micro target voters,” she said.
It is important that the public are fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy.
Her office is now seeking a warrant to obtain information and access to Cambridge Analytica systems and evidence related to its investigation.
The Irish DPC said it is following up with Facebook Ireland in relation to what forms of active oversight of app developers and third parties that utilise their platform are in place, with a view to ensuring it is effective.
The micro-targeting of social media users with political advertisements and sponsored stories remains an ongoing issue today.
In the absence of laws specifically regulating such political targeting online, the Irish DPC intends to issue guidance to users in terms of how they can trace why they are receiving certain advertisements and stories on social media, how they can mute or turn off receiving advertisements from those sources and how they can amend their ad preferences to control the types of ads they are served.
The government is also moving to introduce new data protection legislation. However, one particular loophole in the new bill is raising questions.
Simon McGarr explained that Section 43 of the new bill allows for the collection of and use of personal data for people who are candidates in elections, office holders or State entities of any sort.
The European General Data Protection Regulation (GDPR), which comes into force across the EU this May, only contains ten exemptions for the processing of personal data.
McGarr said Section 43 of the Irish bill does not fall under these exemptions and therefore the new legislation is “attempting to make legal something that is illegal under European law”.
Fianna Fáil TD James Lawless said it is for this reason that he will be proposing amendments to the bill when it comes before the Dáil.
Speaking to RTÉ’s Morning Ireland yesterday, he said the recent revelations should be a “wake-up call” to government.
“There is no reason to believe Ireland will be immune to these activities in election or indeed referendum campaigns and we’ve a big referendum as you know coming up in a couple of months.”
He said the government needs to take steps to protect our own democracy and ensure our data protection regime is properly resourced and managed.
Last year he proposed a social media transparency bill in the Dáil, which passed to committee stage with the support of other opposition parties – but not the government.
He said there is no reason why this cannot be enacted before the referendum and he called on the government to aid its passage.
TheJournal.ie contacted the Department of Business, Enterprise and Innovation for a comment from Minister of State Pat Breen, who has responsibility for Data Protection.
A spokesperson said data protection legislation does not come under the remit of the minister with responsibility for data protection and referred us to the Department of An Taoiseach and the Department of Justice. Neither of these departments responded to queries.