You know what takes 17 minutes?
- Building a piece of Ikea’s 5-minute furniture.
- Walking one mile if you’re in decent shape.
- Making £500k (USD $569,000) if you’re Facebook.
The Register crunched the numbers because that sliver of Facebook revenue – £500k (about $640k) – is how much the social media giant has been fined by the UK’s data protection watchdog, the Information Commissioner’s Office (ICO), over the Cambridge Analytica fiasco.
The ICO said in July that it intended to fine Facebook the maximum possible amount.
That’s exactly what it did. The sum sounds like a trifle, but it’s the best the ICO could do. The fine was served under the Data Protection Act 1998, which was replaced in May by the new Data Protection Act 2018, alongside the EU’s General Data Protection Regulation (GDPR). Facebook would be looking at a lot more pecuniary pain under the new regulations, which include maximum fines of £17 million or 4% of global turnover.
Cambridge Analytica – in case you pulled a Rip Van Winkle and missed the saga as it played out earlier this year – was a web analytics company started by a group of researchers with connections to Cambridge University in the UK.
Mix a jigger of web analytics with a shot of Cambridge researchers and you get Cambridge Analytica. And that’s where you also get Cambridge University professor Aleksandr Kogan, one of multiple researchers who collected user data without permission in order to build a system that could profile individual US voters so as to target them with personalized political ads. They got the data via a Facebook personality test called thisisyourdigitallife that billed itself as “a research app used by psychologists.”
From the ICO’s statement about the fine:
Facebook… failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge.
On Thursday, the ICO said that Facebook had broken two of the UK’s legally binding data protection principles by allowing Kogan to harvest users’ personal data through what looked like an innocent online quiz.
The app scraped not just test-takers’ private profile data, but also that of their friends. Facebook didn’t disallow such behavior from apps at the time, but such data harvesting was supposed to be allowed only to improve user experience in the app, not to be sold or used for advertising. For its part, Facebook says that no evidence has been found that user data was actually shared with Cambridge Analytica.
Still, the ICO said that Facebook had given app developers access to people’s data “without clear consent”. Of course, when it came to harvesting data from test-takers’ friends, consent wasn’t just murky; it was non-existent. From the ICO’s announcement:
Between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.
Financially, the fine might affect Facebook little more than the bite of a gnat, but as with the TalkTalk breach, the effect of the bad publicity could make for a much more painful bite. In the TalkTalk case, the fine was £400k, but the company estimated that the hack cost them far more: between restoring its online capability, enhancing security, and losing 101,000 customers, it admitted that its costs were in excess of £40m (about $50m).