Are other social networks doing what Facebook did?
How did Facebook harvest users’ data, and do Twitter, WhatsApp and Instagram do the same?
Facebook chief executive Mark Zuckerberg: he says the company will retrospectively examine Facebook Connects’ liberal data sharing policy. Photograph: Josh Edelson/AFP/Getty Images
Facebook chief executive Mark Zuckerberg gave interviews to a number of media outlets last Wednesday. They followed the news that data-mining and political consultancy firm Cambridge Analytica had used personal information from Facebook, without users’ permission.
Cambridge Analytica worked on Donald Trump’s presidential election campaign and on the Brexit campaign in the UK. After the Observer, the New York Times and Channel 4 News reported the data breach, Facebook banned Cambridge Analytica from advertising on its network.
Zuckerberg’s conversation with Kara Swisher for tech publication Recode was among the more revealing interviews, in that it helped explain not only how Cambridge Analytica exploited Facebook data, but how Facebook itself was designed.
The launch of the “Facebook Platform” was a critical step in Facebook’s growth path in 2007, also the year Facebook launched in Ireland and the UK. To grow faster, Facebook sought out developers who – in return for getting access to users’ data – could build applications that would further benefit Facebook’s pervasiveness, at no cost to the network.
The platform allowed developers to build applications within Facebook – people will be familiar with the idea of “signing in” to apps via Facebook, rather than using the traditional username/password method. This was promoted by Facebook as Facebook Connect and is now called Facebook Login for Apps.
When authorised, those apps usually sought extra data from Facebook profiles (dates of birth, “ liked” pages and, crucially, friends lists). And unless users turned off access, these apps had continuous access those details as users’ Facebook profile evolved.
Cambridge Analytica and third-party researcher Alexander Kogan exploited this functionality, as did tens of thousands of other developers. A year after Facebook Platform’s launch, Facebook had 33,000 applications and 400,000 developers registered.
Just how many apps, developers and Facebook user data was transferred or stored elsewhere?
But Kogan did something additional, building a personality quiz app that Facebook users authorised to access their data. His objective: to identify personality traits, and match these with Facebook data.
Some 270,000 people filled in the quiz – enough for Kogan’s research. It is claimed that Kogan handed Cambridge Analytica not only data on these 270,000 users, but also all their friends – about 50 million users (the average Facebook user has about 180 friends).
This was done in 2014, before Facebook implemented changes that restricted this type of behaviour to some degree.
The question now is: between the dates of 2007 and 2014 when Facebook Connect had a more liberal data sharing policy: just how many apps, developers and Facebook user data was transferred or stored elsewhere? Zuckerberg has said Facebook will now pursue this issue retrospectively.
But Facebook was not the only company that pursued a platform strategy in the late 2000s. Do other social networks leave users similarly vulnerable?
Twitter is at lower risk than Facebook to the kinds of data “breaches” we saw with Cambridge Analytica. Because Twitter collects less information and because it is a more open platform by default, it is less vulnerable to the same tactics.
Perhaps the biggest difference between Twitter and Facebook is the breadth of data each holds. While Facebook focuses on harvesting as much data from users as it can – from where you went to school to whether you are in a relationship – Twitter keeps it simpler: your name, description and a link.
Twitter allows similar app functionality – when you “sign in” via Twitter, the third-party app seeks permission to read tweets in your timeline, post tweets on your behalf, or send you private messages.
However because Twitter is open, it’s possible – though difficult – to “mine” the social connections of users. Twitter has set relatively high limits on how developers can graph relationships (who follows you, who you follow), based on how many times a developer could “call” their platform per hour.
But if you can convince people to authorise your app, you can use that person’s spare “calls” to augment your own. This allows you to effectively understand the inter-relationships of Twitter’s user base – which can be valuable for understanding or targeting users based on communities they have formed via mutual connections. (It also happens to be useful for detecting “bots” – automated user networks – since these networksoften follow each other).
Twitter’s biggest risk is not data breaches. It is fake users or “bot armies” that influence conversations by forcing hashtags to trend, shaping the narrative of news online, as in the 2016 US election campaign.
Where it perhaps gets more interesting is in Facebook’s other holdings. The company owns Instagram, the messaging service WhatsApp and of course Facebook Messenger.
Instagram is similar to Twitter in structure and style. Instead of tweets, there are pictures. But they share a similar format and have the same followers/following network structure. Facebook can infer lots of information about a user once it knows an Instagram account is tied to a Facebook account (generally because the same email address is being used for both logins).
One data point that Instagram users share far more than Facebook users is location. So if your Facebook and Instagram accounts are linked, Facebook can deduce quite a lot of information about your life.
WhatsApp encrypts the content of messages between users (so not even Facebook can read them), but a great deal of other data is available. The system can determine when users are active or inactive; gather phone contacts; and this data can be tied to cookies on users’ browsers.
Messenger is not encrypted, so users’ communication with friends can be stored on a server controlled by Facebook. Facebook has admitted in the past that it scans these chats to further understand users and their preferences.
Indeed, in a 2014 conference call Zuckerberg himself said Facebook would focus on private communications for opportunities.
Facebook spent years allowing apps to be built on its platform, in exchange for access by developers to its users’ data. Though the company later changed its mind on this, it also acquired companies such as WhatsApp and Instagram that have allowed Facebook to augment its understanding of billions of people – and to monetise that understanding through advertising. Zuckerberg may say that Facebook helps connects people, but at what price for society, for democracy and for you, the user? Gavin Sheridan is a journalist and digital rights advocate