Additional article :
[nytimes.com...]

I hope Facebook is ready for the EU GDPR ...

The profiles were not harvested in some sinister manner according to FB, they just used the same tools that other organizations have taken advantage of. Games, apps and surveys were permitted to harvest profiles - not only of the user but of others on their Friends List. If at any time since 2007 you used the tools they put out as Social Bookmarks (Share type) links or "Log in through FaceBook" links, your profile and Friends List profiles were being harvested. Facebook changed its policy in 2015 but that was after the data had been made available. There's no "undo" button.

Facebook chief executive Mark Zuckerberg in 2007 invited outside developers to build their businesses off Facebook’s data, giving them ready access to the friend lists, “likes” and affinities that connect millions of Facebook users. Practically any engineer who could persuade a Facebook user to download an app or to sign into a website using Facebook’s popular “log-in through Facebook” feature would have been able to access not only the profile, behavior and location of that Facebook user but also that of all the user’s Facebook friends, developers said.

- source [washingtonpost.com]

FaceBook's response is a weaselly "Read the Privacy Policy". They feel that they were covered by telling people in the little boilerplate permissions screen that popped up when you used their tools: This app will receive the following info: your public profile, friend list, birthday, groups, current city, photos, and personal description and your friends’s birthdays, photos, and likes. However, there is also an FTC agreement, a consent decree that may have been broken by allowing the scope of data to be made available.

_{How much is $40,000.00 X 50 million?}

Is this really about a data breach, or is it more about how that data was used? That this data exists, or that it was used in an election for a candidate of whom they disapprove?

Everyone should really know that FB is funded by selling user data. Everyone surely does.

I would be prepared to bet that everyone- everyone - thinks they are immune to advertising. Unfortunately, some also believe that there exists some poor subsection of the world who are naive sheep, prone to suggestion by malign forces. Up until now, it was the Russians and their bots. Now it turns out it was targetted advertising. You know, of the type that has been funding Facebook since it was conceived.

Not to veer off into politics, but a previous election winner was feted for their leveraging of The Power of Friendship [theguardian.com]. You will note that links to the Guardian, the same paper in the OP, now decrying it a "major data breach"

Well, as you say, not to veer off into politics. ;)

I really don't think that the vast majority of FB users realised that their data was being used by such companies.

Games, apps and surveys were permitted to harvest profiles - not only of the user but of others on their Friends List.

For quite some time now, as soon as I realised, whenever someone sends me a quiz or similar on FB, I ignore it. I still see these quizzes and surveys going round. They look either fun or easy to show how smart people are, but, really, it's nothing to do with that, it's about data harvesting, and it's not obvious that the data is being swapped in the is way.

Sure, but from the 2012 Guardian article:

Every time an individual volunteers to help out – for instance by offering to host a fundraising party for the president – he or she will be asked to log onto the re-election website with their Facebook credentials. That in turn will engage Facebook Connect, the digital interface that shares a user's personal information with a third party.

Consciously or otherwise, the individual volunteer will be injecting all the information they store publicly on their Facebook page – home location, date of birth, interests and, crucially, network of friends – directly into the central <redacted> database.

"If you log in with Facebook, now the campaign has connected you with all your relationships," a digital campaign organiser who has worked on behalf of <redacted> says.
Emphasis Mine

No one was objecting back then. Everyone (if not the actual users, then the observers) knew what was happening, and wrote it up in glowing terms. That was six whole years ago.

The only difference is who is making use of the technology.

The only difference is who is making use of the technology.

The difference is that Cambridge Analytica broke terms of service contract with FB, and thus this constitutes a theft of data. Potentially a criminal act.

Nothing has yet been proven on this, and the fact that users clicking on something quite innocent, such as a quiz, can end up sharing information they were unaware of, is the biggest concern.

The UK's ICO should be able to investigate, but i'm concerned it doesn't have sufficient teeth.

To be fair, I haven't read the service contract. Obviously, data theft would be criminal- but that concerns Cambridge Analytica.

In terms of Facebook, the platform is working exactly as intended.

The UK's ICO should be able to investigate, but i'm concerned it doesn't have sufficient teeth.

Not yet. And new laws obviously can't apply retrospectively.

But GDPR will give them serious teeth.

Actually, if CA are in possession of illegally acquired info, I wonder if that is a current crime, and therefore subject to GDPR sanctions.

Incidentally, I doubt that the amount of data shared with those quiz authors is compliant with GDPR. That will be one to watch.

I don't see how it would be "legal" for FB or anyone else to provide the personal information of one user based on the consent given by another user.

I am not sure that it is clear as to what was done in this case. Cambridge Anaylitca (or someone associated with the firm) released the quiz to FB users, about 275 thousand respondents replied to the quiz and accepted the terms, but as a result Cambridge then mined the data of all the friends and followers of those users, thus collecting data on 50 million users (or the equivalent of 1/3 of the US electorate). that is well over 100x times the number of consenting users.

Now assume a conservative conversion rate, say 1%. This works out to exactly 1/100 or the inverse the ratio above. Basically we can roughly assume that every person who's data was mined saw the ad for the quiz, 1% clicked and accepted the terms, but the other 99% tacitly refused the terms but still had their data mined.

If this isn't illegal it probably should be and anybody using FB seriously needs reconsider that decision. Oh wait, ... I know... "But I have nothing to hide"

I'm one of the few (probably not the case within the WW community) that reads and often refuses service for online services. I am especially bearish when comes to services relating to my kids and their schooling. And I am often criticized for my position. So I typically feel a certain "schadenfreude" from these types of breaches but i really find that this time it far more worrisome, because it is not a "breach" in the conventional sense but an invasion of privacy at scale by design.

The problem with CA which differentiates their data collection, is that they used the pretense of this data being for the purpose of educational research. Tinder app and FarmVille (zynga games) apps collect data for marketing purposes which allows a different scope of data and users can decide on their privacy settings. Researchers are given broader information. That's where they were in variance with their agreement. The advertising API offers certain information to advertisers. But to obtain access to the widest level of data, the Social Graph API, they masked their intent which did not allow users to make an informed decision.

There is another article from the London Observer [theguardian.com] that addresses some of the GDPR related concerns.

Was the data really breached? I infer from that that the data was hacked somehow. As far as I know, Zuckerberg gave them complete access to Facebook data.

@azlinda

I didn't give them consent to take my personal data, but they still took it == breach. Whether Mark Zuckerburg or anyone else gave them access or not is irrelevant to determining whether or not it is a breach.

It could easily be argued that the CEO of Equifax gave hackers access to that data by simply not doing his job. Zuckerburg is not doing his job either.

The data wasn't breached. If one reads the OTHER media reporting on this nothing burger the previous opposition made use of the same data in 2012 AND got a note and nod from FB saying they didn't stop it because they were on THEIR SIDE. If anyone wants links (I know better than to post a conservative link HERE to avoid triggering a fit storm) sticky me.

Many people do realise that their data is being collected, although many don't.

But that's not the point. The point is that there is nowhere obvious on Facebook where you can find out how that data is used and who it is sold to. Well, now a whole wedge of the world has just learnt that their data was used to attempt to influence their voting and they don't like it.

What else is it being used for?