April 3, 2018
SUMMARIZING THE SITUATION
In 2015, Facebook learned that a psychology professor at the University of Cambridge violated Facebook’s Platform Policies by passing data from an app he developed (which used Facebook Login to collect private information from user profiles) to Cambridge Analytica, a firm that does political, government and military work around the globe. This activity was not permitted by Facebook—while they do allow the collection of some data by third party apps, they strictly prohibit for this data to be sold or transferred to any ad network, data broker, or other advertiser or monetization-related service. When confronted, Cambridge Analytica acknowledged that they acquired the data, but said it was deleted as soon as they learned of the problem two years ago.
After additional investigations, it was uncovered that Cambridge Analytica may not have deleted the data, as they had previously certified. The firm was immediately banned from using all of Facebook’s services and has agreed to a forensic audit to confirm the data has been permanently deleted. Last week, we learned from The Guardian, The New York Times and Channel 4 that Cambridge Analytica may not have deleted the data as they had certified. We immediately banned them from using any of our services. Cambridge Analytica claims they have already deleted the data and has agreed to a forensic audit by a firm we hired to confirm this. We’re also working with regulators as they investigate what happened.Last week, we learned from The Guardian, The New York Times and Channel 4 that Cambridge Analytica may not have deleted the data as they had certified. We immediately banned them from using any of our services. Cambridge Analytica claims they have already deleted the data and has agreed to a forensic audit by a firm we hired to confirm this. We’re also working with regulators as they investigate what happened.Last week, we learned from The Guardian, The New York Times and Channel 4 that Cambridge Analytica may not have deleted the data as they had certified. We immediately banned them from using any of our services. Cambridge Analytica claims they have already deleted the data and has agreed to a forensic audit by a firm we hired to confirm this. We’re also working with regulators as they investigate what happened.
HOW IS FACEBOOK ADDRESSING THE DATA SECURITY ISSUE?
- Reviewing their platform. Facebook will investigate all apps that may have had access to large amounts of personal information before they changed their platform in 2014 to reduce data access. They are actively working to conduct a full audit of any app with suspicious activity. Developers who have misused personally identifiable information will be banned from the platform.
- Telling people about data misuse. Facebook will tell people affected by apps that have misused their data. This includes building a way for people to know if their data might have been accessed by Kogan’s app “thisisyourdigitallife.” Moving forward, if Facebook removes an app for misusing data, they will tell everyone who used it.
- Turning off access for unused apps.If someone hasn’t used an app within the last three months, Facebook will turn off app access to their information.
- Restricting Facebook Login data.Facebook is changing user Login, reducing the data that an app can request without going through login review, to include only name, profile photo, and email address. Requesting any other data will require Facebook’s approval.
- Encouraging people to manage the apps they use.Facebook already shows people which apps their accounts are connected to and what data they’ve permitted those apps to use. Going forward, Facebook is going to encourage users to check their settings and work to make these choices more prominent and easier to manage.
- Rewarding people who find vulnerabilities. Facebook plans to expand their bug bounty program so that people can also report if they find misuses of data by app developers.
CENTRO POV
Advertisers using the Facebook platform and its data should not be concerned that they are participating in any illegal violations of data, as users have agreed to all platform policies that dictate how they can be targeted.
Centro-run social campaigns only utilize approved Facebook targeting segments made available within the Facebook platform, from approved third-party data providers, or through our clients’ first party data collection (CRM lists and pixel data).
Facebook users can decide their level of comfort for continuing to be a user of the Facebook platform, which includes the receipt of ads within targeting policies they have agreed to. We are not recommending any advertisers take action to halt advertising geared towards Facebook users, who are still voluntary active members of the platform.
Potential Implications of Breach:
- Less depth of Facebook 1st party data
- Users are likely to limit the data they share with Facebook via privacy settings
- Users are likely to limit the places they use Facebook log-in for account development to protect their privacy
- Increase of Facebook account deactivation rates
- Users might remove themselves from the Facebook platform completely due to privacy concerns
- Centro will continue to monitor reach of the platform against the most desirable audiences
At this time, Centro is not overly concerned about declining user base due to the existing volume of Facebook users. Even if 20% of users decide to deactivate their accounts, Facebook will still reach the most people on a daily basis than any other social platform.
DEACTIVATION OF THIRD PARTY DATA SEGMENTS
The use of third party data segments in audience targeting is a common industry practice. Many partner segments are directly integrated into the Facebook platform and automatically refreshed by third party partners like Oracle, Epsilon, or Acxiom. Example of third party data segments include “In-market for a luxury vehicle”, or “People who own their own home.”
While Facebook has good protections in place to ensure this data is being utilized appropriately by advertisers, they do not have complete visibility into how third party partners collect user data. Therefore, they do not feel comfortable letting advertisers activate media against those segments at this time. Over the next six months, Facebook will be removing access to these segments from their native platform.
Timeline for Changes:
- May 10 :: We will no longer be able to create new campaigns using partner data for the UK, France and Germany. Existing campaigns using this data will be able to run through May 24.
- July 1 :: We will no longer be able to create new campaigns using partner data for the US. Existing campaigns using this data will be able to run through September 30.
- October 1 :: All delivery against partner data audiences will be stopped. Delivery against all other audience targeting will not be effected.
- Past this date, clients can independently purchase third party data segments directly from partner providers and upload them manually into the platform.
Centro is conducting a performance audit of all campaigns currently utilizing third party audience targeting, and we will be communicating proactive recommendations for shifting media into other audiences over the coming months.
Audiences built off of first party Facebook data (Interests, demographic information, look-a-like audiences) or first party client data (custom CRM audiences and pixel data) will not be effected. These tactics often outperform third party partner audiences in terms of cost efficiency and performance, and there is no additional data fee built in. Therefore, we expect the impact to campaign performance to be minimal at this time.
WHAT DOES THIS MEAN FOR ADVERTISERS?
Despite this news, the social platforms of Facebook and Instagram are still the right environments for advertisers to invest in. Users have opted in to sharing their data and receiving advertising. Correct usage of first party data within the platform allows advertisements on Facebook to be relevant and individually meaningful to users. Additionally, Facebook is taking aggressive steps to protect users and their data. Many of these changes were in process prior to the data breach occurring.
As this privacy issue will not affect the way users who have opted in continue to utilize Facebook, advertisements placed on the platform are still highly impactful.
