I was counting the mentions of Donald Trump in the Dallas Morning News yesterday morning, and yes, they might have an obsession, when I noticed an article, from the Associated Press, in which the author(s) claim that Facebook had been hacked again.
Which raised my eyebrows because as far as I’m aware, using systems in the way which they were designed to be used isn’t hacking.
The internet seems to have my back on this. Techopedia defines hacking as “Hacking is unauthorized intrusion into a computer or a network . . . [a] hacker may alter system or security features to accomplish a goal that differs from the original purpose of the system.” Merriam-Webster defines a hacker as “a person who illegally gains access to and sometimes tampers with information in a computer system.”
So, let’s take a look at what’s happened so far and see if there’s been any of the following:
- Unauthorized intrusion into a computer or network
- Alteration of security features
- Tampering with information
First, the Cambridge Analytica (CA) scandal.
I’m going to attempt to reassemble what happened mainly from these two articles, one by the New York Times, and one by PolitiFact. I say “reassemble,” because there’s some conflicting information out there, but that’s mostly related to whose idea various actions were.
Cambridge Analytica was founded. They need data about people in order to run their business, which is supposed to analyze data as a service on behalf of others. Potential clients included Mastercard, the New York Yankees, the Joint Chiefs of Staff, and yes, the Trump campaign.
How do they get that information?
Here’s where things diverge a little bit. CA says they were approached by Dr. Aleksandr Kogan with an offer to provide data, while Kogan claims that CA approached him and did fundamental legwork on his app and assured him that it was in compliance with Facebook’s Terms of Service. Kogan claims he was not paid for his work.
What was Kogan’s app?
It was a personality app, that claimed to be used by Cambridge University researchers. This was partially true, as Kogan worked at Cambridge at the time. Whether paid or not, Kogan transferred the data he gathered to CA.
While only 270,000 people used the app, at the time Facebook allowed apps to gain access to a person’s friend list, meaning that approximately 50 million people’s data were accessed.
So, there was no unauthorized intrusion, alteration of security features, or tampering with information. Kogan used the tools Facebook had built to gather the information, in compliance with the Terms of Service, and then probably violated it by transferring it to CA. It wasn’t a hack, even if it was morally scummy.
And while it’s unfortunate that millions of people had their data taken without consenting, the fault for that lies with Facebook for making that a feature people could use in the first place.
Now, let’s jump to yesterday, where The Dallas Morning News is calling a new event a “hack.”
The story begins with hackers “harvesting email addresses and phone numbers on the ‘dark web.’” So, the data in this story had already been hacked. The use of it is secondary and does not constitute a hack of its own.
These people fed those emails and phone numbers into Facebook’s search bar, enabling them to get full names and public profile information, which could include profile pictures and hometowns. This is how the search bar is supposed to work.
And while it is possible to shield yourself from being searched for, most people probably didn’t turn that setting on.
The same group of people, described as “hackers” in the article when they take this action, also used the account recovery tool. They would feed the phone number or email address into the system, which would return names, profile pictures, and links to the profile itself. The information gained did not differ much from that gained with the other strategy. Incredibly, this could have affected up to 2 billion of the 2.1 billion Facebook users.
So, was it a hack?
No, there was no unauthorized intrusion, alteration of security features, or tampering with information.
What’s really scary about this story is not that information was hacked, because it wasn’t, but that the tools Facebook designed are being used pretty much in the way in which they were intended to be used and turning over a lot of data.
What really bothers me, though, is that the only distinction that Facebook seems to make about the use of its data is whether it gets paid or not. It’s okay for a researcher, Kogan, to have it, because he’s not getting paid, but it’s wrong for a researcher with financial motives, Cambridge Analytica, to have it.
We need to remember what Facebook’s financial model is, though. They charge people who want to advertise on their platform. The reason that advertising on Facebook is so appealing is that you can target different demographics, locations, and so forth when you run your ads. I know this. I’ve run ads on Facebook. It’s kind of creepy. And, maybe they don’t want companies to use the data for political purposes without people’s consent, but that’s the world we live in. It’s the world Facebook created.
And, Facebook needs the information these groups are after in order to turn a profit, but furthermore, it relies on you to give it up willingly.
The real boogeyman here isn’t the people on the outside of the company trying to use the monster that Facebook created; it’s the company that made the monster in the first place.
So, did this information swing an election?
According to PolitiFact, the answer is probably no. The Obama campaign used a similar method in 2012 to gain information about users and their friends and may actually have gained information on more people than CA did. However, a researcher interviewed for the article claimed that “neither tactic [used by Trump’s or Obama’s campaign] was greatly effective at persuading people to vote,” meaning that all of that data turned out to be not very useful.
It remains to be seen if someone will find a better use for it in the future.