Brian Billy Nainggolan
1606897712
FH UI KKI 2016
Telematics Law
Case Study: Cambridge Analytica – Facebook Scandal and Data
Protection
Cambridge Analytica is an offshoot of SCL Group, a government and military
contractor that says it works on everything from food security research to counter-
narcotics to political campaigns. SCL was founded more than 25 years ago, according
to its website. SCL Group provides data, analytics and strategy to governments and
military organizations worldwide. It claims that it has conducted behavioral change
programs in over 60 countries & have been formally recognized for our work in defense
& social change. According to its website on May 2018 as stated,
“Cambridge Analytica provided the Donald J. Trump for President campaign
with the expertise and insights that helped win the White House. Analyzing
millions of data points, we consistently identified the most persuadable voters
and the issues they cared about. We then sent targeted messages to them at key
times in order to move them to action. All of this was achieved in a fraction of
the time and at a much lower cost than was spent by our rivals. With our help,
your campaign can use these same intelligent targeting and sophisticated
messaging techniques. Cambridge Analytica deployed three integrated teams to
support the campaign: research, data science, and digital marketing.”1
The firm claimed that the data was self-obtained by its own research and data
collecting. Cambridge Analytica beginning in 2014 obtained data on 50 million
Facebook users via means that deceived both the users and Facebook, the New York
Times and London’s Observer reported on Saturday. The data was harvested by an
application developed by a British academic, Aleksandr Kogan, the newspapers said.
Some 270,000 people downloaded the application and logged in with their Facebook
1
“Donald J. Trump for President” https://ca-political.com/casestudies Accessed on 11/12/19 from
achieve on 02/05/2018. Website is currently not active.
�credentials, according to Facebook. The application gathered their data and data about
their friends, and then Kogan passed the data to Cambridge Analytica, according to
both Cambridge Analytica and Facebook.2 The data was collected through an app called
thisisyourdigitallife, built by academic Aleksandr Kogan, separately from his work at
Cambridge University. Through his company Global Science Research (GSR), in
collaboration with Cambridge Analytica, hundreds of thousands of users were paid to
take a personality test and agreed to have their data collected for academic use.
However, the app also collected the information of the test-takers’ Facebook friends,
leading to the accumulation of a data pool tens of millions-strong. Facebook’s “platform
policy” allowed only collection of friends’ data to improve user experience in the app
and barred it being sold on or used for advertising. The discovery of the unprecedented
data harvesting, and the use to which it was put, raises urgent new questions about
Facebook’s role in targeting voters in the US presidential election.
Cambridge Analytica said on Saturday that it did not initially know Kogan
violated Facebook’s terms, and that it deleted the data once it found out in 2015. Kogan
could not be reached for comment. The data, though, was not deleted, the two
newspapers reported on Saturday. Cambridge Analytica said that the allegation was not
true. Facebook said it was investigating to verify the accuracy of the claim. Simon
Milner, Facebook’s UK policy director, when asked if Cambridge Analytica had
Facebook data, told MPs: “They may have lots of data but it will not be Facebook user
data. It may be data about people who are on Facebook that they have gathered
themselves, but it is not data that we have provided.” Cambridge Analytica’s chief
executive, Alexander Nix, told the inquiry: “We do not work with Facebook data and
we do not have Facebook data.” Wylie, a Canadian data analytics expert who worked
with Cambridge Analytica and Kogan to devise and implement the scheme, showed a
dossier of evidence about the data misuse to the Observer which appears to raise
questions about their testimony. He has passed it to the National Crime Agency’s
cybercrime unit and the Information Commissioner’s Office. It includes emails,
invoices, contracts and bank transfers that reveal more than 50 million profiles – mostly
belonging to registered US voters – were harvested from the site in one of the largest-
ever breaches of Facebook data. Facebook on Friday said that it was also suspending
2
Factbox: Who is Cambridge Analytica and what did it do?
https://es.reuters.com/article/idUSKBN1GW07F accessed on 11/12/19
�Wylie from accessing the platform while it carried out its investigation, despite his role
as a whistleblower.
At the time of the data breach, Wylie was a Cambridge Analytica employee, but
Facebook described him as working for Eunoia Technologies, a firm he set up on his
own after leaving his former employer in late 2014. The evidence Wylie supplied to
UK and US authorities includes a letter from Facebook’s own lawyers sent to him in
August 2016, asking him to destroy any data he held that had been collected by GSR,
the company set up by Kogan to harvest the profiles.
This case shows an example of failure of data security especially transparency
of personal data protection in regards to consent of personal data use. On the time of
the case occurred, Facebook data policy creates opportunity for firm like Cambridge
Analytica to obtain up to 87 million user of their personal data by paying 270.000 to
use its third party application without telling the user that their data, and the data of
other by its network of friends.3
In relation to data protection, Indonesia has regulate these matters by Ministry
of Communication and Information Regulation Number 20 Year 2016. Article 2 of this
regulation stated that,
(1) Protection of Personal Data in an Electronic System includes the protection
of the acquisition, collection, processing, analysis, storage, appearance,
announcement, transmission, distribution and destruction of Personal Data.
(2) In implementing the provisions referred to in paragraph (1) must be based
on the principle of good protection of Personal Data, which includes:
a. respect for Personal Data as privacy;
b. Personal Data is confidential in accordance with the consent and / or
based on statutory provisions;
c. based on the Agreement;
3
Facebook Says Cambridge Analytica Harvested Data of Up to 87 Million Users
https://www.nytimes.com/2018/04/04/technology/mark-zuckerberg-testify-congress.html accessed
on 11/12/19
� d. relevance to the objectives of acquisition, collection, processing,
analysis, storage, appearance, announcement, delivery and
dissemination;
e. eligibility of the Electronic System used;
f. good faith to immediately notify the Owner of Personal Data in writing
of any failure to protect Personal Data;
g. the availability of internal rules for managing Personal Data protection;
h. responsibility for Personal Data that is in the possession of the User;
i. easy access and correction of Personal Data by the Owner of Personal
Data; and
j. integrity, accuracy, and validity and updating of Personal Data.
(3) Privacy as referred to in paragraph (2) letter a is the freedom of the Owner
of Personal Data to declare confidential or not reveal the confidentiality of his
Personal Data, unless otherwise stipulated in accordance with statutory
provisions.
(4) Approval as referred to in paragraph (2) letter b is given after the Owner of
Personal Data confirms the truth, confidentiality status and the purpose of
managing Personal Data.
(5) Legitimacy as referred to in paragraph (2) letter j constitutes the legality in
the acquisition, collection, processing, analysis, storage, appearance,
announcement, transmission, distribution and destruction of Personal Data.
Based on the article, it stated that consent must be obtained in the usage of personal
data. This clearly shows that the application of Cambridge Analytica failed to ask their
user that the personal data was used for commercial purposes and will be processed as
product to sell as service for political campaigns. It also shows that facebook fails to
protect users that are not using the application so that their personal data was breach
without any of their mistakes.
