<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>David Glance &#8211; Australian Privacy Foundation</title>
	<atom:link href="https://privacy.org.au/author/david-glance/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacy.org.au</link>
	<description>Defending your right to be free from intrusion</description>
	<lastBuildDate>Tue, 27 Mar 2018 04:55:41 +0000</lastBuildDate>
	<language>en-AU</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://privacy.org.au/wp-content/uploads/2021/04/cropped-logo_horizontal2-32x32.png</url>
	<title>David Glance &#8211; Australian Privacy Foundation</title>
	<link>https://privacy.org.au</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>It’s impossible for Facebook users to protect themselves from data exploitation</title>
		<link>https://privacy.org.au/2018/03/27/its-impossible-for-facebook-users-to-protect-themselves-from-data-exploitation/</link>
		
		<dc:creator><![CDATA[David Glance]]></dc:creator>
		<pubDate>Tue, 27 Mar 2018 04:55:41 +0000</pubDate>
				<category><![CDATA[Commentary]]></category>
		<guid isPermaLink="false">https://privacy.org.au/?p=3078</guid>

					<description><![CDATA[David Glance, University of Western Australia The London-based data analytics firm Cambridge Analytica has been accused of using illegally gathered information from more than 50 million Facebook users to support Donald Trump’s US presidential campaign. Facebook has suspended the accounts of the firm along with Cambridge University academic Aleksandr Kogan and consultant-turned-whistle-blower Christopher Wylie, who&#8230; <span class="excerpt-more"><a href="https://privacy.org.au/2018/03/27/its-impossible-for-facebook-users-to-protect-themselves-from-data-exploitation/">Read More</a></span>]]></description>
										<content:encoded><![CDATA[<span><a href="https://theconversation.com/profiles/david-glance-148">David Glance</a>, <em><a href="http://theconversation.com/institutions/university-of-western-australia-1067">University of Western Australia</a></em></span>

<p>The London-based data analytics firm Cambridge Analytica has been accused of using illegally gathered information from more than 50 million Facebook users to <a href="https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-Facebook-influence-us-election">support Donald Trump’s US presidential campaign</a>. Facebook has suspended the accounts of the firm along with Cambridge University academic Aleksandr Kogan and consultant-turned-whistle-blower Christopher Wylie, who were responsible for harvesting the data from Facebook.</p>

<p>The personal data was gathered using a Facebook application called “thisisyourdigitallife” created by Kogan through his firm Global Science Research (GSR). The data was passed on to Cambridge Analytica, which <a href="https://ca-commercial.com/news/cambridge-analytica-responds-Facebook-announcement">claims to have deleted the data</a> when the company realised that it was collected contrary to Facebook’s terms of service.</p>

<h2>Psychometric profile for targeted advertising</h2>

<p>The original idea was to use the collected data to target political ads at people based on their <a href="https://mumbrella.com.au/did-a-short-research-paper-just-unlock-facebooks-psychometric-blackbox-484800">psychometric profiles</a>. This concept was adapted by Cambridge Analytica and Kogan from work done in part by another Cambridge University psychologist, David Stillwell. <a href="http://www.pnas.org/content/early/2017/11/07/1710966114/tab-article-info">Along with researchers Matz, Kosinski and Nave</a>, Stillwell showed that advertising that was tailored to a person’s level of extraversion or openness was far more effective at getting them to click on an ad and ultimately buy something.</p>

<p>The psychometric personality profile was built up by asking the users to complete an assessment questionnaire and also to allow an application to look at the user’s Facebook posts and likes. The profile is based on five factors:</p>

<ul>
<li><p>Neuroticism (calm or stressed)</p></li>
<li><p>Openness (traditional or liberal)</p></li>
<li><p>Extraversion (introverted or outgoing)</p></li>
<li><p>Agreeableness (cooperative or competitive)</p></li>
<li><p>Conscientiousness (organised or flexible)</p></li>
</ul>

<p>Using information about the posts that someone likes on Facebook has been shown to <a href="http://www.pnas.org/content/112/4/1036?ijkey=1fe7c6436d5ecdbe36f277dda46ffe21920bf7ce&#038;keytype2=tf_ipsecsha">greatly enhance the accuracy of determining a person’s profile</a>.</p>

<p>The process of working out the profile and then targeting the ads is not actually that sophisticated, as the ads designed for low and high extraversion show.</p>

<h2>Facebook is not committed to protecting its users’ data</h2>

<p>Facebook does not make the process of collecting data from its platform particularly difficult. It is essentially an “honour code” with few negative consequences to those that abuse it. Facebook itself uses this type of approach to target ads to users and so refrains from criticising others for doing the same. Facebook has <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3834737/">itself experimented</a> with influencing the voting intentions of its users without getting their informed consent.</p>

<p>The simple fact of the matter is that as long as for-profit companies make their money out of advertising, they will try to make that advertising as effective as possible by gathering ever more detailed personal and behavioural information about their users to target ads. Social media and search companies such as Facebook and Google have little incentive other than the risk of government regulation and fines to limit the amount and types of information collected or the ways in which this information is used to target users with ads.</p>

<p>US and European officials are again <a href="https://www.washingtonpost.com/business/economy/us-and-european-officials-question-facebooks-protection-of-personal-data/2018/03/18/562b5b0e-2ae2-11e8-911f-ca7f68bff0fc_story.html">raising questions</a> about Facebook’s willingness to protect users’ data and to not allow its platform to be abused by governments and private interests to influence political outcomes. Previous attempts to seek answers from Facebook have largely failed, even during <a href="http://www.slate.com/articles/technology/technology/2017/10/congress_is_finally_asking_Facebook_twitter_and_google_the_right_questions.html">official hearings</a>. The threat of fines to change the tech companies’ behaviour is also not completely effective, as company lawyers challenge every action by governments and the fines that companies face are seen as simply a cost of doing business.</p>

<h2>The best way to protect yourself from social networks? Leave them</h2>

<p>Users of social networks are now being <a href="https://www.theguardian.com/technology/2018/mar/19/how-to-protect-your-Facebook-privacy-or-delete-yourself-completely">advised</a> about how to protect their data from apps. In 2014, Facebook <a href="https://stackoverflow.com/questions/23449424/Facebook-not-getting-full-friends-list-with-recent-changes-app-scoped-user-id">changed</a> the way applications could access the list of friends for a particular user. After the change, apps could only get information about the friends of a user if they themselves were using the app.</p>

<p>Facebook CEO Mark Zuckerberg has <a href="https://www.Facebook.com/zuck/posts/10104712037900071">stated</a> that Facebook will reduce the access that applications have to user data even further in the wake of the Cambridge Analytica scandal. However, this will still not stop those determined to harvest user data from doing so. If the list of a user’s Facebook friends is set to public, it is possible to simply use a program to “scrape” the data without using a direct programming interface. A simple search on Google reveals many applications and scripts that will do this.</p>

<p>Even changing Facebook’s privacy settings to keep your list of friends private does not necessarily stop anyone from knowing things about you. Anything that is available publicly through the profile of one of your friends may include information about you. Also, making information private does not stop Facebook from using it even though the company claims that you can <a href="https://www.Facebook.com/help/568137493302217">control this</a>. It only applies to information obtained from outside of Facebook, and the firm can still exploit user information to target ads and for any other purpose it chooses.</p>

<p>And while users can block Facebook ads by using extensions such as <a href="https://www.fbpurity.com">F.B. Purity</a>, this simply means giving yet another company access to your personal data.</p>

<p>In the end, the only way we have to limit the use of our personal data by social media is to avoid joining the platforms in the first place. This means not having an account at all, because setting up a profile and logging in even once leaves the ability to be tracked when visiting other sites. And if you’re already on Facebook, the best way to protect your personal data is to <a href="https://www.wikihow.com/Permanently-Delete-a-Facebook-Account">delete the account completely and permanently</a>. While it may seem like a radical solution, it’s the only truly effective one.</p>

<p><span><a href="https://theconversation.com/profiles/david-glance-148">David Glance</a>, Director of UWA Centre for Software Practice, <em><a href="http://theconversation.com/institutions/university-of-western-australia-1067">University of Western Australia</a></em></span></p>

<p>This article was originally published on <a href="http://theconversation.com">The Conversation</a>. Read the <a href="https://theconversation.com/its-impossible-for-facebook-users-to-protect-themselves-from-data-exploitation-93800">original article</a>.</p>]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What should Australian companies be doing right now to protect our privacy</title>
		<link>https://privacy.org.au/2017/10/13/what-should-australian-companies-be-doing-right-now-to-protect-our-privacy/</link>
		
		<dc:creator><![CDATA[David Glance]]></dc:creator>
		<pubDate>Fri, 13 Oct 2017 02:54:46 +0000</pubDate>
				<category><![CDATA[Commentary]]></category>
		<guid isPermaLink="false">http://privacy.org.au/?p=1366</guid>

					<description><![CDATA[David Glance, University of Western Australia Australians are increasingly concerned about how companies handle their personal data, especially online. Faced with the increasing likelihood that this data will be compromised, either through cyber attacks or mishandling, companies are now being forced into a more comprehensive approach to collecting and protecting customers’ personal data. The question&#8230; <span class="excerpt-more"><a href="https://privacy.org.au/2017/10/13/what-should-australian-companies-be-doing-right-now-to-protect-our-privacy/">Read More</a></span>]]></description>
										<content:encoded><![CDATA[<span><a href="https://theconversation.com/profiles/david-glance-148">David Glance</a>, <em><a href="http://theconversation.com/institutions/university-of-western-australia-1067">University of Western Australia</a></em></span>

<p>Australians are increasingly concerned about how companies handle their <a href="https://www.oaic.gov.au/engage-with-us/community-attitudes/australian-community-attitudes-to-privacy-survey-2017#s1-0-summary-of-results">personal data</a>, especially online.</p>

<p>Faced with the increasing likelihood that this data will be compromised, either through cyber attacks or mishandling, companies are now being forced into a more comprehensive approach to collecting and protecting customers’ personal data. The question remains &#8211; what is the best approach to achieving this goal?</p>

<p>The Organisation for Economic Co-operation and Development (OECD) has proposed that, instead of talking about cybersecurity, companies, organisations and nations should be viewing the problem from a <a href="http://www.oecd.org/publications/digital-security-risk-management-for-economic-and-social-prosperity-9789264245471-en.htm">digital security risk management</a> perspective.</p>

<p>Cybersecurity often overlooks risks to data that have nothing to do with a “cyber” element, even if people could agree on a definition of that term. Edward Snowden, for example, <a href="https://www.darkreading.com/attacks-breaches/how-did-snowden-do-it/d/d-id/1140877">used</a> a colleague’s credentials to access the system and copied files to a <a href="https://www.wired.com/2013/06/snowden-thumb-drive/">USB drive</a>.</p>

<p>Digital security risk management involves getting everyone in an organisation to see digital risk as part of the overall risks that the organisation faces. The extent of risk any organisation is willing to take in any particular activity depends on the activity’s value. The aim is to manage the risk to a level that is acceptable to all parties.</p>

<h2>What do you do about the weak link: humans?</h2>

<p>It is worth remembering that in the case of the <a href="https://www.nytimes.com/2017/10/02/business/equifax-breach.html">Equifax breach</a> in which the personal details of up to 143 million customers in the US were leaked, it was largely human errors that were to blame.</p>

<p>Put simply, the <a href="https://www.theverge.com/2017/10/3/16410806/equifax-ceo-blame-breach-patch-congress-testimony">person</a> who was responsible for applying the patch (a piece of software designed to update a computer program or its supporting data, to fix or improve it) didn’t do their job. The software that was supposed to check whether the patch had been applied also failed to pick this up.</p>

<p>Until humans can be taken out of the equation entirely, it is almost impossible to remain entirely secure, or to avoid the inadvertent disclosure of personal and private information. <a href="http://www.cert.org/insider-threat/">Insider threat</a> (as this type of risk is known) is difficult to combat and companies have tried various <a href="http://www.cert.org/insider-threat/best-practices/">approaches</a> to managing this risk including predictions based on psychological profiling of staff.</p>

<p>Automation and artificial intelligence may be a way of achieving this in the future. This works by minimising the amount of sensitive information staff have direct access to and surfacing only the analysis or interpretation of that data.</p>

<h2>A litany of recent breaches</h2>

<p>If you needed convincing about the vulnerability of personal data on the Internet, you only need look at Gemalto’s data breach <a href="http://breachlevelindex.com/data-breach-database.php?range=2016">website</a> or <a href="https://www.databreaches.net/millions-of-australians-caught-in-health-records-breach/">DataBreaches.net</a>.</p>

<p>The breaches of private and personal information don’t recognise national boundaries, with hacks of companies like Yahoo <a href="https://www.wsj.com/articles/yahoo-triples-estimate-of-breached-accounts-to-3-billion-1507062804">having affected</a> 3 billion users, including millions of Australians.</p>

<p>Of course, Australian companies and organisations have also been involved with spectacular data breaches. Last year saw the Australian Red Cross <a href="https://theconversation.com/questions-still-need-answering-in-australias-largest-health-data-breach-67916">expose</a> 555,000 customer records online.</p>

<p>Of more concern was that the Australian Department of Health had <a href="https://www.thesaturdaypaper.com.au/news/politics/2016/10/08/millions-australians-caught-health-records-breach/14758452003833">published</a> online what they believed were de-identified records of Medicare and pharmaceutical claims of more than 3 million patients. Researchers at the University of Melbourne discovered that the “encrypted” doctor provider numbers could be decrypted.</p>

<h2>Are we looking at it in the wrong way?</h2>

<p>Whilst there are practical steps companies can take to protect digital systems and data, there are more fundamental questions companies should be asking from a risk perspective. In order to navigate these questions, companies need to understand the data they collect and, perhaps surprisingly, this is something <a href="https://www.forbes.com/sites/baininsights/2016/04/18/most-cios-dont-think-their-companies-can-handle-big-data/#1a447f50556e">most companies struggle to do</a>.</p>

<p>The 13 <a href="https://www.oaic.gov.au/privacy-law/privacy-act/australian-privacy-principles">Australian Privacy Principles</a> from the Office of the Australian Information Commissioner outline the basics of how organisations and agencies should handle personal information. The practical <a href="https://www.oaic.gov.au/agencies-and-organisations/guides/guide-for-mobile-app-developers">application</a> of these principles involves an approach called Privacy By Design for all applications and services companies offer.</p>

<h2>Enter confidential computing</h2>

<p>For CSIRO’s Data61, the <a href="http://www.abc.net.au/radionational/programs/breakfast/csiros-data61-looks-to-confidential-computing/9009960">answer</a> to breaches of this sort is “confidential computing”. <a href="https://data61.csiro.au/en/Who-we-are">Data61</a> is tasked with data innovation and commercialisation of its research ideas. Confidential computing is the remit of Data61’s latest spin-off, <a href="http://www.n1analytics.com/">N1 Analytics</a>.</p>

<p>The main aspect of confidential computing involves keeping data encrypted at all times, using special techniques to query the data while it is still encrypted, and decrypting only the answer.</p>

<p>This can even allow others outside an organisation to query internal data directly or link to it with their own data without revealing the actual underlying data to either party.</p>

<p>Aside from the case of allowing the use of sensitive data in research, this approach would allow a company with financial information, say, to share this data with an insurance company without handing over sensitive information but theoretically letting the insurance company carry out extensive data analytics.</p>

<h2>What companies should do now to protect your data</h2>

<p>As a starting point, Australian companies should only collect the minimum of personal information that the business actually needs. This means, for example, not collecting extra information simply for marketing purposes at some later date.</p>

<p>Companies then need to explain in simple, clear terms why information is being collected and what it is being used for, and get users to consent to giving that information.</p>

<p>Companies then need to secure the data that is collected. Security involves dedicated staff understanding the data that is kept by a company and taking responsibility for its physical security and for controlling who has access, when they have access and in what form they can access the data.</p>

<p>Lastly, they need to understand and enact a risk management approach to all digital data. This means that this is part of the overall culture of the company for every employee.</p>

<p>This article was originally published on <a href="http://theconversation.com">The Conversation</a>. Read the <a href="https://theconversation.com/what-should-australian-companies-be-doing-right-now-to-protect-our-privacy-85247">original article</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
