mixmagic - stock.adobe.com

MEPs call for action in wake of Facebook-Cambridge Analytica scandal

European members of parliament demand action to protect citizens’ privacy from abuses such as those uncovered in the Facebook-Cambridge Analytica data sharing scandal

European MEPs have demanded a full audit by EU bodies on Facebook, as a resolution adopted at the UK’s Information Commissioner’s Office confirmed a £500,000 fine for Facebook for failings relating to the Cambridge Analytica data sharing scandal.

The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded a quiz app, but were simply “friends” with people who had.

Facebook also failed to keep the personal information secure because it did not make suitable checks on apps and developers using its platform. These failings meant one developer, Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge.

The MEPs’ resolution also calls for electoral laws to be updated to reflect the new digital reality and for EU member states to investigate alleged misuse of online political spaces by foreign forces.

The resolution comes as a response to the unauthorised collection and sharing of personal data of 87 million Facebook users, including 1.1 million Britons that was exposed in March 2018.

MEPs say Facebook did not only breach the trust of EU citizens, but also breached EU law. They recommend that Facebook make changes to its platform to comply with EU data protection law.

MEPs note that the data obtained by Cambridge Analytica may have been used for political purposes, by both sides in the UK referendum on membership of the EU and to target voters during the 2016 American presidential election.

Read more about Facebook and privacy

They highlight the urgency of countering any attempt to manipulate EU elections and to adapt electoral laws to reflect the new digital reality.

To prevent electoral meddling via social media, MEPs propose:

  • Applying conventional “offline” electoral safeguards online: rules on spending transparency and limits, respect for silence periods and equal treatment of candidates;
  • Making it easy to recognise online political paid advertisements and the organisation behind them;
  • Banning profiling for electoral purposes, including use of online behaviour that may reveal political preferences;
  • That social media platforms should label content shared by bots, speed up the process of removing fake accounts and work with independent fact-checkers and academia to tackle disinformation;
  • Investigations should be carried out by member states with the support of Eurojust, into alleged misuse of the online political space by foreign forces.

The resolution summarises the conclusions reached following last May’s meeting between leading MEPs and Facebook CEO Mark Zuckerberg, and the three subsequent hearings. It also references the data breach suffered by Facebook on 28 September.

Facebook reported a “security issue” affecting “almost 50 million accounts” on 28 September, three days after detecting the problem and starting investigations.

Three vulnerabilities

According to the social networking firm, attackers exploited three vulnerabilities in Facebook’s code related to the “View As” feature that lets people see what their own profile looks like to someone else.

This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts, the company said, explaining that access tokens are the equivalent of digital keys that keep people logged in to Facebook so they do not need to re-enter their password every time they use the app.

The case is under investigation by Ireland’s Data Protection Commission has demanded more information from Facebook about the scope and nature of the breach to determine how many EU residents were affected and the risk to users.

If Facebook is found to be in contravention of the EU’s General Data Protection Regulation (GDPR), which went into full force about four months before the breach, the social networking firm could face a fine of up to $1.6bn, which is roughly 4% of the company’s global annual turnover.

Civil Liberties committee chair Claude Moraes said: “This is a global issue, which has already affected our referenda and our elections.

“This resolution sets out the measures that are needed, including an independent audit of Facebook, an update to our competition rules and additional measures to protect our elections. Action must be taken now, not just to restore trust in online platforms, but to protect citizens’ privacy and restore trust and confidence in our democratic systems.”

Read more on Privacy and data protection

Data Center
Data Management