When the Customer is the Product: Cambridge Analytica and a Peak Behind the Data Curtain

Unless you’ve been living under a rock for the last month, you have heard and read stories about a previously obscure British consulting firm Cambridge Analytica. Without going into great depth in this article, Cambridge Analytica apparently gained access to data obtained through a Facebook app developed by a Cambridge professor, which included information about not only the users, but also about their activities on Facebook and their friend networks. This data was then used by Cambridge Analytica in support of paying clients to micromarket to particular individuals or groups. Furor has arisen because those marketing activities included political campaigns such as the “Brexit” vote for the UK to leave the EU, the US election of Donald Trump, and reportedly elections in Australia, Brazil, Kenya, Malaysia and Mexico Regardless of your political stripes, it is the illicit use of user data for purpose unknown to and unintended by the individual(s) that data refers to that is at issue.

This is by no means an issue limited to Cambridge Analytica, or to politics. Data recorded by an Apple watch was used in the last week in an Australian murder trial. Best Buy recently stopped selling devices made by Chinese company Huawei in part because of security concerns, and notably the heads of the FBI, the CIA, the NSA, and the director of national intelligence have warned Americans against using phones by Huawei and ZTE for the same reasons. There are reports of Google devices recording all activities in a home. China has banned smartwatches in its military, and Germany has banned them for kids.

This problem is the result of the business model of many of the tech companies we now rely on. Google provides free, cloud-based office and email capabilities, as well as mapping, video, audio. Facebook is also free, and it is a primary point of contact for many people to their friends and family. LinkedIn, Monster and Indeed, etc., are free, and largely replacing classified ads for seeking and finding employees and employment. You buy the device, but don’t pay a fee to use the capabilities of your home networking hub, your smartwatch, your fitness band. These companies make money by gathering, packaging, and selling data, or by helping other companies to use data to target marketing for its maximum effectiveness. At the root of the Cambridge Analytica scandal was an app designed to obtain data primarily for sociological and psychological studies. The product isn’t the service, it’s access to the users of that service, and their data that these companies are selling.

And so you ask: “what does this have to do with my business?” Do your employees use cell phones and laptops? Do they have work-related documents and communications on them? Does your company have a website and use data analytics? Do your employees log in to Facebook or LinkedIn or Instagram at work? Does your company have a social media profile, complete with its own friend network? What would you pay to know the websites your competitor’s employees and customers visited, or the names and contact information for their social media network contacts? How about the filenames of documents emailed around and the times and dates of those file transfers. What would your competitors pay for that data about your company? Chances are at least some companies have at least some of that data, for both you and your competitors.

A savvy company puts policies in place governing the storage, deletion, and transfer of data, as well as who can access such data, when, and why, and how and under what circumstances data leaves its possession. Making clear to employees and clients that there may be a data privacy issue is the first step to avoiding such an issue, and putting policies, rules, and protocols in place to govern data is easier, cheaper, and faster than cleaning up after data has escaped. Every company should, at a minimum, have a policy regarding the use of company-owned devices, smart devices with access to company data or systems, and access to social media on such devices, or, in light of recent events, get one.

If you have questions about this article, please contact Dov Szego at 804.377.1263 or dszego@setlifflaw.com, or contact Steve Setliff at 804.377.1261 or ssetliff@setlifflaw.com