Skip to main content
banner image
venafi logo

Privacy and Consent: The Heart of the Cambridge Analytica Scandal

Privacy and Consent: The Heart of the Cambridge Analytica Scandal

facebook and cambridge analytica privacy scandal
April 2, 2018 | Guest Blogger: Justin Sherman

On March 17, 2018, The New York Times and The Guardian’s Observer broke the story that London-based firm Cambridge Analytica had accessed the personal data of 50 million Facebook users, without permission.

Once in possession of the data, Cambridge Analytica – then headed by Donald Trump’s advisor Steve Bannon – used these “psychographic profiles” to target individual US voters for the Trump campaign. The whistleblower who helped expose the incident called the data an “arsenal of weapons,” which the firm intended to use for fighting a “culture war.”

There is much to unpack in this scandal, and it’s still unfolding.

Friday, March 23, bipartisan representatives in both the U.S. Senate and House of Representatives asked that Mark Zuckerberg testify in front of Congress; the UK Parliament has already requested the same. The following morning, Cambridge Analytica’s London offices were searched by British law enforcement from the Information Commissioner’s Office; they’re now in the process of actively processing evidence and investigating claims of wrongdoing. On March 28th, Facebook announced they will permanently end their Partner Categories feature, which allows third party data brokers to access advertising data. And, to complicate matters even further, three Facebook users from the Northern District of California have now filed a class action lawsuit on the basis of mishandling personal data.


Without getting bogged down in details, this scandal is similar to many others – accusations and denials, questions of who knew what when, and a lot of throwing around the word “ethics.” There are ongoing legal investigations; there is negative public press; and there is a lot of speculation about what will happen to Facebook and Cambridge Analytica as a result.

This is without question a groundbreaking story, and we should all follow it closely. But for the sake of simplicity, let’s exclude the political implications for just a minute. Because – from the technology perspective – such an incident was a long time coming; as one journalist put it, this scandal “reveals nothing new about the social network or its data policies.”

Even though it took Cambridge Analytica to force discussion of data tracking into the public sphere, these tensions have existed for years. In short: it’s privacy and consent that are at the heart of this scandal.

Consent: Did I really read that agreement?

When we register to use an online service like Facebook, we sign a Terms of Service agreement. Sometimes this lengthy document is put directly in front of us, and we have to click “Agree”; other times, as noted on the footer of many websites, using a platform in and of itself equates to consenting to their policies. Either way, it doesn’t really matter – because pretty much none of us read the Terms in the first place.

In those terms, however, may be a mess of information. Data tracking, data transfers, and data use are just some of the items that we may be agreeing too without even realizing it.

So, then, we have to ask ourselves: Is this actually consent? If we sign an agreement without reading it, or without fully understanding what it’s describing, does that mean we consent to all of its contained items? Or should we know better? Is the responsibility on users to read agreements in full and decline if we don’t consent?

These are tough questions, but they’re something we have to think about. Technology permeates our society more and more each day, and issues of consent are only going to play a greater role in our digital (and physical) lives.

With all of this in mind, let’s bring it back to the scandal at hand: if Facebook’s data sharing with Cambridge Analytica had been in total compliance with their Terms, would we have any right to complain? Do we have any right to claim conditional consent – that we’re fine with Facebook collecting our data, but only dependent upon who they share it with? And to that point, what ethical responsibility does Facebook have to actively comply with our wishes? Once we click “Agree,” should they even care at all?

Privacy: What happens to my data?

Linked but distinct from the consent question is the issue of privacy. Because, after all, Facebook collects immense amounts of data on its users – quite literally all of the time.

Take, for instance, these phrases buried within Facebook’s Terms of Service agreement:

  • “You give us permission to use your name, profile picture, content, and information in connection with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. This means, for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you. If you have selected a specific audience for your content or information, we will respect your choice when we use it. If you are under the age of eighteen (18), you represent that a parent or legal guardian also agrees to this section on your behalf.”
  • “For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.”

And these paragraphs, buried in Facebook’s Data Policy – a document separate from their Terms:

  • “We collect information from or about the computers, phones, or other devices where you install or access our Services, depending on the permissions you’ve granted. We may associate the information we collect from your different devices, which helps us provide consistent Services across your devices. Here are some examples of the device information we collect:
    • Attributes such as the operating system, hardware version, device settings, file and software names and types, battery and signal strength, and device identifiers.
    • Device locations, including specific geographic locations, such as through GPS, Bluetooth, or WiFi signals.
    • Connection information such as the name of your mobile operator or ISP, browser type, language and time zone, mobile phone number and IP address.”
  • “When you use third-party apps, websites or other services that use, or are integrated with, our Services, they may receive information about what you post or share. For example, when you play a game with your Facebook friends or use the Facebook Comment or Share button on a website, the game developer or website may get information about your activities in the game or receive a comment or link that you share from their website on Facebook. In addition, when you download or use such third-party services, they can access your Public Profile, which includes your username or user ID, your age range and country/language, your list of friends, as well as any information that you share with them.”

This raises even more questions: Are we comfortable with this amount of data collection? Are we comfortable with not having technical or legal control over our Facebook data? Is it fair to pose mass data collection as a “trade-off” for free use of the platform? Do we have any fundamental right to data privacy or data ownership in the US, like is the case in the European Union?

We could go on all day, but the point is clear: Facebook’s practices have existed for years. If this intense data collection, sharing, and selling seems new, that’s only because you haven’t heard about it.

So what?

Stepping outside the Cambridge Analytica scandal for a minute, we must recognize that Facebook isn’t the only tech giant collecting, analyzing, and profiting off our personal information. Further, Facebook is hardly the only company who considers our clicking of “Agree” – on an agreement we likely didn’t read – as full, deliberate, and legal consent.

Simply put, this issue is larger than Facebook. This is an issue of digital and online consent. This is an issue of privacy and corporate data-tracking. This is an issue of data ownership and trust.

The Cambridge Analytica scandal goes well beyond Cambridge Analytica, and it goes well beyond Facebook. Finally, this is the time we might realize this truth.

Learn more about machine identity management. Explore now.

Related blogs

Like this blog? We think you will love this.
Featured Blog

What Is Encryption Key Management?

Why Is Key Manag

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Guest Blogger: Justin Sherman
Guest Blogger: Justin Sherman

Justin Sherman conducts technology policy research through Duke’s Sanford School of Public Policy; and he’s a cybersecurity contributor for the Public Sector Digest. Justin is certified in cybersecurity policy and corporate cybersecurity management.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more