Corrective Measures after Facebook Data Breach

Sameer Dhanrajani(Sameer Dhanrajani is Chief Strategy Officer at alytics service provider Fractal Alytics. The views expressed are persol. He can be contacted at sameerdhanrajani@gmail.com)

T he Facebook data breach raises urgent questions that need to be answered responsibly by our industry — given its terrifying scale and impact. In today’s world, data is a form of soft power, and it is essential for those who wield it, to use it responsibly so that consumer confidence isn’t compromised.

The challenge is that, at an idea-generation stage, it can be difficult to draw a clear, bright line between whether data is being used for optimisation or for manipulation.

Take, for instance, the Obama and Trump campaigns in the US. The former used the same digital platforms for optimising communication and ensuring voter confidence and dissemition of information. On the other hand, British political consulting firm Cambridge Alytica used the same platforms but with malafide intent — to manipulate the views and preferences of voters.

As investigations continue, it is increasingly clear that data was stolen, models used were uuthorised for the purpose they were being used, the messages (in many cases) were outright lies.

So the whole operation was questioble from the get-go. It is, therefore, extremely critical to demarcate this difference: are the fil consumers of a data-driven model being actively manipulated or is data being used to merely optimise a communications strategy?

It is also essential to clearly define the parties involved in the data “lifecycle” and their roles and responsibilities, with regard to how data is being used. There are usually three parties in this lifecycle, each requiring a different kind of oversight and norms.

First are the data origitors, those that capture and store the data. And I’m not only talking about Facebook and Google, but also a wide range of other origitors — for example, Equifax (which holds extremely sensitive consumer credit information), banks (which store individual-centric fincial information), telecom organizations (which hold a treasure trove of communications and browsing information), etc.

Two safeguards are critical here.

One, data security safeguards to ensure the privacy (exterl parties shouldn’t be able to see it) and integrity (exterl parties shouldn’t be able to change it) of the data. This can be improved by ring-fencing the data sources and ensuring advanced security measures. And two, ensuring explicit consumer consent for sharing and using this data. This can be done by introducing easy-to-understand verbiage around fair-use — where their data could be used and for what purposes. These two interventions — data security and informing users where data could be shared — are the key and will go a long way in winning back consumer trust in these platforms.

The second type of entity involved is the data processing companies which employ intelligent algorithms over the data to extract insights. This includes companies like Cambridge Alytica.

Given that data processing companies also have access to a large scale of data, entrusted by clients, it is imperative that their systems are subject to similar levels of security, compliance and governce norms.

This can be resolved through globally-agreed standards of security, enforced through regular third-party audits. We need to be held to the same standards as the data sources themselves when it comes to security of the data so that we aren’t the weak link in the event of a data leak.

There may also be value in exploring how we can expressly declare the ture of algorithms employed and the source of these algorithms (in cases where there is a patent to one), to an uffiliated third-party regulator. This will ensure better transparency around what the data is being used for.

Filly, we have the third party in the data lifecycle: The buyers of the data — organizations that pay for the data and algorithm-driven insights around it. In this case, they are the political organizations that are beneficiaries of the alysis work by the processing companies.

Here, let’s go back to my earlier point of drawing the line between what is optimization and manipulation.

Are the data buying organizations sponsoring an ad because they feel consumers genuinely stand to benefit from the content, or are they using the data to manipulate users into actions that are not in their best interest?

More importantly, does the ad-sponsoring organization have the authority to display that ad, or are they a geo-political adversary? This can be cleared up by implementing fair-usage policies around what the extracted data is being used for, who is using it, and what are the implications of that data — all of which needs to be made more transparent and subject to governce norms in certain cases.

Obviously, the three parties interplay with each other. For instance, Facebook and Google are two of these parties — the source and the processor. Thus, it needs to be ensured that they be accountable to both sets of norms.

It is imperative that all parties in the data lifecycle take seriously the trust with which data is being shared with them by their users — for their own good. The way things stand right now, biting around the edges of this debate is not going to win back lost consumer confidence in our industry and we are all the losers in the long term. (IANS)