How to remove apps from Facebook after the Cambridge Analytica scandal: is Facebook compliant with GDPR?

Posted by Lee Noble

A scandal that has been widely reported in the last few days has revealed that an app, initially developed for Facebook users to find out their personality type, scraped the data of over 50 million people.

In 2014, Facebook used an app developed by a Cambridge academic to invite users to find out their "personality type". Some 270,000 people had their data collected by this app, but the app also collected public data from users' friends. A whistleblower has reported that Cambridge Analytica harvested the data of over 50 million users, which they then used to psychologically profile those users and deliver pro-Trump material to them in the run-up to the US General Elections.

But what does that mean for us? And more specifically, how do you know what data is being harvested by apps that you have given access to on Facebook? The answers may shock you.

 

How do you find this information?

You can find this information by logging into your Facebook account and navigating to the Settings page. You can do this by clicking on the downward arrow at the top right of your page, next to the question mark in a dark grey circle.

From here, you can navigate to "Apps", about two-thirds of the way down the column on the left of this page.

It is also interesting to note that on the settings page, Facebook have created a link that allows you to download a copy of your data. Presumably this is to satisfy GDPR legislation when it comes into force in May.

On this apps page, you will see a list of all of the apps that you have used your Facebook details to log in with. Basically, every time you download an app to your phone or visit a website where you click "Use Facebook to Sign In", you are granting that app access to your public data on Facebook.

Of the 189 apps listed on my account, some are from reputable companies, some are games that I have played in the past and some are random quizzes that I have taken when bored ("Are you a MORON?"; I won't reveal the answer to that one). All 189 of these apps have access to my public personal data, which I consented to when I used Facebook to sign up with them. And here's the clincher: a majority of them also have access to all of my friends' personal data too, without my friends even knowing.

So the question is, now that it has been uncovered just what Cambridge Analytica have been doing with the personal data that they purchased, how many more companies are doing this and what else is happening with our data that is being potentially harvested by one of these various apps?

From here you can then start to delete each app that you don't recognise or no longer want to have access to your public data. You can't bulk-remove all of the apps so you have to do it individually (annoying but I suspect this was done on purpose).

So, now that you can see and potentially remove all of these apps, you can also see the statement from Facebook that tells you exactly which data is publicly available. The statement says:

"On Facebook, your name, profile picture, cover photo, gender, networks, username, and user id are always publicly available to both people and apps. Learn why. Apps also have access to your friends list and any information you choose to make public."

I saw this and decided that I would indeed like to "learn why" so this is what I found.

It has not been much of a secret that Facebook is turning into a massive data collection tool. The worrying element is that there are over 1 billion active users in the world all with their public data available for Facebook, or other apps, to harvest at their will. The "learn why" link takes me to Facebook's "Data Policy" page which explains, in detail, the information that they collect and store about you depending on your actions.

You can read the full list here but in short (deep breath), they collect information about the things that you do, things that others do that include you (like uploading a picture of you), information about how you interact with your network, payment information if you buy something through Facebook, what devices you use to view Facebook, information about websites that use their services, information provided about you by third-party partners, and information about you from companies that are owned by Facebook (such as Instagram and WhatsApp).

A lot of info farming.

Will GDPR affect this? You would certainly think so. Many people wrongly believe that GDPR only affects consent around sending communications, but this is not true. GDPR will affect any company that collects and stores any personal information about anyone in Europe. Facebook's statement on their position relating to GDPR is:

"Facebook takes data protection seriously and we comply with data protection laws that apply to us. We will ensure that our services align with the GDPR. We've built tools to help people manage their data and understand their choices with respect to how we use their personal data. We appreciate that the GDPR requires our advertisers and business partners, when acting as data controllers, to make sure that Facebook (acting as the data processor) has the appropriate safeguards in place. We are committed to those safeguards and will meet those requirements."

It is understandable that when you use Facebook you are willingly disclosing personal data, and Facebook have a right to process your data when you have asked them to by signing up for an account. However, under GDPR they will be prevented from using this data for any purposes other than those you have consented to. "Purpose limitation" is the principle behind GDPR that means data must only be collected "for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (General Data Protection Regulation, Article 5, paragraph 1(b), to be precise).

An excellent article by PageFair explains in more detail GDPR consent and the elements that will specifically affect Facebook and fellow technology behemoth Google. They have put together a sliding scale showing how certain elements of Facebook need consent under the GDPR:

[Image: PageFair sliding scale on GDPR consent]

Facebook has already been fined by both the French and Spanish Governments (€150,000 and €1.2m respectively) and the EU is definitely not kidding when it comes to the fines under GDPR for similar breaches - a maximum of 4% of total global revenues or $4.4 billion in Facebook's case.

"Organisations will have to re-obtain user consent (for the data they wish to keep) and build a fully documented permission trail before GDPR becomes enforceable - or existing data will risk becoming obsolete. There is a risk of further customer data loss once users have the right to opt out of marketing campaigns and erase their personal data." - Lisa Yang, Analyst at Goldman Sachs.

The tools that they have built (or are building) to help us include the "activity log" tool, which allows you to see all of your activity on Facebook, from posting and commenting to sharing things and "liking" things. You will also be able to see at a glance which of this information is set as "public", and you can change the settings here. You can also access the privacy settings of your account so that only your friends can see information about you.

You can access a copy of all of the data Facebook hold about you (as mentioned previously), too.

Facebook's statement regarding how you can manage or delete information about yourself is summed up by explaining to you how you can delete your account entirely. Is this a subtle way of telling us that you either let Facebook do what they want with your data or delete your account entirely? It looks that way.