Amid Facebook Data Scandal, Israeli Cyberprivacy Leaders Say Preventative Tech Is Key To Privacy Protection
Facebook has been dominating headlines over the past few weeks as the unfolding privacy breach involving some 50 million users of the social media giant allegedly masterminded by British data mining firm Cambridge Analytica has prompted investigations by data protection authorities in Israel, the US and the UK.
The developing scandal has sparked questions about the role of Israeli companies and former Israeli spies said to be involved in Cambridge Analytica’s information-gathering methods, and has once again brought to light data privacy concerns amounting to a fervent #DeleteFacebook campaign across social media and a slew of urgent posts instructing users on how to determine what information Facebook has on them (a whole lot) and how to scale that back.
The affair began with media exposés in the New York Times and the UK daily the Guardian earlier this month, detailing Cambridge Analytica’s business practices, provided in part by a former employee and whistleblower Christopher Wylie, and the firm’s connection to the presidential campaign of now-US president Donald Trump and the Brexit campaign. The company, partly owned by major Trump supporter and donor Robert Mercer, was allegedly hired by the campaign to build targeted ads and potentially influence political opinion during the 2016 elections, using personal data harvested through a personality quiz on Facebook developed by Cambridge data scientist Aleksandr Kogan.
A subsequent report by the UK’s Channel 4 featuring hidden camera footage showed Cambridge Analytica executives, including CEO Alexander Nix, as they described uncouth company practices to an undercover reporter posing as a potential customer. Company practices included bribery stings, prostitutes, and the use of Israeli companies and former Israeli spies to gather intelligence and information about voters. Israeli hackers also reportedly offered Cambridge Analytica hacked emails of politicians in Nigeria and the Caribbean island of St Kitts and Nevis who are now heads of state.
The revelations sparked outrage and public debate on ethical standards for social media companies turned powerful data gatherers and political consulting firms. The scandal also put a spotlight on Facebook’s failure to provide adequate privacy protection, for which Facebook founder Mark Zuckerberg apologized – after days of silence – accusing Cambridge Analytica of “breach of trust” and listing actions taken by the tech giant to prevent such events from happening again.
Nevertheless, the US Federal Trade Commission, British authorities, and Israel’s Privacy Protection Authority (part of the Justice Ministry) all announced separate investigations into Facebook’s activities. Cambridge Analytica’s London offices were also raided by UK police.
And as the world grapples with the developments and their ramifications, and amid a global push for new privacy standards, questions abound on the social contract between technology companies and their users and the right to cyberprivacy.
In Israel, already a cybersecurity powerhouse, the cyberprivacy sector is a “burgeoning industry” notable for the development of software or technology aimed at enhancing the online privacy of users and companies. In 2017, there were 57 active privacy protection companies in Israel, covering areas like public key identification, VPN, permissions control, and digital footprint management, according to a Haaretz report from January. One Israeli company had even gone as far as undercutting Facebook and other tech companies, developing a “firewall to block facial recognition so that people could share pictures while still protecting their identity.”
The rise of cyberprivacy
Israeli startup BigID, an early-stage company that just raised $14 million in a Series A funding round in January, claims it is “redefining data protection” and the cyberprivacy industry with software that uses machine learning and identity intelligence technologies to help companies secure and track customer and employee data. BigID CTO and co-founder Nimrod Vax tells NoCamels he believes that technology has more of a relevant purpose in the future of digital privacy than contracts like the one that was breached between Cambridge Analytica and Facebook.
“Cambridge Analytica did violate legitimate use of data, but the bigger issue here is the lack of automation in today’s privacy,” he tells NoCamels, referring to the idea that technology should be responsible for privacy protection and not the human operator. Automation never fully eliminates the operator, but it does shift responsibility to the machine or technology, he explains.
Yoav Degani, CEO of the Israeli-founded MyPermissions (soon to rebrand as MyPrivacy) since 2016, echoes this sentiment, suggesting that social media users need a “bottom-up approach” where they can be proactive through private protection technology rather than waiting for Facebook to make policy changes.
“Maybe this is an opportunity to change people’s thinking about privacy — that they have solutions,” he tells NoCamels. “The key point is being proactive instead of reactive. Search for privacy tools, read permissions, look at the app description page.”
Degani says MyPermissions brings “awareness” to the social media user through its app, which provides an automatic personal cloud protection service that scans the online services and apps the user is connected to, alerts them in real time when apps gain permissions to personal information, and shows them the best and quickest way to protect their data.
“Until they install our app, people don’t realize so many apps and services are running their data,” he adds.
“Technology did not stop the misuse of information and it was limited by a contract, so we saw the breach,” Jonathan Klinger, an Israeli-certified lawyer who works with Israeli startups on privacy, copyright, and information challenges, tells NoCamels. “In the case of Cambridge Analytica, the misuse of data occurred because the data the company received was in breach of contract. The contract was between Facebook and the researcher, who was specifically prohibited from sharing it.”
Is Facebook solely to blame?
Facebook may not have allowed Cambridge Analytica to use its data in the way it did, but it never enforced its own privacy policies, even when rumors persisted that the data analytics firm might have been doing something wrong, of which there were indications as early as 2015, the experts explain.
“I believe that, because Facebook acted reasonably, but not in the best manner, it should be free of any liability,” says Klinger, who also volunteers as the legal counsel of the Digital Rights Movement, which acts to protect privacy and free speech in Israel.
“Facebook did request that its developers refrain from such use, and was unable to ensure in any other way that the information is used in a legitimate fashion. Had Facebook employed stricter security measures, then yes, it would be liable. This is the case where closing your eyes will set you free,” he says.
“What they need to change is how they share data in third-party [programs] so they will not expose or endanger their users,” Vax suggests, reiterating that today’s enforcement relies on contract when it should be relying on technology. “The role of technology is to automate those processes so it would be more robust.”
“You don’t need to wait for Facebook to make changes,” says Degani. “With one scan you could have seen that the [Facebook] quiz was taking your data. It’s just one of the many cases [of such breaches].”
Local enforcement and legislation
Another question that arises from the scandal is the role of government and law enforcement in securing personal data.
In the wake of the Facebook data case, the European Council, which regulates data privacy through the EU General Data Protection Regulation (GDPR), issued a warning at a summit in Brussels last Thursday saying that EU and national legislation must be respected and enforced by social networks and digital platforms. It didn’t specify Facebook by name.
While the GDPR was approved by the EU Parliament on April 14, 2016, its enforcement date is May 25, 2018, at which time a stricter European law will take effect and those organizations not in compliance will face heavy fines.
The UK data protection authority, the Information Commissioner’s Office, said it was investigating the Facebook case as part of a larger look into how personal data is analyzed for political campaign purposes. EU privacy regulators also said that “authorities from other member states are participating in a joint investigation led by the British watchdog.”
Israel meanwhile said its investigation into Facebook’s actions came “following the publications on the transfers of personal data from Facebook to Cambridge Analytica,” and amid “the possibility of other infringements of the privacy law regarding Israelis.”
“According to Israeli Privacy Law, personal data may only be used for the purpose for which it was given, with the consent of the individual,” said the Israeli Privacy Protection Authority, adding that it will “investigate whether personal data of Israeli citizens were illegally used in a way that infringes upon their right to privacy and the provisions [of the law].”
For Israel to have jurisdiction, “they’ll need to show that the data [belonged to] Israeli nationals, as well as that the data was used against Israeli law. Israeli law is a bit more lenient than EU laws, and therefore I’m not sure that the use was made in violation of Israeli law,” Klinger explains.
“I think that the [Israeli Privacy Protection Authority] needed to respond to a media crisis instead of seeking action against other entities that do harm Israeli nationals’ privacy on a daily basis,” he says.