The Cambridge Analytica- Facebook data revelations have set off a vigorous round of blame-shifting among the political consulting firm, the social network and Aleksandr Kogan, the academic who transmitted data between them.

Facebook bears the lion’s share of responsibility for allowing millions of users’ profile information to land in the hands of a private consultancy—but not for the reasons others have claimed. The company’s error lies not in its collection and sharing of data, but rather in its failure to take technological measures to oversee and protect that data as it went out the door.

Mr. Kogan used an app he built to harvest Facebook users’ data starting in 2013. The company claims he had agreed to use the information only for academic purposes, but reports suggest Mr. Kogan soon began sharing data with Cambridge Analytica.

That Facebook collects data and gives it out to third parties for any number of reasons—including targeted campaigns—is unremarkable. Facebook itself has long offered advanced user-targeting to advertisers. The Obama re-election campaign skillfully took advantage of these tools in 2012, to the delight of the mainstream media.

In handing out user data for a restricted purpose, however, Facebook had a responsibility to ensure that it would be used only for that purpose. Mr. Kogan disputes that his agreement with Facebook prohibited him from reselling the data. But even if it did, Facebook had no way to enforce this once the records were in Mr. Kogan’s hands. Like forwarded emails, data sets are hard to control once they are given away.

Compare the Facebook-Kogan transactions with those of a lawyer who gives a corporate client’s documents to opposing counsel ahead of litigation, as required by law. The lawyer recognizes the risk that opposing counsel could abuse its access to this private information by sharing the client’s secrets with competitor firms. That’s why lawyers may impose various physical restrictions on access to the client’s papers—such as holding them in a guarded file room or storing them on an internet-disconnected computer for viewing purposes only. It would be malpractice for an attorney merely to hand over a flash drive of millions of files to opposing counsel with a note saying, “Don’t be naughty.”

As a technology company, Facebook had a menu of technological solutions to restrict Mr. Kogan to his professed academic intentions. Computer scientists have developed algorithms, sometimes called “differential privacy,” that randomize or modify data in ways that make them useful for academic research but not for other uses. Apple has pioneered the use of this tool. Similar measures might have prevented Facebook’s raw user data from being misused by Cambridge Analytica under allegedly false pretenses.

No matter what the terms of Facebook’s agreement with Mr. Kogan, the company’s failure to control its user data is inexcusable. Facebook is entitled to share user data with third parties, so long as it takes necessary precautions against abuse. Surely America’s fifth-largest technology company can afford to put some technology behind keeping its promises.

Image credit: rvlsoft

Featured Publications