The Facebook/Cambridge Analytica case headlined technical news the whole Spring of 2018. This case is not the first (and certainly not the last) that demonstrates privacy issues with Facebook and the ecosystem around it; yet, it gained notoriety because of its scale and alleged direct effect on the outcome of the US presidential election. In this talk we look behind the scenes and under the hood and analyze the IT, economic, psychological and legal background necessary to understand the full impact of the Cambridge Analytica case. We touch upon the underlying economic theory on externalities that defines interdependent privacy and sets the scene at a high level; the permission system of the Facebook API that enabled the collection of personal data at scale; the breakthrough psychology research that enabled the use of these data to influence political elections; and the legal impact through the lens of the GDPR.

1. Interdependent Privacy and the
Psychology of Likes
A Unique Take on the Cambridge Analytica Case
Gergely Biczók
biczok@crysys.hu
(some slides courtesy of Gergely Ács)
CrySyS Lab
Dept. of Networked Systems and Services
Budapest University of Technology and Economics
www.crysys.hu
blog.crysys.hu

2. |
CrySyS Lab
§ 20% women
§ 30% Gerg*
2Hacktivity 2018

3. |
Facebook vs. Cambridge Analytica vs. You
270K (paid) users
thru AMT & FB app
30-50-87M friend
profiles harvested
(Allegedly) used to
influence voters:
• US presidential
elections
• Brexit vote
• Kenya
• „undisclosed
Eastern European
country”
Investigations and
lawsuits
• GSR-> SCL data
transfer is
violating FB
termsHacktivity 2018 3

4. |
Mark Z hearings
Hacktivity 2018 4

5. |
Unique take?
§ 2011: FTC investigation about FB 3rd party apps
§ 2013: „Interdependent Privacy: Let Me Share Your Data” at
Financial Crypto
§ 2013-14: Kogan’s app operational, SCL, CA
§ 2014: FB investigates Kogan’s case, changes API
§ 2016: „Collateral Damage of Facebook Apps: Friends,
Providers, and Privacy Interdependence” at IFIP SEC
§ 2016: US Presidential elections
§ 2018*: Chris Wyile blows whistle on CA
§ 2018*: „Collateral damage of Facebook third-party
applications: a comprehensive study” in Computers&Security
5Hacktivity 2018

6. |
Unique take!
§ Economics
§ Psychometrics
§ Technical
§ (Little bit of) Legal
§ (Politics excluded)
– Except for Mark Z
6Hacktivity 2018

7. |
Economics of interdependent privacy
7Hacktivity 2018
§ Externality is a cost (-) or benefit (+) that affects a party
who did not choose to incur that cost or benefit
§ Privacy loss is a negative ext => Interdependent privacy
– Friends were not notified/asked
§ Internalize them!
§ Tax (Pigou): whoever causes the negative ext. should
reimburse „society” (friend? CA? FB?)
§ Regulation: limiting the activity causing negative ext.
§ System (Mechanism) design: FB users could have direct
control over every bit of their personal info

8. |
Psychometric profiling (Kosinski et al., UCam)
§ Personality can be defined by the “Big Five”
– OCEAN: Openness, Conscientiousness,
Extraversion, Agreeableness, and Neuroticism
§ Such traits can be predicted pretty well
from your Facebook likes
– Example: emotionally less stable people
(high in neuroticism)
tend to like Kurt Cobain, or Gothic rock
§ How many likes are needed?
– 70 likes: friend’s level
– 150 likes: parent’s level
– 300 likes: spouse’s level
§ Typical Facebook user: 227 likes…
Hacktivity 2018 8

9. |
How is it used?
– Conscientious individuals are
generally more drawn to ads
which evoke anger
§ Microtargeted ads
– Fear advertising are best
suited for extroverts and
agreeable
Hacktivity 2018 9

10. |
Interdependent privacy: Facebook API
§ FB Graph API was designed explicitly for being able to scrape
information of app users’ friends
§ Issue: without the knowledge and consent of the friend!
§ V1.0 (depr. 2015): friends_xxx, ~1 permission per profile
attribute (also read_mailbox...)
§ V2.0 (2014-): user_friends, 1 permission for all
§ FB claims it solved the problem with v2.0
– Information only on friends who also installed the app
– Mutual consent for user_friends
§ (Currently v3.1 with weak permissions and strong app review
features)
Hacktivity 2018 10

11. |
Evidence: Facebook API Explorer
• Q(FB): why are we seeing this?
• A(FB): this is the same for all 2.x versions.
The friend installed the same app and there
is mutual consent given.
• Us: ...
• ... v2.4 fixed this
Hacktivity 2018 11

12. |
Privacy settings: Apps Others Use
• Note the defaults
• we noticed no change
in app behavior when
unchecking boxes
• FB confirms: not doing
anything since API v2.0
(except for posts on
your timeline)
• Was in the GUI until
April 2018 J
Hacktivity 2018 12

13. |
Collateral damage quantified (single app!)
Hacktivity 2018 13

14. |
Facebook’s reactions and remaining issues
§ „We are an idealistic company...”
§ Tightening privacy controls
§ Tool to check if you were affected by CA (32000 Hungarians)
§ Restricting APIs (e.g., Instagram, Graph API v3.0)
§ Working towards being GDPR-compliant
§ Hearings for Mark Z (US, EU)
§ Rumours of paid subscription (no ads!)
§ Some privacy issues untouched
– Multi-app data fusion
– Graph Search still available thru direct URLs
Hacktivity 2018 14

15. |
Is privacy lost for good?
• Hopefully not...
• European General Data Protection Regulation (GDPR)
• Privacy-by-design, differential privacy, PETs...
• On FB though...
?
?
Hacktivity 2018 16

16. |
FB privacy scandals over the years
§ 2006: News Feed
§ 2007: Beacon (ads)
§ 2011: FTC charges (3rd party apps behavior)
§ 2013: Graph Search („Catholic friends who like Durex” ...)
§ 2013: bug exposes private contact info (6M users)
§ 2014: mood manipulation (by FB scientists)
§ 2018: user tracking (Belgian court)
§ 2018: Cambridge Analytica
§ 2019:
§ 2020:
§ ...
§ FB is built on personal data, privacy has been/is/will
be an issue!
17Hacktivity 2018

17. |
Price of FB shares over the years
18Hacktivity 2018

18. |
§ Discovered 25th Sept.
§ 50 million accounts hacked
§ combination of 3 bugs in
the „View As” feature
Current FB security scandal
19Hacktivity 2018

19. |
§ Google’s „Cambridge
Analytica moment”
§ Very similar to the FB case
but (allegedly) caused by a
bug
§ Permission to 3rd party
app for user’s public profle
also yields user’s and
friends’ private profile
§ 438 apps, 500K profiles
§ Buggy 2015-2018!
§ G patched in March but no
announcement (guess
why?)
Google+ ongoing controversy
20Hacktivity 2018

20. |
15 minutes of fame J
Hacktivity 2018 21

21. |
Partners in crime
§ Interdependent privacy: Pern Hui Chia (@Google)
§ Collateral damage: Iraklis Symeonidis (@Univ. of Luxemburg)
§ Plus more from Belgium, Spain and Hungary
22Hacktivity 2018

22. |
Blog.crysys.hu & research papers
• Collateral damage of Facebook third-party applications: a
comprehensive study, Computers & Security, 77:179-208, 2018.
Joint work with I Symeonidis, KU Leuven (COSIC and CiTiP) and UAB
Barcelona.
• Interdependent Privacy: Let Me Share Your Data (Financial Crypto
’13). Joint work with PH Chia (now at Google)
Hacktivity 2018 23