News ICO hits Facebook with £500k fine promise

£500k fine? Rather like a flea bite to an elephant.

 

Is there a reason why Britain sets such comically low maximum fines? The government might as well just wag it's finger and say to these global mega corps "that was naughty, very naughty".

 

Think they will pay the fine as it could cost them more in hiring their own lawyers to fight the case than to pay the fine

 

Still not convinced this wasn't just user error...

 

Yes and no.
I think the real problem is the underlying issue that the average person lacks education on technology, which includes the simple fact that if you put your real life identity online it will with 100% certainty be used for purposes you do not agree with.

Of course on the flipside this lack of education allowed social media to grow from nothing into a multi billion industry and the philosophical debate over which one we should value more is unlikely to ever get settled.

 

I agree with that but I don't think it should be the platform where the data misuse occurred that should be blamed. If a shop was to collect and misuse your data you wouldn't blame the landlord for allowing them to operate.

 

The closest metaphor I can think of is:
- A shop offers to display notices you put in the window, or notices you put inside.
- The notices are signed by you.
- If you put a notice inside, you can tell them only to show it to a friend, or only to a friend of your friend.
- Your friend goes inside, fills out a survey from $Researcher, and says "$Researcher is my friend!"
- $Researcher goes in, reads the notices you wrote to your friend - that your friend told the shop they could read - and also reads all the ones you displayed in the window.
- $Researcher then gave their copies of the notices to $ShadyGuys, who sent out some questionably effective spam.

Everyone is now very angry at $ShadyGuys (and at $Researcher if they actually noticed who the questionnaire was written by), and at the shop, though everyone is angry for different reasons, not all of which make sense (for example, complaining that the notices they put in the windows have been looked at and copied down by everyone).

 

Except the Landlord provided the recording equipment, took a cut of the profits, then spent years trying to hide what was going on from the outside world and authorities, only to be caught when it had become so brazen even Average Joe in the street knew what was going on.

I think they'll 'negotiate' every step of the way, the cost of lawyers is insignificant against the implicaions of being convicted and/or getting regulated. Big companies care far more about keeping alleged infractions alleged than they do legal fees, it's hard to fight a lawsuit if you've already been convicted of the crime.

 

Remember that the data gathered by Facebook for targeted advertising (e.g. via web bugs etc) and the data provided by users to Facebook (e.g. posts, likes, uploaded photos) are basically two separate silos of data. The former remains tightly controlled within Facebook (the closest people have come to exfiltration is by submitting very highly targeted ads then using side channels to identify who has clicked on those ads, e.g. an advert that leads to a survey that requests your real name, and this has been mitigated by target fudging), and the latter is varying degrees of publicly accessible depending on your privacy settings. API access to the latter is free, but is effectively just webscraping without the hassle (i.e. you could gather the exact same data without any API access, API access just reduces the load on Facebook's servers), but there is no API access to the former whatsoever.

There was some rather overstated headlines recently over data access by Huawei, Lenovo, etc. In those cases, Huawei and Lenovo wrote their own clients for user's to access Facebook via, which out of necessity meant those applications needed to access data at the same level as the user logged into them in order to actually function (or you'd end up in the situation where you set your account to private, and then find your client can no longer display your own posts). They too did not have any access to the internal ad targeting dataset.