The Value of Personal Online Data

This cybersecurity info note reviews recent challenges in data protection and the impact to our society on the occasion of the abuse of 87 million Facebook profiles for the purpose of US election campaigns through Cambridge Analytica.

April 23, 2018


Data is considered to be the gold of the digital age. A gold rush is ongoing among businesses operating in highly competitive markets, which are looking for data and information about all aspects of human life such as consumer behaviour, social and political orientation, money spending habits, health, lifestyle, etc. Data has become an important commodity generating profits on its own, and data collection has become the main activity for numerous businesses. The estimated ARPU (average revenue per user) in digital advertisement, mainly controlled by Google and Facebook, reached $59 per person in 2017[1]. Multiplying this number by an average 3.8 billion active internet users, we can roughly estimate the size of this business.

The collection and analysis of personal data is important not only for businesses but for society in general: policy decisions taken based on personal data analysis and medical research using patients' and caregivers' data to improve healthcare are just a few examples. While the benefits from collecting and analysing personal data are evident for a large number of actors/organisations, various interests recurrently challenge its protection.

This cybersecurity info note reviews recent challenges in data protection and the impact to our society on the occasion of the abuse of 87 million Facebook profiles for the purpose of US election campaigns through Cambridge Analytica. Though this incident is at the initial stages of analysis, there are grounds to believe that it is the tip of the iceberg with regard to available practices in harvesting user data, analysing it and acting upon the results for a variety of objectives.

Contextual Information

The recent Facebook and Cambridge Analytica incident confirmed what was already known, at least among data privacy experts: online digital services use personal data to monetize their business models, and politicians leverage big data analytics to support election campaigns.

At first glance, it has become public, revealed by a whistle-blower, that Facebook deliberately opened a door in 2013 for a third-party app[2] to harvest personal data without the user’s consent. Cambridge Analytica, a British political consulting firm, obtained access to a database with personal data from 87 million Facebook accounts (initially estimated at 50 million) collected via a third-party app offering a free personality test quiz. The owner of the app, Aleksandr Kogan, a Cambridge University Psychology Professor, took advantage of a Facebook privacy breach[3] and legally obtained consent[4] from 200,000 users to access their personal data, including details about their friends, who in any case were not in a position to provide their consent. This way, the app owner increased the number of Facebook accounts accessed and the amount of personal data harvested by ca. 250 times. Moreover, according to the whistle-blower, a database with the harvested data was later shared with Cambridge Analytica and utilized for political analysis and Facebook advertisement in support of political campaigns. In the attempt to apologise for the incident, Facebook's CEO could not confirm which other third-party apps took advantage of this privacy breach between 2013 and 2015, or whether other copies of the data possessed by Cambridge Analytica were distributed. Furthermore, Facebook recently acknowledged a breach in its search engine and account recovery functions that it said could have exposed “most” of its 2 billion users to having their public profile information harvested.

Investigations into Facebook's conduct and practices with regard to the processing of personal data (PII) and the free movement of such data are not new. In the past the Canadian Privacy Regulator, the US Federal Trade Commission and EU Data Protection Authorities from the UK, Ireland, Belgium, Norway and Germany scrutinized the practices of the social media giant, imposing significant changes to its software. The European Union data protection acts, 1988 and 2003 - EU Data Protection Directive 95/46/EC - adopted in 1995 introduced important legislation into EU Member States' legal systems, allowing the investigation of such incidents and consequent legal prosecution. The General Data Protection Regulation (GDPR), due to come into force in May 2018 and superseding this directive, will have a significant impact on companies such as Google, Facebook and Twitter, who, if proven, could face huge fines for this type of incident.

Nonetheless, in the realm of this incident, there are some further investigations regarding various data collection activities that have been performed by Facebook in the past; and some debates are coming up regarding the consistency/coverage of privacy issues mentioned in user agreements.

Furthermore, a news media investigation uncovered the actions of Cambridge Analytica, which included the use of personal data analytics to format political messages published on social media in an attempt to manipulate public opinion towards specific electoral candidates. This revelation occurs while civil society still debates and the judiciary investigates alleged foreign interference in the 2016 US presidential elections and the UK Brexit referendum using social media ads and fake news.

This incident also demonstrated the power of big data analysis: service offerings go beyond traditional statistics and may support any objective related to human behaviour, such as supporting election campaigns. Cambridge Analytica publicly announced how their services influenced elections around the world. Though formally lawful, such interventions may move the usage of user data into grey zones. The incident has made clear that a lot of discussion is still pending about data privacy issues and about potential regulation needs in the usage of big data. Such regulation would complement data protection regulation to cover the appropriateness and legitimation of data analysis campaigns.


Users are advised to reevaluate their privacy settings in the digital world by taking the following actions:

  • Avoid subscribing to or installing suspicious third-party apps - Those are common on the network and most request access to personal data without the user noticing.
  • Review which services or apps are sharing personal data – Digital platforms offer third-party authentication services to other applications. Users are advised to review which applications and services are connected to their accounts.
  • Change privacy settings – Digital platforms have many privacy settings available to control who can have access to personal information.
  • Review the privacy policy before subscribing to digital applications and services – Policies are long and hard to read but these are meant to inform users about their commitment to privacy protection.

Closing Remarks

People’s confidence in digital players to protect their privacy has been recurrently undermined by this type of incident, with serious impact on credibility and trust in the digital economy. We cannot expect that data carers will proactively revert this situation by regulating themselves, putting an end to a situation that ultimately generates large profits for them. Since the start of this incident, Facebook already lost US $80 billion in market value (ca. 18% depreciation in stock price) followed by other social media giants Google (ca. 7%) and Twitter (ca. 20%). The way the story evolves, it is premature to anticipate what will be the result and predict what will be the outlook of companies and business models that rely exclusively on the monetization of personal data.

[1] ARPU – Average Revenue per User - calculated using the total online advertisement revenue in USD and the average number of online users during 2017.

[2] Facebook provides a platform that allows third party developers to build applications that integrate with Facebook social network., accessed March 2018.

[3] Experts agree, based on the information available, that this incident cannot be classified as a security data breach given the fact that compromised data was not obtained from a malicious attack or attributed to Facebook negligence., accessed March 2018.

[4]  Acknowledged by the user when s/he signs up to Facebook and agrees to the Statement of Rights and Responsibilities and the related Data Use Policy., accessed March 2018.
