Online data privacy is again being thrust into the spotlight after Facebook announced Friday it suspended yet another analytics firm due to concerns about the collection and sharing of data.
The company is launching an investigation into whether Boston-based Crimson Hexagon’s collection of public user data was a violation of its policies concerning using data for government surveillance. So far, Facebook said that it has not found evidence that Crimson Hexagon obtained any Facebook information inappropriately.
Crimson Hexagon collects public posts from an array of social-media sites – including Facebook and Instagram – and then uses analytics to measure public feelings toward varying issues. According to the Wall Street Journal, the analytics firm has contracts with several US government agencies to analyze public Facebook data in this way, as well as with a Russian nonprofit with ties to the Kremlin.
“We are investigating the claims about Crimson Hexagon to see if they violated any of our policies,” said Ime Archibong, vice president of product partnerships at Facebook, told Threatpost in an email. “People can share their information with developers on Facebook and Instagram — just as they can when they download an app on their phone. We also have APIs so that developers can use public or aggregated information to produce anonymized insights for business purposes. Facebook has a responsibility to help protect people’s information which is one of the reasons why we have tightened our APIs significantly over the last few years.”
The controversy stems from a March 2017 Facebook rule preventing user data from being used for government surveillance. The data policy regulation came after pressure arose from privacy advocates like the American Civil Liberties Union of California and the Center for Media Justice.
A Facebook spokesperson told Threatpost that the social-media company doesn’t allow developers to build surveillance tools using information from Facebook or Instagram: “We take these allegations seriously, and we have suspended these apps while we investigate.”
“Crimson Hexagon is fully cooperating with Facebook and working together to resolve the issue as quickly as possible,” Chris Bingham, the CTO of Crimson Hexagon, said in an emailed statement.
Crimson Hexagon has also teamed up with Twitter, and the two companies in April extended their partnership to “advance big data analytics and insight innovation for joint customers.” Twitter did not respond to a request for comment from Threatpost.
The incident comes months after Facebook dealt with scandal around Cambridge Analytica harvesting user data, and its subsequent vow to crack down on data misuse. However, there is an important distinction between the two incidents: Unlike Cambridge Analytica, Crimson Hexagon has been collecting data that users have labeled “public,” instead of scraping private pages.
Crimson Hexagon’s Bingham, for his part, stressed this point in a blog post.
“Cambridge Analytica raised alarm surrounding the potential for misuse of private Facebook data, but public data appears to be coming under increased scrutiny as well,” he said in the post. “To be abundantly clear: What Cambridge Analytica did was explicitly illegal, while the collection of public data is completely legal and sanctioned by the data providers that Crimson engages with, including Twitter and Facebook, among others.”
Regardless, the discussion around social-media data privacy – for both public and private posts – and where users’ information goes once they post something online, is still a concern for many.
“Users still don’t understand how their data is used by social media platforms and third parties that these platforms work with,” Kevin Lee, trust and safety architect of Sift Science, told Threatpost. “Any platform that allows user generated content to persist on their site will be impacted by data privacy issues. Facebook has the resources to shape what the new data privacy landscape will look like and to protect themselves but not all companies will have this luxury.”