
> The end users granted Dr. Kogan permission with every opportunity to learn about Dr. Kogan.

> Edit: Correction that users had a chance to learn about Dr. Kogan, not CA.

The end users granted Facebook the right to share the friend data that their friends had granted them access to.

Is there a screenshot of the 'Authorize App' screen at the time? Indeed, what did the fine print say?

I can draw a chord chart of my friend graph using only user IDs and names.

You can analyze my personality with what data I explicitly grant access to?



I believe this is an example Authorize App screen at the time:

https://i.imgur.com/nti4ShY.png

The print wasn't very fine; it was very clear about what information was shared.


If we’re friends, I’ve shared my information with you. I haven’t given you (or Facebook, or anyone else) permission to share my data with Cambridge Analytica.


If you authorized an app to access the data shared with you, then you authorized release of your friends' information because that's what data you agreed to share with the app.

Indeed, where is a screenshot of the 'Authorize App' consent dialogue that users were presented with?

- A agrees to sharing info with B by accepting a friend request. Explicitly per the terms of service, and implicitly because technically anyone can take a screenshot or a photo or a video and share whatever's shared with them (even in DRM'd systems with limited key distribution).

- B authorizes C to retrieve the data available to B.

- C then reshares, sells, distributes, or otherwise transmits information to D.

F enabled A to share data with B, given explicit user consent. F enabled B to share data with C, given explicit user consent.

If you don't want people to know things, don't put that information on the internet; and don't authorize friends to share information you haven't volunteered.


Your post conflates ethics (what should happen), law (what is legal to happen) and what actually happens.

Ethically, if I tell you my email address, and you sell my name + email address to advertisers without telling me, you've done me wrong. You violated my reasonable expectation of privacy. I have the same expectation if I make a private post to Facebook, visible only to my (curated) list of friends. That content is for your eyes only.

Violating that expectation probably has no repercussions under US law. But it is almost certainly illegal under the GDPR. I installed Clubhouse the other day and Clubhouse asked me to share my contacts with the app. Saying yes without checking with everyone on my contacts list was probably illegal in Europe. (Rightfully so, in my opinion.)

In this case, A shared information (posts, etc.) with B (A's friend) on Facebook. B authorized app X to access their information - which in turn passed that information to Z (Cambridge Analytica) with neither A's nor B's consent. Things that went wrong here:

- B should not have been able to pass A's information to a third party (X) without A's explicit consent.

- X should not have passed information to Z (Cambridge Analytica).

- Facebook shouldn't have built a platform which permitted / encouraged such obvious and blatant abuses of privacy. If a user told Facebook that some content was private, Facebook violated the user's trust by sharing that information with a random 3rd party app. B's consent isn't relevant wrt A's data. (Permission isn't transitive.)

Who's legally at fault here? I have no idea, and I'm glad the courts exist to figure all this out.

Meanwhile, our technology is utterly failing users' expectations of privacy - which, yes, actually exists in much of the rest of the world.

> If you don't want people to know things, don't put that information on the internet

What a ridiculous sentiment. No. I want to use the internet and have an expectation of privacy. I will not settle for mediocrity so that Facebook can make more money.



