Facebook's recent privacy breach has made me wonder whether these same missteps could happen to an ag tech provider. I think the answer is most-assuredly yes. An ag tech provider could carelessly walk into the same trap that caught Facebook. What should we learn from what happened?
The story began with a Facebook app that appeared harmless to most users. The app contained a survey and required a user's Facebook login to complete. The New York Times reported that about 270,000 people participated in the survey, which allowed the app harvest participating users' Facebook data. This was likely fine, since these users were advised in the fine print that the app was using their Facebook data. However, the app also promised that the data gathered was only for academic research purposes.
Ultimately, the app collected the data from not only the participants but the participants' friends who were connected on Facebook, reportedly up to 50 million users. This data was then provided to Cambridge Analytica, a UK-based data analytics firm, to develop psychological profiles for likely voters in the US. This data had tremendous potential to help political campaigns, offering insights into voter behavior. Both the Cruz and Trump campaigns contracted with Cambridge Analytica during the 2016 presidential campaign.
In sum, a few people gave a Facebook app permission to collect their data, which opened the access door to millions of non-participating users' data which was then collected too.
Facebook apparently discovered that unauthorized data was harvested by the app in August 2016 and provided to Cambridge Analytica. Facebook advised Cambridge Analytica that "data was obtained and used without permission" and should be "deleted immediately." Cambridge Analytica responded that it had deleted the data, but employees have subsequently contradicted that deletion actually occurred. These employees claimed that copies of data were left on servers even after it was certified as deleted.
Lessons for ag data platform providers.
Carefully monitor third-party apps that have access to your users. Ag tech providers that give app providers or vendors access to their users' data should make sure they know with whom they are dealing. Facebook trusted a seemingly harmless app provider that turned out to be a for-profit political research company. A company that holds customer data has a duty to keep the wolf out of the henhouse. Facebook should have learned more about the app provider before allowing it to collect data from its users.
Share data only with a user's consent. Facebook made a big mistake when it allowed Cambridge Analytica to harvest data from users who were not participants in the survey app. This was a case of a shepherd not watching its sheep, and not having the internal protocols to recognize (and then stop) an app that was violating its users' privacy.
Don't try to bury a data breach. Presumably Facebook did not want this story to go public, and so Facebook wrongly assumed that Cambridge Analytica deleted the unauthorized collected data August 2016, after the company certified the data was deleted. This was a mistake. If a company collects your users' data without your permission, you should never assume they will voluntarily delete the same when you make that request.
Fortunately for ag tech providers, Facebook executives will face the scrutiny from Congress long before this type of data breach happens in our industry. But watch closely, because the Facebook/Cambridge Analytica fiasco teaches some valuable lessons about user expectations for data privacy that apply to ag data too.