When does 270,000 equal 50 million?

When you can pay for a couple hundred thousand people to participate in an online personality quiz, then sweep up not only their Facebook data but the data of their millions of Facebook friends—50 million and maybe as many as 80 million people.

That’s the gist of the Cambridge Analytica (CA) story. But here’s the rub: The data collection method doesn’t pass the informed consent smell test. And given the efforts at opinion-altering messaging and content that resulted in this case, the perceived social contract between consumers and data collectors has been broken.

Was Cambridge Analytica a data collection bridge too far? And where does this leave us in 2018 and going forward?  And maybe, most importantly for the circles in which I travel, are there parallels and implications for B2B data buyers and vendors?

Much Ado About Nothing?

It should come as no surprise, the horse is out of the barn. The chicken has flown the coop. The genie is out of the bottle, and the train has left the station. If you don’t mind me mixing in another metaphor, there’s no way we’re going to close this Pandora’s box of Big Data and analytics.

And yet, ever since the CA debacle (or Facebook debacle, if you prefer) started trending, I’ve been more than a little surprised at the degree of outrage. This is, after all, the same slippery slope we’ve been on for the past 40…50…60 years or longer. Think Nielsen, think Comscore, think Arbitron, think Visa, think Comcast, think Google.  Just different media, more data and highly sophisticated algorithms.

Or is it?

Before I try to answer that, let me give you the CliffsNotes version of Cambridge Analytica:

Moldavian-born data scientist Aleksandr Kogan developed an app called “This Is Your Digital Life”— a personality test designed to build psychological profiles and predict user behavior. He collected personal information on both the participants and, more troublesome, their friends who were unwittingly caught up in the collection process, then sold the cumulative data to CA.

Besides a lack of informed consent, participants never enjoyed the value, greater convenience or improved user experience we expect in exchange for free applications. In the words of self-proclaimed whistleblower and former CA director of research Christopher Wylie, CA was building a “full-service propaganda machine.” The psychological profiles helped Cambridge Analytica create content and messaging designed to influence opinion and ultimately people’s votes. We’re talking classic influence marketing and some would say mind manipulation at an Orwellian scale —thanks to Big Data and algorithmic microtargeting.

The public rose to the occasion of the news media’s outrage. They would leave social media (or at least Facebook) en masse. Overnight, Mark Zuckerberg saw the value of Facebook shares plummet 7% (about $40 billion). He had to testify before Congress in April. But by May, Facebook had largely recovered—trust renewed, share price back (not just back…but now at all time highs) and the hashtag #DeleteFacebook all but forgotten. How fleeting is indignation.

So maybe even this data breach isn’t a bridge too far…not once the public has had a couple weeks to digest the news, miss their friends on social media more than their privacy and fret that they might miss out on the next new thing for the cost of an ethical bribe.

I’m left wondering that if it weren’t for the salacious details recorded in a conversation among top executives talking about the potential for blackmail and entrapping politicians with sex I doubt we’d have spent the last few months on Cambridge Analytica.

The Slippery Slope

Think about it. Human nature being what it is, advertising, marketing, advertorials, commercials, promotional content are probably as old as clay tablets and papyrus. They certainly date to the invention of movable type in the 15th century. When Martin Luther tacked his Ninety-five Theses to the door of Castle Church in 1517, wasn’t he just trying to sway public opinion?

Meanwhile, consumers and B2C data buyers have been the proverbial frogs sitting in tepid water ignoring the slowly rising heat. We keep giving away more and more information and relinquishing our privacy, oblivious to the rising temperature, all for more and better user experience, benefits and convenience.  

But on those rare occasions when someone raises the temperature of our water a little too quickly, the government responds with new legislation before we jump out of the pot. Watergate triggered the Privacy Act of 1974, and the Enron and WorldCom corporate scandals led to Sarbanes-Oxley Act (SOX) in 2002.  In 2003, President George W. Bush signed into law CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing), and yet I’m getting as much unsolicited email as ever. You too?

After signing the Data Broker Accountability and Transparency Act of 2015, Senator Edward Markey told Newsweek:  “What was a business of data keeping has morphed into data reaping, resulting in the covert collection of dossiers on hundreds of millions of Americans. Consumers, not corporations, should be in control of their private data.”

And yet, two years later Cambridge Analytica would bust wide open.

For all the rules and regs in the world—and maybe a few token examples of enforcement—most consumer data collectors and their customers are left unscathed and more importantly unfettered, free to go about business as usual. Case in point, there are 200 million numbers on the National Do Not Call Registry…and yet we’re solicited daily, even on our cellphones.

This year, GDPR (General Data Protection Regulation)—the latest white knight and defender of consumer data—has gone into effect. It’s goal is to regulate privacy, ensure clear consent and enforce transparency for individuals in the European Union and European Economic Area. After reading the law, I was surprised any European business turned on its lights on May 28th (it’s that onerous). But it remains to be seen how effectively it can be enforced.  My prediction – not much will change from a B2B perspective but possibly some courts will create some sacrificial lambs within the B2C community over the next few years.  Lawyers are making a fortune off contract amendments that take the form of new consent agreements we need to click through online, but other than that short term financial bounty for our JD friends, I think GDPR will be as toothless as the last half dozen regulations on which it was built.  

Those in Glass Houses

So what does this all mean for those of us in the B2B data world?  

As a B2B data vendor or data buyer, do you care about the legal or ethical implications of data collection?  Sadly, I’ve found that most buyers quickly apply situational ethics to their B2B vendor relationships. At best, buyers simply want indemnification for a vendor’s collection methods.  At worst, a buyer will purposefully not want to know how data is collected. The corporate equivalent of ‘ignorance is bliss.’

I would argue that the ostrich-head-in-the-sand approach is not in any of our long-term best interests.  Buying data you know was acquired in an illegal or questionable manner may give you a short term market advantage, but has the potential to hurt our entire industry in the process.  I worry about the classic tragedy of the commons scenario playing out for us in the B2B data space over time.

Think I’m overstating the case?  Below are the most common ‘questionable’ means of data collection used by many B2B data vendors.  I am guessing every single person reading this blog has either actively participated or passively used data that has been acquired through some of these methods.

  • Give-to-Get Sharing – Popularized over a decade ago by Jigsaw (bought and, sadly, just recently shut down to Salesforce.com), this crowdsourcing method is based on user generated information.  The more you share into the joint database of information, the more you can access what was shared by others. Often overlooked in these models is the actual data ownership of those sharing data, and hence, the major risk in this business design.  If the user doesn’t own or have the legal rights to share the data, these methods have enormous risk transference…a proverbial house built on sand.
  • Email Signature Scraping – With over 200 billion emails being sent on a daily basis, the signature blocks automatically added to these communications is a rich means of capturing user information.  And if you are like me, you probably list your direct phone number and even mobile phone number in your signature. So it’s not surprising that many vendors have written Chrome Extensions or similar applets to harvest this information, often times, unbeknownst to the user.
  • Cell Phone Address Book Aggregation – If you’re like me, the address book on your phone is chaos.  Duplicate records, partial entries on the same person split between multiple entries.  To the rescue comes a number of sophisticated address book management applications which are fantastic.  They can merge records, dedup and otherwise keep your address book neat and tidy. What’s not to love right?  How would you feel if you knew you were sharing that address book with a vendor who was then selling the contact data they mined from your cell phone?  Home phones…they got ‘em. Personal email address – those too.
  • Business Card Scanning Applications –  25 years ago, I used to spend Friday nights re-keying business cards into Lotus 1-2-3 (look it up) to add my weekly prospects to my electronic Rolodex.  But thanks to the latest OCR software, snapping a quick picture on your phone and your Friday nights are free to live it up a little. But by now you get the point – you aren’t the only one getting business contact information scanned into your database.

Just as in the CA case, there might not be legal issues with these methods but there certainly are ethical ones.  By you adding me to your address book, or by me replying to an email you sent me, MY contact information can be shared without my knowledge or consent because of tools you are using.  And you probably weren’t even aware of your transgression of trust. Now made you aware, do you care enough to stop using those tools? Or is the value you are getting from these tools worth more than the uneasiness you feel by ‘selling’ my information?  Hard questions with not so clear answers, for sure.

So Now What?

So now that you know, what the hell do you do about it?

I actually don’t have a clean or even amusing response.  I can’t tie this sloppy situation with a nice bow and make it pretty.  For years, I’ve been on both sides of the conundrum of questionable B2B data practices, as both a buyer and competing against vendors using these methods to build it.  What I do believe is that our current state of winks-and-nods as well as purposeful ignorance can’t last. I only wish the path forward wasn’t as murky as the methods I felt compelled to illuminate.