The case of Cambridge Analytica and Facebook has been in the news recently, with Facebook's CEO Mark Zuckerberg appearing before the US House and Senate to respond to questioning. In 2015 Cambridge Analytica was using an app produced by a third party, Dr. Kogan, to harvest data for what the professor told users was research. The scandal at the heart of the matter is that, of the 87 million people whose data was affected (to use Facebook's numbers), only some 270,000 had given their consent. The news was troubling for users and companies alike. What is important to note is that this sort of data scraping would be impossible today, because Facebook had already rolled out major changes in 2014 to how user data could be shared, as an improvement to their platform.
The three main modifications to Facebook's policy were these: users are informed directly on the social login screen about the specific fields being ceded; you don't cede your entire public profile, only the specific fields you opt in to share, such as email, age, or likes, so the user controls which fields can be accessed; and there is absolutely no access to friends' data. These changes are aligned with the EU's new General Data Protection Regulation (GDPR), which comes into effect in May of this year and covers any company anywhere in the world that processes European citizens' data. It will put a regulatory end to cases like Cambridge Analytica.
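The consent model described above (the user sees exactly which fields are requested, grants only those, and friends' data is never in scope) can be enforced on the application side rather than trusted to the login screen alone. The following is an added illustration, not code from Xeerpa or from Facebook's SDK: it uses a generic OAuth-style authorization URL, a constructed permission-list format, and hypothetical scope names, and it refuses at two points, when building the request and again when reading profile fields, so that a field the user declined can never be read by accident.

```python
"""Consent-scoped social login: request only opt-in fields, read only granted ones.

Added example with assumed, generic identifiers; the provider endpoint,
scope names and permission-list format are constructed for illustration
and are not any real provider's API.
"""
from urllib.parse import urlencode

# The only fields this application is ever allowed to ask for (hypothetical names).
ALLOWED_SCOPES = {"email", "age", "likes"}
# Anything reaching into other people's data is never requested and never read.
FORBIDDEN_PREFIXES = ("friends",)


def build_consent_request(client_id: str, redirect_uri: str, requested: list[str]) -> str:
    """Return the authorization URL for the consent screen.

    Scopes outside the allow-list, or touching friends' data, abort the
    request: what the user sees on the consent screen is exactly what the
    application will later be permitted to read.
    """
    rejected = [s for s in requested
                if s.startswith(FORBIDDEN_PREFIXES) or s not in ALLOWED_SCOPES]
    if rejected:
        raise ValueError(f"refusing to request scopes: {sorted(rejected)}")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": ",".join(sorted(set(requested))),
    }
    # Hypothetical provider endpoint.
    return "https://auth.example/oauth/authorize?" + urlencode(params)


def granted_scopes(permission_response: list[dict]) -> set[str]:
    """Keep only the permissions the user actually granted.

    The response format is constructed for this example:
    [{"permission": "email", "status": "granted"}, ...]. A declined entry
    is treated the same as an absent one.
    """
    return {p["permission"] for p in permission_response if p.get("status") == "granted"}


class ConsentedProfile:
    """Wraps a raw profile so that ungranted fields cannot be read at all."""

    def __init__(self, raw_profile: dict, granted: set[str]) -> None:
        self._raw = raw_profile
        self._granted = set(granted)

    def get(self, field: str):
        if field.startswith(FORBIDDEN_PREFIXES) or field not in self._granted:
            raise PermissionError(f"field {field!r} was not consented to")
        return self._raw.get(field)


def demo() -> dict:
    """Walk through one login where the user grants email but declines likes."""
    url = build_consent_request("app-123", "https://app.example/cb", ["email", "likes"])
    # Constructed provider response after the user edited the consent screen.
    response = [
        {"permission": "email", "status": "granted"},
        {"permission": "likes", "status": "declined"},
    ]
    granted = granted_scopes(response)
    # Constructed raw profile; it contains likes even though they were declined,
    # so the wrapper (not the data) is what keeps them out of reach.
    profile = ConsentedProfile({"email": "user@example.org", "likes": ["x"]}, granted)
    try:
        profile.get("likes")
        likes_blocked = False
    except PermissionError:
        likes_blocked = True
    return {"url": url, "granted": granted,
            "email": profile.get("email"), "likes_blocked": likes_blocked}


if __name__ == "__main__":
    print(demo())
```

The point of the two checkpoints is that a scope list returned by the provider, not the application's own wish list, is the authority for what may be read; the wrapper raises on any field that was declined or never requested, and friend-related fields are rejected regardless of what a permission list claims.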
All our clients at Xeerpa take their users' privacy very seriously, and from Xeerpa we help them follow market best practices and comply with all applicable legislation. Europe has always been at the forefront of data privacy, with one of the strictest regulations worldwide (Facebook recently said it would be giving its US users the same controls it gives its European users), and will be even more so with the GDPR coming next month. Spain, in particular, already has its own local data protection law in place, which regulates any data companies might collect, how companies have to inform users, how they can use that information, and what level of protection has to be offered. Xeerpa already complies with Spain's Law on Personal Data, currently in force, and with the EU's forthcoming GDPR.
Not satisfied with the bare minimum, Xeerpa has attained the ISO 27001 certification on data security and processing as a show of our commitment to fair and consent-based data use and the highest standards. We also have a Data Protection Officer who reports directly to the board and the CEO and monitors GDPR compliance and data security.
Xeerpa helps companies understand the interests and preferences of their users through social login, and always only after those users have given their informed consent. During login the user is told what information they would be giving the company access to, and can then choose whether to do so. Once data has been ceded through informed consent, Xeerpa ensures that it is kept secure: it is stored under password-protected encryption at the OS level, all access goes over HTTPS (SSL/TLS), transfers are encrypted with AES-128, and drives are wiped using the DoD 5220.22-M method so that erased data cannot be recovered later. We have also complied with all the other requirements of the new EU legislation. Xeerpa strives to make it easy for companies to comply with regulation and to go one step further in data security and protection with social login.