By Brian Cute, CEO of Public Interest Registry

Internet users around the world are still reeling from the news that Cambridge Analytica found a loophole that allowed them to use the data of a reported 50 million Facebook users to potentially influence the 2016 U.S. presidential election. A #DeleteFacebook campaign is underway with many high-profile Facebook users calling on people to delete their Facebook accounts because of the company’s mishandling of personal data. What does this mean to nonprofits that are online and why should they care? Let’s look at what happened.

Collecting data and profiling Facebook users

Cambridge Analytica, a data firm based in the United Kingdom, harvested profile data from more than 50 million Facebook users – without their consent – to create a user profiling methodology to try to influence potential voters in political campaigns. Cambridge Analytica’s massive database of Facebook user profiles was used to target specific users based, in part, on their “psychographic” profile to influence their attitudes. Cambridge Analytica then sold this data to many other organisations working for political campaigns. These political organisations in turn launched targeted campaigns at the Facebook users based on their profile to try to influence their thinking and ultimately their election votes.

This was a loophole not a hack

Cambridge Analytica was able to procure this data in the first place thanks to a loophole in Facebook’s API that allowed third-party developers to collect data not only from users of an app, but also from the app user’s friend network on Facebook. The data collected was supposed to be restricted from being marketed or sold, and Cambridge Analytica apparently violated those terms by selling the collected data to third parties.

The actual tool used to collect Facebook user data was a Facebook app quiz. While the app collected data from Facebook users who took the quiz, it exposed a loophole in Facebook’s API that allowed it to also collect data from the user’s Facebook friends. As a Facebook spokesperson reiterated to the New York Times, “No systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

Now imagine your nonprofit’s data was collected

Imagine a third-party company collecting data through your use of the internet not only about your nonprofit organisation but also about all your supporters, volunteers and donors. Now imagine that this data is sold to a government or bad actor who then uses the data to run targeted campaigns to these same individuals. That campaign could use misinformation to tarnish the reputation of your nonprofit or cause your target audiences to question the work that you do and decide to turn away from your organisation.

Worse, imagine you are a nonprofit providing programs and services in a country whose government is hostile to your activities. There is no end to what that government could do with your data or the data of your most critical stakeholders.

Facebook and social media platform considerations

Facebook and other social media platforms are attractive for creating an online identity because they are free, relatively easy to use and can help build large networks of supporters for nonprofits. There is a reason they are free and it’s because Facebook and other platforms monetize your data and your supporters’ data. That’s their business model.

In the wake of the Cambridge Analytica debacle, Facebook employees have said that tension exists between those in the company who work on user privacy issues and those who focus on growing the business. “The people whose job is to protect the user always are fighting an uphill battle against the people whose job is to make money for the company,” said Sandy Parakilas, a Facebook employee who worked on the privacy side and as told to the New York Times.

What should nonprofits online do?

Nonprofits should understand the pros and cons of using social media platforms versus a website on a reputable and trusted domain name. Know the difference between platforms where you are in control of your data versus those where the platform is in more control. As Paul Diaz from Public Interest Registry posted in a recent blog, using social media platforms has both pros and cons, particularly when it comes to the security of your and your supporters’ data. Data management and security is largely out of your hands when you use social media platforms, especially as your data is subject to the profit focus of the organisations that run those platforms.

I encourage nonprofit leaders around the world to spend time getting educated about any online platform on which you choose to create an online identity for your organisation. Make sure you and your team understand the Terms of Service and what they say they will do with your data. Even if you determine the existing Terms of Service are compliant with your organisation’s data management and security thresholds, the Cambridge Analytica incident shows us that Terms of Service themselves are not enough to secure our data. It’s up to you to protect your data and the data of those who support and contribute to your mission.

Stay tuned to the Public Interest Registry blog as we continue to follow issues related data security and privacy in our “NGOs and Data Security” series.