May 22, 2018

May 22, 2018

Subscribe to Latest Legal News and Analysis

May 21, 2018

Subscribe to Latest Legal News and Analysis

Another Facebook App Leaves Anonymised Data of 3 Million Users Potentially Exposed

Recent news reports have revealed that Facebook has been hit with another data scandal.

The anonymised data of approximately 3 million Facebook users has reportedly been published on a poorly protected website. This data was originally collected via a Facebook quiz app called “myPersonality”. The myPersonality app was developed as part of the “myPersonality project” run by academics at the University of Cambridge’s The Psychometrics Centre.

Around 6 million quiz participants answered a number of personality trait questions using the myPersonality app. Half of those quiz participants agreed to share data from their profile. This data, along with quiz answers, were anonymised by the University of Cambridge academics and then placed on a website. Researchers could register to collaborate on the myPersonality project and gain access to the anonymised data on the website. According to New Scientist, more than 280 people from about 150 institutions (universities and companies) registered to access the website.

However, if you were not a researcher there were other ways to access the anonymised data. A username and password to access the website could be found online from a single web search.

On 7 April 2018, Facebook suspended the myPersonalty app from the Facebook platform as part of its clean up of third party applications and its investigation into misuse of user data.

This incident continues to shed light on Facebook’s practice of allowing third parties, such as researchers to use the Facebook platform to gather users’ data. However what is more revealing is the poor approach the academics took to protect the data by third parties with the means to re-identify the data. Providing access to anonymised data is not necessarily a problem per se. However, according to New Scientist the data could be easily re-identified.

Anonymised data will be considered personal information under the Australian Privacy Act if it can be de-anonymised and identify the personal information about an individual. Therefore, care must be taken when dealing with and creating “anonymised datasets” as that data will only fall outside the remit of the Australian Privacy Act if other data cannot be used with the anonymised data to reveal the personal information about an individual. If an anonymised dataset can be de-anonymised then it should be properly protected in accordance with the Australian Privacy Act.

Copyright 2018 K & L Gates

TRENDING LEGAL ANALYSIS


About this Author

Cameron Abbott, Technology, Attorney, Australia, corporate, KL Gates Law Firm
Partner

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurements issues including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market leading solutions are implemented in to their businesses. He concentrates on managing and negotiating complex technology solutions, which...

+61.3.9640.4261
Keely O'Dowd, K&L Gates, attorney, Melbourne
Attorney

Ms. O'Dowd is an experienced lawyer with a focus on technology and sourcing projects. She advises on a broad range of technology transactions, including procurement, outsourcing and software licensing. This work includes drafting and advising on a range of IT procurement and supply agreements. Ms. O'Dowd advises a range of corporations on privacy and cybersecurity.

61-3-9640-4308