> The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.
Users knowingly _agreed_ to share their data with Dr. Kogan. Dr. Kogan was contractually prohibited from passing that information on to third parties (Cambridge Analytica) but did so anyway and was banned as a result.
I haven't seen it phrased that way before, and now that I have, I simultaneously accept the logic of it and am horrified by the bureaucratic churn that must spin up just to ferry legal responsibility to (in theory) the correct party.
'luckily' it is expensive to sue, so everything works out.
Consider the alternative: the laptop you bought on Amazon catches fire and burns down the school of your daughter. The school contacts your insurance, who now has to contact a component supplier in Shenzhen (who supplied the power supply), and sue them under Chinese law, instead of Amazon.
I think that this can end up resulting in less bureaucratic churn than the other approach. In this particular case a bunch of users had their data forwarded by one entity - if CA had harvested data from multiple sources using the Facebook API then I think it'd be unreasonable for those users to need to legally pursue each terms violator - Facebook may also refuse to share the identity of the breach for a variety of reasons[1] making the lawsuit without an identified defendant which doesn't really help matters.
1. Proprietary customer information, privacy, just generally not talking.
The real world is a ridiculously complex place, something about almost endless fractal. I too would like to see companies like FB burn because they gave us plenty of reasons in the past, but in this case...
I look at it from an outdoor equipment perspective - if on my Gore-Tex jacket a YKK zipper fails, for me the jacket manufacturer (say Rab) would be the one to raise a warranty ticket/questions with, not Japanese YKK, which produces billions of zippers for everybody all the time. Although Rab is just buying products from DuPont (sigh...), YKK, threads etc. and putting them together (at least that's a more common situation compared to manufacturing it yourself).
I guess in the real world Rab would swallow my specific issue while in warranty and issue a fix/replacement, and if they see enough issues with a supplier they raise it in batch mode, i.e. for a discount for the future or a one-time compensation.
Well one potential outcome of a suit against YKK for a zipper failure might be that, in fact, the zipper itself didn't fail due to poor quality reasons - but instead the fabric shed and accumulated in the teeth wearing them down over time... Basically, with an assembled product, it's unreasonable to expect consumers to try and identify the actual fault of the design.
As an anecdote on this topic.... I recall having a long necked jacket as a kid where the zipper wore down heavily around the collar since the neck was so long that it ended up being too tall for normal day-wear - and thus a lot of unnecessary stress was put on the zipper mechanism when it was partially zipped up. After a few months the teeth had weakened in that area to the point where the zipper would frequently come off the tracks there. In this specific case fitting a jacket with a four inch collar caused a zipper failure - the zipper was probably cheaply made anyways but if the cut of the jacket had been different there likely wouldn't have been an issue.
Well sure, I don't have a contract with Dr. Kogan, so what can I sue him for? There is no breach of any contract between us. I do have a contract with Facebook, so they are pretty much the only people I can sue. They can turn around and sue Dr. Kogan because they did have a contract with him, but I can't sue him directly for breaching a contract I'm not a part of.
> I do have a contract with Facebook, so they are pretty much the only people I can sue.
Can you sue them for this, though? Your contract would need to say "if I personally turn my data over to a third party, that third party will not misuse it". And in the unlikely event that it did say that, misuse of your data by the third party still wouldn't violate the contract, because... the third party is not party to the contract.
Facebook offered an API for sharing your data with a 3rd party vetted by Facebook.
Even if you don't buy that argument, at the very least the people who were FB friends of people who shared their lists with Kogan should still be able to sue FB, as they had absolutely no relation with Kogan or his app and still some of their data ended up sold.
I believe by using Dr. Kogan's app and explicitly giving Dr. Kogan permission to use your data (by accepting the FB interstitial UI that confirms with you as a user whether you would like to give a third-party access to your FB data via the FB API), you are entering into some kind of contract with him, no?
FB doesn't just hand users' data over without user confirmation... Users see UI permission dialogs and have to explicitly agree to it first (similar to an iPhone app asking for permission to use your microphone or location -- how is Apple responsible if said app gets hacked and leaks your microphone recordings?).
The reason we have a system of civil laws is so that everybody doesn’t have to all individually set up their own system to guard against contractual breaches.