Facebook is facing international investigations into the illicit harvesting of users' personal data. The information was collected by Cambridge Analytica, a political consulting firm that backed President Trump’s 2016 election campaign.
According to a whistleblower, Cambridge Analytica gathered data from 50 million users, then developed a software program that profiled these citizens to predict voting patterns – and, through micro-targeted ads, influence US citizens’ voting decisions.
We’re laying out everything we know and don’t know about how Cambridge Analytica used Facebook to influence elections in the US and around the world, and what this means for the tech giant’s future.
Update: On March 26, the US Federal Trade Commission (FTC) announced it is investigating Facebook's privacy practices following the CA revelations. The agency appears to be looking into whether Facebook violated the terms of a 2011 settlement to enhance its privacy policies so that third parties couldn't acquire user data without their express knowledge or consent.
This follows a summons for Facebook CEO Mark Zuckerberg to the US House Committee to testify on user data and the Cambridge Analytica scandal.
BREAKING: House committee sends formal invitation to Facebook CEO Zuckerberg to testify on user data - letter pic.twitter.com/4Hk6BQSsQ9— Reuters Politics (@ReutersPolitics) March 23, 2018
Data was harvested using a third-party app
Cambridge Analytica (CA) obtained voter data through a Facebook-linked app named 'thisisyourdigitallife'. Through the app, CA member Aleksandr Kogan paid Facebook users in exchange for a detailed personality test, supposedly for academic research purposes.
These users volunteered to provide this information, something Facebook Deputy General Counsel was quick to emphasize in a statement:
“The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”
But the app also pulled personal data from all of the test-taker’s linked Facebook friends without their consent—data that, per Facebook’s Platform Policy, can only be used to enhance the in-app experience, and should not be given out to anyone.
Instead, Kogan and his associates allegedly built a software platform for influencing US elections, and sold it to Donald Trump. In 2014, former Trump advisor Steve Bannon ran Cambridge Analytica.
Around a quarter of a million people took the test willingly, but 50 million people reportedly ended up having their private data used for political and financial gain without their knowledge or consent.
Facebook only became aware of CA’s breach of contract in 2016, but reportedly waited months to order CA to delete the data. The consulting firm subsequently ignored this order, and Facebook allegedly never followed up to check.
Only after the media asked for comment last Friday did Facebook apparently realize it had been duped for four years. Facebook responded by threatening to sue outlets reporting on the issue.
Mark Zuckerberg has promised change
On March 21, five days after the story broke, CEO Mark Zuckerberg used a post on his Facebook page to issue a statement.
"We have a responsibility to protect your data, and if we can't then we don't deserve to serve you,” Zuckerberg wrote. “I've been working to understand exactly what happened and how to make sure this doesn't happen again.”
He promised that the company will investigate all third-party apps that had access to large amounts of data before 2014 (when Facebook prevented app developers accessing data from users' friends). He added that the site will ban any app developers that don't comply with a full audit and inform their users if a violation is found.
Zuckerberg proposed limiting access to data if a user hasn't used an app for three months, and to reduce the amount of information given when a user signs up for an app to just their name, email address and profile photo. If app developers want more information, the user will need to sign a contract to grant permission.
Finally, within the next month app users' permissions will appear above their news feeds rather than hidden away on a settings page.
Zuckerberg repeated his pledge to take action in an interview with CNN the same day – his first public appearance since the scandal broke.
On March 25, Facebook took out full-page ads in several major US and UK newspapers, with the headline "We have a responsibility to protect your information. If we can't, we don't deserve it." The ads quoted Zuckerberg, again promising that the company is "taking steps to make sure this doesn't happen again."
Cambridge Analytica is under investigation
Although it operates in the US, Cambridge Analytica is a UK company, meaning the data scandal could have global repercussions. It worked on the Brexit referendum, and has catered to politicians worldwide.
An undercover sting video from Britain’s Channel 4 News revealed CA executives offering to 'fix' Sri Lankan elections for an undercover reporter. Its 'services' included blackmailing, entrapping or extorting rival politicians, and releasing propaganda to the public. One offer was to send 'Ukranian girls' to a man’s house, then release the footage publicly to shame him.
These offers to spread targeted disinformation are what most concern government agencies like the US Federal Trade Commission (FTC) and British Information Commissioner's Office (ICO). If CA was able to obtain information on voters through Facebook, they would know where to specifically target propaganda to influence elections—just as Russia’s Internet Research Agency did in 2016.
CA may not be the only company that has obtained or purchased information that has been obtained through third-party apps. Considering Facebook’s inability to check if CA stole private user information, we have no way of knowing how many other companies could be hoarding and selling data to influence democratic elections.
The US, UK and EU investigations have only just begun, but they could have major repercussions on how Facebook and other social media companies are required to protect user data in future.
Facebook is facing international probes
Facebook has typically tried to self-regulate in the face of criticism. Earlier this year, after revealing that advertisers linked to Russia had spent thousands of dollars on ads influence public opinion in the run-up to the 2016 US presidential election, the company insisted it would prevent democratic meddling in the future itself.
This time, however, that approach might not be enough. The FTC is now officially investigating Facebook, the agency announced on March 26. This follows an earlier report by Bloomberg that the FTC is investigating whether Facebook violated a 2011 settlement, which required it to improve its privacy settings so that third parties could not acquire users’ data without their express knowledge or consent.
Three years after this agreement, Cambridge Analytica was still able to obtain data on a huge portion of Facebook’s user base, the majority of whom did not consent to their personal data being taken for political use.
In its statement announcing the investigation, the FTC said it "takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." As such, the agency has opened a "non-public investigation into these practices."
The FTC could fine Facebook $40,000 for each violation of the 2011 settlement; multiply that by 50 million, and Facebook could be looking at catastrophic financial damages.
Along with the FTC, the British ICO is investigating whether Cambridge Analytica could have used similar voter data to influence UK citizens during the Brexit referendum.
The EU’s Electoral Commission and Australia's Privacy Commissioner have also piped up, with both officially investigating Facebook’s actions to determine if the data of their voters were used without authorization.
Facebook denies unauthorized call logging
In the wake of the Cambridge Analytica scandal, many people have chosen to download their Facebook data and delete their accounts – and some were surprised by what they found.
According to a report by Ars Technica, New Zealand man, Dylan McKay, discovered that the Facebook Lite app had gathered all the contacts from his phone, and logged two years' worth of calls, and claimed it had done so without his permission.
Facebook reacted immediately with a post on its Newsroom blog, denying the accusations. "You may have seen some recent reports that Facebook has been logging people’s call and SMS (text) history without their permission," it said. "This is not the case."
Facebook says that, although its Lite and Messenger apps can log users' call and text histories, they won't do so without explicit consent.
Facebook also clarified that it doesn't sell any of this data, and it doesn't record the content of your messages and calls.
By Michael Hicks, Cat Ellis
© Future Publishing Limited Quay House, The Ambury, Bath BA1 1UA. All rights reserved