Facebook has banned the analytics firm Strategic Communication Laboratories and its political arm, Cambridge Analytica, for failure to follow its rules regarding the handling of personal data — and what may be among the largest abuses of personal data in U.S. history.
Facebook founder and CEO Mark Zuckerberg released his first statement on the matter just today. In it, Zuckerberg takes responsibility for Cambridge Analytica’s abuse of the Facebook platform, and promises that the company will do better in the future.
“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you. I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again,” Zuckerberg said. “The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there’s more to do, and we need to step up and do it.”
The statement goes on to describe how Facebook intends to address the problem going forward, but Zuckerberg is quick to point out that the company has already taken the first steps toward securing your data. First, Zuckerberg claims, Facebook will be auditing thousands of apps which may have improperly accessed user data.
“We will investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity,” Zuckerberg said. “We will ban any developer from our platform that does not agree to a thorough audit. And if we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps.”
Second, Facebook will be cracking down on developers access to your personal data, reducing the data apps are able to access when you use Facebook to login — restricting it to just your name, profile photo, and email address. Lastly, Facebook will now list apps which have access to your private data in a bar above your news feed. You can already access this information, but Zuckerberg says moving it to a more visible location will keep people aware of which apps have access to their data. Users will be able to revoke permissions without digging into their privacy settings.
It’s a good set of first steps, but what Zuckerberg fails to mention is why it took Facebook over two years to publicly acknowledge the problem, when it knew sensitive user data was compromised.
Here’s what happened
While some outlets have reported that this was the result of a breach, the social network denies this claim. In the company’s statement, Facebook VP and Deputy General Counsel Paul Grewal said that the reports regarding a data breach were “completely false.”
The truth seems more complex than that.
Cambridge Analytica, which is best known for its work alongside Donald Trump’s presidential campaign, obtained the information from Dr. Aleksandr Kogan, who created an app called “thisisyourdigitallife.” The app billed itself as a personality test and was downloaded by about 270,000 people. By downloading the app, the users gave permission for the app’s developers to access information regarding the city they lived in, what kind of content they liked on Facebook, and other general information.
But by sniffing through the friends of those users, and the friends of friends, the company was able to gather up info on 50 million people in total, according to the New York Times — none of whom granted the company permission to use or even access to their data, these details were corroborated in Zuckerberg’s statement.
“The firm harvested private information from the Facebook profiles of more than 50 million users without their permission, according to former Cambridge employees, associates and documents, making it one of the largest data leaks in the social network’s history,” the Times reported. This may not have been a data breach, but user’s wishes certainly weren’t honored.
While Kogan obtained the information on the initial 270,000 users legitimately and in accordance with Facebook’s rules, he then proceeded to violate those rules by sharing them with a third party — in this case, Cambridge Analytica.
“By passing information on to a third party, including SCL/Cambridge Analytica and Christopher Wylie of Eunoia Technologies, he violated our platform policies,” Grewal wrote. “When we learned of this violation in 2015, we removed his app from Facebook and demanded certifications from Kogan and all parties he had given data to that the information had been destroyed. Cambridge Analytica, Kogan, and Wylie all certified to us that they destroyed the data.”
Meanwhile, threats of legal action are beginning to appear. On Saturday, Massachusetts attorney general Maura Healey said she planned to look into the situation.
— Maura Healey (@MassAGO) March 17, 2018
Last week, Facebook received reports that not all of the data had been destroyed as promised. Facebook has not yet verified these claims, but has chosen to suspend SCL/Cambridge Analytica and Kogan from the site while it investigates these accusations.
Facebook isn’t the only organization looking into Cambridge Analytica. The Guardian has reported that the British Election Commission is investigating the organization in regards to the Brexit vote, which saw the U.K. vote to leave the European Union.
“We are investigating the circumstances in which Facebook data may have been illegally acquired and used,” said the Commission’s Elizabeth Denham. “It’s part of our ongoing investigation into the use of data analytics for political purposes which was launched to consider how political parties and campaigns, data analytics companies and social media platforms in the U.K. are using and analysing people’s personal information to micro-target voters.”
Facebook itself has faced questions regarding how it handles user data as well.
- Cambridge Analytica whistleblower warns election is still ‘wide open to abuse’
- Facebook won’t ban political ads that lie to voters ahead of the 2020 election
- Apple rejects U.S. Attorney General request to unlock another phone
- Microsoft reveals a security breach of an internal customer support database
- Private data of some Facebook and Twitter users leaked through malicious apps