It’s no secret that Facebook tracks user data, as anyone who has seen an ad related to a topic they just posted about can attest — but the alleged illegal mining of data on as many as 87 million users, which was acquired by Cambridge Analytica, is raising new concerns about the security of personal information stored on Facebook. Facebook has since banned the analytics firm and the parent company Strategic Communication Laboratories and launched widespread changes to data privacy and third-party app access, but with Cambridge Analytica handling social media campaigns related to President Donald Trump’s presidential bid and the U.K.’s Brexit vote, the scrutiny will likely continue for some time.
After Facebook CEO Mark Zuckerberg broke his silence and shared a post detailing what happened, several of those changes have already been set in motion. On April 4, Facebook shared a draft of an updated data policy while launching several limitations to third-party app use (one of which broke Tinder). Facebook says users impacted by the data misuse will be notified, but added that the list of security changes announced this week is only the start, with more adjustments coming over the next few weeks. Cambridge Analytica says the company has done nothing wrong and, so far, has appeared to cooperate with investigations.
In a press conference April 4, Zuckerberg said the company, at first, did not have a wide enough view on how the network could potentially be abused. “We didn’t focus enough on preventing abuse and thinking through how people could use these tools to do harm as well. That goes for fake news, foreign interference in elections, hate speech, in addition to developers and data privacy. We didn’t take a broad enough view of what our responsibility is, and that was a huge mistake. It was my mistake.”
On Monday, March 26, the Federal Trade Commission confirmed an open but non-public investigation into Facebook’s privacy policies. Along with mentioning current privacy laws, the statement also mentions that companies with earlier settlements with the FTC must also comply with orders — and Facebook has already faced FTC scrutiny for a similar list of complaints in 2011.
So what do Facebook users need to know about the illegal data mining? Here is what we know so far.
Users didn’t have to authorize an app to have their data mined
Some of the user data in question was accessed by authorizing the app “thisisyourdigitallife,” by Global Science Research, a personality app that told users the information was anonymous and for physiological research. Granting access to a third-party app prompts a pop-up screen that says what data the app will have access to, requiring the user to agree to the terms before allowing access. The app was also reportedly boosted by Amazon Turk, a program that pays users to complete surveys and other online tasks. Global Science Research allegedly sold that data to Cambridge Analytica.
That is not why the app’s developers and Cambridge Analytica are under fire, however. Around 270,000 people actually accessed the app. But the app didn’t stop there; it also gathered data on those users’ friends, until it had access to information from millions of users. This means the vast majority of users who had their data stolen never authorized the app to access their accounts, thus prompting the ensuing controversy and Facebook’s ban of Cambridge Analytica.
The New York Times first estimated 50 million users were affected. Facebook still hasn’t come up with an exact count but said that 87 million users either had a friend using the app or downloaded the app themselves, so the network is saying the highest number of users that could have been affected is 87 million. Cambridge Analytica claims the app gathered information on “no more than” 30 million people.
Most of those numbers are users based in the U.S. but some of that data jumps borders. While other countries only make up around one percent of the possible users affected, users in the Philippines, Indonesia, United Kingdom, Mexico, Canada, India, Brazil, Vietnam and Australia could have been tracked by the third-party app.
While wasting three minutes of your life taking a quiz to find out what kind of potato chip you are is nobody’s proudest moment, granting an unknown company access to your data, and that of your friends, is an irrationally high price to pay.
Third-party apps can no longer access your friends’ data — and Facebook is still doing more
Facebook says that today’s platform doesn’t allow third-party apps to access the same information from your friends. This change was made in 2014 when Facebook removed the API that allowed developers to access data on a user’s friends.
While third-party apps have not had access to friend data for years, Zuckerberg says the platform will take several steps to further protect user data. Third-party apps will now only stay connected for three months, preventing one-time use apps from monitoring data in the background. The network is also launching an audit of all the apps that used friend data prior to 2014 — and removing anyone who doesn’t cooperate with the audit as well as apps that misused data. And while users could always look in the settings to see what apps have access to their data, Facebook will put the tool right in the newsfeed over the next month so users can easily check the permitted apps.
In April, Facebook made several changes to the API that allows third-party app access, including limiting access to Groups and excluding the guest list from the Events API. The changes limit the data third-party apps can access and even remove a search feature.
In an official blog post following Zuckerberg’s statement, Facebook also said that they would be informing users involved in any data misuse, including users that were impacted by the “thisisyourdigitallife” app. By expanding the existing bug bounty program, the network also hopes to find data misuse faster by rewarding hackers that find those loopholes for the company to correct.
“I started Facebook, and at the end of the day I’m responsible for what happens on our platform,” Zuckerberg wrote. “I’m serious about doing what it takes to protect our community. While this specific issue involving Cambridge Analytica should no longer happen with new apps today, that doesn’t change what happened in the past. We will learn from this experience to secure our platform further and make our community safer for everyone going forward.”
Facebook knew about the data in 2015
Facebook discovered the misuse of data from journalists back in 2015. The app’s creator, Dr. Aleksandr Kogan, claimed he was using it for an academic study — and insists he didn’t think he was doing anything wrong. When Facebook found out about the data the app was gathering in 2015, it asked Global Science Research to delete it — and thought the company did. When Facebook received reports suggesting that the deletion never happened, they suspended the company from the platform and launched an investigation.
A lawsuit filed by investors said Facebook should have disclosed this information.
Cambridge Analytica claims that the information was deleted and is cooperating with audits. The company also says that the information was not used during the 2016 presidential campaign.
Facebook is losing money — and that might be a good thing
Advertisers often choose Facebook because the company can target a specific customer using legal, publicly shared information to advertise, say, diapers only to new parents. The scandal, however, is affecting the company’s value. In just the first two days, the company’s stock lost around $60 billion in value.
While that’s not good news if you invested in Facebook stock, for the average user, that impact could be a good sign — Facebook isn’t going to sit by idly and lose billions. Social media platforms are profit-driven companies, and a threat to the bottom line can spur a rapid change of course. Just look at how fast YouTube changed advertising policies when advertisers boycotted the platform after seeing their ads inserted in hate speech videos.
The scandal has also sparked a #deletefacebook movement, but Zuckerberg says that the company hasn’t seen any “meaningful impact” from the movement. The CEO said that, while the movement hasn’t created drastic user drops, the company is still working to repair that distrust.
This isn’t the first time Facebook has been scrutinized over privacy
In 2011, Facebook faced a list of seven complaints from the Federal Trade Commission about user privacy. One of those complaints said that “Facebook represented that third-party apps that users installed would have access only to user information they needed to operate. In fact, the apps could access nearly all of users’ personal data — data the apps didn’t need.”
A second complaint on the list sounds familiar in the midst of the current scandal, which reads “selecting ‘Friends Only’ did not prevent their information from being shared with third-party applications their friends used.” Additionally, while Facebook claimed it verified that participating apps were secure, the FTC said this was not true. Facebook settled the complaint, agreed to get user approval before allowing apps to access data, and agreed to allow privacy audits.
In 2017, Facebook faced legal fines in France and the Netherlands for violating privacy protection laws in those countries. At the time, the government organizations said that Facebook didn’t allow enough privacy controls and that the platform was also using browser history without user consent.
That turmoil in France and the Netherlands likely prompted Facebook to announce a new Privacy Center, designed to help users understand just how their data is used. The Privacy Center hasn’t yet rolled out, but Facebook moved up the original May launch following the scandal.
The U.S., U.K., Australia and FTC are all investigating
More information will likely come over the next few weeks as several groups dig into the controversy. Facebook reportedly met with Congress for two days following the scandal. Facebook hired a private investigative firm — but the U.K.’s Information Commissioner’s Office asked the group to leave as it pursued its own investigation. The FTC is also investigating how the information was used — after initial reports of an investigation, the FTC has now confirmed an investigation. An Australian watchdog organization is also investigating.
As the investigation continues, additional details will likely become available. Currently, it’s unclear exactly how the data was used, which campaigns the data was used in, and if those campaigns had any major impact. Cambridge Analytica is claiming no wrongdoing.
Facebook claims it was deceived
While the information wasn’t stolen in a hack-like breach, Zuckerberg called the mishandling of data a breach of trust. “This was a breach of trust between Kogan, Cambridge Analytica and Facebook,” he said. “But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.”
Andrew “Boz” Bosworth, the company’s vice president of augmented and virtual reality and the former vice president in advertising, said Facebook is set up so that personal data isn’t sold to other companies. “Yes developers can receive data that helps them provide better experiences to people, but we don’t make money from that directly and have set this up in a way so that no one’s personal information is sold to businesses,” he wrote in a Facebook post. “We are able to show better ads when we know more about people relative to other businesses, so giving data to them is the opposite of a good strategy. Also if people aren’t having a positive experience connecting with businesses and apps then it all breaks down. This is specifically what I mean when we say our interests are aligned with users when it comes to protecting data.”
This isn’t the only questionable practice Cambridge Analytica is accused of
While misuse of user data is at the heart of the scandal, that’s not all Cambridge Analytica is facing. British undercover reporters set up several meetings with the company and recorded CEO Alexander Nix suggesting creating a sex scandal to discredit an opponent. Cambridge Analytica has cried foul and said it never intended to carry out those suggestions.
ABC News also reports that the company is facing legal action from the Federal Election Commission and Department of Justice. The legal complaints suggest that the company allegedly broke election laws that say only U.S. citizens can participate in political campaigns. According to the complaints, a lawyer warned the firm of the laws back in 2014. Cambridge Analytica is based in the U.K.
Users can revoke authorization to third-party apps
While even the former owner of WhatsApp is calling for users to delete Facebook, there are settings users can adjust to limit shared data and view which third-party apps have been authorized. This may not prevent illegal access to data if someone finds a way to access information outside of Facebook’s rules, but it’s a start for users who would rather not cut all ties with Facebook.
As the investigation continues, we will update this post with additional information.
Updated on April 5: Added Facebook’s revised data policy, new restrictions on third-party app access, and a new estimate of as many as 87 million users affected.