Facebook suspends firm that took 50M users' data, says it wasn't a breach

Facebook suspended Trump-linked data firm Cambridge Analytica, which pilfered 50 million Facebook users’ data, claiming the collected personal data was not the result of a breach.

Facebook announced late on Friday that it was suspending Strategic Communication Laboratories (SCL) and its political data analytics firm Cambridge Analytica, which worked with President Donald Trump’s 2016 election campaign.

The move came a few hours before The Guardian and The New York Times reported on Saturday that SCL and Cambridge Analytica had surreptitiously harvested data from about 50 million Facebook accounts. The social network maintains that Cambridge Analytica violated Facebook’s rules, but that none of the collected personal data came from a hack.

How Cambridge Analytica got the Facebook data

Until the middle of 2014, Facebook allowed apps to abuse a loophole to collect personal data on a user’s entire friend network. In this case, the personality quiz app called "thisisyourdigitallife," created by U.K. academic Aleksandr Kogan, not only harvested data from the person using it but also delved into that person’s friend network and harvested all of their Facebook profile data as well. Facebook claimed only 270,000 people downloaded that app, but Kogan managed to obtain data from 50 million accounts without their consent. Of those, enough data had been harvested from 30 million for Cambridge Analytica to create psychographic profiles on them.

Facebook removed Kogan’s “research” app in 2015 and demanded that the collected user data be destroyed. Yet several sources have confirmed that the data was not destroyed in 2015.

Sources close to Cambridge Analytica told Wired that the data allegedly deleted in 2015 was still accessible in 2017. The internal Cambridge Analytica database, called “Kogan-import,” had “included Facebook IDs, and responses to personality surveys that had been administered by Kogan in 2015.” This database “was only visible to a small number of staffers in data science, engineering, and IT. The source says the database was tightly controlled in terms of who could edit or delete it.”

On Saturday, U.S. Senator Amy Klobuchar (D-Minn.) called on Mark Zuckerberg to testify before the Senate about the “Facebook breach.”

Facebook then updated its announcement about suspending Cambridge Analytica to include:

The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.

In a series of rapid-fire and later-deleted tweets made on Saturday, Facebook CSO Alex Stamos took exception to the “breach” terminology. Stamos then said he deleted them “not because they were factually incorrect but because I should have done a better job weighing in.”

Cambridge Analytica responds

Cambridge Analytica put out its own statement after Facebook’s announcement, claiming it deleted all the data obtained by Global Science Research, which had been contracted in 2014, after learning the data had been obtained outside of Facebook’s terms of service. The firm added, “No data from GSR was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign.”

Whistleblower Christopher Wylie tells his story

Whistleblower Christopher Wylie, who helped found Cambridge Analytica, can help you fully understand the scope of what happened and how it “exploited” Facebook.

Wylie is sorry for the role he played in the “full service propaganda machine.” He added that “it was a grossly unethical experiment because you are playing with an entire country. The psychology of an entire country without their consent or awareness.”

How many times will people accept Facebook’s version of truth — that “protecting people’s information is at the heart of everything we do, and we require the same from people who operate apps on Facebook”? Over and over throughout the years, despite carefully worded statements after some privacy fiasco, Facebook has proven that users’ privacy is not at the heart of the company. Making money via collecting data about users to sell ads is.

Senator Mark Warner (D-Va.) added, “Whether it’s allowing Russians to purchase political ads or extensive micro-targeting based on ill-gotten user data, it’s clear that, left unregulated, this market will continue to be prone to deception and lacking in transparency.”
