Sophos News

Facebook loses control of 50 million users’ data, suspends analytics firm

Cambridge Analytica – the data-crunching firm with tools so muscular that founder Christopher Wylie has described it as “Steve Bannon’s psychological warfare mindf**k tool” – has been collecting Facebook user data without permission through “a scam and a fraud,” Facebook said on Friday.
That statement to the New York Times came from Paul Grewal, a Facebook vice president and deputy general counsel. It preceded a day of chaos inspired by big data use and abuse that has raged all weekend and promises to keep playing out as lawmakers pledge to launch investigations.
On Friday, after a week of questions from investigative reporters, Facebook suspended Cambridge Analytica and parent company Strategic Communication Laboratories (SCL) from its platform. The suspensions came late in the game, news outlets are charging, given that Facebook has known about this for three years. Facebook, for its part, claims that the parties involved lied about having deleted harvested data years ago. At least one of the parties involved has shown evidence that points to Facebook having done very little to make sure the data was deleted.
The banishment was unveiled a day before the publishing of two investigatory reports – one from the New York Times, another from The Observer. The reports both detailed how Cambridge used personal information taken without authorization from more than 50 million Facebook users in early 2014 to build a system that could profile individual US voters in order to target them with personalized political ads.
Cambridge is owned by conservative Republican hedge fund billionaire Robert Mercer. It’s a voter-profiling company that was used by conservative investors during both the Trump and Brexit campaigns.
The NYT/Observer reports relied on interviews with six former employees and contractors plus a review of the firm’s emails and documents. One such source was whistleblower Christopher Wylie, who worked with Cambridge University professor Aleksandr Kogan to obtain the data. The Observer quoted Wylie:

We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.

Cambridge did so, the newspapers reported, because it had a $15 million investment from Mercer burning a hole in its pocket. Cambridge wanted to woo Steve Bannon with a tool to identify American voters’ personalities and to influence behavior, but it first needed data to flesh out that tool. So it took Facebook users’ data without their permission, according to the newspapers.
They called it “one of the largest data leaks in the social network’s history” – one that allowed Cambridge to “exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016.”
Not surprisingly, Facebook immediately pushed back against the characterization of a massive data leak in an update to its initial announcement of the suspensions. It said that the data got out not through a leak but because some 270,000 Facebook users willingly signed up for a Facebook personality test called thisisyourdigitallife that billed itself as “a research app used by psychologists.”

The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.

Kogan was the developer of thisisyourdigitallife. Facebook says that in 2015, it found out that Kogan had lied and violated Facebook’s Platform Policies by passing data from an app that was using Facebook Login to SCL/Cambridge. Facebook says that Kogan also gave the data to Wylie. Wylie was an employee of Cambridge Analytica at the time of the alleged breach but went on to start his own firm, Eunoia Technologies, in 2014.
Wylie has produced a dossier of evidence about the data misuse to the Observer that apparently contradicts testimony provided last month by Facebook and Cambridge Analytica CEO Alexander Nix, who both told a parliamentary inquiry on fake news that Cambridge didn’t have, nor use, private Facebook data.
The Observer reports that the dossier includes emails, invoices, contracts and bank transfers that reveal more than 50 million profiles – most of which belong to registered US voters – that were harvested from Facebook. Facebook has suspended Wylie from its platform while it carries out its investigation.
With regard to Facebook’s assertion that it was lied to about data deletion, Wylie’s dossier implies that it didn’t break much of a sweat to ensure that the data, improperly shared with third parties as it was, had in fact been deleted. The dossier includes a letter from Facebook’s lawyers, dated August 2016, in which Wylie was asked to destroy data collected by GSR: a company Kogan set up to harvest user profiles.
That’s all that Facebook apparently did about the leak, or breach, or whatever you want to call it. It sent a letter, the receipt of which was delayed since Wylie was traveling, didn’t pursue a response when he didn’t answer for weeks, and neglected to follow up with forensics to make sure the data was deleted from his computers and storage.
Wylie:

That to me was the most astonishing thing. They waited two years and did absolutely nothing to check that the data was deleted. All they asked me to do was tick a box on a form and post it back.

You might well question how 270,000 people signing up for a Facebook personality quiz blossomed into a potential data breach affecting 50 million users – nearly 25% of potential US voters.
As The Observer describes it, the app scraped not just test-takers’ private profile data, but also that of their friends. Facebook didn’t disallow such behavior from apps at the time, but such data harvesting was allowed only to improve user experience in the app, not to be sold or used for advertising.
Of the 50 million profiles scraped (only 270,000 of which belonged to users who’d granted permission), roughly 30 million contained enough information, including places of residence, that the company could (at least theoretically) match users to other records and build “psychographic” profiles.
The NYT published an email from Kogan to Wylie describing what traits could be predicted from those profiles: they include gender, age, political views, religion, job, “sensational interests” (a category covering whether somebody’s into guns, shooting, martial arts, drugs, black magic or paganism, and how credulous they are), and belief in star signs, among others.
Cambridge Analytica gained notoriety for what its own execs called “psychological warfare” in both the Trump and Brexit campaigns.
Not surprisingly, Facebook has a far different account of what went down. But one thing the social network and the investigative journalists all agree on is that Cambridge not only relied on users’ private Facebook data, but appears to still possess “most or all of the trove,” according to the NYT.
From Facebook’s explanation of why it has suspended SCL and Cambridge:

Several days ago, we received reports that, contrary to the certifications we were given, not all data was deleted. We are moving aggressively to determine the accuracy of these claims. If true, this is another unacceptable violation of trust and the commitments they made.

This is a lot, but there’s far more. The revelations come just weeks after special counsel Robert Mueller indicted 13 Russians for allegedly using Facebook to perpetrate “information warfare” against the US.
Cambridge Analytica is currently under investigation on both sides of the pond: it’s a key focus in two inquiries in the UK, one from the Electoral Commission, into the firm’s possible role in the EU referendum, and one by the Information Commissioner’s Office (ICO), into data analytics for political purposes. In the US, Mueller’s probe is also delving into how the analytics firm helped Donald Trump win the presidency.
And then of course there’s Russia and its part in the dissemination of fake news. It turns out that Kogan has previously unreported links to St. Petersburg State University and has accepted Russian grants for research. His Facebook license was only to collect data for research purposes, not to pass on to a commercial outfit like Cambridge, and thus was in violation of Facebook’s terms.
Kogan claims that everything he did was legal, according to the Observer, and that he had a “close working relationship” with Facebook, which had granted him permission for his apps.
Democratic Senator Mark R. Warner, Vice Chairman of the Senate Select Committee on Intelligence, has been proposing an Honest Ads Act to regulate online political advertising in the same way it is regulated on television, radio and in print. He put out a statement saying that the latest revelations are yet another sign that online ads are the Wild West:

This is more evidence that the online political advertising market is essentially the Wild West. Whether it’s allowing Russians to purchase political ads, or extensive micro-targeting based on ill-gotten user data, it’s clear that, left unregulated, this market will continue to be prone to deception and lacking in transparency. This is another strong indication of the need for Congress to quickly pass the Honest Ads Act to bring transparency and accountability to online political advertisements.