Cambridge Analytica (CA) may have gotten its hands on data from a far greater number of Facebook users, without their knowledge or permission, than independent sources originally estimated: 87 million, up from the initial estimate of 50 million.
Facebook tucked the new number into a post announcing new data access restrictions: just the latest in a string of attempts it’s been making to appease lawmakers and regulatory bodies and to try to keep users from torching their accounts.
(Need a match? Here you go.)
Facebook said in Wednesday’s post that “most people on Facebook” may have had their public profile information scraped by “malicious actors.” The scraping was done with account recovery and search tools that let users look up people by their phone numbers and email addresses, then take information from their profiles.
From the post, written by Facebook CTO Mike Schroepfer:
“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.”
Facebook has now disabled the feature that allowed for searching by phone number or email address. It says it’s also making other changes to account recovery to reduce the risk of scraping, but it didn’t give details.
Facebook’s been dishing up its appeasement banquet for a few weeks, ever since whistleblowers started telling the tale of “utterly horrifying” data harvesting that’s been routine at the platform.
Sandy Parakilas, the platform operations manager at Facebook responsible for policing data breaches by third-party software developers between 2011 and 2012, has described a history of Facebook hiding its head in the sand when it came to user data shared with apps, likely frightened of being found liable for what it’s enabled developers to do with that data.
The first whistleblower was CA founder Christopher Wylie, who worked with Cambridge University professor Aleksandr Kogan to obtain the data used to create a tool that could be used to profile voters and influence the 2016 US presidential election and Brexit campaign. Kogan has been linked to previously undisclosed Russian affiliations.
The fallout has been all sorts of hairy for Facebook: for one thing, the US Federal Trade Commission (FTC) is on its tail, investigating how the company let all those users’ data wind up with CA … a data analytics firm whose secret influence-voters-with-psychographic-voodoo sauce was recently, allegedly, discovered open to all on the internet.
Late last month, Facebook said it was revamping security and privacy settings as one response to the CA mess.
Before that, CEO Mark Zuckerberg announced a crackdown on abuse of Facebook’s platform, strengthened policies, and pledged an easier way for people to revoke apps’ ability to use their data.
Besides disabling the ability to look people up by their phone numbers or email addresses, Facebook’s making a number of other changes to try to crack down on third-party data access.
Apps will no longer be able to see personal information about users, like religion, political views, relationship status, education, work history, fitness activity and what books, movies and music people have consumed.
Apps will also need permission from Facebook before they can access things like Groups, Pages and check-ins. Nor will they be able to see the names and profile photos of people posting and commenting in a group, or see the guest list for events.
Facebook plans to delete call logs older than a year for Messenger and Facebook Lite users on Android who’ve opted in to the call and text history feature. In spite of this having been opt-in, many Android users were startled to discover years of contacts and call history when they downloaded their data archives last month.
On Monday, Facebook users will also see an option on top of their News Feed to review which apps have access to what type of information. As part of that process, Facebook will also tell people if their information was improperly shared with CA.