Naked Security

Facebook users were duped by Cambridge Analytica, FTC rules

Delete the data, and don't do any of that again, the FTC told the data analytics company, which already filed for bankruptcy in 2018.

Oh, what a tangled web Cambridge Analytica wove: the US Federal Trade Commission (FTC) on Friday ruled that the infamous and now bankrupt data analytics and consulting company practiced to deceive Facebook users in order to suck up their data

…all the better to tickle your inner demons, my dears.

Cambridge Analytica is, or was, a voter-profiling company that was used during both the Trump and Brexit campaigns. In March 2018, whistleblowers – former employees and contractors, including Christopher Wylie, who worked with Cambridge University professor Aleksandr Kogan to obtain the data – said that they had used Facebook to harvest millions of people’s profiles and built models to exploit what they found out about those users in order to “target their inner demons.”


That was the basis the entire company was built on.

In its opinion, issued on 25 November, the FTC also found that Cambridge Analytica engaged in deceptive practices relating to its participation in the EU-US Privacy Shield: a pact that allows US technology companies to legally transfer EU citizens’ personal information across the Atlantic in compliance with EU data protection requirements.

The FTC’s complaint alleged that Cambridge Analytica let its Privacy Shield certification lapse, then didn’t bother to tell the US Department of Commerce that it would continue to apply the data pact’s protections for the personally identifiable information (PII) that it collected while it was participating.

The FTC had sued Cambridge Analytica in July 2019, alleging that it, and its then-CEO Alexander Nix and app developer Aleksandr Kogan, deceived consumers, lying to them about not collecting any PII from Facebook users who were asked to answer survey questions and share some of their Facebook profile data.

Kogan developed a Facebook application called the GSRApp, better known as the “thisisyourdigitallife” app. It asked users to answer personality and other questions, and it collected information such as their – and their friends’ – likes of public Facebook pages.

Nix and Kogan settled. By-then-dead Cambridge Analytica didn’t respond to the complaint or to a motion submitted for summary judgment of the allegations.

Delete the data and don’t do it again

In its Final Order, the FTC prohibits Cambridge Analytica from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information, as well as its participation in the Privacy Shield pact and other similar regulatory or standard-setting organizations.

It’s also required to continue to apply Privacy Shield protections to personal information it collected while participating in the program (or to provide other protections authorized by law), or return or delete the information, and has to delete the PII that it collected through the GSRApp/thisisyourdigitallife.

But who’s left at Cambridge Analytica to carry out those data-deleting orders? The firm is currently filing for bankruptcy: a process it embarked on soon after the data debacle was first uncovered.

At the time, newspapers classified it as “one of the largest data leaks in the social network’s history” – one that allowed the data analytics firm to “exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016.”

That was no breach; it was business as usual

Facebook at the time called that classification complete rot: the notion that there was a data breach was “completely false,” it said, and promptly blamed the victims for “[choosing] to sign up to [Kogan’s] app,” with “everyone involved [having given] their consent.”

People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.

Well, Facebook was spot-on when it claimed that the data wasn’t filched in a “breach” given that, according to whistleblowers, a fake news inquiry in the UK and private staff emails, it basically amounted to Facebook having turned a blind eye to Cambridge Analytica and other developers scraping away its users’ data.

Facebook was wrong in blaming the victims, however, the FTC said – as in, $5b worth of wrong. In July 2019, the FTC wrist-slapped Facebook $5b over its alleged, repeated use of “deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order.”


Cambridge Analytica might have weaved about in trying to evade their pursuers, but they wove (not weaved) a tangled web.

“Nix and Kogan settled” On what terms did they settle?


My New Oxford American Dictionary agrees with you about wove – the strong past tense form is the only one listed as standard usage. The Oxford Dictionary of English agrees.

(US and Commonwealth English sometimes disagree about strong and weak past forms, e.g. US shined and UK shone.)

So I changed it.


So the government got a cut (fine) of $5B, Alexander Nix and Aleksandr Kogan walked away free, and those that were compliant (cough, zukerboy) got... well, they didn’t lose anything personally. Paying bribes (fines) shouldn’t be an alternative to jail. I could understand if they learned their lesson the first, or second or even third time, but when is enough, enough?

