Naked Security

Facebook loses control of 50 million users’ data, suspends analytics firm

Facebook has suspended Cambridge Analytica for violating its platform policies.

Cambridge Analytica – the data-crunching firm with tools so muscular that founder Christopher Wylie has described it as “Steve Bannon’s psychological warfare mindf**k tool” – has been collecting Facebook user data without permission through “a scam and a fraud,” Facebook said on Friday.
That statement to the New York Times came from Paul Grewal, a Facebook vice president and deputy general counsel. It preceded a weekend of turmoil over the use and abuse of big data, one that promises to keep playing out as lawmakers pledge to launch investigations.
On Friday, after a week of questions from investigative reporters, Facebook suspended Cambridge Analytica and parent company Strategic Communication Laboratories (SCL) from its platform. The suspensions came late in the game, news outlets are charging, given that Facebook has known about this for three years. Facebook, for its part, claims that the parties involved lied about having deleted harvested data years ago. At least one of the parties involved has shown evidence that points to Facebook having done very little to make sure the data was deleted.
The banishment was unveiled a day before the publication of two investigative reports, one from the New York Times and another from The Observer. The reports both detailed how Cambridge used personal information taken without authorization from more than 50 million Facebook users in early 2014 to build a system that could profile individual US voters in order to target them with personalized political ads.
Cambridge is owned by conservative Republican hedge fund billionaire Robert Mercer. It is a voter-profiling company whose services conservative backers used during both the Trump and Brexit campaigns.
The NYT/Observer reports relied on interviews with six former employees and contractors plus a review of the firm’s emails and documents. One such source was whistleblower Christopher Wylie, who worked with Cambridge University professor Aleksandr Kogan to obtain the data. The Observer quoted Wylie:

We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.

Cambridge did so, the newspapers reported, because it had a $15 million investment from Mercer burning a hole in its pocket. Cambridge wanted to woo Steve Bannon with a tool to identify American voters’ personalities and to influence behavior, but it first needed data to flesh out that tool. So it took Facebook users’ data without their permission, according to the newspapers.
They called it “one of the largest data leaks in the social network’s history” – one that allowed Cambridge to “exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016.”
Not surprisingly, Facebook immediately pushed back against the characterization of a massive data leak in an update to its initial announcement of the suspensions. It said that the data got out not through a leak but because some 270,000 Facebook users willingly signed up for a Facebook personality test called thisisyourdigitallife that billed itself as “a research app used by psychologists.”

The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.

Kogan was the developer of thisisyourdigitallife. Facebook says that in 2015 it found out that Kogan had lied and violated Facebook's Platform Policies by passing data from an app that used Facebook Login to SCL/Cambridge. Facebook says that Kogan also gave the data to Wylie. Wylie was an employee of Cambridge Analytica at the time of the alleged breach but went on to start his own firm, Eunoia Technologies, in 2014.
Wylie has provided the Observer with a dossier of evidence about the data misuse that apparently contradicts testimony given last month by Facebook and by Cambridge Analytica CEO Alexander Nix, who both told a parliamentary inquiry on fake news that Cambridge neither held nor used private Facebook data.
The Observer reports that the dossier includes emails, invoices, contracts and bank transfers that reveal more than 50 million profiles – most of which belong to registered US voters – that were harvested from Facebook. Facebook has suspended Wylie from its platform while it carries out its investigation.
As for Facebook's assertion that it was lied to about data deletion, Wylie's dossier implies that Facebook didn't break much of a sweat to ensure that the data, improperly shared with third parties as it was, had in fact been deleted. The dossier includes a letter from Facebook's lawyers, dated August 2016, in which Wylie was asked to destroy data collected by GSR, a company Kogan set up to harvest user profiles.
That is apparently all Facebook did about the leak, or breach, or whatever you want to call it. It sent a letter, the receipt of which was delayed because Wylie was traveling; it didn't pursue a response when he failed to answer for weeks; and it never followed up with any forensic check to confirm that the data had been removed from his computers and storage. A self-certification checkbox is not evidence of deletion.
Wylie:

That to me was the most astonishing thing. They waited two years and did absolutely nothing to check that the data was deleted. All they asked me to do was tick a box on a form and post it back.

You might well question how 270,000 people signing up for a Facebook personality quiz blossomed into a potential data breach affecting 50 million users – nearly 25% of potential US voters.
As The Observer describes it, the app scraped not just test-takers' own profile data but also that of their friends. Facebook's platform permitted apps to request friends' data at the time (Facebook removed those friend-level permissions from its Graph API starting with v2.0 in 2014, with existing apps cut off in 2015), but its policy allowed such data to be used only to improve the user's experience inside the app, not to be sold or used for advertising. The permission model, not a break-in, is what turned each consenting user into a gateway to everyone on their friends list.
Of the 50 million profiles scraped (only 270,000 of which belonged to users who’d granted permission), roughly 30 million contained enough information, including places of residence, that the company could (at least theoretically) match users to other records and build “psychographic” profiles.
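The amplification described above, modelled in Python as an added example. This is not code from Naked Security, Facebook or any of the firms named; the friendship graph, profile fields and the two scope names ("self_only" and "friends_data") are constructed for illustration, with "friends_data" standing in for the friend-level read permissions an app could request at the time.

```python
"""Model of how an app permission over a social graph turns a small consenting
population into a much larger harvested one.

Constructed example: graph, profiles and scope names are hypothetical stand-ins,
not Facebook's API. 'self_only' returns only the installing user's profile;
'friends_data' also returns every friend of each installing user.
"""
import random
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple


def build_graph(edges: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Undirected friendship graph as adjacency sets."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return dict(graph)


def harvest(graph: Dict[str, Set[str]], consenting: Iterable[str], scope: str) -> Set[str]:
    """Return the user IDs whose profiles an app can read under the given scope."""
    consenting = set(consenting)
    if scope == "self_only":
        return consenting
    if scope == "friends_data":
        reached = set(consenting)
        for user in consenting:  # one hop: every friend of every installer
            reached |= graph.get(user, set())
        return reached
    raise ValueError(f"unknown scope {scope!r}")


def matchable(profiles: Dict[str, Dict[str, str]], user_ids: Iterable[str],
              required: Tuple[str, ...] = ("name", "residence")) -> Set[str]:
    """Harvested users with enough fields (the page cites place of residence)
    to be linked to outside records such as a voter file."""
    return {u for u in user_ids
            if all(profiles.get(u, {}).get(field) for field in required)}


def harvest_report(graph, profiles, consenting, scope) -> Dict[str, int]:
    """Counts a privacy reviewer would ask for: who consented vs. who was exposed."""
    consenting = set(consenting)
    reached = harvest(graph, consenting, scope)
    return {
        "consented": len(consenting),
        "harvested": len(reached),
        "harvested_without_consent": len(reached - consenting),
        "matchable": len(matchable(profiles, reached)),
    }


# Constructed sample data (not real users).
SAMPLE_EDGES = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
    ("bob", "erin"), ("carol", "frank"), ("dave", "erin"),
    ("grace", "heidi"), ("heidi", "ivan"),
]
SAMPLE_PROFILES = {
    "alice": {"name": "Alice", "residence": "Austin, TX"},
    "bob": {"name": "Bob", "residence": ""},
    "carol": {"name": "Carol", "residence": "Boise, ID"},
    "dave": {"name": "Dave", "residence": "Denver, CO"},
    "erin": {"name": "Erin", "residence": "Erie, PA"},
    "frank": {"name": "Frank", "residence": "Fargo, ND"},
    "grace": {"name": "Grace", "residence": "Gary, IN"},
    "heidi": {"name": "Heidi", "residence": ""},
    "ivan": {"name": "Ivan", "residence": "Ithaca, NY"},
}


def simulate(n_users: int = 20000, friends_per_user: int = 20,
             n_consenting: int = 100, seed: int = 1) -> Dict[str, int]:
    """Random graph: shows harvested count tracking consenting x average degree."""
    rng = random.Random(seed)
    users = [f"u{i}" for i in range(n_users)]
    edges = [(u, v) for u in users for v in rng.sample(users, friends_per_user) if v != u]
    profiles = {u: {"name": u, "residence": "set" if rng.random() < 0.6 else ""}
                for u in users}
    return harvest_report(build_graph(edges), profiles, rng.sample(users, n_consenting),
                          "friends_data")


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    for scope in ("self_only", "friends_data"):
        print(scope, harvest_report(g, SAMPLE_PROFILES, {"alice", "grace"}, scope))
    print("simulated", simulate())
```

On the constructed graph, two installers expose four people who never touched the app under "friends_data" scope and nobody under "self_only"; the simulated graph shows the harvested count growing with the installers' average friend count, which is the arithmetic behind 270,000 installs reaching 50 million profiles. The practitioner's check is the scope comparison itself: a token limited to the consenting user's own data collapses the harvest to the consenting set, so least privilege at the permission layer is what bounds this class of exposure.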
The NYT published an email from Kogan to Wylie describing what traits could be predicted from those profiles: they include gender, age, political views, religion, job, “sensational interests” (a category that includes whether somebody’s into guns/shooting/martial arts/drugs/black magic/paganism/how credulous they are), and belief in star signs, among others.
Cambridge Analytica gained notoriety for what its own execs called “psychological warfare” in both the Trump and Brexit campaigns.


Not surprisingly, Facebook has a far different account of what went down. But one thing the social network and the investigative journalists agree on is that Cambridge not only obtained users' private Facebook data but, according to the NYT, appears to still possess "most or all of the trove."
From Facebook’s explanation of why it’s suspended SCL and Cambridge:

Several days ago, we received reports that, contrary to the certifications we were given, not all data was deleted. We are moving aggressively to determine the accuracy of these claims. If true, this is another unacceptable violation of trust and the commitments they made.

This is a lot, but there’s far more. The revelations come just weeks after special counsel Robert Mueller indicted 13 Russians for allegedly using Facebook to perpetrate “information warfare” against the US.
Cambridge Analytica is currently under investigation on both sides of the pond: it’s a key focus in two inquiries in the UK, one from the Electoral Commission, into the firm’s possible role in the EU referendum, and one by the Information Commissioner’s Office (ICO), into data analytics for political purposes. In the US, Mueller’s probe is also delving into how the analytics firm helped Donald Trump win the presidency.
And then of course there’s Russia and its part in the dissemination of fake news. It turns out that Kogan has previously unreported links to St. Petersburg State University and has accepted Russian grants for research. His Facebook license was only to collect data for research purposes, not to pass on to a commercial outfit like Cambridge, and thus was in violation of Facebook’s terms.
Kogan claims that everything he did was legal, according to the Observer, and that he had a “close working relationship” with Facebook, which had granted him permission for his apps.
Democratic Senator Mark R. Warner, Vice Chairman of the Senate Select Committee on Intelligence, who has been proposing an Honest Ads Act to regulate online political advertising the way it is regulated on television, radio and in print, put out a statement saying that the latest revelations are yet another sign that online ads are the Wild West:

This is more evidence that the online political advertising market is essentially the Wild West. Whether it’s allowing Russians to purchase political ads, or extensive micro-targeting based on ill-gotten user data, it’s clear that, left unregulated, this market will continue to be prone to deception and lacking in transparency. This is another strong indication of the need for Congress to quickly pass the Honest Ads Act to bring transparency and accountability to online political advertisements.


6 Comments

So after pledging to prevent a “repeat of 2016” and other comments targeting US Republicans, or the potential Trump 2020 campaign specifically, Facebook decides to ban 2 or so companies out of the probably thousands of instances of data abuse, internally and externally. All this while FB employees are admitting internal bias and discrimination. How long before Congress gets involved now?

And so the gifts just keep coming. I think it is about time that we woke out of our digital stupor. We are letting these people and companies use our personal data against us. There are lies, damn lies and now there are lies spun especially for you using your personal data. Fabricated to appeal to your deepest thoughts. Well, maybe I am overstating it a bit, but it is not far from the truth. Advertising companies have been using targeted response testing for years to see how you react to products. We have all of this online data floating around that can be used to narrow their targeting, so now the politicians, charities, and other organisations are using it too. Did Facebook lose control of this data? No, they never had control of it in the first place.

And yet the tech is not that great or accurate… but hey, it makes for a great political debate.
I bet if they could (they can't) figure out the number of voters CA changed the minds of, it would be less than 1000, maybe less than 100. Don't give these wannabes too much credit by throwing out large numbers like 50 million.

What? I rarely use Facebook, but man, nothing is safe. I mean people are trying to stay connected (contrary to society studies) to their friends and family any way they can, even if it's through the internet, and Facebook fumbles it.

First, an admission of bias. I'm in the 32% of Americans not on Facebook.
Second, this sad set of tall tales comes as no surprise. Mr. Z continues to lie, cheat, steal (“legally”), and blame it on the other guy.
The real disappointment is that our elected officials plan yet another investigation. As if they could actually glean even a smidge more knowledge than they got from the last investigation – the Equifax castigation, for example, which also yielded no action.
And some Senator proposes, as blow-hards always do, just like Mr. Z does, to do something about it. A great big half-assed tie-their-thumbs-together proposal. Oh, never you mind about the security of your data. Let's just make the bastards tell us who they are before we let ’em F us over (or is that FB?). At least we'll have transparency!

And then there are the links to UK Brexit vote influencing campaigns too.
It's not surprising that politicians and/or their campaign companies are using tactics such as this to influence votes, but that doesn't make it any less disturbing, especially with the massive number of voters whose lives are so integrated with their social media accounts.
