Naked Security

Crimson Hexagon banned by Facebook over user data concern

Facebook is probing whether the firm's government contracts comply with its policies, which nix use of user data for government surveillance.

It sounds like the new headquarters for Superman archenemy Lex Luthor, but “Crimson Hexagon” is actually the name of the most recent data analysis firm to have been suspended for harvesting Facebook’s user data.
The Wall Street Journal last week reported that Facebook is investigating whether the firm’s contracts with the US government and a Russian nonprofit tied to the Kremlin violated its policies.
According to the WSJ, Crimson Hexagon signed off on at least 22 government contracts worth more than $800,000 since 2014, including for the State Department, the Federal Emergency Management Agency (FEMA), and the Secret Service, as well as a separate contract with a Russian nonprofit called the Civil Society Development Foundation.
The newspaper reported that a current deal with FEMA involves monitoring online discussion for various disaster-related purposes. Another deal, with the Department of Homeland Security (DHS) Immigration and Customs Enforcement (ICE), fell through after Twitter resisted the firm’s use of its firehose data: a premium version of Twitter’s streaming API that guarantees access to all tweets matching specific criteria.
It’s not surprising that the Twitter deal fell through: Twitter’s got a history of extending, but then deciding to close down, special access to allow surveillance outfits to mine data.
In 2016, for example, in the wake of a report from the American Civil Liberties Union (ACLU) about police monitoring of activists and protesters via social media data, Twitter, Facebook and Instagram cut off the data streams they’d been sending to the Geofeedia app: an app that used the companies’ APIs to create real-time maps of social media activity in protest areas. Those maps have been used to identify, and in some cases arrest, protesters shortly after their posts became public.


Facebook likewise banned use of user data for government surveillance in March 2017, following pressure from civil liberties groups concerned about the targeting of dissidents and protesters, according to the BBC. The publication quoted a statement issued by a Facebook spokesperson on Friday:

We don’t allow developers to build surveillance tools using information from Facebook or Instagram. We take these allegations seriously, and we have suspended these apps while we investigate.

Crimson Hexagon had been paying for access to Twitter’s firehose – in fact, the firm gets more useful data from Twitter than from Facebook, the WSJ reports – but the deal reportedly fell apart over concerns about how data might be used in a potential contract with ICE.
Also on Friday, Crimson Hexagon pointed out in a post that it’s no Cambridge Analytica. It’s never collected anything but publicly available information, said CTO Chris Bingham. That’s in contrast to CA, whose data slurping was “explicitly illegal,” Bingham said:

To be abundantly clear: What Cambridge Analytica did was explicitly illegal, while the collection of public data is completely legal and sanctioned by the data providers that Crimson engages with, including Twitter and Facebook, among others.

As TechCrunch points out, Crimson Hexagon, unlike Cambridge Analytica, isn’t “a quasi-independent arm of a big, shady network of companies working actively to obscure their connections and deals.” Rather, it’s …

…more above the board, with ordinary venture investment and partnerships. Its work is in a way similar to CA, in that it is gleaning insights of a perhaps troublingly specific nature from billions of public posts, but it’s at least doing it in full view.

Crimson Hexagon has spent years using the public APIs of apps such as Facebook, Instagram, Twitter, and other sources that include newsfeeds and blogs, aggregating public posts so it can measure public opinion about candidates, brands or issues. It’s got clients around the world, including in Russia, Turkey, the UK and the US.
The firm claims to have pulled together a trillion-post archive. Among Crimson Hexagon’s projects: the firm unsuccessfully tried to procure a Defense Department contract monitoring the Islamic State (IS) online; it had a contract to measure Russian President Vladimir Putin’s popularity; and, according to sources familiar with the company, it had a deal in Turkey that led the Recep Tayyip Erdogan-led government to decide, in 2014, to “briefly shut down Twitter amid public dissent,” as the WSJ reports.
In response to questions from the WSJ about its oversight of Crimson Hexagon’s government contracts and its storing of user data, Facebook said on Friday that it wasn’t aware of some of the contracts. The platform said it was suspending Crimson Hexagon’s apps from Facebook and its Instagram unit as it launched a broad inquiry into how Crimson Hexagon collects, shares and stores user data.
Also on Friday, Facebook VP for product partnerships Ime Archibong said that the company planned to meet with Crimson Hexagon’s team over the next few days to look into the matter:

Facebook has a responsibility to help protect people’s information, which is one of the reasons why we have tightened [access to user data].

Archibong added that Facebook allows outside parties to produce “anonymized insights for business purposes.”
Crimson Hexagon, a Boston firm, was founded in 2007 by political scientist Gary King, director for the Institute of Quantitative Social Science at Harvard University. While the “Crimson” part of its name appears to be a hat-tip to Harvard, the company’s site says the name is actually based on the “Crimson Hexagon” featured in Jorge Luis Borges’ short story, the Library of Babel: a “library of astronomical size, comprised of almost infinite hexagonal-shaped rooms that collectively contain every possible combination of just 23 letters, a space, a period, and a comma. Though most of the books are gibberish, the library also contains every valuable book ever written and that might ever be written.”
That’s pretty much what our public posts are to a data analytics firm: continuously churned-out mountains of what at first blush seems like gibberish but which, when you figure out how to analyze it, “helps brands find valuable meaning in a seemingly infinite volume of unstructured text and images,” as Crimson Hexagon says.
In other words, it’s figured out how to find great value in gibberish. Now, it’s time for Facebook to work out if, in the hands of Crimson Hexagon, that great value translates into the type of government surveillance the platform has already banned.


1 Comment

What happens with these data analytical firms with GDPR regulations? Aren’t they subject to that, can’t a good chunk of the population opt out, demand to be purged? I’d think if that’s covered and protected, and I think it is, that this would basically make the cost of generating useful data so costly because so many want to opt out, be cleansed and have you show them their data that it isn’t profitable any longer. A movement for Europeans to know of these firms and make a massive amount of work should hurt them.
