50 Million Facebook Profiles Harvested Without User Consent – Data Monster Chose NOT to Alert Victims & Is Trying to Threaten Reporters
News broke late last night revealing how a startup data analytics firm, Cambridge Analytica, harvested profiles of millions of Facebook users in what is being termed the company's "biggest ever data breach." The analytics firm used this data to build a powerful program to predict and influence voter choices.
By now, a lot has already been reported on how the biggest social networking platform was used by politicians and their wealthy backers in the last few years to sow civic disruption and potentially to influence election results. Whether they managed to influence voters is a debate that will possibly never end. However, the whistleblower's story and Facebook's press release confirm how the company tried to sweep this incident under the rug instead of informing the users who were affected by its biggest data breach.
What exactly happened: 50 million Facebook profiles were harvested to "target their inner demons"
The data monster is apparently not only interested in collecting data for itself, but it also enables others to do the same. According to a whistleblower, Christopher Wylie, who worked with an academic at Cambridge University to obtain this data and helped found the controversial Cambridge Analytica, the firm "exploited Facebook to harvest millions of people’s profiles," and "built models to exploit what we knew about them and target their inner demons."
This data was collected through the thisisyourdigitallife app, which was built by academic Aleksandr Kogan of Cambridge University. "Through his company Global Science Research (GSR), in collaboration with Cambridge Analytica, hundreds of thousands of users were paid to take a personality test and agreed to have their data collected for academic use," the Guardian reported.
The app also collected information on the test-takers’ Facebook friends, which turned the original 270k users into a millions-strong data pool.
However, the story here isn't how this data was used. After all, the firm was paid by its backers to do exactly what it did. The problem here is how Facebook, the biggest social network, chose to stay silent and not inform the affected users. [Those interested in information on the whistleblower, how this data was verified (which has been confirmed by Facebook itself) and information on key players linked to Cambridge Analytica and GSR can head over to the NYT.]
Facebook failed to alert users & did close to nothing to secure data - why voter influence isn't the biggest story here
The biggest revelation isn't how this data was used to influence voters and polarize debates on hot topics; the problem is Facebook's silence on the matter until it was pushed by the whistleblower who made the details public. While Uber and Equifax have attracted much of the user anger over delayed data breach disclosures, Facebook appears to have done worse.
The company, by its own admission, first learned about its users' data being harvested by an analytics firm without user authorization back in 2015. In its press release, Facebook blamed everything on having been lied to by a researcher, took no responsibility for its policies that allowed such behavior, and said nothing about why the affected users weren't informed.
"In 2015, we learned that a psychology professor at the University of Cambridge named Dr. Aleksandr Kogan lied to us and violated our Platform Policies by passing data from an app that was using Facebook Login to SCL/Cambridge Analytica, a firm that does political, government and military work around the globe. He also passed that data to Christopher Wylie of Eunoia Technologies, Inc." - Facebook
The company goes on to suggest that Kogan gained access to this data "in a legitimate way and through the proper channels," but broke the rules by sharing this data with a third party (SCL/Cambridge Analytica and Christopher Wylie).
At the time, all the company did was remove his app from Facebook and believe all the linked parties when they "certified" that the data was destroyed. That's all it did.
Following the recent flurry of stories, Facebook said it is suspending SCL/Cambridge Analytica, Wylie and Kogan from Facebook, pending further information. That comes more than two years after the data breach was first reported. The Guardian reports that the company also tried to warn reporters that they were making "false and defamatory" allegations.
Facebook instructed external lawyers and warned us we were making 'false and defamatory' allegations. Today they said it was not correct to call this a data breach. We are calling it a data breach. https://t.co/Q8wrw0FDyr
— Carole Cadwalladr (@carolecadwalla) March 17, 2018
For what it's worth, Cambridge Analytica in its own statement today said it did delete all the data it received from GSR and didn't use it "as part of the services it provided to the Donald Trump 2016 presidential campaign."
Whether the data was used or not won't answer the concerns raised over Facebook's silence on the matter at the time. Facebook says its policies allow collection of friends' data to improve user experience in the app, but developers are barred from selling it or using it for advertisement. However, that's not what happened in the case of Cambridge Analytica and potentially in several other yet-unreported cases.
It appears the data is still circulating around the web. The NYT reports seeing copies of the data harvested for Cambridge Analytica that can still be found online.
How Facebook could have avoided being at the center of this "information warfare" by alerting victims right when it first learned about the breach
The British Information Commissioner’s Office and Electoral Commission are separately investigating Facebook and Cambridge Analytica's role in the EU referendum, according to the Guardian. Although the United States has already indicted over a dozen Russians for their role in influencing election results, it is likely that the country will start looking at its own companies before pointing all the fingers at Russia.
50 million users had no idea for nearly 3 years that they were victims of a data breach. What Facebook did (or rather, did not do) appears to be no less than a crime.
If Facebook had at the time informed the 50 million affected users that their data was "stolen" by a political data firm and could be used to influence their voting choices, the company could have potentially avoided the entire "fake news / cultural warfare / voters manipulated" saga that has followed the 2016 US presidential election. Every report that has come after the election receives the same response: Democrats are annoyed because they didn't win.
However, it is not a partisan issue, or an American issue for that matter. Facebook is too big to be reduced to a single election or a single party. If one researcher could siphon off data of 50 million users, who knows how many other app developers "legitimately" steal user data, and how often Facebook chooses to stay silent instead of proactively alerting the affected users?