Facebook is facing international investigations into the illicit harvesting of users' personal data. The information was collected by Cambridge Analytica, a political consulting firm that backed President Trump’s 2016 election campaign.
According to a whistleblower, Cambridge Analytica gathered data from 50 million users (a figure that Facebook has now admitted could be as high as 87 million), then developed a software program that profiled these citizens to predict voting patterns – and, through micro-targeted ads, influence US citizens’ voting decisions.
We’re laying out everything we know and don’t know about how Cambridge Analytica used Facebook to influence elections in the US and around the world, and what this means for the tech giant’s future.
Update: Facebook has published a tool that will tell you whether you were one of the 87 million users affected by the breach. Log into your Facebook account, then visit the page to see if your data was shared with Cambridge Analytica via the app thisisyourdigitallife.
Up to 87 million users affected
Cambridge Analytica (CA) obtained voter data through a Facebook-linked app named 'thisisyourdigitallife'. Through the app, CA member Aleksandr Kogan paid Facebook users in exchange for a detailed personality test, supposedly for academic research purposes.
These users volunteered to provide this information – something Facebook's Deputy General Counsel was quick to emphasize in a statement:
“The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”
But the app also pulled personal data from all of the test-taker’s linked Facebook friends without their consent—data that, per Facebook’s Platform Policy, can only be used to enhance the in-app experience, and should not be given out to anyone.
Instead, Kogan and his associates allegedly built a software platform for influencing US elections, and sold it to Donald Trump. In 2014, former Trump advisor Steve Bannon ran Cambridge Analytica.
Around a quarter of a million people took the test willingly, but millions of people reportedly had their private data used for political and financial gain without their knowledge or consent. The number of people affected was originally believed to be 50 million, but in a blog post on April 4, Facebook revised the figure to 87 million.
Facebook only became aware of CA’s breach of contract in 2016, but reportedly waited months to order CA to delete the data. The consulting firm subsequently ignored this order, and Facebook allegedly never followed up to check.
Only after the media asked for comment did Facebook apparently realize it had been duped for four years. Facebook responded by threatening to sue outlets reporting on the issue.
On April 4, Facebook admitted that up to 87 million users could have been affected. The majority (about 70.5 million) are in the US, but the remaining 19% are in several other countries, including the UK, Canada, Australia and India.
“We do not know precisely what data the app shared with Cambridge Analytica or exactly how many people were impacted,” it said. “Using as expansive a methodology as possible, this is our best estimate of the maximum number of unique accounts that directly installed the thisisyourdigitallife app as well as those whose data may have been shared with the app by their friends.”
Mark Zuckerberg has testified to Congress
On March 21, five days after the story broke, CEO Mark Zuckerberg used a post on his Facebook page to issue his first comment on the situation.
"We have a responsibility to protect your data, and if we can't then we don't deserve to serve you,” Zuckerberg wrote. “I've been working to understand exactly what happened and how to make sure this doesn't happen again.”
He promised that the company will investigate all third-party apps that had access to large amounts of data before 2014 (when Facebook prevented app developers accessing data from users' friends). He added that the site will ban any app developers that don't comply with a full audit and inform their users if a violation is found.
Zuckerberg proposed limiting access to data if a user hasn't used an app for three months, and reducing the amount of information given when a user signs up for an app to just their name, email address and profile photo. If app developers want more information, the user will need to sign a contract to grant permission.
Finally, within the next month, app users' permissions will appear above their news feeds rather than hidden away on a settings page.
Zuckerberg repeated his pledge to take action in an interview with CNN the same day – his first public appearance since the scandal broke.
On March 25, Facebook took out full-page ads in several major US and UK newspapers, with the headline "We have a responsibility to protect your information. If we can't, we don't deserve it." The ads quoted Zuckerberg, again promising that the company is "taking steps to make sure this doesn't happen again."
On April 10, Zuckerberg testified to the US Congress. His speech began with praise for Facebook's role as a platform for social change, before moving on to the illicit sharing of user data and taking personal responsibility.
"It was my mistake, and I’m sorry," he told senators. "I started Facebook, I run it, and I’m responsible for what happens here."
He gave a brief summary of what happened with Cambridge Analytica and repeated the same pledge he made on March 21 before moving on to the issue of Russian interference in the 2016 US presidential elections. He reiterated the pledge he made in his new year's resolution, to fix Facebook by weeding out fake accounts and divisive ads.
Cambridge Analytica is under investigation
Although it operates in the US, Cambridge Analytica is a UK company, meaning the data scandal could have global repercussions. It worked on the Brexit referendum, and has catered to politicians worldwide.
An undercover sting video from Britain’s Channel 4 News revealed CA executives offering to 'fix' Sri Lankan elections for an undercover reporter. Its 'services' included blackmailing, entrapping or extorting rival politicians, and releasing propaganda to the public. One offer was to send 'Ukrainian girls' to a man’s house, then release the footage publicly to shame him.
These offers to spread targeted disinformation are what most concern government agencies like the US Federal Trade Commission (FTC) and British Information Commissioner's Office (ICO). If CA was able to obtain information on voters through Facebook, they would know where to specifically target propaganda to influence elections—just as Russia’s Internet Research Agency did in 2016.
CA may not be the only company that has obtained or purchased information gathered through third-party apps. Considering Facebook’s inability to check if CA stole private user information, we have no way of knowing how many other companies could be hoarding and selling data to influence democratic elections.
The US, UK and EU investigations have only just begun, but they could have major repercussions on how Facebook and other social media companies are required to protect user data in future.
Facebook itself is investigating app developers who had access to the same kind of data as Cambridge Analytica. It has also launched a Data Abuse Bounty, offering cash to users who can point the finger at developers misusing personal information.
Facebook faces international probes
Facebook has typically tried to self-regulate in the face of criticism. Earlier this year, after revealing that advertisers linked to Russia had spent thousands of dollars on ads to influence public opinion in the run-up to the 2016 US presidential election, the company insisted that it would itself prevent democratic meddling in the future.
This time, however, that approach might not be enough. The FTC is now officially investigating Facebook, the agency announced on March 26. This follows an earlier report by Bloomberg that the FTC is investigating whether Facebook violated a 2011 settlement, which required it to improve its privacy settings so that third parties could not acquire users’ data without their express knowledge or consent.
In its statement announcing the investigation, the FTC said it "takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." As such, the agency has opened a "non-public investigation into these practices."
The FTC could fine Facebook $40,000 for each violation of the 2011 settlement; multiply that by 50 million, and Facebook could be looking at catastrophic financial damages.
Along with the FTC, the British ICO is investigating whether Cambridge Analytica could have used similar voter data to influence UK citizens during the Brexit referendum. On March 27, Zuckerberg refused an invitation to speak to the UK parliament about Facebook's use of data, instead offering to send one of his senior deputies.
The EU’s Electoral Commission and Australia's Privacy Commissioner have also piped up, with both officially investigating Facebook’s actions to determine if the data of their voters were used without authorization.
Facebook denies unauthorized call logging
In the wake of the Cambridge Analytica scandal, many people have chosen to download their Facebook data and delete their accounts – and some were surprised by what they found.
According to a report by Ars Technica published on March 24, New Zealand man Dylan McKay discovered that the Facebook Lite app had gathered all the contacts from his phone, and logged two years' worth of calls. McKay claimed it had done so without his permission.
Facebook reacted immediately with a post on its Newsroom blog, denying the accusations. "You may have seen some recent reports that Facebook has been logging people’s call and SMS (text) history without their permission," it said. "This is not the case."
Facebook says that, although its Lite and Messenger apps can log users' call and text histories, they won't do so without explicit consent.
Facebook also clarified that it doesn't sell any of this data, and it doesn't record the content of your messages and calls. It repeated this statement in another blog post on April 4, but also admitted it had collected more information than was strictly necessary to improve the quality of its service.
"This [call logging] means we can surface the people you most frequently connect with at the top of your contact list," it explained. "In the future, the client will only upload to our servers the information needed to offer this feature – not broader data such as the time of calls."