On March 17, 2018, The Observer revealed that Cambridge Analytica, a U.S. subsidiary of the SCL Group, had harvested the user data of over 50 million Facebook users by abusing Facebook’s lax data sharing rules. The story has persisted in subsequent weeks, and we’ve covered it closely. Here’s everything you need to know:
50 To 230 Million User Profiles Harvested
Whistleblower Christopher Wylie, who was a co-founder of Cambridge Analytica, revealed to the Observer documents that showed how the firm, together with a UK company called Global Sciences Research (GSR), collected the user data of over 50 million users, mostly without their consent. GSR built a quiz application for Facebook and then got over 270,000 Amazon Mechanical Turk workers to install the application.
What those workers didn’t know is that when they installed the application and agreed to all of its permissions, they were sharing not just their own Facebook data, but also the data of all of their friends. The shared data included names, profile information, likes, comments, shares, and more. GSR was able to harvest all of this data without consent from the users’ friends and then share it with Cambridge Analytica because of the way Facebook permitted developers to collect data.
This incident happened in 2014, but Wylie said that by now, Cambridge Analytica should have the data of over 230 million Facebook users. The company reassured Facebook that it deleted the data in 2015, but according to Wylie, the company continued to harvest Facebook’s user data.
It’s Not Just Cambridge Analytica
A former Facebook employee later revealed that Cambridge Analytica was far from the only company to have harvested user data in this way. Sandy Parakilas, who was the the platform operations manager at Facebook between 2011 and 2012, had warned the company that its platform rules were too lax, but his superiors didn’t listen.
Parakilas revealed that there could be thousands of companies and developers that may have harvested the users’ friends data just like Cambridge Analytica and GSR did.
Palantir’s Role In The Scandal
A New York Times report later revealed that Alfredas Chmieliauskas, a Palantir employee in charge of business development, has been teaching Cambridge Analytica how to harvest user data from Facebook.
Chmieliauskas, Alexander Nix (who is a CEO of both SCL Elections and Cambridge Analytica UK), and Erich Schmidt’s daughter were also trying to get Palantir and Cambridge Analytica to work together more. Wylie, the original whistleblower, noted in a UK testimony that Palantir had also been using Cambridge Analytica’s harvested data, but Palantir officials denied the story. They later admitted that “one” of their employees was working with Cambridge Analytica.
Users Report Saved Text History And Unpublished Videos
As more users looked into deleting their Facebook accounts, some of them started noticing that their phones’ call and text history was being saved to their Facebook accounts. Many of them didn’t seem aware of the fact that Facebook’s app and Messenger could do this.
Facebook has been prompting Android users with a request to allow their call and text history to be uploaded to the company’s server as part of a recent Android app permission update. However, it’s not clear whether or not Facebook was saving this data even before prompting users with this corresponding permission. It’s only since Android 8.0 that Google started requiring developers to have more specific permissions around data collection and cloud uploads.
Other users also noticed that Facebook has been saving their unpublished video recordings since at least 2008, even though those drafts were supposedly “discarded.” The company said, as it did on other occasions when it was caught tracking users without their permission, that this was just a bug. It’s still strange that so much video data was being saved to the company’s servers for over a decade, yet Facebook’s employees never seemed to notice.
The company said that it fixed the bug and deleted the unpublished videos.
Facebook Responds With (Mostly Mandated) Changes
After almost a week of silence after the Cambridge Analytica scandal broke out, Facebook CEO Mark Zuckerberg issued yet another apology for the company’s recent misstep–one of many in the past few years.
Facebook also committed to tightening the platform rules and auditing any company that it suspects may have abused its policies, as Cambridge Analytica did. However, the company didn’t respond to our question on whether or not it will also audit Palantir for the use of Cambridge Analytica data.
Palantir’s founder, Peter Thiel, also happens to be on Facebook’s board of directors.
It also remains to be seen how willing the company will be to fix its privacy problems in the long term. Facebook tends to implement platform improvements only in the face of regulations or public outcry, and even then it makes only the minimum necessary changes that meet compliance or assuages the angry public.
For instance, the company recently announced new privacy controls, as well as an ending of its partnership with most third-party data brokers. However, what the company didn’t mention is that it didn’t implement these changes just as a response to the Cambridge Analytica scandal, but primarily because they were mandated by the European Union’s General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018.
Asked whether or not the company will use the strong privacy protections of GDPR for its entire service across the world, Zuckerberg implied that only a limited version of the GDPR changes will be implemented globally. That means Americans and other non-EU citizens (including those in the UK, soon) will not benefit from the same strict data protection rules that EU citizens will.
Governments Investigate Facebook
The UK, EU, and U.S. governments have begun investigating Facebook over the Cambridge Analytica scandal. Both a UK Parliamentary committee and a U.S. Senate Judiciary committee asked Facebook’s CEO to testify. Zuckerberg rejected the UK committee’s invitation, but he agreed to testify before the House Energy and Commerce Committee on April 11, at 10am. CNN sources also said that Zuckerberg may testify before the U.S. Senate Judiciary committee next week, on April 10.