By Saurav Bhandary │Published: April 20, 2018
On Saturday, March 17, 2018, The New York Times, working together with The Observer of London and The Guardian, first reported that the data-mining firm Cambridge Analytica had ‘improperly’ harvested millions of Facebook users’ data (Rosenberg, Confessore, & Cadwalladr, 2018).
“Facebook says as many as 87 million people may have had their data accessed — an increase from the 50 million disclosed in published reports,” TIME reported on April 4, 2018 (Associated Press, 2018).
On Wednesday, March 21, 2018, Facebook’s CEO Mark Zuckerberg responded to the situation. “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” he wrote on “his” Facebook Page.
The U.S. Federal Trade Commission released a statement on March 26 confirming it has opened an investigation into Facebook’s privacy practices. “[T]he FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook,” Tom Pahl, Acting Director of the FTC, said in a statement. “Today, the FTC is confirming that it has an open non-public investigation into these practices.”
The Facebook breach wasn’t a hack:
So technically, this Facebook breach was not a hack, but a loophole in its privacy controls that allowed third-party app developers to collect data not only from their apps’ users but also from those users’ friend networks (Romano, 2018). As Facebook’s VP and Deputy General Counsel, Paul Grewal, said in a statement released on March 16, 2018, “No systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked” (Facebook Newsroom, 2018).
Back in 2015, Facebook had freely allowed third-party app developers to access and collect data on the app users, initially to create a better experience with an app, which Facebook says was documented in its terms of service. Up until 2015, developers also had access to the profiles of all the users’ friends, who had no clue that their data was being collected (Timberg, Adam, & Kranish, 2018).
This is how it all started:
The problem was with the simple “log-in through Facebook” feature, which allowed Facebook users to log in to a website or sign up for an app without having to create a username and password. Once people log in using this feature, however, they also grant the app developers permission to collect their profile information, such as their name, location, and email, as well as their friends list, which is exactly what happened in the Cambridge Analytica scandal.
How did this happen in the first place?
It all started with an app called “thisisyourdigitallife”, built by Dr. Aleksandr Kogan, separately from his work at Cambridge University (Cadwalladr & Graham-Harrison, 2018). Some 270,000 people used the Facebook login to create an account with this app, and doing so granted the app developer, in this case Dr. Aleksandr Kogan, permission to collect personal data from its users for “academic use”. Kogan collected the data through legitimate channels and only violated the company’s rules when he passed the data to Cambridge Analytica (Wagner, 2018).
Through those 270,000 people who opted in, Kogan got access to data from some 80 million Facebook users, according to the Times.
It turns out that Facebook was aware of this privacy concern as early as two years ago but did little to nothing to protect millions of its users’ data (Shieber, 2018). The bigger issue, however, is that Facebook did not feel obligated to inform its users how their personal data was used without their permission.
Facebook says it learned about Kogan’s private database in 2015 when it removed his app and demanded that he and any of his partners delete the data (Meyer, 2018).
On April 30, 2014, Facebook announced at F8 2014, Facebook’s annual developer conference, that it would limit developers’ access (Newcomb, 2018). However, the policy only took effect in 2015, and by then it was already too late (Cross, 2015).
Between 2013 and 2015, Cambridge Analytica had already “improperly” harvested data from 50 million Facebook accounts.
In the wake of the Cambridge Analytica scandal, Facebook has announced that it will further restrict developers’ access to users’ data. “we will reduce the data that an app can request without app review to include only name, profile photo and email address. Requesting any other data will require our approval,” Facebook wrote in a press release on March 21, 2018.
By default, developers using Facebook Login will now receive only a user’s name, profile photo, and email address when someone signs in through Facebook.
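The consent model described above, as an added example that is not Facebook's code or API: a constructed friend graph shows how access delegated through friends multiplies an app's reach beyond the users who opted in, and how a default-field allowlist like the one announced on March 21, 2018 limits what an unreviewed app receives. The graph, the field labels and all function names are assumptions made for illustration.

```python
# Added illustration; graph, field labels and function names are hypothetical.
# Fields granted without app review after the March 21, 2018 change (per the article).
DEFAULT_FIELDS = frozenset({"name", "profile_photo", "email"})

def build_ring_graph(n_users, k):
    """Constructed friend graph: each user is friends with k neighbours on each side."""
    return {u: {(u + d) % n_users for d in range(-k, k + 1) if d != 0}
            for u in range(n_users)}

def reach(graph, consenting, friends_delegated):
    """Return the set of users whose data the app can read.

    friends_delegated=True models the pre-2015 behaviour the article describes,
    where one user's login also exposed that user's friends.
    """
    exposed = set(consenting)
    if friends_delegated:
        for user in consenting:
            exposed |= graph[user]
    return exposed

def grant_fields(requested, approved=frozenset()):
    """Split a request into (granted, needs_review) under the default allowlist."""
    allowed = DEFAULT_FIELDS | frozenset(approved)
    requested = frozenset(requested)
    return requested & allowed, requested - allowed

def exposure_report(n_users=10_000, k=10, step=100):
    """Compare both consent models on the constructed graph."""
    graph = build_ring_graph(n_users, k)
    consenting = set(range(0, n_users, step))      # users who installed the app
    old = reach(graph, consenting, friends_delegated=True)
    new = reach(graph, consenting, friends_delegated=False)
    return {
        "consenting": len(consenting),
        "exposed_with_friend_access": len(old),
        "exposed_without_consent": len(old - consenting),
        "exposed_consent_only": len(new),
    }

if __name__ == "__main__":
    print(exposure_report())
    print(grant_fields({"name", "email", "location", "friends_list"}))
```

On this constructed graph, every opt-in exposes 20 additional people who never saw a consent screen; the same audit question (how many exposed users are outside the consenting set) applies to any delegated-access design.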
Check back for more on this developing story.
Associated Press. (2018, April 04). Number of Facebook Users Snared by Cambridge Analytica Rises to 87 Million, Social Media Giant Reveals. Retrieved from http://time.com/5228213/cambridge-analytica-87-million-facebook-users/
Cadwalladr, C., & Graham-Harrison, E. (2018, March 17). How Cambridge Analytica turned Facebook ‘likes’ into a lucrative political tool. Retrieved from https://www.theguardian.com/technology/2018/mar/17/facebook-cambridge-analytica-kogan-data-algorithm
Constine, J. (2015, April 28). Facebook Is Shutting Down Its API For Giving Your Friends’ Data To Apps. Retrieved from https://techcrunch.com/2015/04/28/facebook-api-shut-down/
Cross, S. (2015, April 28). What to Expect on April 30 – Upgrading to Graph API and the New Login. Retrieved from https://developers.facebook.com/blog/post/2015/04/28/april-30-migration/?ref=hp
Facebook Newsroom. (2018, March 16). Suspending Cambridge Analytica and SCL Group from Facebook. Retrieved from https://newsroom.fb.com/news/2018/03/suspending-cambridge-analytica/
FTC Office of Public Affairs. (2018, March 26). Statement by the Acting Director of FTC’s Bureau of Consumer Protection Regarding Reported Concerns about Facebook Privacy Practices. Retrieved from https://www.ftc.gov/news-events/press-releases/2018/03/statement-acting-director-ftcs-bureau-consumer-protection
Granville, K. (2018, March 19). Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens. Retrieved from https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html
Ingram, D., & Henderson, P. (2018, March 16). Trump consultants harvested data from 50 million Facebook users:… Retrieved from https://www.reuters.com/article/us-facebook-cambridge-analytica/trump-consultants-harvested-data-from-50-million-facebook-users-reports-idUSKCN1GT02Y
Inskeep, S. (2018, April 06). Full Transcript: Facebook COO Sheryl Sandberg On Protecting User Data. Retrieved from https://www.wabe.org/full-transcript-facebook-coo-sheryl-sandberg-on-protecting-user-data/
Meyer, R. (2018, March 20). The Cambridge Analytica Scandal, in 3 Paragraphs. Retrieved from https://www.theatlantic.com/technology/archive/2018/03/the-cambridge-analytica-scandal-in-three-paragraphs/556046/
Newcomb, A. (2018, March 24). A timeline of Facebook’s privacy issues – and its responses. Retrieved from https://www.nbcnews.com/tech/social-media/timeline-facebook-s-privacy-issues-its-responses-n859651
Romano, A. (2018, March 20). The Facebook data breach wasn’t a hack. It was a wake-up call. Retrieved from https://www.vox.com/2018/3/20/17138756/facebook-data-breach-cambridge-analytica-explained
Rosenberg, M., Confessore, N., & Cadwalladr, C. (2018, March 17). How Trump Consultants Exploited the Facebook Data of Millions. Retrieved from https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html
Scott, M., & Cerulus, L. (2018, March 26). Facebook data scandal opens new era in global privacy enforcement. Retrieved from https://www.politico.eu/article/facebook-cambridge-analytica-data-protection-privacy-mark-zuckerberg-regulators/
Shieber, J. (2018, March 21). User data leaks at Facebook pull tech further into political debate. Retrieved from https://techcrunch.com/story/facebook-data-leak-politics/
Steinmetz, K. (2018, March 22). Cambridge Analytica’s Facebook Data Was Valuable, Worthless. Retrieved from http://time.com/5207764/cambridge-analytica-facebook-data/
The Federal Trade Commission. (2017). Federal Trade Commission 2017 Privacy and Data Security Update. Retrieved from https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2017-overview-commissions-enforcement-policy-initiatives-consumer/privacy_and_data_security_update_2017.pdf
Timberg, C., Adam, K., & Kranish, M. (2018, March 20). Bannon oversaw Cambridge Analytica’s collection of Facebook data, according to former employee. Retrieved from https://www.washingtonpost.com/politics/bannon-oversaw-cambridge-analyticas-collection-of-facebook-data-according-to-former-employee/2018/03/20/8fb369a6-2c55-11e8-b0b0-f706877db618_story.html?utm_term=.351d12103d4f
Wagner, K. (2018, March 17). Here’s how Facebook allowed Cambridge Analytica to get data for 50 million users. Retrieved from https://www.recode.net/2018/3/17/17134072/facebook-cambridge-analytica-trump-explained-user-data
Weiss, B. (2018, March 17). Trump-linked firm Cambridge Analytica collected personal information from 50 million Facebook users without permission. Retrieved from http://www.businessinsider.com/cambridge-analytica-trump-firm-facebook-data-50-million-users-2018-3