On Saturday, March 17, 2018, The New York Times, working together with The Observer of London and The Guardian, first reported that a data-mining firm Cambridge Analytica ‘improperly’ harvested millions of Facebook users’ data (Rosenberg, Confessore, & Cadwalladr, 2018).
“Facebook says as many as 87 million people may have had their data accessed” — an increase from the “50 million disclosed in published reports,” TIME reported on April 4, 2018 (Associated Press, 2018).
On Wednesday, March 21, 2018, Facebook’s CEO Mark Zuckerberg responded to the situation. “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” he wrote on “his” Facebook Page.
The U.S. Federal Trade Commission released a statement on March 26 confirming it has opened an investigation into Facebook’s privacy practices. “[T]he FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook,” Tom Pahl, Acting Director of the FTC, said in a statement. “Today, the FTC is confirming that it has an open non-public investigation into these practices.”
The Facebook breach wasn’t a hack:
So technically, this Facebook breach was not a hack, but a loophole in its privacy that allowed third-party app developers to not only collect data from its users but also from their users’ friends network (Romano, 2018).
As a Facebook’s VP and Deputy General Counsel, Paul Grewal said, “No systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked,” in a statement released on March 16, 2018 (Facebook Newsroom, 2018).
Back in 2015, Facebook had freely allowed third-party app developers to access and collect data on the app users, initially to create a better experience with an app, which Facebook says it was documented in their terms of service. Up until 2015, they also had access to all the users’ friends profile without having any clue that their data was being collected (Timberg, Adam, & Kranish, 2018).
This is how it all started:
The problem was with this simple feature “log-in through Facebook” that allowed Facebook users to simply log in to a website or sign up for an app without having to create a username and password. After people are logged in using this feature; however, they are also granting the app developers collect their profile information- such as their name, location, email, as well as their friends’ list- which is exactly what happened with the Cambridge Analytica scandal.
How did this happen in the first place?
It all started with an app called ‘thisisyourdigitallife’- built by Dr. Aleksandr Kogan, separately from his work at Cambridge University (Cadwalladr & Graham-Harrison, 2018). This app allowed some 270,000 people to use the Facebook login to create an account and using this feature granted app developers- in this case, Dr. Aleksandr Kogan- collect personal data from its’ users for “academic use.”
Kogan collected the data through legitimate channels and only violated the company’s rules when he passed the data to the Cambridge Analytica (Wagner, 2018).
Through those 270,000 people who opted in, Kogan got access to data from some 80 million Facebook users, according to the Times.
Turns out, Facebook was aware of this privacy concern as early as two years ago but did little to nothing to protect millions of its user’s data (Shieber, 2018). The bigger issue, however, is that Facebook did not feel obligated to inform its users how their personal data were used without their permission.
Facebook says it learned about Kogan’s private database in 2015 when it removed his app and demanded that he and any of his partners delete the data (Meyer, 2018).
On April 30, 2014, Facebook announced at F8 2014, Facebook’s annual developer conference, that it would limit access to developers (Newcomb, 2018). However, the policy only took effect in 2015 and by then it was already too late (Cross, 2015).
Between 2013 and 2015, The Cambridge Analytica had already “improperly” harvested data from 50 million Facebook accounts.
In the wake of the Cambridge Analytica scandal, Facebook has announced to even further restrict developers’ access to users data. “We will reduce the data that an app can request without app review to include only name, profile photo and email address. Requesting any other data will require our approval,” Facebook wrote in a press release on March 21, 2018.
By default, developers using Facebook Login will now receive only a user’s name, profile photo, and email address when someone signs in through Facebook.