Photo: Cambridge Analytica

Late Friday night, Facebook published an unusual announcement to its newsroom blog. “We are suspending Strategic Communication Laboratories (SCL), including their political data analytics firm, Cambridge Analytica, from Facebook,” deputy general counsel Paul Grewal wrote. SCL had illegitimately obtained data about Facebook users, and had apparently not destroyed that data when Facebook ordered it to in 2015. Consequently, the company was no longer allowed access to Facebook’s platform. “We are constantly working to improve the safety and experience of everyone on Facebook,” Grewal concluded.

The next morning, it became clear just why SCL and Cambridge Analytica had been suspended so abruptly, and at such an odd hour: because the New York Times and the Observer were prepping major investigative stories about the company’s use of Facebook data, based on documents and other information from a 26-year-old whistle-blower named Christopher Wylie.

Both stories are excellent, and help us better understand exactly what Cambridge Analytica did during the 2016 election (and the primaries before it). But there are a few points worth pulling out and emphasizing.

Facebook was being used as it’s designed, and that’s the problem.

In 2014, while working at Cambridge Analytica, Wylie hired a University of Cambridge professor named Aleksandr Kogan to build a database of psychometric profiles. Cambridge Analytica — funded by the right-wing billionaire Mercer family and advised by then–Breitbart editor-in-chief Steve Bannon — hoped to use the data to target political advertising and influence voter behavior. Using Amazon’s Mechanical Turk freelance boards, Kogan hired around 270,000 people to fill out a survey in an app that they would install in their Facebook accounts.

Facebook apps, like FarmVille, extend the platform’s usability, but in installing them, users often give third-party developers like Kogan access to a significant amount of their own data. Worse, in 2014, when Kogan’s app was gathering data, Facebook’s terms of service allowed developers to request access to an app installer’s friends as well.

In other words, each of the 270,000 people who were paid to install the app also gave up a significant amount of data about their Facebook friends as well — meaning that from the original 270,000 subjects, Kogan managed to obtain as many as 50 million profiles, including information like locations, job and educational histories, and pages liked. Facebook has since changed privacy settings that mean you can’t be data-betrayed by your inconsiderate or careless friends. But at the time, there was nothing about what Kogan was doing with his app that broke any of Facebook’s rules. It wasn’t until he passed that data on to Cambridge Analytica that he put himself in violation of Facebook’s terms of use.

Facebook has therefore insisted that it was not party to a “breach” of user data. You could argue that this is a semantic argument, largely designed to protect the company from SEC regulations that would have required them to alert users that their data had been mishandled and distributed without explicit permission. Certainly, user trust has been breached, even if no particular server or database was illegally or maliciously accessed.

But I actually agree with Facebook on this point: It wasn’t breached; Kogan obtained profile data perfectly legitimately. I just don’t think that’s a good defense. As hardly needs stating at this point, Facebook’s business model is built on gathering data about its users. (“We … built models to exploit what we knew about [people] and target their inner demons,” Wylie tells the Observer. “That was the basis the entire company was built on.” He’s talking about Cambridge Analytica, but the statement is equally true of Facebook.) You can argue that it was a bad idea to allow a surveillance-advertising company to grow to the size and influence of Facebook. But everyone can agree that the data Facebook has gathered on its users should be better protected, and that users should have better knowledge of and control over that data. Kogan was able to access profiles of 50 million users by paying a mere 270,000 users to install an app — and able to pass that data on to a third party without Facebook’s knowledge — because Facebook made it remarkably easy to obtain information about its users, not because he did something particularly nefarious.

If this has happened once, it’s probably happened more than once.

Kogan ran afoul of the rules by passing the data he’d obtained to a third party — Cambridge Analytica. He’d presented the app to Facebook and to its users as a project gathering for academic research, but then had turned around and given it to a company that had not been named or identified, and which sought to use the data for political, not academic, purposes.

But it’s worth noting that the only reason any of us know that this happened is because of Cambridge Analytica’s prominence in the news. Facebook itself only seems to have become aware that Kogan’s data was being misused in late 2015, after a Guardian report outlined the company’s data-harvesting techniques. Having learned that millions of its users’ data was now in the hands of a company to whom no such permissions had been granted, Facebook demanded that Cambridge Analytica delete that data — and then never followed up.

The fact that all this data was obtained legitimately in the first place, and that the discovery that it had been mishandled was met with only token objection by Facebook, is not, to put it mildly, confidence-inspiring. If the Guardian had never reported on the Cruz campaign’s contract with Cambridge Analytica, would Facebook (or any of us) even know that profile data on so many users was out there? And given that, shouldn’t we be assuming that this same thing — shady mass data-harvesting of Facebook profiles, to be kept on third-party servers — has happened more than once?

Facebook has known about this for a long time, and has done nothing.

The Observer and Times stories are valuable for the level of detail they bring to Cambridge Analytica’s practices, and for the attention they draw to Facebook’s lax privacy protections. But much of the key information in both stories could also be found in an Intercept story from last year — and in the aforementioned Guardian story from December 2015.

It’s easy to be cynical about the sudden attention the story is now getting from the public, given that we’ve had two years to process Cambridge Analytica’s methods. And surely some of the attention is unwarranted — the result of sensationalized chatter about Cambridge Analytica’s overstated role in Trump’s victory. (More on that in a minute.) But Facebook has been silent over the course of those two years, too. To its credit, it’s changed app permissions so that developers can no longer access such a wide network of profiles. Yet even after it was aware that Cambridge Analytica was in possession of mishandled profile data, it did nothing beyond send a letter. “They waited two years and did absolutely nothing to check that the data was deleted,” Wylie told the Observer. It’s hard to square that with Facebook lawyer Grewal’s claim that “[p]rotecting people’s information is at the heart of everything we do.”

The trouble is with Facebook, not (necessarily) Cambridge Analytica.

Trump’s victory in 2016 was so unexpected, and so close, that a whole cottage industry of explanations for his victory — from the prosaic to the conspiracy-driven — has emerged in its wake. Early coverage of Cambridge Analytica tended toward the sensational: Soon after the election, the Guardian called Cambridge Analytica’s influence “sinister,” and it was suggested in the woollier corners of Twitter that its “psychometric profiles” were not just a deciding factor in the election but a particularly dangerous one.

The truth is that there’s very little evidence that Cambridge Analytica’s particular methods have any different effect on voting behavior than any other digital political campaign efforts. Dave Karpf, a professor at Georgetown and expert in political advocacy on the internet, has called Cambridge Analytica the “Theranos of political data” — a company with “a tremendous marketing department, coupled with a team of research scientists who provide on virtually none of those marketing promises.”

Given the narrowness of Trump’s margins, could Cambridge Analytica have provided the extra nudge that pushed him across the finish line? Sure! And, yes, it’s awfully interesting that Cambridge Analytica employed a Russian-American professor who received funding from the Russian government. But until more reporting is done, that’s all it is — interesting. As Cambridge Analytica itself has resentfully pointed out, the Obama campaign was undertook similar Facebook data-gathering efforts. Those campaigns were aboveboard, and the uses of the data made clear to those who signed up — no small distinction — but they still used Facebook in much the same way. Focusing on Cambridge Analytica as a uniquely sinister actor in the election (or in the world of data acquisition or voter-targeting) ignores exactly how easy, and how mundane, their data-harvesting really was — and how vulnerable your Facebook data really is.