Facebook data of 50M users exploited by Trump data firm, say reports; firm suspended

Jessica Guynn | USA TODAY

SAN FRANCISCO — Facebook has suspended Cambridge Analytica as it investigates whether the Donald Trump-connected data analysis firm failed to delete personal data that the social network says it improperly obtained from users — as many as 50 million, according to an explosive new report.

Facebook announced the suspension of the accounts of Cambridge Analytica and its parent company late Friday after being tipped off that the user data the analysis firm had received from a researcher — whose company Global Science Research had obtained it from a personality quiz app accessed through Facebook — was not destroyed as promised.

The suspension raises troubling new questions about Facebook's role in targeting voters during the U.S. presidential election and whether the social media giant does enough to protect users from privacy violations by third parties.

The scale of the alleged abuse emerged Saturday when the New York Times and The Observer of London reported that Cambridge Analytica accessed the Facebook profiles of more than 50 million users without their permission. The report, based on former employees, associates and documents, alleges Cambridge Analytica used the data to target voters during the 2016 presidential election.

Global Science's Aleksandr Kogan, a researcher in cognitive and behavioral neuroscience at the University of Cambridge, gained access to the personal information of 270,000 Facebook users in 2013 after they chose to download his app, “thisisyourdigitallife,” which billed itself as a research app used by psychologists. The information included hometown, content the users liked and their friends.

The app also collected information from people's friends. According to the New York Times, 30 million of those profiles had enough information to match users to other records and build profiles of them. Facebook declined to comment on the number of accounts whose information was shared.

Cambridge Analytica still has most of all of the data collected from Facebook user profiles, which includes details about users' identities, their friends and "likes," according to the report.

The newspaper says, when contacted, Facebook downplayed the scope of the leak and questioned whether Cambridge Analytica still had any of the data before releasing its statement late Friday. An editor with the Guardian-owned Observer tweeted that Facebook threatened to sue the company ahead of publication.

Facebook pointed to a tweet by senior executive Andrew Bosworth, previously vice president of ads, who took issue with the Times' description of Cambridge Analytica's alleged exploit as a breach or data leak. "People chose to share their data with third party apps and if those third party apps did not follow the data agreements with us/users it is a violation."

In a statement Saturday, Cambridge Analytica said that it fully complied with Facebook's terms of service and is working with the social media giant to resolve the matter.

"No data from (Global Science Research) was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign," the company said in a statement.

"Cambridge Analytica only receives​ and use​s​ data that has been obtained legally and fairly," it said.

When asked to comment on the newspapers' reports, it responded with a letter a law firm had sent on its behalf to the Observer reporter, where it sought to contradict the statements of a former staffer profiled as a whistle blower in the Observer's coverage.

The Trump campaign denied using voter data from Cambridge Analytica, saying it relied on data from the Republican National Committee.

Here he is. This is the story @facebook tried to suppress. The Cambridge Analytica whistleblower goes on the record in tomorrow’s @ObsNewReview pic.twitter.com/GKNlJNjHvi — Carole Cadwalladr (@carolecadwalla) March 17, 2018

Cambridge Analytica, backed by top Trump donor and hedge-fund billionaire Robert Mercer, claims it can predict how people will vote based on the 5,000 pieces of data it collects on nearly every American adult combined with the results of thousands of personality surveys. Enlisted by the Trump campaign, it touted its role as swinging the presidential election.

How it worked: by asking users to download a personality quiz app

Facebook said a British researcher and his firm, Global Science Research, legitimately gained access to the personal data of Facebook users in 2013 while working on a personality prediction app, but the researcher violated Facebook’s rules by passing it on to Cambridge Analytica. Cambridge Analytica was asked in December to turn over documents to special counsel Robert Mueller, as part of his investigation into collusion between the campaign and Russia during the 2016 election.

In 2015, Facebook learned that the researcher Kogan broke its policies by passing on the information to Cambridge Analytica and to Christopher Wylie of Eunoia Technologies. Facebook says it was assured the information had been deleted, but received reports several days ago that it was not.

Wylie, a former employee of Cambridge Analytica is the whistleblower profiled by The Observer. He set up Eunoia Technologies after leaving Cambridge Analytica in late 2014.

“We are moving aggressively to determine the accuracy of these claims,” Facebook’s deputy general counsel Paul Grewal said in the Friday blog post. “If true, this is another unacceptable violation of trust and the commitments they made.”

Facebook said it has suspended the accounts of Strategic Communication Laboratories, the parent company of Cambridge Analytica, as well as the accounts of Kogan and Wylie. Kogan and Wylie could not be reached for comment.

Facebook denies the harvesting of Facebook profiles constitutes a data breach, which would require Facebook to notify users in many states, including California where it's headquartered.

In a now deleted tweet, Facebook's chief security officer Alex Stamos said Saturday: "Kogan did not break into any systems, bypass any technical controls, or use a flaw in our software to gather more data than allowed. He did, however, misuse that data after he gathered it, but that does not retroactively make it a 'breach.'"

The Web Foundation, set up by Tim Berners-Lee to advocate for an open Internet, called for a full investigation and for all affected users to be notified. The Web Foundation also wants to know why Facebook didn't ban Cambridge Analytica sooner and what actions Facebook takes when a third party violates its rules.

"Today’s story on Facebook and Cambridge Analytica drives home why we need platforms to be fully transparent and accountable in the age of big data. Once our personal data is in someone else’s hands, it’s extremely difficult to take back control — with potentially disastrous results for public safety, discourse and democracy," Web Foundation's policy director Craig Fagan in a statement. "Platforms must fully embrace their responsibility to do whatever it takes to keep user data safe from abuse.

In the fall, Mueller asked Cambridge Analytics to turn over emails of employees who worked on the Trump campaign, signaling the special counsel is probing the data operation.

Former senior White House strategist Steve Bannon served on Cambridge Analytica's board of directors and had a stake in the firm.

Mueller is investigating whether Trump associates colluded with Russian operatives to meddle in the election. Trump has denied he or his campaign colluded. The Russian government has denied meddling in the election.

Mark Warner, the top Democrat on the Senate Intelligence panel, called for regulation of online political advertising, calling it "essentially the Wild West."

The Federal Election Commission on Wednesday agreed to begin writing new disclosure rules for online ads as regulators wrestle with how to prevent foreign interests from influencing U.S. elections.

The new rules may not be in place for the 2018 midterm elections and won't cover all political ads, including ads Russian operatives used to meddle in the 2016 presidential contest.

"Whether it's allowing Russians to purchase political ads, or extensive micro-targeting based on ill-gotten user data, it's clear that, left unregulated, this market will continue to be prone to deception and lacking in transparency," Warner said in a statement. "This is another strong indication of the need for Congress to quickly pass the Honest Ads Act ​to bring transparency and accountability to online political advertisements." ​