Yes, Cambridge Analytica, the data analysis firm that helped Donald Trump win the 2016 election, violated rules when it obtained information from some 50 million Facebook profiles, the social media company acknowledged late Friday. But the data came from someone who didn’t hack the system: a professor who originally told Facebook he wanted it for academic purposes.
He set up a personality quiz using tools that let people log in with their Facebook accounts, then asked them to sign over access to their friend lists and likes before using the app. The 270,000 users of that app and their friend networks opened up private data on 50 million people, according to the New York Times. All of that was allowed under Facebook’s rules, until the professor handed the information off to a third party.
Facebook said it found out about Cambridge Analytica’s access in 2015, after which it had the firm certify that it deleted the data. On Friday, Facebook said it now knows Cambridge actually kept the information — an infraction that got Cambridge suspended from the social network. Once that was announced, executives quickly moved on to defending Facebook’s security.
“This was unequivocally not a data breach,’’ longtime Facebook executive Andrew Bosworth said on Twitter. “People chose to share their data with third-party apps and if those third-party apps did not follow the agreements with us/users it is a violation.’’
Alex Stamos, Facebook’s head of security, echoed the same arguments. Cambridge denied doing anything illegal or using the information in the 2016 presidential election; Facebook says it has no way of knowing how or whether the data was used for targeting in the Trump campaign.
Facebook’s advertising business depends on users sharing their most personal data via its social network. But the company’s “not a breach” argument isn’t likely to make users feel any safer or more comfortable doing so — especially given that it’s already under fire for missing that Russian actors were purchasing U.S. election ads on the site to sway voter opinions, as well as running fake accounts disguised as real Americans. The company has also been fending off accusations that it’s too slow to notice or react to harmful content.
The latest incident has raised new questions about what technical guardrails Facebook has in place to prevent authorized users from sharing sensitive information, and how much visibility the company has into how outsiders use the data.
Facebook wouldn’t comment on those questions, saying only that it has made significant improvements in its ability to “detect and prevent violations” by app developers, such as random audits of applications using its tools to make sure they’re following the rules. And it’s no longer letting developers who use Facebook’s login tools see information on their users’ friends.
The disclosure also underscores Facebook’s continuing struggle to anticipate negative consequences of its lack of oversight — in some cases taking action only after things go wrong. The company in the last two years has worked to understand and counteract the spread of misinformation on its site, the use of its automated advertising system for racist targeting, the proliferation of fake user accounts, the spread of violent video and more.
But when the company tries to explain what it’s doing, it grapples with the perception that it’s shirking responsibility for its problems, treating them as public-relations snafus instead of serious product flaws.
Stamos, the security executive, deleted his original tweets on Cambridge Analytica, saying he wasn’t so good at “talking about these things in the reality of 2018.” Specifically, he said he didn’t know how to balance his personal beliefs with his responsibility to Facebook and his co-workers, amid all the criticism.
“We have collectively been too optimistic about what we build and our impact on the world,” Stamos wrote Saturday on Twitter. “Believe it or not, a lot of the people at these companies, from the interns to the CEOs, agree.”