Facebook’s data appears to have been improperly used for political purposes during the UK’s Brexit vote and the 2016 election.

Getty Images

Consultants working for Donald Trump’s presidential campaign exploited the personal Facebook data of millions.

That’s the key message in Saturday stories by The New York Times and the UK’s Guardian and Observer newspapers, as well as in statements from Facebook. The stories and statements indicate the social networking giant was duped by researchers, who reportedly gained access to the data of more than 50 million Facebook users, which was then misused for political ads during the 2016 US presidential election.

Until now, most of what you’ve heard about Facebook and the 2016 election has been focused on meddling by Russian operatives. Those efforts are being investigated by the FBI and the US Senate. 

Data consultancy Cambridge Analytica represents a different problem. In its case, the UK-based company acquired data about hundreds of thousands of people’s friends, likes and locations. It then turned around and used that information to build psychographic profiles of these people and their friends, which were used for targeted political ads in the UK’s Brexit campaign, as well as by Trump’s team during the 2016 US election. 

Facebook’s statements amount to saying there are reports it was misled. Cambridge Analytica says it complies with the social network’s rules, only receives data “obtained legally and fairly,” and that the data Facebook is worried about has been deleted.

Here’s what you need to know.

What is Cambridge Analytica?

Cambridge Analytica is a UK-based data analytics firm that helps political campaigns reach potential voters online. The company combines data from multiple sources including online information and polling to build “profiles” of voters. The company then uses computer programs to predict voter behavior, which then can potentially be influenced through specialized advertisements aimed at the voters.

Cambridge Analytica isn’t working with a small amount of data either. The company claims to have “5,000 data points on over 230 million American voters” — or pretty much all of us, considering there are an estimated 250 million people of voting age in the US

What did Cambridge Analytica do?

Facebook said in a statement published late Friday that Cambridge Analytica received data from Aleksandr Kogan, a lecturer at the University of Cambridge. He allegedly created an app called “thisisyourdigitallife,” which ostensibly offered personality predictions and was billed as “a research app used by psychologists.” 

The app asked users to log in using their Facebook account. As part of the login process, it asked for access to user’s Facebook profiles, location, what they liked on the service, and importantly, friends data as well. Pretty normal so far.

The problem, Facebook says, is that Kogan then sent this data to Cambridge Analytica, something that’s against Facebook’s rules.

“Although Kogan gained access to this information in a legitimate way and through the proper channels that governed all developers on Facebook at that time, he did not subsequently abide by our rules,” Paul Grewal, a VP and general counsel at Facebook, said in a statement.

Kogan did not respond to requests for comment. He also declined to provide details about what happened to The New York Times, citing nondisclosure agreements, his program was “a very standard vanilla Facebook app.”

What does this have to do with Trump?

Trump’s campaign hired Cambridge Analytica to run data operations during the 2016 election. The company helped the campaign identify voters to target with ads, and how best to focus its approach, such as where to make campaign stops and what to say in speeches.

“The applications of what we do are endless,” Cambridge Analytica CEO Alexander Nix said in an interview last year with CNET sister site TechRepublic.

The White House didn’t respond to a request for comment.

Cambridge Analytica also worked with other 2016 presidential campaigns, according to its website and various media reports. Those included the campaigns of Sen. Ted Cruz and of Ben Carson, who went on to join Trump’s cabinet as secretary of housing and urban development

Why did Facebook ban Cambridge Analytica from its service? 

Facebook said Cambridge Analytica “certified” three years ago it had deleted the information, as did Kogan. But since then, Facebook said, it’s received reports that not all that data was deleted. The New York Times reported in an article Saturday that at least some of the data remains.

Cambridge Analytica said in a statement Saturday that it deleted all the data and are in contact with Facebook.

Was Facebook hacked?

The New York Times characterizes it as a “breach” and says it’s “one of the largest data leaks in the social network’s history.” That’s in part because the roughly 270,000 users who gave Kogan access to their information allowed him to collect data on their friends as well. In total, more than 50 million Facebook users are said to have been affected.

The misuse of this data is what The New York Times zeroed in on.

Facebook, however, says that although Kogan mishandled its data, all the information Kogan got was accessed legally, and within its rules. The problem is that Kogan is supposed to hold onto the information himself, not hand it over to Cambridge Analytica or anyone else.

Still, because the information was access through normal means — using an app that asked people for access to their information, which they then agreed to — it was not a “breach.”

Facebook argued its point even further in an update to its Friday statement, saying that calling this episode a “breach” is “false.”

“People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked,” the company said.

Of course, critics point out that Kogan was able to do what he allegedly did because Facebook allowed app developers to request and receive access to a person’s friend’s data. Facebook changed its policy in 2015.

Wait, so Facebook allows apps access to my data?

When you log in to an app using your Facebook account, the developer typically asks for access to information the social network has. Sometimes it’s just your name and email. Other times, it’s your location and friends’ data too.

All of this is pretty much what any app developer that works with Facebook is allowed to do. That is, until 2015 when Facebook stopped app developers from having access to friends’ data. The rest is still fair game.

Facebook says its rules make it clear that developers cannot share the information they receive with other companies. That’s where the problem with Kogan and Cambridge Analytica comes up.

But everything else? That’s fine by Facebook. The company has a app review process it puts developers through, but once they’re cleared, it’s A-OK.

You hand your information over to app developers all the time. Don’t like it? Think before you click, and read the requests from app developers more carefully.

What can I do?

There isn’t much. You may have been swept up in this without even knowing it. You don’t have to have downloaded Kogan’s app to have had your information accessed, since the statements and articles say it slurped up information about app users’ friends.

Cambridge Analytica also doesn’t appear to offer a way for you to request your information be removed from its systems. The company didn’t respond to a request for comment.

iHate: CNET looks at how intolerance is taking over the internet.

Tech Enabled: CNET chronicles tech’s role in providing new kinds of accessibility.

US Tech Policy