Cambridge Analytica, a data analysis firm that worked on President Trump’s 2016 campaign, and its related company, Strategic Communications Laboratories, pilfered data on 50 million Facebook users and secretly kept it, according to two reports in The New York Times and The Guardian. The apparent misuse of Facebook data—and the social media giant’s failure to police it—leave both companies with plenty still to answer for.

Facebook has suspended both Cambridge and SCL while it investigates whether both companies retained Facebook user data that had been provided by third-party researcher Aleksandr Kogan of the company Global Science Research, a violation of Facebook’s terms. The suspensions were announced just hours before The New York Times and The Guardian published stories Saturday morning describing how Cambridge Analytica harvested data on 50 million US Facebook users, a number far larger than the 270,000 accounts Facebook initially cited. Facebook says it knew about the breach, but had received legally binding guarantees from the company that all of the data was deleted.

“We are moving aggressively to determine the accuracy of these claims. If true, this is another unacceptable violation of trust and the commitments they made,” Paul Grewal, Facebook’s vice president and general counsel, wrote in a blog post Friday night. Facebook is also suspending Kogan, as well as Christopher Wylie of Eunoia Technologies, the whistleblower who led to stories in The Guardian and The New York Times.

In a statement, a spokesperson for SCL denied the claims. “Cambridge Analytica and SCL Elections do not use or hold Facebook data,” the statement read. (Cambridge is an independent company in the United States that was spun out of SCL.)

According to one source, a trove of Facebook users’ personal data was visible on Cambridge’s internal databases in 2017.

And yet, following Facebook’s announcement Friday night, sources close to Cambridge confirmed to WIRED that this data was still accessible as recently as last year. According to one source, a trove of Facebook users’ personal data was visible on Cambridge’s internal databases in 2017, despite SCL’s current denial and past promises to both Cambridge employees and Facebook that it had all been deleted in 2015. The data included Facebook IDs, and responses to personality surveys that had been administered by Kogan in 2015. Another source close to the company recalled seeing a database called “Kogan-import” in Cambridge’s system, which was only visible to a small number of staffers in data science, engineering, and IT. The source says the database was tightly controlled in terms of who could edit or delete it.

Asked to confirm whether this database existed, an SCL spokesperson said, “We did a system wide internal audit to verify that all GSR data had been removed before we signed an undertaking to Facebook.”

The data in question was gathered using an app called thisisyourdigitallife, created by Kogan, that offered Facebook users personality quizzes. Those who downloaded the app voluntarily turned over reams of personal data about what they like, where they live, and in some cases, depending on individual privacy settings, who their friends were.

Though Facebook says just 270,000 people downloaded the app, a loophole at the time apparently allowed Kogan to collect vastly more information. Until 2014, apps could also collect information on every users’ entire friend network. Facebook shut down that capability for app developers in mid-2014, but offered some apps that were already up and running a small grace period before cutting them off. That timing roughly lines up with Kogan’s research. Of the 50 million accounts Kogan had data on, the New York Times and Guardian reports say, 30 million had complete enough profiles that Cambridge could create psychographic profiles of them. Different than demographic profiles, these describe people based on their personality types.

Kogan passed the survey results on to SCL and Cambridge. Facebook learned about this violation in 2015, removed the app, and requested that Cambridge Analytica, Kogan, and Wylie certify that they had destroyed the information. In a statement, an SCL spokesperson said the company deleted the data as soon as they found out it violated Facebook’s policies.

Under this suspension, none of the involved companies will be permitted to buy ads or manage their clients’ Facebook accounts. The Trump campaign hasn’t worked with Cambridge since the 2016 election, according to a source close to the campaign.

For Cambridge Analytica, this represents the nadir of what has been a steady downward spiral since election night 2016. Earlier Friday, David Carroll, a professor at the New School, filed a legal claim against SCL Group under British data protection law, seeking disclosures for how his data was used in the 2016 election and whether that US voter data was processed illegally overseas. The legal proceedings come in the midst of an ongoing investigation by the UK’s Information Commissioner’s Office into Cambridge Analytica’s role in the Leave.EU campaign, which advocated for the United Kingdom to break with the European Union in the 2016 Brexit vote. Cambridge officials had spoken publicly about working for Leave.EU, but CEO Alexander Nix has since denied it in testimony before Parliament.

On Saturday, the ICO issued a statement saying it continues to investigate how Facebook data may have been illegally acquired and used. “We are continuing to invoke all of our powers and are pursuing a number of live lines of inquiry. Any criminal and civil enforcement actions arising from the investigation will be pursued vigorously,” the statement said.

‘Facebook never comes forward with information until their backs are against the wall.’

Jonathan Albright, Columbia University

Nix also became a key figure in the investigation into Russian interference in the 2016 election, after news broke that he had contacted representatives for Wikileaks founder Julian Assange in the run-up to the election, seeking information about hacked emails Wikileaks had received. Nix has confirmed initiating this contact. This apparently prompted the Trump campaign to issue a statement seemingly designed to distance the campaign from Cambridge Analytica, a firm which had already amassed doubters and critics even before the 2016 election. Long before Cambridge even began working with the Trump campaign, Republican strategists accused the company of inflating its capabilities.

Now, it appears even Cambridge is working to place rhetorical distance between Nix and the company’s work in United States elections. In a statement provided to The New York Times, the company said Nix “never had any strategic or operational role” in an American election.

The chaos has led to a mass exodus from the company’s nascent US political team. Nearly all of the staff that worked in the Trump campaign’s San Antonio digital office are no longer at Cambridge, and sources say its political business within the United States has dwindled. Once feared by Republican digital firms as a threat to their business and by Democrats as a threat to democracy, Cambridge has steadily ceded influence since its 2016 highs.

“The defanging of Cambridge is about just colossal fuckups over and over,” one source close to Cambridge said.

Losing Facebook as an advertising platform, the source said, should further destabilize the already declining company. “There’s no way this doesn’t have a substantial impact on their business,” another source familiar with Cambridge said.

The weekend’s revelations don’t paint Facebook in a positive light, either. After two years in which Facebook has struggled to explain how Russian propaganda and fake news proliferated on the platform, it now must explain one of its fundamental flaws: Facebook offers unprecedented data to its paying clients, but has next to no controls in place to ensure that data will be handled properly.

In a statement Saturday morning, Facebook’s Grewal said, “We will take whatever steps are required to see that the data in question is deleted once and for all—and take action against all offending parties.”

And yet, Facebook shares some of the blame. The company’s executives have repeatedly been brought before Congress to testify about how the platform was used and abused during the 2016 election. The fact that the company discovered a major data breach by a vendor to the Trump campaign seems worthy of public disclosure well before three years have passed. “Facebook never comes forward with information until their backs are against the wall,” said Jonathan Albright, research director at Columbia University’s Tow Center for Digital Journalism. “This is a mess.”

Facebook can, of course, punish entities that violate its policies, as it is doing with Cambridge and SCL, and it may have grounds for legal action. But the damage has already been done.

Digital Campaigns