
A data analytics company that helped propel Donald Trump to election victory harvested private information from 50 million Facebook profiles without the users’ permission.


The story exploded over the weekend after Facebook announced late Friday that the data firm had been suspended from the social network for using the data to determine who voters might choose at the ballot box.

Several news organizations, including The New York Times, The Guardian’s weekend newspaper Observer, and prominent UK broadcast news show Channel 4 News had obtained data and documents from a former Cambridge Analytica staffer turned whistleblower earlier this week.

The New York Times called the incident “one of the largest data leaks in the social network’s history,” later referring to it as a “breach.”

Although most US states have laws requiring firms to report data breaches and exposures, it’s not believed that Facebook has informed any state regulator of the exposure of users’ data.

Facebook’s general counsel Paul Grewal said in a statement it was “completely false” to call the incident a “data breach.” Carole Cadwalladr, who co-wrote The Guardian’s story, said in a tweet that Facebook threatened to sue the newspaper, saying it was “false and defamatory” to call the incident a data breach.

That hair-splitting isn’t likely to fill the 50 million affected users with confidence, either in Facebook, the company’s ability to police its own platform from abuses and influences, or the democratic process.

Grewal said that the social networking giant learned earlier in the week that London-based Cambridge Analytica, used by campaigns to strategically target personalized political messages, and its parent company Strategic Communication Laboratories (SCL), had misused data collected on 270,000 Facebook users. That data, including Facebook profile names, locations, and information on their friends and the content they liked, was collected by a benign-looking personality prediction “research” app, developed by Aleksandr Kogan, a Russian-American researcher and lecturer at the University of Cambridge.

It was that app data which Kogan gave to Cambridge Analytica without the users’ permission, violating Facebook’s policies.

Facebook said it first learned of this handover of Facebook user data in 2015.

Instead of alerting users that their personal data had been abused, the tech giant demanded as recently as August 2016 that both Kogan and Cambridge Analytica certify that they had deleted the data. The legal letter was sent just days before Trump hired Steve Bannon, a former vice-president at Cambridge Analytica, to run the candidate’s presidential campaign; Bannon brought the data firm with him.

Although Facebook said it received assurances that the data had been deleted, the company did not verify the responses.

“Several days ago, we received reports that, contrary to the certifications we were given, not all data was deleted,” said Grewal. Facebook also suspended SCL and Cambridge Analytica from the site.

Facebook’s statement was published just hours before several news stories ran on Saturday.

“We are committed to vigorously enforcing our policies to protect people’s information,” said Facebook’s Grewal. “We will take whatever steps are required to see that this happens. We will take legal action if necessary to hold them responsible and accountable for any unlawful behavior.”

It’s the latest twist in an ongoing saga about the goings-on in the run-up to and during the 2016 US presidential elections. Intelligence chiefs said in January that the Russian government used social media to spread information during the election to help Trump defeat rival candidate Hillary Clinton. Several tech companies, including Twitter and Google, have faced criticism for failing to curb the spread of “fake news” on their platforms, and for allowing Russian-backed trolls to buy ads to spread misinformation there.


But this latest discovery of massive data harvesting and how it was used will raise fresh questions about Facebook’s involvement in targeting voters during the election.

According to the whistleblower Christopher Wylie, who was also suspended from the social network, Kogan provided data on over 50 million profiles to the company.

That figure is far higher than Facebook’s estimate of over a quarter-million accounts, which the company claims consented to having their data taken.

For its part, Cambridge Analytica in a statement denied many of the allegations made against the company. The company said when it learned that the data “had not been obtained” by the academic researcher in line with Facebook’s terms of service, it deleted “all data” that it received.

“No data from [the academic researcher] was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign,” the statement added.

The UK’s Information Commissioner’s Office, charged with upholding data protection and privacy rights, said that it is now “investigating the circumstances in which Facebook data may have been illegally acquired and used.”

Officials at the UK Electoral Commission are also said to be investigating what involvement Cambridge Analytica had in the “Brexit” referendum in 2016.

The reaction to the case has been strong.

Sen. Mark Warner (D-VA) called the online political advertising market the “Wild West.”

“Whether it’s allowing Russians to purchase political ads, or extensive micro-targeting based on ill-gotten user data, it’s clear that, left unregulated, this market will continue to be prone to deception and lacking in transparency,” he said, calling for lawmakers to pass stronger legislation.

Nuala O’Connor, the president of Washington DC-based non-profit Center for Democracy & Technology (CDT), said it’s now “a time of reckoning for all tech and internet companies to truly consider their impact on democracies worldwide.”

“While the misuse of data is not new, what we now see is how seemingly insignificant information about individuals can be used to decide what information they see and influence viewpoints in profound ways,” said O’Connor.

The full fallout from the incident is not yet known. What looks like yet another case of foreign actors using Facebook to influence the outcome of an election isn’t something the social networking giant can walk away from easily.

Facebook cutting off the data supply at the source is a start, but for many it’s too little, too late.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
