
US, UK and Canada Have Begun Probing Data Leak and Privacy Repercussions

Facebook and Cambridge Analytica: Data Scandal Intensifies
Facebook’s headquarters in Menlo Park, California (Photo: Facebook)

Regulators, attorneys general and lawmakers in the U.S., U.K. and Canada continue to spring into action to try and unravel the events that led to the personal information of as many as 60 million Facebook users leaking to a voter-profiling firm (see Probes Begin as Facebook Slammed by Data Leak Blowback).


The firm, London-based Cambridge Analytica, claims to be able to sway voters through careful profiling of online platforms and crafted social media messaging.

Since 2015, Facebook knew the firm had acquired the data by means that violated its own policies, and some particulars of the situation have featured in press reports for at least a year. But information disclosed by Chris Wylie, a former Cambridge Analytica data scientist turned whistleblower, featured in an Observer report this past weekend, has turned what started as an apparent Facebook policy violation into a global privacy scandal.

Worries have been fueled following the U.K.’s Channel 4 broadcasting an undercover video of Cambridge Analytica’s CEO, Alexander Nix. In the video, first broadcast Monday, Nix describes a variety of ethically questionable techniques the firm, which was employed by President Donald Trump’s campaign, could use to swing elections. A second installment, broadcast Tuesday, raised further eyebrows owing to Cambridge Analytica executives claiming their firm ran “all” of President Trump’s 2016 digital campaign and that their efforts left “no paper trail.”

An investigation by Channel 4 News has revealed how Cambridge Analytica claims it ran “all” of President Trump’s digital campaign – and may have broken election law. Executives were secretly filmed saying they leave “no paper trail.”

As a result, Cambridge Analytica’s board suspended Nix, saying on Tuesday that his comments as captured by Channel 4 “do not represent the values or operations of the firm.” The board says it’s launched its own investigation into whether employees violated any laws.

Cambridge Analytica didn’t immediately respond to a request for comment about whether Nix continues to have any role with Cambridge Analytica’s parent company, SCL Group, where he worked as a director for 14 years before setting up the subsidiary in 2013.

FTC Launches Investigation

Meanwhile, Facebook is being called to account for how it manages and secures personal data, and it’s facing inquiries from lawmakers as well as regulators both inside the U.S. and abroad.

On Tuesday, the Washington Post reported that the U.S. Federal Trade Commission has opened an investigation into the matter. The publication cites anonymous sources because the FTC does not confirm investigations.

Facebook has previously run afoul of the FTC over privacy-related concerns. In 2011, the agency accused Facebook of unfair and deceptive practices by assuring users their personal information could be kept private, but still sharing it with third parties. Facebook reached a settlement agreement with the regulator. If it’s since violated that agreement, however, it could face millions of dollars in fines.

The FTC’s settlement agreement appears to be highly relevant to the unfolding Cambridge Analytica scandal. In one section of the FTC’s 2011 complaint, the regulator contended that even if a user restricted access to their profile information to “only friends” or “friends of friends,” that setting didn’t necessarily restrict access to their information by third parties.

The FTC’s 2011 order against Facebook.

The FTC contended that if someone’s friend installed a particular app, that app could still pull their birthday, hometown, activities, interests, status updates, marital status, education, place of employment, photos and videos.

As part of the settlement agreement reached in November 2011, Facebook was supposed to stop that practice, among many others. But the transfer of that kind of information to third parties without a Facebook user’s consent is what has come to the forefront in the controversy with Cambridge Analytica.

As part of Facebook’s 2011 settlement with the FTC, the company is also required to obtain a third-party audit every two years that examines its privacy program and compliance with the FTC’s order.

On Tuesday, the Electronic Privacy Information Center said it had filed an urgent Freedom of Information Act request with the FTC to obtain Facebook’s 2015 and 2017 compliance reports.

Data Leak Trail

Cambridge Analytica acquired the data in question from a University of Cambridge psychology lecturer, Aleksandr Kogan. Kogan deployed a Facebook app in 2014 called “thisisyourdigitallife,” which paid users to participate in a personality survey.

About 270,000 people installed the app. But the app also could pull profile data from anyone who was friends with someone who installed it, increasing its reach to as many as 60 million users. From a reading of Facebook’s settlement agreement with the FTC, it would appear that Kogan’s app shouldn’t have been able to do that.

Facebook contends Kogan lied to the company, presenting the app initially as an academic project, but then later passing the data to Cambridge Analytica for commercial use. Multiple reports have suggested that Cambridge Analytica is a shell company, and that the funding ultimately came from SCL Group.

Psychology Lecturer Says He’s a Scapegoat

Kogan told BBC Radio 4’s Today program on Wednesday that he’s been unfairly blamed for the debacle.

“My view is that I’m being basically used as a scapegoat by both Facebook and Cambridge Analytica,” he said. “Honestly we thought we were acting perfectly appropriately. We thought we were doing something that was really normal.”

States Launch Probes

Along with the federal government, three states are now investigating Facebook’s data handling practices.

On Tuesday, New York and Massachusetts sent a joint demand letter to Facebook, according to New York Attorney General Eric T. Schneiderman.

“Consumers have a right to know how their information is used – and companies like Facebook have a fundamental responsibility to protect their users’ personal information,” Schneiderman says. “New Yorkers deserve answers, and if any company or individual violated the law, we will hold them accountable.”

New Jersey Attorney General Gurbir S. Grewal on Tuesday said his office has also launched an investigation into how data for Facebook users ended up in Cambridge Analytica’s hands.

“I am particularly troubled by reports that Facebook may have allowed Cambridge to harvest and monetize its users’ private data, despite Facebook’s promises to keep that information secure,” Grewal says. “At this point we have many questions and few answers, and New Jersey’s residents deserve to know what happened.”

Facebook Goes to Washington

Facebook CEO Mark Zuckerberg has yet to comment publicly on the Cambridge Analytica scandal, although the company has issued several statements. Facebook largely blames Kogan, whom the company contends violated its rules by sharing the data with Cambridge Analytica (see Facebook Attempts to Explain Data Leak, Denies ‘Breach’).

“The entire company is outraged we were deceived,” Facebook says in a statement that attempts to paint the data leak as a policy-infringement matter (see Facebook: Day of Reckoning, or Back to Business as Usual?). “We are committed to vigorously enforcing our policies to protect people’s information and will take whatever steps are required to see that this happens.”

Facebook’s response to date hasn’t quelled critics, who question whether the technology giant realized the gravity of the situation when it first learned of the leak in 2015. Several U.S. senators, including Sen. Dianne Feinstein of California, the top Democrat on the Judiciary Committee, have called on Zuckerberg to testify before Congress.

Facebook is due to brief Senate and House aides on Wednesday. The company is expected to meet with Senate Commerce, Science and Transportation Committee staff, as well as staffers from the House and Senate Intelligence committees, the House Energy and Commerce Committee, the Senate Commerce Committee and the House and Senate Judiciary committees, The Hill reports.

The Senate Intelligence Committee, which is also investigating Russian interference in U.S. elections, will conduct its own investigation of the matter, an unnamed Congressional official with knowledge of the investigation tells Reuters.

Rep. Adam Schiff of California, the highest-ranking Democrat on the House Intelligence Committee, which has been investigating Russia’s use of social media to manipulate U.S. public opinion, has also called on Zuckerberg to testify. “I think it would be beneficial to have him come testify before the appropriate oversight committees,” he told the Washington Post. “And not just Mark but the other CEOs of the other major companies that operate in this space.”

Schiff said whistleblower Chris Wylie has agreed to testify before the House Intelligence Committee, and he says the panel requests that Alexander Nix do the same. “The American people cannot rely solely on the investigative work of journalists; Congress also has an obligation to get the truth,” Schiff says.

Canada, UK Investigate

Meanwhile, several countries are probing Cambridge Analytica and Facebook.

The president of the European Parliament, Italian politician Antonio Tajani, says he’s “invited” Zuckerberg to address EU lawmakers. “Facebook needs to clarify before the representatives of 500 million Europeans that personal data is not being used to manipulate democracy,” he says.

In the U.K., the Information Commissioner’s Office, an independent authority set up to uphold information rights in the public interest, issued a “demand for access” to Cambridge Analytica for its records and data on March 7. The company did not reply, so the ICO says it is now seeking a warrant. Facebook had dispatched auditors to Cambridge Analytica’s London offices, but it withdrew the team after the ICO requested that they stand down.

On Tuesday, Canada’s privacy commissioner said his office has launched its own investigation and that it has already been in contact with the ICO.

“We have received a complaint against Facebook in relation to allegations involving Cambridge Analytica and have therefore opened a formal investigation,” says Privacy Commissioner Daniel Therrien. “The first step will be to confirm with the company whether the personal information of Facebook users in Canada was affected.”

The investigation will examine whether Facebook complied with PIPEDA – Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act.

“The allegations we’ve seen in media reports raise extremely important privacy questions,” Therrien says. “The digital world, and social media in particular, have become entrenched in our daily lives and people want their rights to be respected.”

Executive Editor Mathew Schwartz contributed to this article.
