Facebook-Cambridge Analytica Scandal: Everything We Know So Far

Update, 4/6/18, 1pm PT: Added multiple items, posted underneath update note below.

On March 17, 2018, The Observer revealed that Cambridge Analytica, a U.S. subsidiary of the SCL Group, had harvested the user data of over 50 million Facebook users by abusing Facebook’s lax data sharing rules. The story has persisted in subsequent weeks, and we've covered it closely. Here's everything you need to know:

50 To 230 Million User Profiles Harvested

Whistleblower Christopher Wylie, who was a co-founder of Cambridge Analytica, revealed to the Observer documents that showed how the firm, together with a UK company called Global Sciences Research (GSR), collected the user data of over 50 million users, mostly without their consent. GSR built a quiz application for Facebook and then got over 270,000 Amazon Mechanical Turk workers to install the application.

What those workers didn’t know is that when they installed the application and agreed to all of its permissions, they were sharing not just their own Facebook data, but also the data of all of their friends. The shared data included names, profile information, likes, comments, shares, and more. GSR was able to harvest all of this data without consent from the users’ friends and then share it with Cambridge Analytica because of the way Facebook permitted developers to collect data.

This incident happened in 2014, but Wylie said that by now, Cambridge Analytica should have the data of over 230 million Facebook users. The company reassured Facebook that it deleted the data in 2015, but according to Wylie, the company continued to harvest Facebook’s user data.

It’s Not Just Cambridge Analytica

A former Facebook employee later revealed that Cambridge Analytica was far from the only company to have harvested user data in this way. Sandy Parakilas, who was the platform operations manager at Facebook between 2011 and 2012, had warned the company that its platform rules were too lax, but his superiors didn’t listen.

Parakilas revealed that there could be thousands of companies and developers that may have harvested users’ friends’ data just like Cambridge Analytica and GSR did.

Palantir’s Role In The Scandal

A New York Times report later revealed that Alfredas Chmieliauskas, a Palantir employee in charge of business development, has been teaching Cambridge Analytica how to harvest user data from Facebook.

Chmieliauskas, Alexander Nix (who is the CEO of both SCL Elections and Cambridge Analytica UK), and Eric Schmidt’s daughter were also trying to get Palantir and Cambridge Analytica to work together more. Wylie, the original whistleblower, noted in a UK testimony that Palantir had also been using Cambridge Analytica’s harvested data, but Palantir officials denied the story. They later admitted that “one” of their employees was working with Cambridge Analytica.

Users Report Saved Text History And Unpublished Videos

As more users looked into deleting their Facebook accounts, some of them started noticing that their phones’ call and text history was being saved to their Facebook accounts. Many of them didn’t seem aware of the fact that Facebook’s app and Messenger could do this.

Facebook has been prompting Android users with a request to allow their call and text history to be uploaded to the company's server as part of a recent Android app permission update. However, it’s not clear whether or not Facebook was saving this data even before prompting users with this corresponding permission. It’s only since Android 8.0 that Google started requiring developers to have more specific permissions around data collection and cloud uploads.

Other users also noticed that Facebook has been saving their unpublished video recordings since at least 2008, even though those drafts were supposedly “discarded.” The company said, as it did on other occasions when it was caught tracking users without their permission, that this was just a bug. It’s still strange that so much video data was being saved to the company’s servers for over a decade, yet Facebook's employees never seemed to notice.

The company said that it fixed the bug and deleted the unpublished videos.

Facebook Responds With (Mostly Mandated) Changes

After almost a week of silence after the Cambridge Analytica scandal broke out, Facebook CEO Mark Zuckerberg issued yet another apology for the company’s recent misstep--one of many in the past few years.

Facebook also committed to tightening the platform rules and auditing any company that it suspects may have abused its policies, as Cambridge Analytica did. However, the company didn’t respond to our question on whether or not it will also audit Palantir for the use of Cambridge Analytica data.

Palantir’s founder, Peter Thiel, also happens to be on Facebook’s board of directors.

It also remains to be seen how willing the company will be to fix its privacy problems in the long term. Facebook tends to implement platform improvements only in the face of regulations or public outcry, and even then it makes only the minimum necessary changes that meet compliance or assuage the angry public.

For instance, the company recently announced new privacy controls, as well as an ending of its partnership with most third-party data brokers. However, what the company didn’t mention is that it didn’t implement these changes just as a response to the Cambridge Analytica scandal, but primarily because they were mandated by the European Union’s General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018.

Asked whether or not the company will use the strong privacy protections of GDPR for its entire service across the world, Zuckerberg implied that only a limited version of the GDPR changes will be implemented globally. That means Americans and other non-EU citizens (including those in the UK, soon) will not benefit from the same strict data protection rules that EU citizens will.

Governments Investigate Facebook

The UK, EU, and U.S. governments have begun investigating Facebook over the Cambridge Analytica scandal. Both a UK Parliamentary committee and a U.S. Senate Judiciary committee asked Facebook’s CEO to testify. Zuckerberg rejected the UK committee’s invitation, but he agreed to testify before the House Energy and Commerce Committee on April 11, at 10am. CNN sources also said that Zuckerberg may testify before the U.S. Senate Judiciary committee next week, on April 10.

Updated, 4/6/2018, 1pm PT:

New Data Restrictions

Facebook recently announced a new set of data restrictions for third-party app developers designed to prevent abuses. These restrictions include API limitations to Events, Groups, Pages, and the Instagram Platform. The company also said it will limit the storage of call and text history on its servers to one year after they're uploaded.

The restrictions seem to have affected some services such as Tinder, but both Facebook and Tinder said they will work on fixing the issue. However, for the most part, third-party developers will have no choice but to adapt to the more restrictive APIs and data access.

Facebook’s CEO also clarified that the EU GDPR privacy controls will indeed be available to everyone, but perhaps under a “different format” in certain countries, depending on the local law.

Abuses Ran Rampant

Facebook admitted that not only did Cambridge Analytica harvest the data of almost twice as many user accounts (87 million total) as were previously reported, but malicious actors have already scraped the publicly available Facebook data of almost all Facebook users, who now number around 2.2 billion.

Despite all of these abuses, mostly happening due to Facebook’s lax rules on data sharing with third parties, Zuckerberg told reporters that he won’t fire anyone over the Cambridge Analytica scandal. He was also asked whether or not the board has discussed replacing him as the company’s chairman, but he said he’s not aware of such discussions.

Facebook’s Other Products Track You, Too

This is probably not a huge surprise to anyone by now, but Facebook can collect data about you from places other than just its main social media platform--including your Messenger chats, WhatsApp records, Instagram, Oculus device usage, and as we’ve seen from multiple lawsuits and investigations in Europe, even through the simple existence of a Like button on a web page.

Congressional Hearings And Australia’s Investigation

After rejecting the invitation to testify for a UK Parliamentary Committee, Zuckerberg agreed to testify in two U.S. hearings, one hosted by the Senate Judiciary Committee (April 10) and the other hosted by the House Energy and Commerce Committee (April 11).

Meanwhile, the Office of the Australian Information Commissioner announced its own investigation into Facebook and said it will collaborate with other international authorities.

Facebook Still Needs To Work On Platform Manipulation

In Myanmar, a country whose citizens only recently could widely afford to go online and where Facebook is now seen as the de facto internet, Facebook has played a big role in spreading hate speech, according to UN investigators. Facebook recently patted itself on the back for doing a good job censoring much of that hate speech, but a group of six organizations from Myanmar disagrees. The group asserted that Facebook is too slow to respond when content is flagged, and its policies are also not transparent enough. The group urged the company to invest more in moderation in countries such as Myanmar where the risk of Facebook content sparking open violence is high.

In the same vein, Facebook recently announced that it will start releasing more data about election interference. However, it implied that it will only do so after said elections, when the data may not have much use anymore. The company similarly removed a Russian propaganda group only two weeks after the Russian presidential election had passed (you'll never guess who won!).

Facebook’s Data Woes Continue For Now

Sources told TechCrunch that messages they received from Zuckerberg years ago seem to have been deleted, demonstrating that the company can retract its CEO’s messages from the platform at will. The company said that it’s doing this to avoid the type of data leaks Sony saw a few years ago, when its employees’ emails were published online by hackers.

The irony is that Zuckerberg seems to care a great deal about his own privacy. The good news is that after this report, Facebook said that it will enable a similar feature, perhaps along the lines of time-bound disappearing messages, for all Facebook Messenger users.

Other reports from the Wall Street Journal said that users from both the U.S. and Europe are experiencing strange “glitches” where they receive password errors when they try to delete their Facebook accounts. Therefore, the users will not be able to delete their accounts until Facebook addresses the issue.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • DGurney
    This is why you don't give your phone number to a Web site, or use some BS application instead of just using the site itself.

    Screw Facebook.
  • george_osborne
    When Obama used Facebook as a data source to create voter profiles, he was called a genius. When a conservative company does it, it's a crime. Hypocrisy anyone???
  • Saga Lout
    Maybe it was because Facebook gave or sold the data to a third party to profile on this occasion. Either way, we shouldn't turn this into a political discussion.
  • stdragon
    If you're not paying for the product, then YOU ARE THE PRODUCT!

    Get your life back and #deletefacebook

    ...and nothing of value was lost.
  • KidHorn
    The biggest issue of all is the data was used to help get Trump elected. If not for this, we wouldn't have heard a peep. Sends a strong message. Any company helping Trump will be relentlessly attacked in the media.