Ex-Facebook Employee: Cambridge Analytica Wasn’t The Only Company Harvesting User Data

Sandy Parakilas, a former Facebook employee, revealed that "numerous" other companies exploited Facebook's user data, much as Cambridge Analytica was able to harvest the data of more than 50 million user accounts in order to target American voters. Parakilas believes that this sort of data harvesting was made possible by Facebook’s lax rules when it comes to sharing data with third parties.

Thousands Of Third Parties Can Abuse Facebook Data

Sandy Parakilas was the platform operations manager at Facebook responsible for dealing with platform policy violations by third-party developers between 2011 and 2012. According to his revelations to The Guardian, Parakilas warned Facebook that the company’s lax rules around how user data is shared with third parties could lead to major data breaches or abuses in the future.

He added that Facebook had terms of service and settings that were difficult for users to understand and that it also didn’t use enforcement mechanisms such as audits against companies that could have misused the data, as SCL and Cambridge Analytica did recently.

When asked what kind of control Facebook had over third parties that received Facebook’s user data, Parakilas said:

Zero. Absolutely none. Once the data left Facebook servers there was not any control, and there was no insight into what was going on.

According to the former Facebook employee, his superiors also discouraged him from looking more deeply into how third parties were using the data, because finding out how the data was used or abused would have put the company in a weaker legal position.

Although the company now has stricter controls over how data is shared with third parties compared to 2012, Parakilas said that a majority of Facebook users may have already had their data harvested by "tens or maybe even hundreds of thousands" of third-party developers.

Parakilas also noted that in the time he worked for Facebook, the company never audited a third-party company, despite being able to do so.

Facebook’s Last-Minute Audit Of Cambridge Analytica

In a recent update, Facebook said that it sent Stroz Friedberg, an independent auditor, to Cambridge Analytica’s offices yesterday evening. However, the UK Information Commissioner’s Office arrived with a search warrant soon after, and told the auditor to stand down. The UK’s ICO recently allowed WhatsApp to share its data with Facebook as long as the company abides by the General Data Protection Regulation (GDPR), which is soon to go into effect.

Elizabeth Denham, Information Commissioner, said:

On 7 March, my office issued a Demand for Access to records and data in the hands of Cambridge Analytica. Cambridge Analytica has not responded by the deadline provided; therefore, we are seeking a warrant to obtain information and access to systems and evidence related to our investigation. On 19 March, Facebook announced that it will stand down its search of Cambridge Analytica's premises at our request. Such a search would potentially compromise a regulatory investigation.

Facebook has known about Cambridge Analytica’s abuse of its data since 2015, when it simply told the company to delete the information, without doing any audit. The company seems to have suddenly become interested in doing an audit after CA’s abuse of that data became a major news story. We’ve asked Facebook if it has done any other audit of third-party developers before, and we’ll update the story when we get a response.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Dark Lord of Tech
    Facebook was designed to harvest data and be addictive.
  • atwspoon
    I wish they would let me delete my account...stopped using FB in 2011, would love to be 100% deleted from that user data trap for good.
  • Simon Anderson
    I can't find an article which really details what happened: maybe because investigations are still ongoing, but I'd think people would have a fair idea about the type of data accessible? Forgive me for speculating from here on in:

    I'm guessing that Cam.Ana. didn't send content directly to specific users, yeah? I'm wondering, when an app has access to user data, is it actually directly accessible? i.e. in layman's terms, could you export a list of user names, email addresses, and their associated likes/comments/friends/bio etc... I'd be very surprised if that was the case.

    I'd assume that an app has access to personal data in an indirect manner, i.e. they could get a list of content that the users liked, or they could get percentages on how many users like particular posts, or a break down of age/location of their users without being able to actually tie the data back to specific people?

    What I'm getting at is, did Cam.An. simply gather info on the sort of content voters respond to, in order to then generate their own content in a similar vein? (i.e. you could maybe analyse the metadata to work out who are democrat, republican, or swing voters... then you see that democrat and swing voters respond well to posts featuring images, or posts with pictures of dogs, etc... so you generate similar content but with a republican message you want to push)

    Even if they did have a direct list of users, does Facebook allow you to send content to specific users?? Obviously if you're friends with someone you can post directly to someone's wall or send them direct messages, but even if Cam.An. had a user list they wouldn't be able to do much with it, would they?

    I know Facebook allows advertisers to send content to specific demographics (i.e. that's the whole appeal), so was this simply a case of Cam.An learning what demographics best to target, and then requesting Facebook ads in exactly the same way as anyone else?

    The media's painting this to be a massive data breach, but without the details, it could just as well be a reasonably innocuous if not slightly deceptive use of standard Facebook services... users accept their metadata is indirectly accessible for advertising as part of signing up. They don't expect third parties to literally have their names and details on a file: I'd highly doubt that was the case.
  • USAFRet
    20816010 said:
    I can't find an article which really details what happened: maybe because investigations are still ongoing, but I'd think people would have a fair idea about the type of data accessible? Forgive me for speculating from here on in:

    Researcher builds a data collection app. Facebook provides him access to the API for free.
    "Hey dudes...participate in this"
    270,000 people download that app and provide their specific info.
    Apparently, that data is used to troll through all of their friends, friends of friends, etc, etc....55 million people.
    That data is then sold to CA for $1.6 million.
    Eventually, they present that to the campaign for whatever sum.

    This is nothing new. FB itself does this all the time. That is their reason for being.
    What...you thought they provided this website for free?
  • Simon Anderson
    Actually hmmm http://www.wired.co.uk/article/facebook-cambridge-analytica-mark-zuckerberg-mission-data-privacy That slide worries me lol. In this case "Cool Social Ap" was the research app Mark mentioned, and they probably do have email addresses and direct links with all Facebook activity. Scary! Still requires users to sign up to that original app... but that app then sold that data to Cambridge Analytica. hmmmmm!