Ex-Facebook Employee: Cambridge Analytica Wasn’t The Only Company Harvesting User Data

Sandy Parakilas, a former Facebook employee, revealed that "numerous" other companies exploited Facebook's user data, similarly to how Cambridge Analytica was able to harvest the data of more than 50 million user accounts in order to target American electoral voters. Parakilas believes that this sort of data harvesting was made possible by Facebook’s lax rules when it comes to sharing data with third parties.

Thousands Of Third-Parties Can Abuse Facebook Data

Sandy Parakilas was the platform operations manager at Facebook responsible for dealing with platform policy violations by third-party developers between 2011 and 2012. According to his revelations to The Guardian, Parakilas warned Facebook that the company’s lax rules around how user data is shared with third parties could lead to major data breaches or abuses in the future.

He added that Facebook had terms of service and settings that were difficult for users to understand, and that it also didn’t use enforcement mechanisms such as audits against companies that could have misused the data, as SCL and Cambridge Analytica did recently.

When asked what kind of control Facebook had over third-parties that received Facebook’s user data, Parakilas said:

Zero. Absolutely none. Once the data left Facebook servers there was not any control, and there was no insight into what was going on.

According to the former Facebook employee, his superiors also discouraged him from looking more deeply into how third parties were using the data, because finding out how the data was used or abused would have put the company in a weaker legal position.

Although the company now has stricter controls over how data is shared with third parties compared to 2012, Parakilas said that a majority of Facebook users may have already gotten their data harvested by "tens or maybe even hundreds of thousands" of third-party developers.

Parakilas also noted that in the time he worked for Facebook, the company never audited a third-party company, despite being able to do so.

Facebook’s Last-Minute Audit Of Cambridge Analytica

In a recent update, Facebook said that it sent Stroz Friedberg, an independent auditor, to Cambridge Analytica’s offices yesterday evening. However, the UK Information Commissioner’s Office arrived with a search warrant soon after, and told the auditor to stand down. The UK’s ICO recently allowed WhatsApp to share its data with Facebook as long as the company abides by the General Data Protection Regulation (GDPR), which goes into effect soon.

Elizabeth Denham, Information Commissioner, said:

On 7 March, my office issued a Demand for Access to records and data in the hands of Cambridge Analytica. Cambridge Analytica has not responded by the deadline provided; therefore, we are seeking a warrant to obtain information and access to systems and evidence related to our investigation. On 19 March, Facebook announced that it will stand down its search of Cambridge Analytica's premises at our request. Such a search would potentially compromise a regulatory investigation.

Facebook has known about Cambridge Analytica’s abuse of its data since 2015, when it simply told the company to delete the information, without doing any audit. The company seems to have suddenly become interested in doing an audit after CA’s abuse of that data became a major news story. We’ve asked Facebook if it has done any other audit of third-party developers before, and we’ll update the story when we get a response.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.