US, UK investigating Facebook's role in Cambridge Analytica data breach

The US Federal Trade Commission (FTC) has opened an inquiry into whether Facebook improperly allowed Cambridge Analytica, a political consulting firm that backed President Trump’s 2016 election campaign, to obtain personal data from 50 million users.

This weekend, a whistleblower informed the Guardian that, in 2014, Cambridge Analytica obtained personal information on millions of US voters, then developed a software program that profiled these citizens to predict voting patterns – and, through micro-targeted ads, influence US citizens’ voting decisions.

Bloomberg first reported that the FTC’s probe will focus on whether Facebook violated its 2011 settlement with the FTC. At the time, Facebook assured the agency that it would improve its privacy settings so that third parties could not acquire users’ data without their express knowledge or consent.

However, three years after this agreement, Cambridge Analytica was still able to obtain data on a huge portion of Facebook’s user base, the majority of which did not consent to their personal data being taken for political use. And, the tech giant’s response to these actions were, allegedly, cursory at best.

The FTC has not officially announced its investigation, but said in a statement that, “We take any allegations of violations of our consent decrees very seriously.”

The FTC could fine the company $40,000 for each violation of the 2011 settlement; multiply that by 50 million, and Facebook could be looking at catastrophic financial damages.

Along with the FTC, the British Information Commissioner’s Office (BICO) is also investigating if Cambridge Analytica could have used similar voter data to influence UK citizens during the EU's Brexit' referendum.

The EU’s Electoral Commission and Australia's Privacy Commissioner have also piped up, with both officially investigating Facebook’s actions to determine if the data of their voters were used without authorization.

We’re laying out everything we know and don’t know about how Cambridge Analytica used Facebook to influence elections in the US and around the world, and what this means for the tech giant’s future.

What happened

Cambridge Analytica (CA) obtained voter data through a Facebook-linked app named 'thisisyourdigitallife'. Through the app, CA member Aleksandr Kogan paid Facebook users in exchange for a detailed personality test, supposedly for academic research purposes.

These users volunteered to provide this information, something Facebook Deputy General Counsel was quick to emphasize in a statement:

“The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

But, the app also pulled personal data from all of the test-taker’s linked Facebook friends without their consent—data that, per Facebook’s Platform Policy, can only be used to enhance the in-app experience, and should not be given out to anyone.

Instead, Kogan and his associates allegedly built a software platform for influencing US elections, and sold it to Donald Trump. In 2014, former Trump advisor Steve Bannon ran Cambridge Analytica.

Around a quarter of a million people took the test willingly, but 50 million people reportedly ended up having their private data used for political and financial gain without their knowledge or consent.

Facebook only became aware of CA’s breach of contract in 2016, but reportedly waited months to order CA to delete the data. The consulting firm subsequently ignored this order, and Facebook allegedly never followed up to check.

Only after the media asked for comment last Friday did Facebook apparently realize it had been duped for four years. Facebook responded by threatening to sue outlets reporting on the issue.

Last October, after Facebook was forced to divulge Russia’s attempts to influence the 2016 election through their advertising system, Zuckerberg and other executives released several statements on how they would improve their security.

But after this latest scandal, Mark Zuckerberg and other Facebook executives have remained completely silent on the issue. We’ll update this post if Zuckerberg or other executives respond to this latest series of allegations.

One major action Facebook took was to hire hire a forensic auditor to investigate Cambridge Analytica’s servers themselves, since CA had shown them 'certified proof' that the data was destroyed. But BICO ordered the auditors to stop so they could conduct their own investigation.

Moreover, Parliament has already summoned Mark Zuckerberg to answer for his company’s role in the CA fiasco. Congress or the FTC may also follow suit.

The tip of the iceberg?

Facebook has typically tried to self-regulate in the face of criticism. After the Russian allegations came to light, Facebook ignored Congressional calls for regulations and listed the ways they would prevent democratic meddling in the future themselves.

But BICO’s actions show that Facebook isn’t being allowed any leeway this time, because CA’s access to Facebook’s data may have had global repercussions.

That’s because Cambridge Analytica doesn’t simply operate in the United States. The consulting firm worked on the Brexit referendum, and has catered its services to politicians nationwide.

An undercover sting video from Britain’s Channel 4 news revealed that CA executives offered to 'fix' Sri Lankan elections for an undercover reporter. Their 'services' included blackmailing, entrapping or extorting rival politicians, and releasing propaganda to the public. One offer was to send 'Ukranian girls' to a man’s house, then release the footage publicly to shame him.

While all of these options are abhorrent, these offers to spread targeted disinformation are what most concern government agencies like the FTC and BICO. If CA was able to obtain information on voters through Facebook, they would know where to specifically target propaganda to influence elections—just as Russia’s Internet Research Agency did in 2016.

And, CA may not be the only company that has obtained or purchased information that has been obtained through third-party apps. Considering Facebook’s inability to check if CA stole private user information, we have no way of knowing how many other companies could be hoarding and selling data to influence democratic elections.

The US, UK and EU investigations have only just begun, but they could have major repercussions on how Facebook and other social media companies are required to protect user data in future.