Facebook has confirmed over the weekend reports that an app made by a team of academics had collected vasts amounts of user data, who then shared this information with Cambridge Analytica —a commercial data analytics firm that allegedly used this info to target US voters in the 2016 Presidential election.
In a statement outlining its version of events, Facebook revealed how University of Cambridge psychology lecturer Dr. Aleksandr Kogan had created an app named "thisisyourdigitallife" that he made available to users in 2014.
The professor offered the app through an entity named Global Science Research (GSR), which asked users to take an online survey for $1 or $2. The app —just like any Facebook app— requested access to the user's profile information.
Over 270,000 users gave the app permission to use their personal details for academic research. But besides data on the survey taker, the app also harvested information on the users' friends who had not set their profile to private. By exploiting this trick, the app harvested data on over 50 million users.
But according to a report from last year from The Intercept, Kogan's work on the app was done on behalf of Strategic Communication Laboratories (SCL), a military contractor that also owns Cambridge Analytics —the data analytics company behind Donald Trump's US presidential campaign.
According to Christopher Wylie, one of Kogan's collaborators, the data has been used in the US presidential election to profile individuals and target them in such a way to obtain certain responses to political messages.
This was done because the app gained access to content liked by the 50 million users, an important detail that allowed the data analytics firm to easily classify users based on their lifestyle choices and preferences.
Facebook said on Friday that it became aware of the data harvesting incident from Facebook users, and took steps to make sure the involved parties had deleted the data from their servers.
"When we learned of this violation in 2015, we removed his app from Facebook and demanded certifications from Kogan and all parties he had given data to that the information had been destroyed," Facebook said. "Cambridge Analytica, Kogan and Wylie all certified to us that they destroyed the data."
But according to Wylie, the data had not been destroyed. The whistleblower provided copies of this data to New York Times and Guardian journalists —who on Friday published numerous tell-all stories from inside the Cambridge Analytica data harvesting operation [1, 2, 3].
Facebook has, in the meantime, suspended Cambridge Analytica and SCL Group from the platform, on the grounds that they violated the company's terms of service. Facebook is clearly irritated that a professional data analytics firm abused an academics license to harvest data on its users.
Facebook's ban hammer also fell on Christopher Wylie Facebook account, something that Wylie was not happy about on Sunday.
Cambridge Analytica responded to the Facebook ban on Saturday, claiming they've been misled about the data's source by GSR and indirectly by Kogan's team.
"When it subsequently became clear that the data had not been obtained by GSR in line with Facebook’s terms of service, Cambridge Analytica deleted all data received from GSR," Cambridge Analytica said.
"We worked with Facebook over this period to ensure that they were satisfied that we had not knowingly breached any of Facebook’s terms of service and also provided a signed statement to confirm that all Facebook data and their derivatives had been deleted," the company said.
"No data from GSR was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign," they also added, in response to media reports.
The UK's Information Commissioner's Office promised an investigation after allegations that the same data had allegedly been used to support the Leave camp during the Brexit campaign.
Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality, also promised a similar investigation into the matter.
I will take all possible legal measures including the stricter #dataProtection rules and stronger enforcement granted by #GDPR. I expect the companies to take more responsibility when handling our personal data.— Věra Jourová (@VeraJourova) March 18, 2018