Facebook said on Thursday it had suspended a data analytics firm associated with the Trump campaign, but it may have greatly downplayed the scale of the data that firm actually had access to, according to a new report in The New York Times.
Cambridge Analytica had worked with a University of Cambridge psychology professor, Dr. Aleksandr Kogan, who had developed an app called “thisisyourdigitallife” and obtained user information through it; the Times reports that the app scooped up information from the profiles of as many as 50 million users. Late Friday, Facebook acknowledged that 270,000 people downloaded the app, which used Facebook Login and was granted access to users’ geographic information. But in 2014, just one person with hundreds of friends allowing an app access to personal information may have had a much larger impact than it does today.
In the earlier stages of a company, it’s possible that policies are not rigorous enough, and the guardrails on various APIs not robust enough, to keep this kind of information from getting out in the open without additional scrutiny, which allows other firms to take advantage of those shortcomings. Facebook executives, on Twitter no less, were quick to make clear that this wasn’t a breach, and to be fair, it arguably is not a breach in the traditional sense of the word. But here’s what Facebook chief security officer Alex Stamos said:
Update: Stamos deleted his tweets. The above is a screenshot of his earlier tweet. Here’s his explanation.
I have deleted my Tweets on Cambridge Analytica, not because they were factually incorrect but because I should have done a better job weighing in.
— Alex Stamos (@alexstamos) March 17, 2018
I'm going to step away from this one. I really care about privacy and security, as well as platform openness, freedom from censorship and stopping authoritarians who use the internet as a weapon. I just wish I was better about talking about these things in the reality of 2018.
— Alex Stamos (@alexstamos) March 17, 2018
Prior to deleting his tweets, Stamos posted a long thread that explained the nitty gritty of the situation: around the time of the quiz, the Facebook API allowed developers to see a much wider swath of data than is available now, including data about a consenting user’s friends. Those APIs were updated in 2015 to remove the ability to see that kind of friend data, a move Stamos said was “controversial” with app developers at the time. In reality these policies are constantly evolving and chasing a moving target, especially at the scale of Facebook, with more than 2 billion monthly active users. That being said, Trump’s margin of victory in the final vote counts in pivotal states was narrow, so information on the right 50 million people could have made a huge difference.
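The mechanism the thread describes is worth seeing concretely: under the older API behaviour, one user’s consent was enough for an app to read data about that user’s friends, so the number of profiles an app could harvest grew with the size of its installers’ friend lists rather than with the number of people who actually installed it. The following is an added, constructed model written for this article and is not Facebook’s code or Graph API. The social graph, profile fields, policy names (`PERMISSIVE`, `SCOPED`) and the authorization function are all illustrative assumptions; in particular, the “scoped” rule (friend data is returned only for friends who also consented to the app) is this example’s assumption about the 2015 change, which the page itself only describes as removing friend data.

```python
"""Constructed model of an app-platform authorization guardrail.

Compares a permissive policy (one user's consent exposes that user's
friends) with a scoped policy (each person's data requires that person's
own consent). None of the data or behaviour below is taken from Facebook.
"""
from typing import Dict, Set

# Constructed sample social graph (symmetric friendships). Not real users.
FRIENDS: Dict[str, Set[str]] = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "erin"},
    "carol": {"alice"},
    "dave": {"alice", "frank"},
    "erin": {"bob"},
    "frank": {"dave"},
}

# Constructed profile data keyed by user; the field names are illustrative.
PROFILES: Dict[str, Dict[str, str]] = {
    user: {"location": f"{user}-town", "birthday": "1990-01-01"} for user in FRIENDS
}

PERMISSIVE = "permissive"  # hypothetical label: friend data readable via one consent
SCOPED = "scoped"          # hypothetical label: friend data only for consenting friends


def authorize_profile_read(token_owner: str, target: str,
                           installed: Set[str], policy: str) -> bool:
    """Decide whether an app holding token_owner's token may read target's profile.

    installed is the set of users who consented to (installed) the app.
    """
    if token_owner not in installed:
        return False                      # no valid consent behind this token
    if target == token_owner:
        return True                       # a user may always expose their own data
    if target not in FRIENDS.get(token_owner, set()):
        return False                      # not a friend: never reachable
    if policy == PERMISSIVE:
        return True                       # the guardrail gap: no consent from target
    if policy == SCOPED:
        return target in installed        # target must have consented themselves
    raise ValueError(f"unknown policy: {policy}")


def harvest(installed: Set[str], policy: str) -> Dict[str, Dict[str, str]]:
    """Simulate an app that asks for every installer's profile and every friend's."""
    collected: Dict[str, Dict[str, str]] = {}
    for owner in installed:
        for target in {owner} | FRIENDS.get(owner, set()):
            if authorize_profile_read(owner, target, installed, policy):
                collected[target] = PROFILES[target]
    return collected


def amplification(installed: Set[str], policy: str) -> float:
    """Profiles obtained per consenting user; 1.0 means consent was not transitive."""
    if not installed:
        return 0.0
    return len(harvest(installed, policy)) / len(installed)


if __name__ == "__main__":
    installers = {"alice"}
    for policy in (PERMISSIVE, SCOPED):
        got = harvest(installers, policy)
        print(f"{policy:10s} installers={len(installers)} "
              f"profiles={sorted(got)} amplification={amplification(installers, policy):.1f}")
```

With a single installer, the permissive policy hands the app four profiles and the scoped policy exactly one; the difference is the same fan-out the thread describes, just at toy scale. The check in `authorize_profile_read` is the whole guardrail: each person’s data is released only on that person’s own consent, regardless of who is holding the token.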
While Facebook was already a publicly traded company in 2014, with a fiduciary duty to its shareholders not to have massive screwups and probably a lot more responsibility to keep this kind of information in check, it’s hardly alone in that respect. We’ve seen missing access guardrails at many companies, used in many inappropriate ways, like Uber’s “god view” and Lyft’s own troubles. Those are definitely different situations, but when a company is in growth mode, these kinds of guardrails might simply not be a high priority. That might be especially true when the data sets become increasingly large and simply managing them becomes a huge technical effort. Facebook had 1.39 billion monthly active users by the end of Q4 2014.
To be sure, that does not make the scale of this incident any less severe or important.
Facebook came out with a statement late Friday that it had suspended the account of Strategic Communication Laboratories and its political data analytics firm Cambridge Analytica. However, it appears Facebook may still have downplayed the total scale of the data Kogan had acquired from Facebook users. The Times said the company downplayed the scope of the leak and “questioned whether any data still remained out of its controls” throughout a week of inquiries.
This was unequivocally not a data breach. People chose to share their data with third party apps and if those third party apps did not follow the data agreements with us/users it is a violation. No systems were infiltrated, no passwords or information were stolen or hacked.
— Boz (@boztank) March 17, 2018
We reached out to Facebook for additional information and will update when we hear back. For the time being, Facebook executives seem to be continuing the trend of explaining themselves on Twitter, so we’ll take that as Facebook’s current statement.