March 19, 2018 – WSJ
Facebook Inc. FB 1.15% ignited a firestorm over how it manages third-party access to its users’ information, after the social network said a firm with ties to the 2016 Trump campaign improperly kept data for years despite saying it had destroyed those records.
U.S. and British lawmakers slammed Facebook over the weekend for not providing more information about how the data firm, Cambridge Analytica , came to access information about potentially tens of millions of the social network’s members without their explicit permission.
“This is a big deal, when you have that amount of data. And the privacy violations there are significant,” Sen. Jeff Flake (R., Ariz.), a member of the Senate Judiciary Committee, said in an appearance on CNN. “So, the question is, who knew it? When did they know it? How long did this go on? And what happens to that data now?”
The attorney general in Massachusetts said in social-media posts Saturday that her office planned to launch an investigation into the matter.
Damian Collins, the U.K. lawmaker who chairs a parliamentary committee on media and culture, said he intended to ask Facebook Chief Executive Mark Zuckerberg to testify before the group, or send a senior executive to do so, as part of its inquiry into how social-media manipulation affected Britain’s referendum decision to exit from the European Union.
Late Friday, Facebook said it suspended Cambridge and two individuals— Aleksandr Kogan, a psychology professor from the University of Cambridge, and Christopher Wylie, who helped found Cambridge—after hearing “reports” they had violated Facebook policies that govern how third-party developers can deploy user data they obtained from the company. Facebook didn’t elaborate on the source of its information.
Facebook said it learned in 2015 that Mr. Kogan broke Facebook policy and shared the user data with third parties. The company said it demanded he and third parties with access to the data delete those records but learned this month the data hadn’t been destroyed.
Facebook executives spent much of Saturday arguing what happened didn’t constitute a data breach—even as they and the company acknowledged Mr. Kogan and Cambridge abused user data that previously was provided openly to third parties.
Rep. Adam Schiff of California, the top Democrat on the House Intelligence Committee, said lawmakers should investigate how Cambridge got hold of the data. “We need to find out what we can about the misappropriation of the privacy, the private information of tens of millions of Americans,” Mr. Schiff told ABC News on Sunday.
The Russian manipulation disclosed last year showed how a small group of pro-Kremlin actors created fake accounts to sow discord through posts, images and videos shared widely on Facebook. The activity disclosed Friday is a case where outsiders harvested Facebook user data and deployed it seemingly out of public view.
“This could be a data privacy reckoning for Americans. It’s a wake up call,” said David Carroll, an advocate for increased regulation of Facebook and an associate professor of media design at the New School’s Parsons School of Design.
“We are in the process of conducting a comprehensive internal and external review as we work to determine the accuracy of the claims that the Facebook data in question still exists,” Paul Grewal, Facebook’s deputy general counsel, said in a written statement. “That is where our focus lies as we remain committed to vigorously enforcing our policies to protect people’s information.”
The current controversy has its roots in a 2007 decision by Facebook to give outsiders access to the company’s “social graph”—the friend lists, interests and “likes” that tied Facebook’s user base together. Tapping that rich store of information required that a person create an app and plug it into Facebook’s platform.
The move helped Facebook become a fixture in its members’ lives, catapulting the company from 58 million users to more than 2 billion today. It also addressed criticism from people who argued the company shouldn’t have sole custody over the data generated by users.
Users of dating apps who signed in using Facebook, for example, could see which friends they had in common with a potential date—even if those mutual friends didn’t use the app. President Barack Obama’s 2012 re-election campaign created a voter-outreach app that plugged into the Facebook platform to find potential supporters among a user’s friends.
In 2014, Facebook said it would reverse course after users questioned their data being shared with outsiders without their knowledge. Those changes went into effect in 2015, forcing many dating, job-search and political apps to close their doors, and sparking a fresh round of criticism that Facebook changed its rules at whim.
Despite the changes, Facebook couldn’t ensure data already gleaned by developers wasn’t shared with third parties. Such a move would violate the Facebook policies governing how third-party developers can deploy data they obtained from the company.
In a Friday evening post, Facebook said it had learned in 2015 that Mr. Kogan broke its data policies when he shared user data he gathered from his personality-prediction app, “thisisyourdigitallife,” to third parties including Cambridge and Mr. Wylie.
Cambridge Analytica has said it didn’t use Facebook data collected by Mr. Kogan’s company, Global Science Research, during the 2016 U.S. presidential election.
Facebook said about 270,000 people downloaded the app, giving consent for Mr. Kogan to access information such as their city or content they had liked. Mr. Kogan also could see some information about friends whose privacy settings allowed the access of such data.
A 2011 paper co-written by Facebook researchers said the average Facebook user had 190 friends. That could mean that through the 270,000 people who downloaded Mr. Kogan’s app, data from 51.3 million people were obtained.
A Facebook spokesman said the company’s goal in 2015 was securing the data in question, a goal it believed it had accomplished at the time. The company reiterated that it didn’t consider the abuse as a “data breach” because Mr. Kogan gained access to the data through legitimate means.
— Dave Michaels
contributed to this article.
Appeared in the March 19, 2018, print edition as ‘Facebook Provokes Storm Over User Data.