Facebook Attempts to Explain Data Leak, Denies 'Breach'

Political Data-Mining Firm Reportedly Obtained 50 Million Users' Private Details

Does the misuse of legally obtained data constitute a data breach?

According to Facebook, the answer is no. But the social media site has found itself wading into complicated semantics over the past few days as it attempts to explain how a U.K.-based voter-profiling firm reportedly ended up with private information on 50 million of its users.

The social networking giant continues to deny that it experienced a breach, even after new information has surfaced in a long-running saga involving the digital research firm Cambridge Analytica, which helped deliver conservative-leaning election advertisements to millions of U.S. voters.

Facebook says it has banned Strategic Communication Laboratories and its data-analyzing subsidiary, Cambridge Analytica, from using its services. That follows reports that Cambridge Analytica, which U.S. President Donald Trump's campaign used, received a large batch of user data that was passed to it, apparently in violation of Facebook's rules.

Investigating Cambridge Analytica's Influence

Until a couple of years ago, Cambridge Analytica was a little-known player. But in early 2017, the Guardian began examining its influence in political campaigns, including the referendum for the departure of the U.K. from the EU - Brexit - as well as the 2016 U.S. presidential election.

Cambridge Analytica specialized in creating powerful profiles of users based on their likes and other public data. That information was then used to target those groups with content they were inclined to embrace.

Early reports suggested Cambridge Analytica had collected 270,000 Facebook users' data, with their permission, after they filled out a survey. But former Cambridge Analytica officials contend that the firm, in fact, amassed raw data for up to 50 million Facebook users, The New York Times reported on Saturday.

Cambridge Analytica denies possessing the data now. But it appears to still be floating around. The New York Times reports that it obtained a set of the raw data, and a former company employee recently saw "hundreds of gigabytes" of the data, which was unencrypted, still sitting on Cambridge Analytica's servers.

Lawmakers Seek Answers

U.S. and U.K. lawmakers are calling for more action in the wake of such reports, with some labeling the incident as a data breach.

"This is a major breach that must be investigated," U.S. Sen. Amy Klobuchar, D-Minn., who serves on the Senate Judiciary Committee, tweeted Sunday. "It's clear these platforms can't police themselves."

"This is a big deal, when you have that amount of data. And the privacy violations there are significant," Sen. Jeff Flake, R-Ariz., a member of the Senate Judiciary Committee, told CNN's "State of the Union" program. "So, the question is, who knew it? When did they know it? How long did this go on? And what happens to that data now?"

On Monday, Klobuchar and Sen. John Kennedy, R-La., wrote to Senate Judiciary Committee Chairman Charles Grassley, R-Iowa, requesting that the committee call technology firms' CEOs to appear and describe their efforts "to combat attempted foreign interference," as well as "to protect Americans' data and limit abuse of the platforms" in advance of the next election.

Facebook CEO Mark Zuckerberg will also be asked to testify before Parliament about how Cambridge Analytica acquired information about the social network's users.

"Data has been taken from Facebook users without their consent, and was then processed by a third party and used to support their campaigns," Damian Collins, chair of the digital, culture, media and sport committee, wrote on the House of Commons website.

"I will be writing to Mark Zuckerberg asking that either he, or another senior executive from the company, appear to give evidence in front of the committee as part of our inquiry," Collins added. "We need to hear from people who can speak about Facebook from a position of authority that requires them to know the truth."

Facebook: Application Developer 'Lied To Us'

Facebook has known about the data leak since 2015, writes Paul Grewal, the company's vice president and deputy general counsel, in a Friday blog post.

Cambridge Analytica acquired the data from Aleksandr Kogan, a Russian-American psychology professor at the University of Cambridge, Grewal says. Kogan allegedly created a Facebook app called "thisisyourdigitallife," which purported to be able to predict personalities. Users were paid to participate, and they used their Facebook credentials to log into the app.

At that time, the app complied with Facebook's developer rules, Grewal says. Users consented to supply data, such as where they lived and what they liked on the social media platform.

But the app could also scoop up data on friends of those users and what those friends had liked, increasing its collection scope to as many as 50 million users, Grewal says.

Facebook's privacy controls could have blocked the collection of information about people's friends, but only if those people had the right settings enabled, Grewal adds. But he contends that Facebook doesn't view the resulting mass data collection as a breach.

"Aleksandr Kogan lied to us and violated our platform policies by passing data from an app that was using Facebook Login to SCL/Cambridge Analytica."
—Paul Grewal, Facebook's general counsel

"People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked," Grewal writes.

Instead, Grewal contends that Kogan violated Facebook's rules by sharing the data with Cambridge Analytica. Kogan "lied to us," Grewal writes, referencing unspecified "reports."

Facebook removed Kogan's app from the social network in 2015. In addition, Facebook "demanded certifications from Kogan and all parties he had given data to that the information had been destroyed," which it received, Grewal writes.

But The New York Times and the Guardian, citing anonymous Cambridge Analytica employees, say all of the data may not have been erased.

"We are moving aggressively to determine the accuracy of these claims," Grewal writes. "If true, this is another unacceptable violation of trust and the commitments they made."

In the meantime, Grewal says that Kogan, Cambridge Analytica as well as Christopher Wylie, who helped found the firm, have been suspended from using Facebook, "pending further information."

Better Abuse Monitoring Promised

Following Trump's 2016 election, Facebook vigorously denied that its platform could have been abused to influence voters. CEO Mark Zuckerberg famously called such suggestions "crazy."

But as more indications continue to emerge that social networks were indeed used by domestic and foreign operators to influence voters' opinions, Twitter, Google and Facebook have committed to more rigorously monitoring their platforms for subtle abuse.

Grewal writes that since 2014, due to privacy concerns, Facebook has made multiple changes, including implementing stricter oversight of data-scooping apps, such as blocking their ability to spy on someone's roster of friends.

But a Facebook executive, Andrew Bosworth, speaking via Twitter, said that clearly more must be done.

Bosworth's comment came in reply to Hunter Walk, a partner at the venture fund Homebrew, who said: "We're gonna spend the morning arguing over the definition of a 'breach' but what I want to hear is that Facebook values my privacy as much, or more, than I do."

Bosworth responded: "We do. Our business depends on it at every level. These policies changed in 2014, but clearly that was not soon enough or rigorously enforced enough. We must do better and will."

In a sign of how explosive the latest findings pertaining to Cambridge Analytica are, Facebook's Chief Security Officer Alex Stamos deleted a series of posts about Cambridge Analytica. Stamos broadly contends that the situation doesn't amount to a breach, but acknowledges it's a "nuanced and difficult one."

Stamos writes: "I have deleted my tweets on Cambridge Analytica, not because they were factually incorrect but because I should have done a better job weighing in."

Bigger-Picture Questions

The kerfuffle around the latest Cambridge Analytica disclosures feeds into broader worries about how social media platforms have been used - and will be used - to influence political campaigns (see Russia Will Meddle in US Midterm Elections, Spy Chief Warns).

Cambridge Analytica received significant investment from conservative donors, and at one time employed former Trump adviser Steve Bannon as a vice president. The company reportedly also worked on the pro-Brexit campaign. It's now being investigated by Parliament and government regulators over allegations that its Brexit work was illegal.

More insights into the company's activities may soon be forthcoming. Cambridge Analytica is reportedly in the sights of U.S. Special Counsel Robert Mueller, who is investigating alleged contacts between the Trump campaign and Russia. Mueller's investigation has already touched on social media efforts that allegedly violated U.S. election laws.

In mid-February, 13 Russian nationals and three Russian companies were charged with interfering with the U.S. political system, including the 2016 presidential election.

Twelve of the individuals worked for Internet Research Agency LLC, based in St. Petersburg, Russia, which was a content mill for social media postings that largely leaned toward conservative viewpoints. According to the indictment, the IRA attempted to boost the prospects of some politicians, including Trump, at the expense of their rivals, including Democratic presidential nominee Hillary Clinton (see US Indicts 13 Russians for Election Interference).

Executive Editor Mathew Schwartz contributed to this article.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
