It’s no secret that Facebook tracks user data, as anyone who has seen an ad related to a topic they just posted about can attest — but the alleged illegal mining of data from more than 50 million users, which was acquired by Cambridge Analytica, is raising new concerns about the security of personal information stored on Facebook. Facebook has since banned the analytics firm and the parent company Strategic Communication Laboratories, but with Cambridge Analytica handling social media campaigns related to President Donald Trump’s presidential bid and the U.K.’s Brexit vote, the scrutiny will likely continue for some time.
On Wednesday, March 21, Facebook CEO Mark Zuckerberg broke his silence and shared a post detailing what happened and what the network is doing to prevent similar access. Facebook says users impacted by the data misuse will be notified, but added that the list of security changes announced this week is only the start, with more adjustments coming over the next few weeks. Cambridge Analytica says the company has done nothing wrong and, so far, has appeared to cooperate with investigations.
So what do Facebook users need to know about the illegal data mining? Here is what we know so far.
Users didn’t have to authorize an app to have their data mined
Some of the user data in question was accessed by authorizing the app “thisisyourdigitallife,” by Global Science Research, a personality app that told users the information was anonymous and for physiological research. Granting access to a third-party app prompts a pop-up screen that says what data the app will have access to, requiring the user to agree to the terms before allowing access. The app was also reportedly boosted by Amazon Turk, a program that pays users to complete surveys and other online tasks. Global Science Research allegedly sold that data to Cambridge Analytica.
That is not why the app’s developers and Cambridge Analytica are under fire, however. Around 270,000 people actually accessed the app. However, the app didn’t stop there; it also gathered data on those users’ friends, and friends of friends, until it had access to information from more than 50 million accounts, as detailed in The New York Times. This means the vast majority of users who had their data stolen never authorized the app to access their accounts, thus prompting the ensuing controversy and Facebook’s ban of Cambridge Analytica.
While wasting three minutes of your life taking a quiz to find out what kind of potato chip you are is nobody’s proudest moment, granting an unknown company access to your data, and that of your friends, is an irrationally high price to pay.
Third-party apps can no longer access your friends’ data — and Facebook is still doing more
Facebook says that today’s platform doesn’t allow third-party apps to access the same information from your friends. This change was made in 2014 when Facebook removed the API that allowed developers to access data on a user’s friends.
While third-party apps have not had access to friend data for years, Zuckerberg says the platform will take several steps to further protect user data. Third-party apps will now only stay connected for three months, preventing one-time use apps from monitoring data in the background. The network is also launching an audit of all the apps that used friend data prior to 2014 — and removing anyone who doesn’t cooperate with the audit as well as apps that misused data. And while users could always look in the settings to see what apps have access to their data, Facebook will put the tool right in the newsfeed over the next month so users can easily check the permitted apps.
In an official blog post following Zuckerberg’s statement, Facebook also said that they would be informing users involved in any data misuse, including users that were impacted by the “thisisyourdigitallife” app. By expanding the existing bug bounty program, the network also hopes to find data misuse faster by rewarding hackers that find those loopholes for the company to correct.
“I started Facebook, and at the end of the day I’m responsible for what happens on our platform,” Zuckerberg wrote. “I’m serious about doing what it takes to protect our community. While this specific issue involving Cambridge Analytica should no longer happen with new apps today, that doesn’t change what happened in the past. We will learn from this experience to secure our platform further and make our community safer for everyone going forward.”
Facebook knew about the data in 2015
Facebook learned of the data misuse from journalists back in 2015. The app’s creator, Dr. Aleksandr Kogan, claimed he was using it for an academic study — and insists he didn’t think he was doing anything wrong. When Facebook found out about the data the app was gathering in 2015, it asked Global Science Research to delete it — and thought the company did. When Facebook received reports suggesting that the deletion never happened, it suspended the company from the platform and launched an investigation.
A lawsuit filed by investors said Facebook should have disclosed this information.
Facebook is losing money — and that might be a good thing
Advertisers often choose Facebook because the company can target a specific customer using legal, publicly shared information to advertise, say, diapers only to new parents. The scandal, however, is affecting the company’s value. In just the first two days, the company’s stock lost around $60 billion in value.
While that’s not good news if you invested in Facebook stock, for the average user, that impact could be a good sign — Facebook isn’t going to sit by idly and lose billions. Social media platforms are profit-driven companies, and a threat to the bottom line can spur a rapid change of course. Just look at how fast YouTube changed advertising policies when advertisers boycotted the platform after seeing their ads inserted in hate speech videos.
This isn’t the first time Facebook has been scrutinized over privacy
In 2011, Facebook faced a list of seven complaints from the Federal Trade Commission about user privacy. One of those complaints said that “Facebook represented that third-party apps that users installed would have access only to user information they needed to operate. In fact, the apps could access nearly all of users’ personal data — data the apps didn’t need.”
A second complaint on the list sounds familiar in the midst of the current scandal, which reads “selecting ‘Friends Only’ did not prevent their information from being shared with third-party applications their friends used.” Additionally, while Facebook claimed it verified that participating apps were secure, the FTC said this was not true. Facebook settled the complaint, agreed to get user approval before allowing apps to access data, and agreed to allow privacy audits.
In 2017, Facebook faced legal fines in France and the Netherlands for violating privacy protection laws in those countries. At the time, the government organizations said that Facebook didn’t allow enough privacy controls and that the platform was also using browser history without user consent.
That turmoil in France and the Netherlands likely prompted Facebook to announce a new Privacy Center, designed to help users understand just how their data is used. The Privacy Center hasn’t yet rolled out, with Facebook planning to launch it in May 2018.
The U.S., U.K., and FTC are all investigating
More information will likely come over the next few weeks as several groups dig into the controversy. Facebook reportedly met with Congress for two days following the scandal. Facebook hired a private investigative firm — but the U.K.’s Information Commissioner’s Office asked the group to leave as it pursued its own investigation. The FTC is also investigating how the information was used, according to Bloomberg.
As the investigation continues, additional details will likely become available. Currently, it’s unclear exactly how the data was used, which campaigns the data was used in, and if those campaigns had any major impact. Cambridge Analytica is claiming no wrongdoing.
Facebook claims it was deceived
While Zuckerberg and Chief Operating Officer Sheryl Sandberg are usually quick to make a public apology in the wake of an incident involving the platform, the two have been unusually quiet until today’s post by the CEO. A Facebook representative said that’s because the two are “working around the clock” but said that the platform is “outraged we were deceived” and is taking steps to protect user information.
While information wasn’t stolen in a hack-like breach, Zuckerberg called the mishandling of data a breach of trust. “This was a breach of trust between Kogan, Cambridge Analytica and Facebook,” he said. “But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.”
Andrew “Boz” Bosworth, the company’s vice president of augmented and virtual reality and the former vice president in advertising, said Facebook is set up so that personal data isn’t sold to other companies. “Yes developers can receive data that helps them provide better experiences to people, but we don’t make money from that directly and have set this up in a way so that no one’s personal information is sold to businesses,” he wrote in a Facebook post. “We are able to show better ads when we know more about people relative to other businesses, so giving data to them is the opposite of a good strategy. Also if people aren’t having a positive experience connecting with businesses and apps then it all breaks down. This is specifically what I mean when we say our interests are aligned with users when it comes to protecting data.”
This isn’t the only questionable practice Cambridge Analytica is accused of
While misuse of user data is at the heart of the scandal, that’s not all Cambridge Analytica is facing. British undercover reporters set up several meetings with the company and recorded CEO Alexander Nix suggesting creating a sex scandal to discredit an opponent. Cambridge Analytica has cried foul and said it never intended to carry out those suggestions.
Users can revoke authorization to third-party apps
While even the former owner of WhatsApp is calling for users to delete Facebook, there are settings users can adjust to limit shared data and view which third-party apps have been authorized. This may not prevent illegal access to data if someone finds a way to access information outside of Facebook’s rules, but it’s a start for users who would rather not cut all ties with Facebook.
As the investigation continues, we will update this post with additional information.
Updated on March 22: Added official blog post detailing security changes.