In 2014, London-based data analytics and political profiling firm Cambridge Analytica gained access to the personal data of over 50 million Facebook users. The firm used that information to match profiles to electoral rolls and to create what it calls “psychographic modeling,” which could later be used to micro-target users with personalized political ads leading to customized informational sites.
The types of data collected included usernames, the city a user lives in, and the content a user “liked” on Facebook. User profile data might also include name, gender, location, time zone, friends’ names, bios, date of birth, educational information, relationship status, political views, religion, and in some cases, a user’s private messages.
The Facebook user data was gathered by Cambridge University professor and psychologist Aleksandr Kogan, who created what he called “a research app used by psychologists”: the “thisisyourdigitallife” personality quiz app, which not only collected the data of users who downloaded the app but also scraped data from those on their friends lists. According to a Guardian article, Kogan’s company Global Science Research “entered into a commercial agreement” with Cambridge Analytica and passed on the Facebook user data it had collected.
270,000 participants who were Facebook users were paid a small amount of money in exchange for downloading the app and agreeing to the collection of personal data associated with their Facebook account. Because the app also collected information on all of the participants’ Facebook friends, more than 50 million Facebook users had their personal data collected and passed on to Cambridge Analytica for the purpose of creating voter profiles.
According to the Guardian article, in 2014, 50 million profiles would represent one-third of North American Facebook users and almost one quarter of potential US voters.
Facebook representatives have repeatedly disputed that this event can be described as a data breach. Facebook VP and Deputy General Counsel Paul Grewal released a statement saying “The claim that this is a data breach is completely false… People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.” A statement by Facebook CEO Mark Zuckerberg instead called it “a breach of trust between Facebook and the people who share their data with us and expect us to protect it.”
This story is significant because it challenges the definition of a data breach and raises the question of where an organization’s responsibility for a user’s personal data ends.
As Facebook representatives argued, no Facebook user data was hacked and no Facebook systems were infiltrated. Some of the users agreed to the collection of their data and were paid for it. A third party used the data it collected from Facebook users according to Facebook’s rules at the time and sold it to another company. What could Facebook have done to prevent this unauthorized sharing of data?
In 2015, Facebook learned that Kogan had passed on Facebook user data to Cambridge Analytica. It removed Kogan’s app from Facebook and informed the parties that had received the data that they needed to certify that the data was deleted. However, Facebook did not notify the millions of users whose data was given away, and it did not check to ensure that the user data was actually deleted.