Slashdot Mirror


Did Cambridge Analytica Harvest 50 Million Facebook Profiles? (theguardian.com)

Slashdot reader umafuckit shared this article from The Guardian: The data analytics firm that worked with Donald Trump's election team and the winning Brexit campaign harvested millions of Facebook profiles of U.S. voters, in one of the tech giant's biggest ever data breaches, and used them to build a powerful software program to predict and influence choices at the ballot box... Christopher Wylie, who worked with a Cambridge University academic to obtain the data, told the Observer: "We exploited Facebook to harvest millions of people's profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on."

Documents seen by the Observer, and confirmed by a Facebook statement, show that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals... On Friday, four days after the Observer sought comment for this story, but more than two years after the data breach was first reported, Facebook announced that it was suspending Cambridge Analytica and Kogan from the platform, pending further information over misuse of data. Separately, Facebook's external lawyers warned the Observer on Friday it was making "false and defamatory" allegations, and reserved Facebook's legal position...

The evidence Wylie supplied to U.K. and U.S. authorities includes a letter from Facebook's own lawyers sent to him in August 2016, asking him to destroy any data he held that had been collected by GSR, the company set up by Kogan to harvest the profiles... Facebook did not pursue a response when the letter initially went unanswered for weeks because Wylie was travelling, nor did it follow up with forensic checks on his computers or storage, he said. "That to me was the most astonishing thing. They waited two years and did absolutely nothing to check that the data was deleted. All they asked me to do was tick a box on a form and post it back."

Wylie worked with Aleksandr Kogan, the creator of the "thisisyourdigitallife" app, "who has previously unreported links to a Russian university and took Russian grants for research," according to the article. Kogan "had a licence from Facebook to collect profile data, but it was for research purposes only. So when he hoovered up information for the commercial venture, he was violating the company's terms...

"At the time, more than 50 million profiles represented around a third of active North American Facebook users, and nearly a quarter of potential U.S. voters."

6 of 135 comments

  1. This is a "Breach"? by Frosty Piss · · Score: 1, Insightful

    If your Facebook Profile is set to "Public" then all the "Public" can see it. This is a "breach"? Maybe of the Facebook TOS, but those are meaningless.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:This is a "Breach"? by Anonymous Coward · · Score: 1, Insightful

      It's still a private service and it can decide not to provide service, or do business with anyone it wants pretty much for any reason, at any time.*

      *Not applicable to bakers.

    2. Re:This is a "Breach"? by squiggleslash · · Score: 4, Insightful

      *sigh* The quality of Slashdot moderation continues to plummet. I understand FP skimming the headline and claiming something wrong, we all do that occasionally, but if you're a moderator please, please, confirm something is correct before you mod it as "Insightful" or something else implying it's right.

      No, setting your Facebook Profile to "Private" does nothing to prevent a third party from accessing your data if you allow that third party to use your account for ID purposes.

      Here's what TFA says (and, frankly, they're barely touching the actual ramifications):

      However, the app also collected the information of the test-takers' Facebook friends, leading to the accumulation of a data pool tens of millions-strong. Facebook's "platform policy" allowed only collection of friends' data to improve user experience in the app and barred it being sold on or used for advertising. The discovery of the unprecedented data harvesting, and the use to which it was put, raises urgent new questions about Facebook's role in targeting voters in the US presidential election. It comes only weeks after indictments of 13 Russians by the special counsel Robert Mueller which stated they had used the platform to perpetrate "information warfare" against the US.

      Facebook has something called the Graph API. Whenever you allow a "Facebook app" (such as those that let you automatically log into a website when you're logged into Facebook, or those that save your game status by connecting it to your Facebook ID, or those that use your Facebook ID to let you comment on their website (the ones that also allow you to use your Twitter or Google account I mean, not the Facebook comments plugin), and, as in this example, those that let you take "tests" that they then offer to post to your wall), they use the Graph API.

      The Graph API gives developers access to a horrific amount of data on a user. And while the process of linking an app to an ID is supposed to include a warning to end users about what the app can access, in practice it is normal for apps to always ask for pretty much everything, which means users, in practice, ignore the warning.

      No, setting your profile to private won't help you. And even if it did, so what? You're talking about a massive social engineering attack that Facebook's own practices directly encourage. Facebook pretty much encourages the authors of Candy Gems Saga The Game to ask for all your private information, so by the time the Kremlin Research Institute comes along and posts clickbait polls and surveys and quizzes, Facebook's users have been conditioned into thinking that's OK and normal and it's fine to allow them to do whatever they want.

      And before you say "Well, so what, that's their fault for not being vigilant", they're not the only victims when the goal of those abusing Facebook's system is to try to manipulate large numbers of people into voting against their nation's interests.

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:This is a "Breach"? by Attila Dimedici · · Score: 3, Insightful

      Except that the bakers did not refuse to serve a class of people. They refused to provide service for a specific event.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
  2. I'm more concerned about shadow profiles by 93 Escort Wagon · · Score: 4, Insightful

    Given I closed my Facebook account several years ago, I'm more worried about whether these bad actors managed to access Facebook's shadow profiles - since, unfortunately, most of my family is on Facebook.

    For people who are actually on Facebook - including my family - I say "don't pretend to be outraged since you voluntarily decided to hand them all your personal information".

    --
    #DeleteChrome
    1. Re: I'm more concerned about shadow profiles by jd · · Score: 3, Insightful

      Also doesn't matter what the TOS says, EU law trumps the TOS. Just the way it is. And I want to see those folks in total isolation cells in the deepest dungeons that exist. This violates human rights and human dignity. It cannot be tolerated by anyone with an ounce of intellect.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)