Slashdot Mirror


Did Cambridge Analytica Harvest 50 Million Facebook Profiles? (theguardian.com)

Slashdot reader umafuckit shared this article from The Guardian: The data analytics firm that worked with Donald Trump's election team and the winning Brexit campaign harvested millions of Facebook profiles of U.S. voters, in one of the tech giant's biggest ever data breaches, and used them to build a powerful software program to predict and influence choices at the ballot box... Christopher Wylie, who worked with a Cambridge University academic to obtain the data, told the Observer: "We exploited Facebook to harvest millions of people's profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on."

Documents seen by the Observer, and confirmed by a Facebook statement, show that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals... On Friday, four days after the Observer sought comment for this story, but more than two years after the data breach was first reported, Facebook announced that it was suspending Cambridge Analytica and Kogan from the platform, pending further information over misuse of data. Separately, Facebook's external lawyers warned the Observer on Friday it was making "false and defamatory" allegations, and reserved Facebook's legal position...

The evidence Wylie supplied to U.K. and U.S. authorities includes a letter from Facebook's own lawyers sent to him in August 2016, asking him to destroy any data he held that had been collected by GSR, the company set up by Kogan to harvest the profiles... Facebook did not pursue a response when the letter initially went unanswered for weeks because Wylie was travelling, nor did it follow up with forensic checks on his computers or storage, he said. "That to me was the most astonishing thing. They waited two years and did absolutely nothing to check that the data was deleted. All they asked me to do was tick a box on a form and post it back."

Wylie worked with Aleksandr Kogan, the creator of the "thisisyourdigitallife" app, "who has previously unreported links to a Russian university and took Russian grants for research," according to the article. Kogan "had a licence from Facebook to collect profile data, but it was for research purposes only. So when he hoovered up information for the commercial venture, he was violating the company's terms..."

"At the time, more than 50 million profiles represented around a third of active North American Facebook users, and nearly a quarter of potential U.S. voters."

22 of 135 comments

  1. I'm more concerned about shadow profiles by 93 Escort Wagon · · Score: 4, Insightful

    Given I closed my Facebook account several years ago, I'm more worried about whether these bad actors managed to access Facebook's shadow profiles - since, unfortunately, most of my family is on Facebook.

    For people who are actually on Facebook - including my family - I say "don't pretend to be outraged since you voluntarily decided to hand them all your personal information".

    --
    #DeleteChrome
    1. Re:I'm more concerned about shadow profiles by mrwireless · · Score: 2

      Victim blaming 2.0..

      Slashdot commenters want to have it both ways:
      - Users are too dumb to know what they are signing up for. #sheeple
      - Users knew what they were signing up for, no use crying over it now.

    2. Re: I'm more concerned about shadow profiles by jd · · Score: 4, Interesting

      Cambridge Analytica is in the EU. Different rules. Each profile stolen violates the Data Protection Act and European Human Rights, regardless of where the person was located, because the data was stored in Europe and CA was a European company under European law.

      If those 50 million sued, they'd win, because under the DPA your data cannot be transferred from the E.U. to any country with weaker protections.

      Furthermore, the U.S. election laws forbid foreign national involvement, violations of the fourth for electioneering and spying on American nationals by US agencies even via third parties.

      If this goes to court, the proverbial fan will be crushed under the impact.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re: I'm more concerned about shadow profiles by jd · · Score: 3, Insightful

      Also doesn't matter what the TOS says, EU law trumps the TOS. Just the way it is. And I want to see those folks in total isolation cells in the deepest dungeons that exist. This violates human rights and human dignity. It cannot be tolerated by anyone with an ounce of intellect.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    4. Re: I'm more concerned about shadow profiles by shilly · · Score: 2

      Did you feel all clever when you wrote that?

      You shouldn't have.

      The GDPR hasn't come into effect yet, although everyone is preparing for it (including UK organisations).

      Instead, the UK has the Data Protection Act 1998, which was explicitly designed to be compliant with the requirements of EU data protection law at the time. That included, for example, not transferring PII outside the EEA without adequate protection. So the OP is completely wrong, and you are not only wrong, you are wrong while you think you are right.

      Incidentally, the Brexit vote makes no difference. As the article you yourself linked to says: "the UK will still be classed as a Member State when the GDPR compliance deadline is reached on 25 May 2018." So the UK will have to comply with GDPR. It may negotiate some changes post-Brexit, but it doesn't really have the bandwidth to do so, so I kinda doubt it.

      GDPR is a new set of requirements, and every EU member state is having to create new law to comply. That's how the EU operates: member states agree new principles for the single market through discussion, they write down the requirements centrally, and then each EU member state goes and creates new laws in their own country that are compliant with the new principles. If you read that without getting all defensive, congratulations, you now know more about how the EU operates than Liam Fox, Jacob Rees-Arsehole, Boris Fuckface and David the British Brexit Bulldog. But then you probably knew more than them to start with, they're so fucking ignorant.

  2. Re:This is a "Breach"? by vux984 · · Score: 5, Interesting

    The same way a restaurateur can refuse to serve a customer who previously made a mess of your dining room.

    Facebook may be 'facing the public' but it's still a private service and it can decide not to provide service, or do business with anyone it wants pretty much for any reason, at any time. The ToS may be "bullshit", but it's not even necessary... they don't have to wait until you violate the ToS they can decide they just don't like your face, without any ToS at all.

  3. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  4. Re: This is a "Breach"? by jd · · Score: 3, Informative

    It includes private data. The app used to take everything.

    And, yes, it is a breach. It doesn't matter what you set public, if you operate in the EU (and Cambridge is still in there), you abide by EU Data Protection laws. You are forbidden from collecting personal data without both a license and permission (they had neither) and you are forbidden from reselling it to a nation with weaker data protection laws (the U.S. included).

    Every last one of those 50 million can sue Data Analytics. And they should. Even if they're awarded only £100 each, CA will deserve the consequences.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  5. Re: BS story by jd · · Score: 4, Interesting

    No, you didn't RTFA.

    And they admit they wrote malware, specifically a logic bomb, that downloaded private and confidential information, a clear-cut example of violating the Computer Misuse Act in addition to the Data Protection Act.

    If this reaches court before Brexit, Facebook will be liable for at least £5 billion and CA will be crushed into oblivion. Possibly taking Cambridge University with it, if it's shown the university was aware of the activities.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  6. Re: Data breach? by jd · · Score: 4, Informative

    First, it wasn't. This was stolen by malware in apps through private accounts with non-public access rights. RTFA.

    Second, it's in violation of the CMA and DPA of the UK and EU. The EU takes these things seriously.

    Third, it violated election laws in the U.S., along with civil service laws. Trump might not care, but the special prosecutor will, as will politicians who are up for re-election.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  7. Re:SubjectIsSubject by Actually, I do RTFA · · Score: 2

    Do you have a source for that exchange? I'm looking for the original

    --
    Your ad here. Ask me how!
  8. Re: Like it matters.... by mi · · Score: 3, Informative

    involving foreign nationals is a criminal enterprise

    Oh, wow... Would hiring a British spy, who then engaged his contacts among Russians, qualify?

    Fine, arrest everyone who is guilty of such a crime

    There is no crime described in TFA... At the most, there is a violation of Facebook's TOS...

    --
    In Soviet Washington the swamp drains you.
  9. Re:This is a "Breach"? by squiggleslash · · Score: 4, Insightful

    *sigh* The quality of Slashdot moderation continues to plummet. I understand FP skimming the headline and claiming something wrong, we all do that occasionally, but if you're a moderator please, please, confirm something is correct before you mod it as "Insightful" or something else implying it's right.

    No, setting your Facebook Profile to "Private" does nothing to prevent a third party from accessing your data if you allow that third party to use your account for ID purposes.

    Here's what TFA says (and, frankly, they're barely touching the actual ramifications):

    However, the app also collected the information of the test-takers' Facebook friends, leading to the accumulation of a data pool tens of millions-strong. Facebook's "platform policy" allowed only collection of friends' data to improve user experience in the app and barred it being sold on or used for advertising. The discovery of the unprecedented data harvesting, and the use to which it was put, raises urgent new questions about Facebook's role in targeting voters in the US presidential election. It comes only weeks after indictments of 13 Russians by the special counsel Robert Mueller which stated they had used the platform to perpetrate "information warfare" against the US.

    Facebook has something called the Graph API. Whenever you allow a "Facebook app" (such as those that let you automatically log into a website when you're logged into Facebook, or those that save your game status by connecting it to your Facebook ID, or those that use your Facebook ID to let you comment on their website (the ones that also allow you to use your Twitter or Google account I mean, not the Facebook comments plugin), and, as in this example, those that let you take "tests" that they then offer to post to your wall), they use the Graph API.

    The Graph API gives developers access to a horrific amount of data on a user. And while the process of linking an app to an ID is supposed to include a warning to end users about what the app can access, in practice it is normal for apps to always ask for pretty much everything, which means users, in practice, ignore the warning.

    No, setting your profile to private won't help you. And even if it did, so what? You're talking about a massive social engineering attack that Facebook's own practices directly encourage. Facebook pretty much encourages the authors of Candy Gems Saga The Game to ask for all your private information, so by the time the Kremlin Research Institute comes along and posts clickbait polls and surveys and quizzes, Facebook's users have been conditioned into thinking that's OK and normal and it's fine to allow them to do whatever they want.

    And before you say "Well, so what, that's their fault for not being vigilant", they're not the only victims when the goal of those abusing Facebook's system is to try to manipulate large numbers of people into voting against their nation's interests.

    --
    You are not alone. This is not normal. None of this is normal.
  10. Re:This is a "Breach"? by Attila Dimedici · · Score: 3, Insightful

    Except that the bakers did not refuse to serve a class of people. They refused to provide service for a specific event.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  11. Re:This is a "Breach"? by Attila Dimedici · · Score: 4, Informative

    Unless you're a baker that doesn't want to make a cake for gays, and even gives you a reference to other bakers who will happily serve you, right?

    Actually the baker in question was perfectly willing to make a cake for gays (the gays who sued had been long time customers). They merely refused to bake a cake celebrating the sexual relationship between the two gays.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  12. Re: Data breach? by currently_awake · · Score: 2

    The special prosecutor seems to be several steps ahead of what is in the news. I expect these people have already been talked to, and deals made to keep them out of jail. From what little I know of Trump, I don't believe he's (mentally) capable of being the "Dr Evil" level villain at the bottom of all this.

  13. Re:This is a "Breach"? by cascadingstylesheet · · Score: 2

    The ToS may be "bullshit", but it's not even necessary... they don't have to wait until you violate the ToS they can decide they just don't like your face, without any ToS at all.

    Er, almost. There are some reasons they don't like your face that may matter ...

  14. Re: Data breach? by bongey · · Score: 2

    EU data protection law doesn't apply to the UK. http://www.computerweekly.com/...

  15. Re: Like it matters.... by ArchieBunker · · Score: 2

    Scraping Facebook for metadata is treason? No wonder Hillary and her loonies lost the election.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  16. Re:From Russian With Laughter by shilly · · Score: 2

    This is bang on target. The entire spectrum of political leadership has chosen to look the other way in almost every Western state. They have lost the ability to be hard nosed in their assessments, and specifically have lost the ability to speak politely but non-committally in public while fighting hard behind the scenes. The last thing along those lines was Stuxnet. The West should be doing their best to strategically weaken Putin -- and if this is their best, it's pretty weak.

  17. Re:From Russian With Laughter by meta-monkey · · Score: 2

    Yeah, let's go to war with Iran, Russia, and North Korea! Because they're...doing stuff in the middle east and the Korean peninsula, which is sovereign territory of the United States!

    --
    We don't have a state-run media we have a media-run state.
  18. Re: From Russian With Laughter by c6gunner · · Score: 2

    Yeah, let's go to war with Germany, Italy, and Japan! Because they're...doing stuff in Europe and Asia, which is sovereign territory of the United States!