Did Cambridge Analytica Harvest 50 Million Facebook Profiles? (theguardian.com)
Slashdot reader umafuckit shared this article from The Guardian:
The data analytics firm that worked with Donald Trump's election team and the winning Brexit campaign harvested millions of Facebook profiles of U.S. voters, in one of the tech giant's biggest ever data breaches, and used them to build a powerful software program to predict and influence choices at the ballot box... Christopher Wylie, who worked with a Cambridge University academic to obtain the data, told the Observer: "We exploited Facebook to harvest millions of people's profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on."
Documents seen by the Observer, and confirmed by a Facebook statement, show that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals... On Friday, four days after the Observer sought comment for this story, but more than two years after the data breach was first reported, Facebook announced that it was suspending Cambridge Analytica and Kogan from the platform, pending further information over misuse of data. Separately, Facebook's external lawyers warned the Observer on Friday it was making "false and defamatory" allegations, and reserved Facebook's legal position...
The evidence Wylie supplied to U.K. and U.S. authorities includes a letter from Facebook's own lawyers sent to him in August 2016, asking him to destroy any data he held that had been collected by GSR, the company set up by Kogan to harvest the profiles... Facebook did not pursue a response when the letter initially went unanswered for weeks because Wylie was travelling, nor did it follow up with forensic checks on his computers or storage, he said. "That to me was the most astonishing thing. They waited two years and did absolutely nothing to check that the data was deleted. All they asked me to do was tick a box on a form and post it back."
Wylie worked with Aleksandr Kogan, the creator of the "thisisyourdigitallife" app, "who has previously unreported links to a Russian university and took Russian grants for research," according to the article. Kogan "had a licence from Facebook to collect profile data, but it was for research purposes only. So when he hoovered up information for the commercial venture, he was violating the company's terms...
"At the time, more than 50 million profiles represented around a third of active North American Facebook users, and nearly a quarter of potential U.S. voters."
Given I closed my Facebook account several years ago, I'm more worried about whether these bad actors managed to access Facebook's shadow profiles - since, unfortunately, most of my family is on Facebook.
For people who are actually on Facebook - including my family - I say "don't pretend to be outraged since you voluntarily decided to hand them all your personal information".
#DeleteChrome
The same way a restaurateur can refuse to serve a customer who previously made a mess of your dining room.
Facebook may be 'facing the public' but it's still a private service and it can decide not to provide service, or do business with anyone it wants pretty much for any reason, at any time. The ToS may be "bullshit", but it's not even necessary... they don't have to wait until you violate the ToS, they can decide they just don't like your face, without any ToS at all.
No, you didn't RTFA.
And they admit they wrote malware, specifically a logic bomb, that downloaded private and confidential information, a clear-cut example of violating the Computer Misuse Act in addition to the Data Protection Act.
If this reaches court before Brexit, Facebook will be liable for at least £5 billion and CA will be crushed into oblivion. Possibly taking Cambridge University with it, if it's shown the university was aware of the activities.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
First, it wasn't. This was stolen by malware in apps through private accounts with non-public access rights. RTFA.
Second, it's in violation of the CMA and DPA of the UK and EU. The EU takes these things seriously.
Third, it violated election laws in the U.S., along with civil service laws. Trump might not care, but the special prosecutor will, as will politicians who are up for re-election.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
*sigh* The quality of Slashdot moderation continues to plummet. I understand FP skimming the headline and claiming something wrong, we all do that occasionally, but if you're a moderator please, please, confirm something is correct before you mod it as "Insightful" or something else implying it's right.
No, setting your Facebook Profile to "Private" does nothing to prevent a third party from accessing your data if you allow that third party to use your account for ID purposes.
Here's what TFA says (and, frankly, they're barely touching the actual ramifications):
Facebook has something called the Graph API. Whenever you allow a "Facebook app" (such as those that let you automatically log into a website when you're logged into Facebook, or those that save your game status by connecting it to your Facebook ID, or those that use your Facebook ID to let you comment on their website (the ones that also allow you to use your Twitter or Google account I mean, not the Facebook comments plugin), and, as in this example, those that let you take "tests" that they then offer to post to your wall), they use the Graph API.
The Graph API gives developers access to a horrific amount of data on a user. And while the process of linking an app to an ID is supposed to include a warning to end users about what the app can access, in practice it is normal for apps to always ask for pretty much everything, which means users, in practice, ignore the warning.
No, setting your profile to private won't help you. And even if it did, so what? You're talking about a massive social engineering attack that Facebook's own practices directly encourage. Facebook pretty much encourages the authors of Candy Gems Saga The Game to ask for all your private information, so by the time the Kremlin Research Institute comes along and posts clickbait polls and surveys and quizzes, Facebook's users have been conditioned into thinking that's OK and normal and it's fine to allow them to do whatever they want.
And before you say "Well, so what, that's their fault for not being vigilant", they're not the only victims when the goal of those abusing Facebook's system is to try to manipulate large numbers of people into voting against their nation's interests.
You are not alone. This is not normal. None of this is normal.
Unless you're a baker that doesn't want to make a cake for gays, and even gives you a reference to other bakers who will happily serve you, right?
Actually the baker in question was perfectly willing to make a cake for gays (the gays who sued had been long time customers). They merely refused to bake a cake celebrating the sexual relationship between the two gays.
The truth is that all men having power ought to be mistrusted. James Madison