Slashdot Mirror


Former Cambridge Analytica Employee Says Facebook Users Affected Could Be 'Much Greater Than 87 million' (theverge.com)

Cambridge Analytica and its partners used data from previously unknown "Facebook-connected questionnaires" to obtain user data from the social media service, according to testimony from a former Cambridge Analytica employee. From a report: Brittany Kaiser provided evidence to the British Parliament today as part of a hearing on fake news. Kaiser, who worked on the business team at Cambridge Analytica's parent company until January of this year, wrote in a statement that she was "aware in a general sense of a wide range of surveys" used by Cambridge Analytica or its partners, and she said she believes the number of people whose Facebook data may have been compromised is likely higher than the widely reported 87 million.

  1. Still can't figure out ... by WoodstockJeff · · Score: 4, Insightful

    ... how information you GAVE AWAY to unknown people is "compromised", just because it was used by someone you may not have wanted to know it?

    1. Re:Still can't figure out ... by iMadeGhostzilla · · Score: 4, Interesting

      It's in CA's interest to keep fanning this flame as they only profit if people -- and potential clients -- believe CA really helped change history.

    2. Re:Still can't figure out ... by ausekilis · · Score: 2

      The information was freely given to Facebook - not to third parties.

      When you do a pen-test you set boundaries with the client up-front. Things like "just break into the DMZ" or "leave our customer database alone" are part of the contract. If you go in and gather that customer database, then that customer data is compromised (and you are in breach of contract). My understanding is FB only sells anonymous data, so CA gathering real sheeple data is where the "compromise" comes from.

    3. Re:Still can't figure out ... by Xest · · Score: 2

      It's compromised because the data was given to Facebook, therefore the contract exists between the user and Facebook. Some users also gave permission for their data to be given to an app created by Aleksandr Kogan in his capacity as a researcher, but some of the data that Aleksandr Kogan took was from friends of people who gave permission for their data to be given to the app.

      There's two issues here, one is a bit of a grey area, the other is clearly illegal, and hence reasonable to class as a breach.

      The first issue, the one that's a grey area is the fact that Kogan gathered the data as an academic, but then used it commercially - even if this was hidden in a contract upon use of his app, there's a requirement in most European countries to get explicit consent for use of the data for marketing purposes. He didn't do that, he merely sold the data on for (political) marketing purposes without obtaining explicit consent.

      The second issue, that isn't a grey area, and is clearly illegal, is that he harvested data of friends of people who used his app - those people NEVER gave consent for him or his app to gather that data, and this is illegal in all EU countries. There's no clause to allow friends to give consent on your behalf to hand your data away under EU data protection law and there never has been, thus to harvest data not just of the person who signed up to your app, but of their friends as well who didn't sign up, is completely illegal in the EU.

      As Kogan is British, and performed these acts in the EU under British implementation of EU law, he's therefore clearly obtained data illegally, and that is why it's reasonable to call it a breach. He took data he had no legal basis to acquire and then profited from selling it on - that's no different to anyone else taking data they have no legal access to and selling it on like many cyber criminals do for a living.

      Now I'm not absolving Facebook - the fact Facebook made that friend data available in the first place even though there was no legal way for anyone to ever access or consume it in Europe is in itself something that has been known to be in breach of European law for some time, but the argument goes that it's an American company so it's fine to break European law, even at its European subsidiaries operating in Europe with European staff. It's not of course, which is why Facebook is in so much shit now. When you have a presence and staff in a country or jurisdiction, then you have to play by their rules, else you get the fuck out, just as Google did when China tried to make them adhere to Chinese authoritarianism rather than have a search presence in the country.

      I agree the term "compromised" is classically tied to theft of data through technical exploitation of vulnerabilities, but I don't think it has to be. This is the equivalent of someone leaving a top secret file on a bus accidentally only for someone to steal it - no exploit was required, but the top secret data is still compromised in such a scenario, so I think use of the term is reasonable, even if it's not what we're used to.

  2. The question I'm more interested in by damn_registrars · · Score: 4, Insightful

    How many non-users did Cambridge get information on? It's been known for some time - and was admitted in congress recently - that facebook has profiles for non-users as well as actual users. For myself and ... well, I'm told repeatedly that I am the only remaining person alive between the age of 8 and 80 who doesn't have a profile there ... it would be really interesting to know if Cambridge got information on "us" as well.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.

    1. Re:The question I'm more interested in by skids · · Score: 3

      You're not alone. I wonder if we're in better standing to sue the pants off someone.

      (Congratulations, bleating sheep of America. You not only gave a huge social engineering war-chest to the evil corporations you ranted about on FaceBook, but also probably to the Evil Government you ranted about on FaceBook, and most certainly to the Evil Enemies of America you ranted about on FaceBook. I hope you are proud of yourselves.)

    2. Re:The question I'm more interested in by chispito · · Score: 3, Interesting

      How many non-users did Cambridge get information on? It's been known for some time - and was admitted in congress recently - that facebook has profiles for non-users as well as actual users. For myself and ... well, I'm told repeatedly that I am the only remaining person alive between the age of 8 and 80 who doesn't have a profile there ... it would be really interesting to know if Cambridge got information on "us" as well.

      Citation please. Zuckerberg admitted to running analytics on anonymous users--you know, keeping web server logs--NOT to creating "shadow profiles," a term that still makes zero sense. I've read the Gizmodo article and I really think it comes down to somebody who doesn't understand what a relational database is and how trivial it is for FB to suggest contacts based on the loads of info your friends and family have already provided. There is no need to pre-generate anything.

      Simplified example: Friend A and Friend B frequently tagged you in pictures. They also tagged Stranger C. Do you know Stranger C?

      My suspicion is that they will simply stop suggesting contacts, as they should. Unfortunately, this doesn't prevent your friends and families from tagging you all over the place and providing all sorts of details about your life.

      --
      The Daddy casts sleep on the Baby. The Baby resists!

  3. Re:Honest question by Quantum gravity · · Score: 4, Insightful

    This is what Christopher Wylie (the whistleblower in the Facebook–Cambridge Analytica scandal) has to say about it:

    "So whenever you go, and you like something, you are giving me a clue as to who you are as a person. And so all of this can be captured very easily and run through an algorithm that learns who you are. When you go to work - right? - your co-workers only see one side of you. Your friends only see one side of you. But a computer sees all kinds of sides of you. And so we can get better than human level accuracy at predicting your behavior."