In early 2018, it was revealed that the data analytics firm Cambridge Analytica had improperly obtained data on 87 million Facebook users. This led to a major scandal for Facebook and raised serious concerns about privacy and data protection. So how exactly did this massive data breach happen?
What data was compromised in the Facebook breach?
The data that was compromised in the Facebook-Cambridge Analytica breach included:
- Names
- Email addresses
- Phone numbers
- Locations
- Likes and interests
- Birthdates
- News feed posts
- Photos
This gave Cambridge Analytica extensive profiles on millions of Facebook users, which could be used for political ad targeting and other purposes.
How did Cambridge Analytica obtain the data?
In 2014, Cambridge academic Aleksandr Kogan created a Facebook personality quiz app called “This Is Your Digital Life.” The app collected data not just on the roughly 270,000 people who took the quiz, but also on their Facebook friends.
Facebook’s API settings at the time allowed apps to collect data on an app user’s friends, unless those friends had privacy settings restricting such collection. So Kogan was able to gain access to tens of millions of friend profiles, providing data on around 87 million users to Cambridge Analytica.
Why did Kogan collect the data?
Kogan collected and shared the data as part of a commercial arrangement with Cambridge Analytica. The company paid Kogan’s company Global Science Research to provide data that could be used to build psychological profiles on voters.
Cambridge Analytica was working for political campaigns, including Ted Cruz’s 2016 presidential run and Donald Trump’s 2016 campaign. The promise of microtargeting voters based on their Facebook data proved appealing.
How was the data used?
Cambridge Analytica used the Facebook data it obtained to build profiles of voters that were then used for political ad targeting purposes. This enabled campaigns to craft tailored ads and messaging based on people’s personalities and preferences.
The psychological profiling work of Cambridge Academic was led by psychologist Michal Kosinski. By analyzing “likes” and survey responses, the company developed models to predict personality traits including openness, neuroticism, extroversion and political partisanship.
Did Cambridge Analytica actually change voter behavior?
Whether Cambridge Analytica’s tactics made a decisive difference in any elections remains debated. Some analysts believe the company was not nearly as effective as it claimed to be. Still, the controversy raised valid concerns over the use of personal data to target and manipulate voters based on psychological profiles.
How was the breach discovered?
In early 2018, Cambridge Analytica whistleblower Christopher Wylie came forward to reveal how the company had improperly obtained and used Facebook user data. This kicked off a wave of public concern over data privacy and prompted new investigations into what had happened.
Soon after, The Guardian and The New York Times broke major stories about the misuse of Facebook data by Cambridge Analytica. This coverage sparked outrage and led Facebook to launch an audit of apps that had access to large amounts of friend data at that time.
What was Facebook’s role and response?
Facebook faced intense criticism over the Cambridge Analytica data breach, including:
- Allowing apps to gather data on users’ friends without their consent
- Not better monitoring how third-party developers were using friend data accessed through its API
- A lack of transparency around data sharing practices, particularly around apps
In response to the scandal, Facebook announced changes to strengthen its policies, restrict data access, and conduct audits of apps. However, many felt the company did not properly address concerns over its data privacy practices.
How was Cambridge Analytica connected to Facebook?
Beyond the data-sharing connections through Kogan’s app, Cambridge Analytica also had links to Facebook in other ways:
- It was funded in part by conservative billionaire Robert Mercer, a key early Facebook investor and board member
- The company had a contract to provide advertising targeting services for Facebook around the 2016 election
- Cambridge Analytica’s CEO Alexander Nix had reached out to Facebook for help commercializing its data tools
So while Cambridge Analytica acted unethically, some argued Facebook had an ethical responsibility based on its existing relationships with the parties involved.
What was the impact on public perception?
The scandal revealed a troubling loss of control over personal data by Facebook users. Key impacts included:
- Loss of public trust in Facebook to protect privacy
- Increased scrutiny of Facebook’s data practices more broadly
- Momentum behind data privacy reforms like GDPR in Europe
- Rising awareness of vulnerabilities created by extensive personal data collection
The episode catalyzed a privacy movement seeking to give users more control over their data and limit unchecked collection by companies like Facebook.
What legal consequences did Facebook face?
Facebook faced several major legal actions related to the Cambridge Analytica breach:
- A $5 billion FTC fine for privacy violations
- Investigations by state attorneys general, FCC, SEC, and others
- Lawsuits by users and shareholders
The FTC fine was the largest privacy penalty ever imposed by the US government at the time. Facebook also faced restrictions and oversight provisions as part of the FTC settlement.
What happened to Cambridge Analytica?
The data scandal brought increased public scrutiny and legal inquiries into Cambridge Analytica. It ultimately led to the company shutting down in 2018, including:
- Declared bankruptcy and began insolvency proceedings
- Faced questions from UK, US prosecutors over its data practices
- Lost clients and saw business dry up
- Facilities raided by UK information commissioner’s office
The senior executives of Cambridge Analytica denied wrongdoing, though employee whistleblowers contested those claims. The company failed to recover from the reputational damage.
How was user data impacted?
| Category | Impact |
|---|---|
| Compromised accounts | Up to 87 million |
| Data exposed per user | Name, email, location, interests, personality traits, relationships, likes, etc. |
| Value per user record | $5-15 estimated based on past breaches |
| Total potential value | $435 million – $1.3 billion |
Despite no financial theft, the highly sensitive personality data on millions of people gave Cambridge Analytica significant power to target and influence users.
Was the breach containable?
Once Cambridge Analytica obtained the data in 2014-2015, Facebook had limited ability to contain the breach. They could:
- Press Cambridge Analytica to delete the data
- Turn off API friend data access for apps
- Threaten legal action
But Facebook had no technical means to force data deletion or block further analysis and use. The FTC later alleged Facebook was deceptive in claiming the breach was contained.
Could a blockchain model have prevented it?
Blockchain’s decentralized approach offers greater transparency around data sharing and makes it harder for one entity to access excessive data:
- User consent required for each transaction
- All parties can view when data is accessed
- Data not stored centrally, reducing concentrated stores of data
So while not necessarily foolproof, blockchain does offer data protection advantages over traditional centralized data stores.
Conclusion
The Facebook-Cambridge Analytica data scandal marked an enormous breach of trust that woke up society to the vast amounts of personal data companies like Facebook were amassing. It highlighted the unchecked power and lack of oversight that technology giants had when it came to collecting and using people’s data. Outrage over the controversy launched calls for new global data privacy regulations and sparked a renewed debate over online privacy that continues today.