Posts

Facebook Cuts Off Cambridge Analytica, Promises Further Investigation

As I noted in my post on Andrew McCabe’s firing, the far more important news of the weekend is that Facebook has suspended Cambridge Analytica’s access to its data.

As Facebook explained, back in 2015, Cambridge researcher Aleksandr Kogan harvested data on millions of Americans by getting them to willingly use his research app. When Facebook found out that he had handed the data off to two downstream companies (this detail is important), it made them delete the data based on developer user agreements.

In 2015, we learned that a psychology professor at the University of Cambridge named Dr. Aleksandr Kogan lied to us and violated our Platform Policies by passing data from an app that was using Facebook Login to SCL/Cambridge Analytica, a firm that does political, government and military work around the globe. He also passed that data to Christopher Wylie of Eunoia Technologies, Inc.

Like all app developers, Kogan requested and gained access to information from people after they chose to download his app. His app, “thisisyourdigitallife,” offered a personality prediction, and billed itself on Facebook as “a research app used by psychologists.” Approximately 270,000 people downloaded the app. In so doing, they gave their consent for Kogan to access information such as the city they set on their profile, or content they had liked, as well as more limited information about friends who had their privacy settings set to allow it.

Although Kogan gained access to this information in a legitimate way and through the proper channels that governed all developers on Facebook at that time, he did not subsequently abide by our rules. By passing information on to a third party, including SCL/Cambridge Analytica and Christopher Wylie of Eunoia Technologies, he violated our platform policies. When we learned of this violation in 2015, we removed his app from Facebook and demanded certifications from Kogan and all parties he had given data to that the information had been destroyed. Cambridge Analytica, Kogan and Wylie all certified to us that they destroyed the data.

They now claim to have new information that CA didn’t delete the data (I have firsthand knowledge that Facebook knew of this at least a year ago, and these pieces argue Facebook knew even earlier).

Several days ago, we received reports that, contrary to the certifications we were given, not all data was deleted. We are moving aggressively to determine the accuracy of these claims. If true, this is another unacceptable violation of trust and the commitments they made. We are suspending SCL/Cambridge Analytica, Wylie and Kogan from Facebook, pending further information.

We are committed to vigorously enforcing our policies to protect people’s information. We will take whatever steps are required to see that this happens. We will take legal action if necessary to hold them responsible and accountable for any unlawful behavior.

What changed is that the guy who operationalized all this data, Christopher Wylie, just came forward publicly. Here’s how Carole Cadwalladr, the Guardian reporter who has owned this story, describes Wylie.

Or, as Wylie describes it, he was the gay Canadian vegan who somehow ended up creating “Steve Bannon’s psychological warfare mindfuck tool”.

In 2014, Steve Bannon – then executive chairman of the “alt-right” news network Breitbart – was Wylie’s boss. And Robert Mercer, the secretive US hedge-fund billionaire and Republican donor, was Cambridge Analytica’s investor. And the idea they bought into was to bring big data and social media to an established military methodology – “information operations” – then turn it on the US electorate.

Wylie describes how he profiled Americans so they could tailor political ads.

[W]hile studying for a PhD in fashion trend forecasting, he came up with a plan to harvest the Facebook profiles of millions of people in the US, and to use their private and personal information to create sophisticated psychological and political profiles. And then target them with political ads designed to work on their particular psychological makeup.

“We ‘broke’ Facebook,” he says.

And he did it on behalf of his new boss, Steve Bannon.

Wylie is going on the record (and providing the records) to back this description of how, contrary to repeated claims made in parliamentary testimony, Alexsandr Kogan harvested data in the guise of doing research.

Kogan then set up GSR to do the work, and proposed to Wylie they use the data to set up an interdisciplinary institute working across the social sciences. “What happened to that idea,” I ask Wylie. “It never happened. I don’t know why. That’s one of the things that upsets me the most.”

It was Bannon’s interest in culture as war that ignited Wylie’s intellectual concept. But it was Robert Mercer’s millions that created a firestorm. Kogan was able to throw money at the hard problem of acquiring personal data: he advertised for people who were willing to be paid to take a personality quiz on Amazon’s Mechanical Turk and Qualtrics. At the end of which Kogan’s app, called thisismydigitallife, gave him permission to access their Facebook profiles. And not just theirs, but their friends’ too. On average, each “seeder” – the people who had taken the personality test, around 320,000 in total – unwittingly gave access to at least 160 other people’s profiles, none of whom would have known or had reason to suspect.

What the email correspondence between Cambridge Analytica employees and Kogan shows is that Kogan had collected millions of profiles in a matter of weeks. But neither Wylie nor anyone else at Cambridge Analytica had checked that it was legal. It certainly wasn’t authorised. Kogan did have permission to pull Facebook data, but for academic purposes only. What’s more, under British data protection laws, it’s illegal for personal data to be sold to a third party without consent.

“Facebook could see it was happening,” says Wylie. “Their security protocols were triggered because Kogan’s apps were pulling this enormous amount of data, but apparently Kogan told them it was for academic use. So they were like, ‘Fine’.” [my emphasis]

Here’s where the violation(s) come in. While participants in Kogan’s harvesting project willingly participated in the project (and in the process made their friends’ Facebook data accessible to Kogan as well), he told Facebook it was for research, and in spite of the fact that the harvesting was done in the UK, he didn’t get consent before he sold the data to CA.

Both Cadwalladr and NYT’s story are calling this a “breach” which in my opinion is counterproductive for a lot of reasons, not least that consumer recourse for “breaches” in the US is virtually nothing — as the recent experience of those exposed in Equifax’ breach has made clear.

Whereas the kinds of TOS violations that Kogan committed in the UK do provide consumers recourse, not just to demand transparency about what happened, but also financial fines. Facebook, in the EU, is similarly exposed (full disclosure: I believe I have a still running challenge in Ireland for my CA-related FB data).

Just as this story was breaking, David Carroll, who has been a key activist on this issue, filed a claim against CA in the UK.

In other words, with Wylie’s testimony, there are sticks to use in Europe to first gain transparency about what happened, and possibly fine the parties. Which is probably why Facebook finally suspended CA’s access to Facebook, without which it is far less dangerous.

There are other aspects of this story: shell companies, a pitch to Lukoil, and questions about the citizenship of those who worked for CA in the 2014 and 2016 elections, potentially raising questions about the involvement of foreign (British) actors in our elections. But here’s the detail in the NYT story I’m most interested in.

While the substance of Mr. Mueller’s interest is a closely guarded secret, documents viewed by The Times indicate that the firm’s British affiliate claims to have worked in Russia and Ukraine.

The Ukrainian side of Paul Manafort’s involvement in the Party of Regions — the American lobbying side of which is what got him charged with conspiracy to defraud the US — pertains to bringing American style politics to Ukraine.

He also directed Yanukovych’s party to harp on a single theme each week—say, the sorry condition of pensioners. These were not the most-sophisticated techniques, but they had never been deployed in Ukraine. Yanukovych was proud of his American turn. After he hired Manafort, he invited U.S. Ambassador John Herbst to his office, placed a binder containing Manafort’s strategy in front of him, and announced, “I’m going with Washington.”

Manafort often justified his work in Ukraine by arguing that he hoped to guide the country toward Europe and the West. But his polling data suggested that Yanukovych should accentuate cultural divisions in the country, playing to the sense of victimization felt by Russian speakers in eastern Ukraine. And sure enough, his clients railed against nato expansion. When a U.S. diplomat discovered a rabidly anti-American speech on the Party of Regions’ website, Manafort told him, “But it isn’t on the English version.”

Yanukovych’s party succeeded in the parliamentary elections beyond all expectations, and the oligarchs who’d funded it came to regard Manafort with immense respect.

There are Americans doing this overseas more and more of late, and Manafort’s efforts for Yanukovych precede the foundation of CA (and Manafort’s involvement in the Trump campaign largely precedes Bannon and Cambridge Analytica’s). But that’s the basis for his relationships in the region.

There’s a lot of implications of the Wylie testimony, assuming law enforcement, parliament, and Congress find his underlying documents as compelling as the journalists have. For starters, this significantly limits what CA (and its intelligence contractor SCL) will be able to do, which neutralizes a powerful tool Bannon and the Mercers have been holding. I believe that both CA and FB are both already at significant legal exposure. I suspect this will finally force FB to get a lot more attentive to what app developers do with FB user data. I’ve been saying for a while that at some point US tech companies may want to harmonize with Europe’s General Data Protection Regulation (GDPR), which starts being enforced in May. Certainly, it would provide a solution to some of the political problems they’re already facing and harmonization would make compliance easier. That would provide even more teeth to prevent this illicit kind of downstream data usage.

But there also may be aspects of this story that expose CA and their clients, including the Trump campaign, to legal concerns that piggy back on any conspiracy with Russia.