Did Cambridge Analytica Harvest 50 Million Facebook Profiles? (theguardian.com) 135
Slashdot reader umafuckit shared this article from The Guardian:
The data analytics firm that worked with Donald Trump's election team and the winning Brexit campaign harvested millions of Facebook profiles of U.S. voters, in one of the tech giant's biggest ever data breaches, and used them to build a powerful software program to predict and influence choices at the ballot box... Christopher Wylie, who worked with a Cambridge University academic to obtain the data, told the Observer: "We exploited Facebook to harvest millions of people's profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on."
Documents seen by the Observer, and confirmed by a Facebook statement, show that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals... On Friday, four days after the Observer sought comment for this story, but more than two years after the data breach was first reported, Facebook announced that it was suspending Cambridge Analytica and Kogan from the platform, pending further information over misuse of data. Separately, Facebook's external lawyers warned the Observer on Friday it was making "false and defamatory" allegations, and reserved Facebook's legal position...
The evidence Wylie supplied to U.K. and U.S. authorities includes a letter from Facebook's own lawyers sent to him in August 2016, asking him to destroy any data he held that had been collected by GSR, the company set up by Kogan to harvest the profiles... Facebook did not pursue a response when the letter initially went unanswered for weeks because Wylie was travelling, nor did it follow up with forensic checks on his computers or storage, he said. "That to me was the most astonishing thing. They waited two years and did absolutely nothing to check that the data was deleted. All they asked me to do was tick a box on a form and post it back."
Wylie worked with Aleksandr Kogan, the creator of the "thisisyourdigitallife" app, "who has previously unreported links to a Russian university and took Russian grants for research," according to the article. Kogan "had a licence from Facebook to collect profile data, but it was for research purposes only. So when he hoovered up information for the commercial venture, he was violating the company's terms...
"At the time, more than 50 million profiles represented around a third of active North American Facebook users, and nearly a quarter of potential U.S. voters."
This is a "Breach"? (Score:1, Insightful)
If your Facebook Profile is set to "Public" then all the "Public" can see it. This is a "breach"? Maybe of the Facebook TOS, but those are meaningless.
Re: (Score:1, Troll)
This is from the original Slashdot article on the subject:
Facebook said late Friday that it had suspended Strategic Communication Laboratories (SCL), along with its political data analytics firm, Cambridge Analytica, for violating its policies around data collection and retention.
I'm really not sure how you can "suspend" someone or some organization from accessing "Public" - i.e. publicly available - data on a public facing website. Again, these TOS things are bullshit - you put it out there free of charge, people can do what they want with it, as long as a real law hasn't been broken.
Re:This is a "Breach"? (Score:5, Interesting)
The same way a restaurateur can refuse to serve a customer who previously made a mess of your dining room.
Facebook may be 'facing the public' but it's still a private service and it can decide not to provide service, or do business with anyone it wants pretty much for any reason, at any time. The ToS may be "bullshit", but it's not even necessary... they don't have to wait until you violate the ToS they can decide they just don't like your face, without any ToS at all.
Re: (Score:1, Insightful)
it's still a private service and it can decide not to provide service, or do business with anyone it wants pretty much for any reason, at any time.*
*Not applicable to bakers.
Re:This is a "Breach"? (Score:4, Insightful)
Re: (Score:1)
So if they just refused to serve all homosexuals and blacks they would be fine? They went wrong by just excluding a specific event. Gotcha! So when I host a Facebook event called "burn the Jew" then they have no legal right to exclude it?
I agree with you on Facebook having the right to exclude anyone they want but the cake incident was just bullshit. The mental gymnastics many leftists have to do to qualify one and not the other is amusing.
Re: (Score:2)
Re: (Score:3)
The ToS may be "bullshit", but it's not even necessary... they don't have to wait until you violate the ToS they can decide they just don't like your face, without any ToS at all.
Er, almost. There are some reasons they don't like your face that may matter ...
Re:This is a "Breach"? (Score:5, Informative)
Unless you're a baker that doesn't want to make a cake for gays, and even gives you a reference to other bakers who will happily serve you, right?
Actually the baker in question was perfectly willing to make a cake for gays (the gays who sued had been long time customers). They merely refused to bake a cake celebrating the sexual relationship between the two gays.
Re: (Score:1)
From the articles I read, the baker said they could buy one of the already made wedding cakes, he wouldn't make them a custom one. Either way it was bullshit all around, he should not have been forced to serve them.
Re: (Score:2)
Apparently somebody thinks they know enough to be able to tell other people how to run their life and modded my comment flamebait.
How progressive of you.
Comment removed (Score:5, Interesting)
Re: (Score:2)
This.
I have preached from the beginning that the only right a Facebook member has is to leave.
Re: This is a "Breach"? (Score:4, Informative)
It includes private data. The app used to take everything.
And, yes, it is a breach. It doesn't matter what you set public, if you operate in the EU (and Cambridge is still in there), you abide by EU Data Protection laws. You are forbidden from collecting personal data without both a license and permission (they had neither) and you are forbidden from reselling it to a nation with weaker data protection laws (the U.S. included).
Every last one of those 50 million can sue Data Analytics. And they should. Even if they're awarded only £100 each, CA will deserve the consequences.
Re: (Score:2)
Re: (Score:2)
When I signed up (I was very late to the game, around 2012) immediately after entering my email, it proposed a list of people "I might like", which coincidentally included all of my friends and family. Not one of the proposed profiles was a stranger. They knew me pretty well beforehand.
Re: (Score:1)
Comment removed (Score:5, Insightful)
I'm more concerned about shadow profiles (Score:5, Insightful)
Given I closed my Facebook account several years ago, I'm more worried about whether these bad actors managed to access Facebook's shadow profiles - since, unfortunately, most of my family is on Facebook.
For people who are actually on Facebook - including my family - I say "don't pretend to be outraged since you voluntarily decided to hand them all your personal information".
Re: (Score:3)
Slashdot commenters want to have it both ways:
- Users are too dumb to know what they are signing up for. #sheeple
- Users knew what they were signing up for, no use crying over it now.
Re: (Score:2)
I'm reminded of the silly disclaimers floating around a few years back (paraphrase): "By way of this post to Facebook, I hereby forbid Facebook to use my personal information and posts for any reason."
Re: I'm more concerned about shadow profiles (Score:5, Interesting)
Cambridge Analytica is in the EU. Different rules. Each profile stolen violates the Data Protection Act and European Human Rights, regardless of where the person was located, because the data was stored in Europe and CA was a European company under European law.
If those 50 million sued, they'd win, because under the DPA your data cannot be transferred from the E.U. to any country with weaker protections.
Furthermore, the U.S. election laws forbid foreign national involvement, violations of the fourth for electioneering and spying on American nationals by US agencies even via third parties.
If this goes to court, the proverbial fan will be crushed under the impact.
Re: (Score:2)
Uh, no, and that would be irrelevant. Only way to find if a profile is American is to harvest it and if you harvest it through malware you are copying personally identifiable information unlawfully.
The DPA doesn't specify origin, anyway. It specifies personally identifiable information. And that's it. This violates the law, however you cut it.
Re: I'm more concerned about shadow profiles (Score:4, Insightful)
Also doesn't matter what the TOS says, EU law trumps the TOS. Just the way it is. And I want to see those folks in total isolation cells in the deepest dungeons that exist. This violates human rights and human dignity. It cannot be tolerated by anyone with an ounce of intellect.
Re: (Score:1)
Re: (Score:3)
Did you feel all clever when you wrote that?
You shouldn't have.
The GDPR hasn't come into effect yet, although everyone is preparing for it (including UK organisations).
Instead, the UK has the Data Protection Act 1998, which was explicitly designed to be compliant with the requirements of EU data protection law at the time. That included, for example, not transferring PII outside the EEA without adequate protection. So the OP is completely wrong, and you are not only wrong, you are wrong while you think you
Re: (Score:1)
I say "don't pretend to be outraged since you voluntarily decided to hand them all your personal information".
Don't be outraged to be raped, it is your fault to wear a short skirt!
Not sure if you are an idiot or an asshole, I think you are both.
Re: I'm more concerned about shadow profiles (Score:2)
Stupid analogy. This is more like willingly participating in a porn shoot, and then being outraged that a specific person got a copy of the video.
Re: (Score:2)
Re: (Score:2)
The "internet" can see what is part of a site.
A lot of different search services traverse the internet.
Re: So what? (Score:2)
Data Protection Act, U.S. election laws, and the stuff that was taken included anything private. This was not simple harvesting of public data, this was hacking of personal accounts via malware in an app.
Do get a sense of perspective.
Re: (Score:2)
Re: So what? (Score:2)
This was not simple harvesting of public data, this was hacking of personal accounts via malware in an app.
Why comment when you're obviously clueless? It was a standard app using the Facebook API. If this was malware then so is every other app on Facebook.
Re: (Score:2)
It's not the information per se, it's the inferences. If people knew what could be *done* with the information, they'd be horrified. As it stands, the reason people give permission is because 99% of folks aren't aware of just how much can be inferred by a group of immoral clever bastards. Same way that people aren't aware of just how much damage can be done by a failure to follow GMP standards for drug manufacture. And here's the point -- they shouldn't have to be aware -- drug manufacturers are obliged to
SubjectIsSubject (Score:2)
So the only thing he did that made Facebook take action was violate their ToS. They're making it seem as if this is some generous act on their part, their tools did exactly what they were meant to do but they're upset he didn't grease their palms first.
Well this is it. Trump's campaign is finished.
Re: (Score:3)
At least they're moving on from 'teh Russians' (Score:1, Troll)
From Russian With Laughter (Score:1)
Whenever you collect that much information about everybody in one place you are going to become a target for intelligence agencies that don't give a damn about your terms of service or laws. Democrats whine about Russia, but they totally underestimated the threat. They mocked Mitt Romney for naming Russia as the biggest threat in the 2012 Presidential Debates. President Obama quipped that the, "1980s are calling to ask for their foreign policy back". Well, who's laughing now? The world is full of nasty and
Re: (Score:3)
This is bang on target. The entire spectrum of political leadership has chosen to look the other way in almost every Western state. They have lost the ability to be hard nosed in their assessments, and specifically have lost the ability to speak politely but non-committally in public while fighting hard behind the scenes. The last thing along those lines was Stuxnet. The West should be doing their best to strategically weaken Putin -- and if this is their best, it's pretty weak.
Re: (Score:3)
Yeah, let's go to war with Iran, Russia, and North Korea! Because they're...doing stuff in the middle east and the Korean peninsula, which is sovereign territory of the United States!
Re: From Russian With Laughter (Score:3)
Yeah, let's go to war with Germany, Italy, and Japan! Because they're...doing stuff in Europe and Asia, which is sovereign territory of the United States!
BS story (Score:2)
There's little evidence that CA did anything better than guessing. These stories just burnish the reputation of a scam company.
Hell, where's the story on Theranos getting pulled out of Walgreen's because they're cutting too much into their profit margin.
Re: BS story (Score:5, Interesting)
No, you didn't RTFA.
And they admit they wrote malware, specifically a logic bomb, that downloaded private and confidential information, a clear-cut example of violating the Computer Misuse Act in addition to the Data Protection Act.
If this reaches court before Brexit, Facebook will be liable for at least £5 billion and CA will be crushed into oblivion. Possibly taking Cambridge University with it, if it's shown the university was aware of the activities.
Re: (Score:2)
I'm talking about this from the summary:
While they may have gathered the data, there's no reason to believe their analysis had any actual value. Like Theranos's blood tests. Or Mrs. Reagan's psychic.
And that should b
Re: (Score:2)
Big Data does have analytic value. I refer you to the Snowden papers.
Re: (Score:2)
Big Data, in the abstract, has value. CA hasn't proven that they can analyze the data and produce the value.
I refer you to the Iced Tea company that added Blockchain to their company name. Blockchain has value. An Iced Tea manufacturer is not likely to deliver that value.
CA claims to be able to do XYZ, but there's no evidence they can... other than pointing to their raw data.
Re: (Score:2)
I can think of a couple of big reasons: unexpected wins for Trump and Brexit.
Sure, it's possible they provided analytics that didn't help. But it's also possible they provided analytics that did help, and given the unexpected nature of the victories, that seems like a good place to start.
Note: by unexpected, I don't mean "no-one thought Trump or Brexit would win". I mean "the consensus view in advance among the majority of pollsters and media and others with some stake in analysing the game was that Trump a
Re: (Score:2)
I can think of two things more hilarious:
1. Your inability to read. I didn't say what my view was. I talked about the consensus view.
2. Your inability to write. Even dunces tend to know how to use a full stop and a comma. But not you, apparently.
Re: (Score:2)
"And built models to exploit we knew about them and target their inner demons!" Sounds so scary. But when Obama did it [theguardian.com] it was all amazing friendship technology!!
Every time an individual volunteers to help out – for instance by offering to host a fundraising party for the president – he or she will be asked to log onto the re-election website with their Facebook credentials. That in turn will engage Facebook Connect, the digital interface that shares a user's personal information with a third party.
Consciously or otherwise, the individual volunteer will be injecting all the information they store publicly on their Facebook page – home location, date of birth, interests and, crucially, network of friends – directly into the central Obama database.
"If you log in with Facebook, now the campaign has connected you with all your relationships," a digital campaign organiser who has worked on behalf of Obama says.
Re: They are the home of MIT and Harvard... (Score:2)
I'm pretty sure MIT isn't in England. Could be wrong.
Re: (Score:2)
Me too, Time's Up, Brexit, kids being political leaders... It's a brave new world out there. I'd double check things like that if I were you.
Pretty sure my FB account is safe (Score:2)
Re: (Score:2)
If anyone you know posts your name or photo you have a facebook profile. If that person is affected you are very likely to be affected.
The data will be minimal, but it isn't zero.
They optimize for customer acquisition so you will see lots of eerie friend suggestions every time you log on. They are guessing a bit, but they also have a vague idea about you from data you didn't submit.
Re: Data breach? (Score:5, Informative)
First, it wasn't. This was stolen by malware in apps through private accounts with non-public access rights. RTFA.
Second, it's in violation of the CMA and DPA of the UK and EU. The EU takes these things seriously.
Third, it violated election laws in the U.S., along with civil service laws. Trump might not care, but the special prosecutor will, as will politicians who are up for re-election.
Re: (Score:3)
Re: (Score:2)
I don't give a shit who else is involved, no criminal act justifies or excuses another. And no amount of crap by those who do not understand that the world isn't serial ticker tape can change that. I want all those who committed crimes in the election in solitary confinement in a SuperMAX or equivalent and I don't give a shit about their nationality or rank.
Re: (Score:2)
Russia runs right through this story, both explicitly (Kogan's funding) and implicitly (bankrolling other buyers).
Re: (Score:3)
Re: (Score:2)
EU data protection law doesn't apply to the UK. http://www.computerweekly.com/... [computerweekly.com]
The EU law isn't in force yet, but:
Despite the UK government having triggered Article 50 of the Lisbon Treaty, and being in negotiations regarding leaving the EU, the UK will still be classed as a Member State when the GDPR compliance deadline is reached on 25 May 2018.
Re: (Score:2)
Re: (Score:2)
I'd Guess They are Unhackable (Score:2)
I guess there is nothing anyone can do.
(scuffs feet)
Tired of slanted-ass 'antiTrump' virtue posturing (Score:1)
Q: "Did Cambridge Analytica Harvest 50 Million Facebook Profiles?"
A: TFA money quote: "hundreds of thousands of users were paid to take a personality test and agreed to have their data collected for academic use"
which implies that friend lists of 'hundreds of thousands' of participating (paid) users were used to issue an automated flurry of direct access to related profiles by user ID [facebook.com]... and the rabbit hole went as deep as default 'public' profiles would permit. Like sheeple-product publicly declaring thei
Opinion polling 2.0? (Score:2)
So, what's the problem? Finding out what issues are important to people and focusing on them in a campaign is kinda fundamental to the whole process, no? It was okay in the '90s when Bill used "triangulation" (the same thing without Facebook) to target messaging.
Re: (Score:1)
Facebook is taking sides and is not apolitical.
Golly. That's a shocker.
But still, it's good to see additional evidence. It takes more evidence to convince some people than others. If they get there later, at least they get there.
For some people on some issues, no amount of evidence is enough.
Re: Like it matters.... (Score:1)
Re: Like it matters.... (Score:2, Interesting)
No, Republicans only try to believe that.
Regardless, data theft is a criminal enterprise, conspiracy to defraud is a criminal enterprise, violation of US election laws by involving foreign nationals is a criminal enterprise, government agencies conspiring to defraud the electorate is - essentially - treason, and Cambridge Analytica violated EU data protection laws on top of all that.
Fine, arrest everyone who is guilty of such a crime, throw the lot in a SuperMAX and never let them see the light of day again
Re: (Score:1)
Except it's not data theft. Potentially breaking the rules /terms of service, but not theft. Facebook gave them the API to get the info, just like many other organizations (liberal/socialist ones too).
p.s. F EU data protection laws.
"take the criminals off the streets - every last one of them"
cool - each and every illegal immigrant, adult, child, illegal parents of legal children...yup, get them all off the streets too. Don't forget George Soros, The whole Clinton family, Bernie, and 99% of every politici
Re: (Score:3, Informative)
Oh, wow... Would hiring a British spy [nytimes.com], who then engaged his contacts among Russians [npr.org], qualify?
There is no crime described in TFA... At the most, there is a violation of Facebook's TOS...
Re: (Score:2)
Re: (Score:2)
> Conspiring with the Russians to overthrow the government
> of the USA (hacking the election) appears to meet the
> narrow legal definition of Treason, under American law.
Wrong wrong wrong. Please RTFC (C == Constitution) https://www.law.cornell.edu/co... [cornell.edu] Article 3; section 3
> Treason against the United States, shall consist only in levying war against
> them, or in adhering to their enemies, giving them aid and comfort.
The US is not at war with Russia. Even at the height of the "Cold War", the
Re: (Score:2)
No, because - for some peculiar reason - election laws only apply to elections. I know, it's odd, but there you go. The law is what it is and they're obliged to obey it. If you do the crime, you bloody well ought to do the time. Or is law and order only a concern when it's the other side?
Re: (Score:2)
Please, cite the law — the article and the verse — you allege has been violated. I'll wait.
The de facto law is that the party with the highest dudgeon always wins and it's rarely violated.
Re: (Score:3)
Scraping Facebook for metadata is treason? No wonder Hillary and her loonies lost the election.
Re: Like it matters.... (Score:1)
Re: What's the problem? (Score:2)
In the EU, that doesn't matter. Data protection act.