
Did Cambridge Analytica Harvest 50 Million Facebook Profiles? (theguardian.com) 135

Slashdot reader umafuckit shared this article from The Guardian: The data analytics firm that worked with Donald Trump's election team and the winning Brexit campaign harvested millions of Facebook profiles of U.S. voters, in one of the tech giant's biggest ever data breaches, and used them to build a powerful software program to predict and influence choices at the ballot box... Christopher Wylie, who worked with a Cambridge University academic to obtain the data, told the Observer: "We exploited Facebook to harvest millions of people's profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on."

Documents seen by the Observer, and confirmed by a Facebook statement, show that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals... On Friday, four days after the Observer sought comment for this story, but more than two years after the data breach was first reported, Facebook announced that it was suspending Cambridge Analytica and Kogan from the platform, pending further information over misuse of data. Separately, Facebook's external lawyers warned the Observer on Friday it was making "false and defamatory" allegations, and reserved Facebook's legal position...

The evidence Wylie supplied to U.K. and U.S. authorities includes a letter from Facebook's own lawyers sent to him in August 2016, asking him to destroy any data he held that had been collected by GSR, the company set up by Kogan to harvest the profiles... Facebook did not pursue a response when the letter initially went unanswered for weeks because Wylie was travelling, nor did it follow up with forensic checks on his computers or storage, he said. "That to me was the most astonishing thing. They waited two years and did absolutely nothing to check that the data was deleted. All they asked me to do was tick a box on a form and post it back."

Wylie worked with Aleksandr Kogan, the creator of the "thisisyourdigitallife" app, "who has previously unreported links to a Russian university and took Russian grants for research," according to the article. Kogan "had a licence from Facebook to collect profile data, but it was for research purposes only. So when he hoovered up information for the commercial venture, he was violating the company's terms...

"At the time, more than 50 million profiles represented around a third of active North American Facebook users, and nearly a quarter of potential U.S. voters."
  • If your Facebook Profile is set to "Public" then all the "Public" can see it. This is a "breach"? Maybe of the Facebook TOS, but those are meaningless.

    • Re: (Score:1, Troll)

      by Frosty Piss ( 770223 ) *

      This is from the original Slashdot article on the subject:

      Facebook said late Friday that it had suspended Strategic Communication Laboratories (SCL), along with its political data analytics firm, Cambridge Analytica, for violating its policies around data collection and retention.

      I'm really not sure how you can "suspend" someone or some organization from accessing "Public" - i.e. publicly available - data on a public facing website. Again, these TOS things are bullshit - you put it out there free of charge, people can do what they want with it, as long as a real law hasn't been broken.

      • by vux984 ( 928602 ) on Saturday March 17, 2018 @07:29PM (#56277241)

        The same way a restaurateur can refuse to serve a customer who previously made a mess of your dining room.

        Facebook may be 'facing the public' but it's still a private service and it can decide not to provide service, or do business with anyone it wants pretty much for any reason, at any time. The ToS may be "bullshit", but it's not even necessary... they don't have to wait until you violate the ToS they can decide they just don't like your face, without any ToS at all.

        • Re: (Score:1, Insightful)

          by Anonymous Coward

          its still a private service and it can decide not to provide service, or do business with anyone it wants pretty much for any reason, at any time.*

          *Not applicable to bakers.

        • The ToS maybe "bullshit", but its not even necessary... they don't have to wait until you violate the ToS they can decide they just don't like your face, without any ToS at all.

          Er, almost. There are some reasons they don't like your face that may matter ...

    • by reelyanoob ( 2329548 ) on Saturday March 17, 2018 @07:32PM (#56277255)
      This is where that quiz that forces you to read the article would help. It's stated in the summary that Kogan had special access to private profile information for research purposes, but then data-mined it for commercial gain.
    • This.

      I have preached from the beginning that the only right a Facebook member has is to leave.

    • by jd ( 1658 ) <imipak AT yahoo DOT com> on Saturday March 17, 2018 @08:49PM (#56277577) Homepage Journal

      It includes private data. The app used to take everything.

      And, yes, it is a breach. It doesn't matter what you set public, if you operate in the EU (and Cambridge is still in there), you abide by EU Data Protection laws. You are forbidden from collecting personal data without both a license and permission (they had neither) and you are forbidden from reselling it to a nation with weaker data protection laws (the U.S. included).

      Every last one of those 50 million can sue Data Analytics. And they should. Even if they're awarded only £100 each, CA will deserve the consequences.

      • by pnutjam ( 523990 )
        I wonder if any "shadow" profiles were included. I don't do facebook, but I'm pretty sure facebook still does me.
    • by dgg ( 198270 )
      It was a breach because Facebook knew that the data was illegally given to another third party and didn't inform the affected users
    • by squiggleslash ( 241428 ) on Saturday March 17, 2018 @10:10PM (#56277843) Homepage Journal

      *sigh* The quality of Slashdot moderation continues to plummet. I understand FP skimming the headline and claiming something wrong, we all do that occasionally, but if you're a moderator please, please, confirm something is correct before you mod it as "Insightful" or something else implying it's right.

      No, setting your Facebook Profile to "Private" does nothing to prevent a third party from accessing your data if you allow that third party to use your account for ID purposes.

      Here's what TFA says (and, frankly, they're barely touching the actual ramifications):

      However, the app also collected the information of the test-takers' Facebook friends, leading to the accumulation of a data pool tens of millions-strong. Facebook's "platform policy" allowed only collection of friends' data to improve user experience in the app and barred it being sold on or used for advertising. The discovery of the unprecedented data harvesting, and the use to which it was put, raises urgent new questions about Facebook's role in targeting voters in the US presidential election. It comes only weeks after indictments of 13 Russians by the special counsel Robert Mueller which stated they had used the platform to perpetrate "information warfare" against the US.

      Facebook has something called the Graph API [facebook.com]. Whenever you allow a "Facebook app" (such as those that let you automatically log into a website when you're logged into Facebook, or those that save your game status by connecting it to your Facebook ID, or those that use your Facebook ID to let you comment on their website (the ones that also allow you to use your Twitter or Google account I mean, not the Facebook comments plugin), and, as in this example, those that let you take "tests" that they then offer to post to your wall), they use the Graph API.

      The Graph API gives developers access to a horrific amount of data on a user. And while the process of linking an app to an ID is supposed to include a warning to end users about what the app can access, in practice it is normal for apps to always ask for pretty much everything, which means users, in practice, ignore the warning.

      No, setting your profile to private won't help you. And even if it did, so what? You're talking about a massive social engineering attack that Facebook's own practices directly encourage. Facebook pretty much encourages the authors of Candy Gems Saga The Game to ask for all your private information, so by the time the Kremlin Research Institute comes along and posts clickbait polls and surveys and quizzes, Facebook's users have been conditioned into thinking that's OK and normal and it's fine to allow them to do whatever they want.

      And before you say "Well, so what, that's their fault for not being vigilant", they're not the only victims when the goal of those abusing Facebook's system is to try to manipulate large numbers of people into voting against their nation's interests.
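
A small model of the consent gap described in the comment above, added here as an illustration; it is not part of the original post and is not Facebook's code. It audits which users an app can reach through friend-scoped grants versus who actually approved the app, and which requested scopes exceed the app's stated need. The user names, app names and scope labels (`self.*`, `friends.*`) are constructed for this sketch and are not real Graph API permission strings.

```python
# Constructed sample data. Scope names ("self.*", "friends.*") are hypothetical
# labels for this sketch, not real Graph API permission strings.
FRIENDS = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "erin"},
    "carol": {"alice"},
    "dave": {"alice", "frank"},
    "erin": {"bob"},
    "frank": {"dave"},
}
# (user, app, scopes that user approved on the consent dialog)
GRANTS = [
    ("alice", "quiz_app",
     {"self.profile", "self.likes", "friends.profile", "friends.likes"}),
    ("erin", "quiz_app", {"self.profile"}),
    ("bob", "game_app", {"self.profile"}),
]
# What each app's stated function actually needs (assumed for the audit).
APP_NEEDS = {"quiz_app": {"self.profile"}, "game_app": {"self.profile"}}


def requested_scopes(app, grants=GRANTS):
    """Union of every scope any user approved for this app."""
    return set().union(*(scopes for _, a, scopes in grants if a == app))


def excess_scopes(app, grants=GRANTS, needs=APP_NEEDS):
    """Scopes the app obtained beyond what its stated function needs."""
    return requested_scopes(app, grants) - needs.get(app, set())


def exposure(app, grants=GRANTS, friends=FRIENDS, honor_friend_scopes=True):
    """Return (consenting, exposed); exposed users never approved the app."""
    consenting = {user for user, a, _ in grants if a == app}
    reachable = set(consenting)
    if honor_friend_scopes:
        # One user's approval of a friends.* scope pulls in all their friends.
        for user, a, scopes in grants:
            if a == app and any(s.startswith("friends.") for s in scopes):
                reachable |= friends.get(user, set())
    return consenting, reachable - consenting


def audit(app):
    """Compare the friend-scope policy with one that refuses friends.* grants."""
    consenting, exposed = exposure(app)
    _, exposed_strict = exposure(app, honor_friend_scopes=False)
    return {
        "app": app,
        "excess_scopes": sorted(excess_scopes(app)),
        "consenting": len(consenting),
        "exposed_without_consent": sorted(exposed),
        "exposed_if_friend_scopes_refused": sorted(exposed_strict),
    }


if __name__ == "__main__":
    for app in APP_NEEDS:
        print(audit(app))
```
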

  • by 93 Escort Wagon ( 326346 ) on Saturday March 17, 2018 @06:54PM (#56277109)

    Given I closed my Facebook account several years ago, I'm more worried about whether these bad actors managed to access Facebook's shadow profiles - since, unfortunately, most of my family is on Facebook.

    For people who are actually on Facebook - including my family - I say "don't pretend to be outraged since you voluntarily decided to hand them all your personal information".

    • Victim blaming 2.0..

      Slashdot commenters want to have it both ways:
      - Users are too dumb to know what they are signing up for. #sheeple
      - Users knew what they were signing up for, no use crying over it now.
    • I'm reminded of the silly disclaimers floating around a few years back (paraphrase): "By way of this post to Facebook, I hereby forbid Facebook to use my personal information and posts for any reason."

    • by jd ( 1658 ) <imipak AT yahoo DOT com> on Saturday March 17, 2018 @08:57PM (#56277619) Homepage Journal

      Cambridge Analystics is in the EU. Different rules. Each profile stolen violates the Data Protection Act and European Human Rights, regardless of where the person was located, because the data was stored in Europe and CA was a European company under European law.

      If those 50 million sued, they'd win, because under the DPA your data cannot be transferred from the E.U. to any country with weaker protections.

      Furthermore, the U.S. election laws forbid foreign national involvement, violations of the fourth for electioneering and spying on American nationals by US agencies even via third parties.

      If this goes to court, the proverbial fan will be crushed under the impact.

      • by bongey ( 974911 )
        Nope, the EU data protection laws do not apply to the UK, especially since they voted to leave the EU. Note they are trying to bring the UK laws in line to the EU laws but they are not the same http://www.computerweekly.com/... [computerweekly.com] .
        • by shilly ( 142940 )

          Did you feel all clever when you wrote that?

          You shouldn't have.

          The GDPR hasn't come into effect yet, although everyone is preparing for it (including UK organisations).

          Instead, the UK has the Data Protection Act 1998, which was explicitly designed to be compliant with the requirements of EU data protection law at the time. That included, for example, not transferring PII outside the EEA without adequate protection. So the OP is completely wrong, and you are not only wrong, you are wrong while you think you

    • I say "don't pretend to be outraged since you voluntarily decided to hand them all your personal information".
      Don't be outraged to be raped, it is your fault to wear a short skirt!

      Not sure if you are an idiot or an asshole, I think you are both.

  • "had a licence from Facebook to collect profile data, but it was for research purposes only. So when he hoovered up information for the commercial venture, he was violating the company's terms..."

    So the only thing he did that made Facebook take action was violate their ToS. They're making it seem as if this is some generous act on their part, their tools did exactly what they were meant to do but they're upset he didn't grease their palms first.

    Well this is it. Trump's campaign is finished.

    Zuck: Yeah s

  • Glad to see the media is inadvertently starting to contradict their theory that the Russians 'hacked' the election for Trump in their never ending quest to not accept blame for their defeat. Keep doing what you're doing guys. Do the exact same thing you did last election. That's right you did nothing wrong at all.
  • by Anonymous Coward

    Whenever you collect that much information about everybody in one place you are going to become a target for intelligence agencies that don't give a damn about your terms of service or laws. Democrats whine about Russia, but they totally underestimated the threat. They mocked Mitt Romney for naming Russia as the biggest threat in the 2012 Presidential Debates. President Obama quipped that the, "1980s are calling to ask for their foreign policy back". Well, who's laughing now? The world is full of nasty and

    • by shilly ( 142940 )

      This is bang on target. The entire spectrum of political leadership has chosen to look the other way in almost every Western state. They have lost the ability to be hard nosed in their assessments, and specifically have lost the ability to speak politely but non-committally in public while fighting hard behind the scenes. The last thing along those lines was Stuxnet. The West should be doing their best to strategically weaken Putin -- and if this is their best, it's pretty weak.

    • Yeah, let's go to war with Iran, Russia, and North Korea! Because they're...doing stuff in the middle east and the Korean peninsula, which is sovereign territory of the United States!

  • There's little evidence that CA did anything better than guessing. These stories just burnish the reputation of a scam company.

    Hell, where's the story on Theranos getting pulled out of Walgreen's because they're cutting too much into their profit margin.

    • Re: BS story (Score:5, Interesting)

      by jd ( 1658 ) <imipak AT yahoo DOT com> on Saturday March 17, 2018 @09:03PM (#56277651) Homepage Journal

      No, you didn't RTFA.

      And they admit they wrote malware, specifically a logic bomb, that downloaded private and confidential information, a clear-cut example of violating the Computer Misuse Act in addition to the Data Protection Act.

      If this reaches court before Brexit, Facebook will be liable for at least £5 billion and CA will be crushed into oblivion. Possibly taking Cambridge University with it, if it's shown the university was aware of the activities.

      • I'm talking about this from the summary:

        used them to build a powerful software program to predict and influence choices at the ballot box..exploited Facebook to harvest millions of people's profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.

        While they may have gathered the data, there's no reason to believe their analysis had any actual value. Like Theranos's blood tests. Or Mrs. Reagan's psychic.

        And that should b

        • by jd ( 1658 )

          Big Data does have analytic value. I refer you to the Snowden papers.

          • Big Data, in the abstract, has value. CA hasn't proven that they can analyze the data and produce the value.

            I refer you to the Iced Tea company that added Blockchain to their company name. Blockchain has value. An Iced Tea manufacturer is not likely to deliver that value.

            CA claims to be able to do XYZ, but there's no evidence they can... other than pointing to their raw data.

        • by shilly ( 142940 )

          I can think of a couple of big reasons: unexpected wins for Trump and Brexit.

          Sure, it's possible they provided analytics that didn't help. But it's also possible they provided analytics that did help, and given the unexpected nature of the victories, that seems like a good place to start.

          Note: by unexpected, I don't mean "no-one thought Trump or Brexit would win". I mean "the consensus view in advance among the majority of pollsters and media and others with some stake in analysing the game was that Trump a

        • "And built models to exploit we knew about them and target their inner demons!" Sounds so scary. But when Obama did it [theguardian.com] it was all amazing friendship technology!!

          Every time an individual volunteers to help out – for instance by offering to host a fundraising party for the president – he or she will be asked to log onto the re-election website with their Facebook credentials. That in turn will engage Facebook Connect, the digital interface that shares a user's personal information with a third party.

          Consciously or otherwise, the individual volunteer will be injecting all the information they store publicly on their Facebook page – home location, date of birth, interests and, crucially, network of friends – directly into the central Obama database.

          "If you log in with Facebook, now the campaign has connected you with all your relationships," a digital campaign organiser who has worked on behalf of Obama says.

  • considering I don't have a FB account and never will.
    • If anyone you know posts your name or photo you have a facebook profile. If that person is affected you are very likely to be affected.

      The data will be minimal, but it isn't zero.

      They optimize for customer acquisition so you will see lots of eerie friend suggestions every time you log on. They are guessing a bit, but they also have a vague idea about you from data you didn't submit.

  • (Shrugs shoulders)
    I guess there is nothing anyone can do.
    (scuffs feet)
  • Q: "Did Cambridge Analytica Harvest 50 Million Facebook Profiles?"
    A: TFA money quote: "hundreds of thousands of users were paid to take a personality test and agreed to have their data collected for academic use"

    which implies that friend lists of 'hundreds of thousands' of participating (paid) users were used to issue an automated flurry of direct access to related profiles by user ID [facebook.com]... and the rabbit hole went as deep as default 'public' profiles would permit. Like sheeple-product publicly declaring thei

  • Is it really that different? They're just skipping the step of sending out questionnaires or making thousands of calls.

    So, what's the problem? Finding out what issues are important to people and focusing on them in a campaign is kinda fundamental to the whole process, no? It was okay in the '90's when Bill used "triangulation" (the same thing without Facebook) to target messaging.
