The attorney general for the US state of Massachusetts is launching an investigation into alleged harvesting of Facebook profiles by a firm employed by Donald Trump’s election campaign.
Investigations by the Observer and New York Times newspapers claim details from 50 million profiles were gathered without the users’ knowledge.
The company, Cambridge Analytica, was suspended from Facebook on Friday.
Both Facebook and Cambridge Analytica deny any wrongdoing.
The American data analysis firm – which is not associated with the famous British university – is well known for the role it played in President Trump’s election campaign, where it provided intricate data on the thoughts of American voters.
Allegations against it centre on a professor from the University of Cambridge, Aleksandr Kogan, who designed a personality testing Facebook app called thisisyourdigitallife. The app was a private enterprise, and not part of his university work.
The app, created in November 2013 for the Facebook platform, asked users for permission to access their profile information – and also that of their friends’.
It is alleged that Mr Kogan then sold that data on to Cambridge Analytica, in violation of Facebook’s policies.
A whistleblower who worked at Cambridge Analytica spoke to The Guardian, claiming that he worked with Mr Kogan “to harvest millions of people’s profiles.”
“We exploited Facebook… and built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on,” he said.
How did it access so many profiles?
- Mr Kogan’s app requested permission from people taking his personality quiz to access some information from their Facebook profiles.
- About 265,000 people had downloaded the app at the time – and it also asked for permission to request “more limited information” from the user’s friends.
- Facebook says this “is no longer possible” – but at the time, such a request was controlled by the privacy settings of that user’s friends. So if a user had their account set to allow sharing with a friend’s apps, and the friend gave permission to Mr Kogan’s app, it could read some information.
- Facebook’s policies, however, said that this data can only be used for the app’s stated purpose – and cannot be transferred or sold on.
Cambridge Analytica, however, said that once the company learned about how the data provided by Mr Kogan was sourced, it deleted all the relevant records, in December 2015.
It said none of that data was used in the services it provided to Mr Trump’s campaign. It added that it did not use or hold data from Facebook profiles.
But in a statement, Facebook wrote that it had “we received reports that, contrary to the certifications we were given, not all data was deleted”.
A spokesperson for Facebook also said that the data collection was not a hack or a breach.
“People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked,” the company said.
Britain’s Observer newspaper reports that the incident was known about more than two years ago.
But the newspaper said Facebook’s action to ban Cambridge Analytica and its parent group SCL this week happened four days after its reporters contacted the social network for comment about its upcoming story.
On Saturday, as the story emerged in newspapers, the UK Information Commissioner, the country’s main data protection regulator, said it was “investigating the circumstances in which Facebook data may have been illegally acquired and used”.
However, the statement did not mention Mr Kogan, his company, or Cambridge Analytica, instead saying it was part of an “ongoing investigation into the use of data analytics for political purposes”.
Alexander Nix, founder of Cambridge Analytica, was interviewed by a committee of British MPs last month on the firm’s practices.