Cambridge Analytica Under Fire for Data Harvesting

A company linked to former Breitbart executive chairman Steve Bannon is at the center of an exposé of what is considered the biggest data breach for Facebook. Cambridge Analytica, a data analytics firm which is currently under investigation by the ICO, was revealed to journalists working for the Observer to have used personal information taken without authorization in early 2014 to build a system that could profile individual US voters. It is thought the purpose of this was to target Facebook users with personalized political advertisements.

According to the Observer: “Documents seen [by the Observer], and confirmed by a Facebook statement, showed that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals.” 

Whistleblower Christopher Wylie, who incidentally has had his Facebook account disabled since the revelations this weekend, worked with a Cambridge University academic to obtain the data. He alleges information on Facebook users was collected by Cambridge University professor Dr. Aleksandr Kogan through an app he created in 2014, called “thisisyourdigitallife.” 

The app, which offered users a small sum of money to take a personality test, was downloaded by 270,000 people.

Wylie told the Observer: “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”

Since the exposé, UK Digital, Culture, Media and Sport Committee chairman and MP, Damian Collins, released a statement that said: “It seemed clear that [Nix, CEO of Cambridge Analytica] had deliberately misled the Committee and Parliament by giving false statements.”

Cambridge Analytica has since released its own statement, which said: “Cambridge Analytica fully complies with Facebook’s terms of service and is currently in touch with Facebook following its recent statement that it had suspended the company from its platform, in order to resolve this matter as quickly as possible.

“In 2014, we contracted a company led by a seemingly reputable academic at an internationally-renowned institution to undertake a large-scale research project in the United States. This company, Global Science Research (GSR), was contractually committed by us to only obtain data in accordance with the UK Data Protection Act and to seek the informed consent of each respondent. GSR was also contractually the Data Controller (as per Section 1(1) of the Data Protection Act) for any collected data. GSR obtained Facebook data via an API provided by Facebook.

“When it subsequently became clear that the data had not been obtained by GSR in line with Facebook’s terms of service, Cambridge Analytica deleted all data received from GSR.”

The statement went on to say that “No data from GSR was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign.”

The exposé came after Facebook suspended Cambridge Analytica and SCL Group from its platform. In a statement, the tech giant said: “Protecting people’s information is at the heart of everything we do, and we require the same from people who operate apps on Facebook. In 2015, we learned that a psychology professor at the University of Cambridge named Dr. Aleksandr Kogan lied to us and violated our Platform Policies by passing data from an app that was using Facebook Login to SCL/Cambridge Analytica, a firm that does political, government and military work around the globe. He also passed that data to Christopher Wylie of Eunoia Technologies, Inc.”

Facebook updated this statement on March 17, adding: “The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up for his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”
