Last night Facebook announced bans against Cambridge Analytica, its parent company and several individuals for allegedly sharing and keeping data that they had promised to delete. This data reportedly included information siphoned from hundreds of thousands of Amazon Mechanical Turkers who were paid to use a "personality prediction app" that collected data from them and also anyone they were friends with -- about 50 million accounts. That data reportedly turned into information used by the likes of Robert Mercer, Steve Bannon and the Donald Trump campaign for social media messaging and "micro-targeting" individuals based on shared characteristics.
Now, reports by The New York Times and The Guardian reveal what was behind the timing of that Friday night news dump. According to reporters from both outlets, which were collaborating, the social network had downplayed their reporting and even threatened to sue The Guardian, over what they learned from documents and a whistleblower (who Facebook included in its ban list): Christopher Wylie.
Wylie's account largely fills in the gaps from Facebook's statement. While Facebook didn't explain how many users had their data snagged by the "thisisyourdigitallife" app, the reports say it pulled private info from more than 50 million people even though they didn't know about it or consent -- an act that at the time was allowed under Facebook's rules. About 30 million of those (a number previously reported by The Intercept) contained enough information for Cambridge Analytica to match profiles with other data and complete its "psychographic" work -- learning about individuals and trying to target them with personally tailored messages.
That's the bit that causes Wylie to describe his former employer as engaging in something more like psychological warfare than simple "data analysis." Cambridge Analytica maintains that "When it subsequently became clear that the data had not been obtained by GSR in line with Facebook's terms of service, Cambridge Analytica deleted all data received from GSR." It also claims none of the data was used during the 2016 campaign, however, the NYT notes that its CEO previously said the Trump efforts drew on psychographics it had created for the Ted Cruz campaign.
As for Facebook, that company is staunchly pushing the line that this does not represent a "breach" or a "leak". Deputy General Counsel tweeted that "No systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked." In a series of now-deleted tweets, CSO Alex Stamos said the app's creator "lied" to users and Facebook about what he was using the data for, but said his use was consistent with its API at the time, and the way some APIs for contact sharing works on platforms like Android and iOS. Facebook updated last night's release with a new statement:
The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.
That will not be enough to avoid further scrutiny however -- according to The Guardian, the British Information Commissioner's Office and the Electoral Commission are investigating. In the US, Massachusetts attorney general Maura Healey announced her office is opening an investigation, and they probably won't be the only ones.
That's above and beyond the professor suing Cambridge Analytica in the UK to find out the full extent of the data it has acquired. David Carroll's lawsuit was filed yesterday, and a crowdfunding campaign to back the effort has already raised £30,000.
- This article originally appeared on Engadget.