A decade of apparent indifference for data privacy at Facebook has culminated in revelations that organizations harvested user information for targeted advertizement, particularly political ad, to apparent success. While the most well-known offender is Cambridge Analytica–the political consulting and strategic communication business firm behind the pro-Brexit Leave EU campaign, as well as Donald Trump's 2016 presidential campaign–other companies accept likely used similar tactics to collect personal data of Facebook users.

TechRepublic's cheat sheet about the Facebook information privacy scandal covers the ongoing controversy surrounding the illicit utilize of profile information. This article will exist updated as more information near this developing story comes to the forefront. It is also available as a download, Cheat sail: Facebook Information Privacy Scandal (free PDF).

Run across: Navigating data privacy (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

What is the Facebook data privacy scandal?

The Facebook data privacy scandal centers around the drove of personally identifiable data of "upwardly to 87 million people" by the political consulting and strategic advice firm Cambridge Analytica. That company–and others–were able to gain access to personal data of Facebook users due to the confluence of a diverseness of factors, broadly including inadequate safeguards against companies engaging in information harvesting, lilliputian to no oversight of developers by Facebook, developer abuse of the Facebook API, and users agreeing to overly broad terms and conditions.

Come across: Information security policy (TechRepublic Premium)

In the example of Cambridge Analytica, the company was able to harvest personally identifiable information through a personality quiz app called thisisyourdigitiallife, based on the Ocean personality model. Information gathered via this app is useful in edifice a "psychographic" contour of users (the Bounding main acronym stands for openness, conscientiousness, extraversion, agreeableness, and neuroticism). Adding the app to your Facebook account to take the quiz gives the creator of the app access to contour information and user history for the user taking the quiz, also as all of the friends that user has on Facebook. This data includes all of the items that users and their friends have liked on Facebook.

Researchers associated with Cambridge University claimed in a paper that information technology "tin can be used to automatically and accurately predict a range of highly sensitive personal attributes including: sexual orientation, ethnicity, religious and political views, personality traits, intelligence, happiness, utilise of addictive substances, parental separation, age, and gender," with a model developed by the researchers that uses a combination of dimensionality reduction and logistic/linear regression to infer this information about users.

The model–co-ordinate to the researchers–is effective due to the relationship of likes to a given aspect. However, well-nigh likes are not explicitly indicative of their attributes. The researchers notation that "less than 5% of users labeled equally gay were connected with explicitly gay groups," but that liking "Juicy Couture" and "Adam Lambert" are likes indicative of gay men, while "WWE" and "Being Confused Later on Waking Up From Naps" are likes indicative of directly men. Other such connections are peculiarly lateral, with "curly chips" beingness an indicator of high IQ, "sour processed" being an indicator of not smoking, and "Factor Wilder" being an indicator that the user's parents had not separated by age 21.

Come across: Can Russian hackers be stopped? Here's why information technology might accept 20 years (TechRepublic cover story) | download the PDF version

Boosted resources

  • How a Facebook app scraped millions of people's personal information (CBS News)
  • Facebook reportedly thinks there's no 'expectation of privacy' on social media (CNET)
  • Cambridge Analytica: 'We know what you want before you lot want information technology' (TechRepublic)
  • Boilerplate US citizen had personal data stolen at to the lowest degree 4 times in 2019 (TechRepublic)
  • Facebook: We'll pay you to track down apps that misuse your information (ZDNet)

  • Virtually consumers do non trust big tech with their privacy (TechRepublic)

  • Facebook asks permission to apply personal information in Brazil (ZDNet)

What is the timeline of the Facebook information privacy scandal?

Facebook has more a decade-long runway tape of incidents highlighting inadequate and bereft measures to protect data privacy. While the severity of these individual cases varies, the sequence of repeated failures paints a larger picture of systemic issues.

SEE: All TechRepublic cheat sheets and smart person's guides

In 2005, researchers at MIT created a script that downloaded publicly posted information of more 70,000 users from iv schools. (Facebook only began to allow search engines to crawl profiles in September 2007.)

In 2007, activities that users engaged in on other websites was automatically added to Facebook user profiles as office of Beacon, one of Facebook's first attempts to monetize user profiles. As an example, Beacon indicated on the Facebook News Feed the titles of videos that users rented from Blockbuster Video, which was a violation of the Video Privacy Protection Act. A form activeness suit was filed, for which Facebook paid $nine.5 million to a fund for privacy and security equally function of a settlement agreement.

SEE: The Brexit dilemma: Will London's offset-ups stay or go? (TechRepublic cover story)

In 2011, following an FTC investigation, the company entered into a consent decree, promising to accost concerns about how user data was tracked and shared. That investigation was prompted by an incident in Dec 2009 in which information thought individual by users was beingness shared publicly, according to contemporaneous reporting by The New York Times.

In 2013, Facebook disclosed details of a issues that exposed the personal details of vi million accounts over approximately a year. When users downloaded their own Facebook history, that user would obtain in the same action not just their own address volume, but also the email addresses and phone numbers of their friends that other people had stored in their address books. The information that Facebook exposed had not been given to Facebook by users to begin with–information technology had been vacuumed from the contact lists of other Facebook users who happen to know that person. This miracle has since been described as "shadow profiles."

The Cambridge Analytica portion of the data privacy scandal starts in Feb 2014. A spate of reviews on the Turkopticon website–a third-political party review website for users of Amazon's Mechanical Turk–detail a task requested past Aleksandr Kogan asking users to complete a survey in substitution for money. The survey required users to add the thisisyourdigitiallife app to their Facebook business relationship, which is in violation of Mechanical Turk's terms of service. One review quotes the request as requiring users to "provide our app access to your Facebook so we can download some of your data–some demographic information, your likes, your friends list, whether your friends know one some other, and some of your private messages."

In December 2015, Facebook learned for the commencement time that the information set Kogan generated with the app was shared with Cambridge Analytica. Facebook founder and CEO Mark Zuckerberg claims "we immediately banned Kogan's app from our platform, and demanded that Kogan and Cambridge Analytica formally certify that they had deleted all improperly caused information. They provided these certifications."

According to Cambridge Analytica, the company took legal action in Baronial 2016 against GSR (Kogan) for licensing "illegally caused information" to the visitor, with a settlement reached that Nov.

On March 17, 2018, an exposé was published by The Guardian and The New York Times, initially reporting that 50 1000000 Facebook profiles were harvested past Cambridge Analytica; the figure was later revised to "up to 87 million" profiles. The exposé relies on data provided past Christopher Wylie, a old employee of SCL Elections and Global Science Research, the creator of the thisisyourdigitiallife app. Wylie claimed that the data from that app was sold to Cambridge Analytica, which used the information to develop "psychographic" profiles of users, and target users with pro-Trump advertising, a claim that Cambridge Analytica denied.

On March 16, 2018, Facebook threatened to sue The Guardian over publication of the story, co-ordinate to a tweet by Guardian reporter Carole Cadwalladr. Campbell Brown, a former CNN announcer who now works as head of news partnerships at Facebook, said information technology was "non our wisest motility," adding "If information technology were me I would have probably not threatened to sue The Guardian." Similarly, Cambridge Analytica threatened to sue The Guardian for defamation.

On March xx, 2018, the FTC opened an investigation to determine if Facebook had violated the terms of the settlement from the 2011 investigation.

In April 2018, reports indicated that Facebook granted Zuckerberg and other high ranking executives powers over decision-making personal information on a platform that is not bachelor to normal users. Messages from Zuckerberg sent to other users were remotely deleted from users' inboxes, which the company claimed was part of a corporate security mensurate following the 2014 Sony Pictures hack. Facebook later on announced plans to brand available the "unsend" capability "to all users in several months," and that Zuckerberg will be unable to unsend messages until such fourth dimension that feature rolls out. Facebook added the feature 10 months after, on February 6, 2019. The public characteristic permits users to delete messages upwards to x minutes afterwards the messages were sent. In the controversy prompting this feature to be added, Zuckerberg deleted letters months later they were sent.

On Apr 4, 2018, The Washington Postal service reported that Facebook announced "malicious actors" abused the search function to gather public profile information of "most of its two billion users worldwide."

In a CBS News/YouGov poll published on April ten, 2018, 61% of Americans said Congress should practise more to regulate social media and tech companies. This sentiment was echoed in a CBS News interview with Box CEO Aaron Levie and YML CEO Ashish Toshniwal who called on Congress to regulate Facebook. Co-ordinate to Levie, "In that location are then many examples where nosotros don't have modern ways of either regulating, controlling, or putting the correct protections in identify in the internet age. And this is a fundamental issue that, that we're gonna have to grapple with as an industry for the next decade."

On April eighteen, 2018, Facebook updated its privacy policy.

On May 2, 2018, SCL Group, which owns Cambridge Analytica, was dissolved. In a press release, the company indicated that "the siege of media coverage has driven away near all of the Company'southward customers and suppliers."

On May 15, 2018, The New York Times reported that Cambridge Analytica is beingness investigated by the FBI and the Justice Section. A source indicated to CBS News that prosecutors are focusing on potential financial crimes.

On May 16, 2018, Christopher Wylie testified before the Senate Judiciary Committee. Amongst other things, Wylie noted that Cambridge Analytica, under the management of Steve Bannon, sought to "exploit sure vulnerabilities in certain segments to send them information that will remove them from the public forum, and feed them conspiracies and they'll never come across mainstream media." Wylie also noted that the company targeted people with "characteristics that would lead them to vote for the Democratic political party, particularly African American voters."

On June 3, 2018, a report in The New York Times indicated that Facebook had maintained data-sharing partnerships with mobile device manufacturers, specifically naming Apple tree, Amazon, BlackBerry, Microsoft, and Samsung. Under the terms of this personal information sharing, device manufacturers were able to gather information almost users in order to deliver "the Facebook experience," the Times quotes a Facebook official as saying. Additionally, the study indicates that this admission immune device manufacturers to obtain data about a user's Facebook friends, fifty-fifty if those friends had configured their privacy settings to deny information sharing with third parties.

The same day, Facebook issued a rebuttal to the Times report indicating that the partnerships were conceived because "the demand for Facebook outpaced our ability to build versions of the product that worked on every phone or operating organization," at a fourth dimension when the smartphone market included BlackBerry's BB10 and Windows Phone operating systems, among others. Facebook claimed that "contrary to claims by the New York Times, friends' data, similar photos, was only attainable on devices when people made a decision to share their information with those friends. We are not aware of whatsoever abuse past these companies." The distinction beingness made is partially semantic, as Facebook does not consider these partnerships a third political party in this case. Facebook noted that changes to the platform made in April began "winding downward" admission to these APIs, and that 22 of the partnerships had already been ended.

On June 5, 2018, the The Washington Post and The New York Times reported that the Chinese device manufacturers Huawei, Lenovo, Oppo, and TCL were granted access to user data under this plan. Huawei, along with ZTE, are facing scrutiny from the U.s. government on unsubstantiated accusations that products from these companies pose a national security risk.

On July ii, 2018, The Washington Post reported that the US Securities and Substitution Committee, Federal Trade Commission, and Federal Bureau of Investigation have joined the Department of Justice research into the Facebook/Cambridge Analytica data scandal. In a statement to CNET, Facebook indicated that "We've provided public testimony, answered questions, and pledged to keep our aid equally their work continues." On July 11th, the Wall Street Journal reported that the SEC is separately investigating if Facebook adequately warned investors in a timely style about the possible misuse and improper collection of user information. The same mean solar day, the UK assessed a £500,000 fine to Facebook, the maximum permitted by law, over its role in the data scandal. The UK'southward Data Commissioner's Office is also preparing to launch a criminal probe into SCL Elections over their involvement in the scandal.

On July iii, 2018, Facebook best-selling a "bug" unblocked people that users has blocked between May 29 and June v.

On July 12, 2018, a CNBC report indicated that a privacy loophole was discovered and airtight. A Chrome plug-in intended for marketing enquiry chosen Grouply.io immune users to access the list of members for private Facebook groups. Congress sent a letter to Zuckerberg on February 19, 2019 enervating answers about the data leak, stating in part that "labeling these groups as closed or bearding potentially misled Facebook users into joining these groups and revealing more personal data than they otherwise would have," and "Facebook may accept failed to properly notify grouping members that their personal health information may have been accessed by wellness insurance companies and online bullies, amid others."

Fallout from a confluence of factors in the Facebook data privacy scandal has come to bear in the final week of July 2018. On July 25th, Facebook announced that daily active user counts have fallen in Europe, and growth has stagnated in the U.s.a. and Canada. The post-obit day, Facebook suffered the worst single-day marketplace value subtract for a public visitor in the Usa, dropping $120 billion, or nineteen%. On the July 28th, Reuters reported that shareholders are suing Facebook, Zuckerberg, and CFO David Wehner for "making misleading statements about or failing to disclose slowing revenue growth, falling operating margins, and declines in agile users."

On August 22, 2018, Facebook removed Facebook-owned security app Onavo from the App Store, for violating privacy rules. Information collected through the Onavo app is shared with Facebook.

In testimony before the Senate, on September 5, 2018, COO Sheryl Sandberg conceded that the visitor "[was] as well slow to spot this and too slow to deed" on privacy protections. Sandberg, and Twitter CEO Jack Dorsey faced questions focusing on user privacy, election interference, and political censorship. Senator Mark Warner of Virginia even said that, "The era of the wild west in social media is coming to an cease," which seems to indicate coming legislation.

On September half dozen, 2018, a spokesperson indicated that Joseph Chancellor was no longer employed by Facebook. Chancellor was a co-manager of Global Science Research, the house which improperly provided user information to Cambridge Analytica. An internal investigation was launched in March in role to make up one's mind his involvement. No argument was released indicating the result of that investigation.

On September 7, 2018, Zuckerberg stated in a mail service that fixing problems such as "defending against ballot interference by nation states, protecting our customs from abuse and damage, or making sure people take control of their data and are comfy with how it's used," is a process which "will extend through 2019."

On September 26, 2018, WhatsApp co-founder Brian Acton stated in an interview with Forbes that "I sold my users' privacy" every bit a result of the messaging app being sold to Facebook in 2014 for $22 billion.

On September 28, 2018, Facebook disclosed details of a security alienation which afflicted l million users. The vulnerability originated from the "view as" feature which can be used to let users see what their profiles wait similar to other people. Attackers devised a way to export "access tokens," which could be used to gain command of other users' accounts.

A CNET written report published on October v, 2018, details the existence of an "Internet Bill of Rights" drafted by Rep. Ro Khanna (D-CA). The bill is probable to be introduced in the event the Democrats regain control of the House of Representatives in the 2018 elections. In a statement, Khanna noted that "Every bit our lives and the economy are more tied to the internet, it is essential to provide Americans with bones protections online."

On October 11, 2018, Facebook deleted over 800 pages and accounts in advance of the 2018 elections for violating rules confronting spam and "inauthentic beliefs." The aforementioned day, information technology disabled accounts for a Russian house chosen "Social Data Hub," which claimed to sell scraped user data. A Reuters report indicates that Facebook volition ban simulated information about voting in the midterm elections.

On October xvi, 2018, rules requiring public disclosure of who pays for political advertising on Facebook, as well as identity verification of users paying for political ad, were extended to the Britain. The rules were beginning rolled out in the U.s. in May.

On October 25, 2018, Facebook was fined £500,000 by the United kingdom's Information Commissioner'southward Office for their role in the Cambridge Analytica scandal. The fine is the maximum amount permitted by the Data Protection Act 1998. The ICO indicated that the fine was final. A Facebook spokesperson told ZDNet that the company "respectfully disagreed," and has filed for entreatment.

The same day, Vice published a report indicating that Facebook'due south advertiser disclosure policy was trivial to corruption. Reporters from Vice submitted advertisements for approval attributed to Mike Pence, DNC Chairman Tom Perez, and Islamic State, which were approved by Facebook. Further, the contents of the advertisements were copied from Russian advertisements. A spokesperson for Facebook confirmed to Vice that the copied content does not violate rules, though the false attribution does. According to Vice, the just denied submission was attributed to Hillary Clinton.

On October 30, 2018, Vice published a second report in which it claimed that it successfully applied to purchase advertisements attributed to all 100 sitting US Senators, indicating that Facebook had yet to prepare the trouble reported in the previous week. According to Vice, the simply denied submission in this test was attributed to Mark Zuckerberg.

On November 14, 2018, the New York Times published an exposé on the Facebook data privacy scandal, citing interviews of more than 50 people, including current and quondam Facebook executives and employees. In the exposé, the Times reports:

  • In the Spring of 2016, a security proficient employed by Facebook informed Primary Security Officer Alex Stamos of Russian hackers "probing Facebook accounts for people connected to the presidential campaigns," which Stamos, in turn, informed general counsel Colin Stretch.
  • A group called "Project P" was assembled by Zuckerberg and Sandberg to study simulated news on Facebook. By January 2017, this group "pressed to issue a public paper" nearly their findings, but was stopped by board members and Facebook vice president of global public policy Joel Kaplan, who had formerly worked in former US President George West. Bush'southward assistants.
  • In Spring and Summer of 2017, Facebook was "publicly claiming there had been no Russian effort of any significance on Facebook," despite an ongoing investigation into the extent of Russian involvement in the election.
  • Sandberg "and deputies" insisted that the post drafted by Stamos to publicly admit Russian involvement for the starting time fourth dimension be made "less specific" before publication.
  • In October 2017, Facebook expanded their engagement with Republican-linked house Definers Public Affairs to discredit "activist protesters." That business firm worked to link people critical of Facebook to liberal philanthropist George Soros, and "[lobbied] a Jewish civil rights group to bandage some criticism of the company equally anti-Semitic."
  • Following comments critical of Facebook by Apple tree CEO Tim Cook, a spate of manufactures critical of Apple and Google began appearing on NTK Network, an arrangement which shares an office and staff with Definers. Other articles appeared on the website downplaying the Russians' use of Facebook.

On November fifteen, 2018, Facebook appear it had terminated its relationship with Definers Public Affairs, though it disputed that either Zuckerberg or Sandberg was enlightened of the "specific work existence done." Further, a Facebook spokesperson indicated "It is wrong to suggest that we have ever asked Definers to pay for or write articles on Facebook's behalf, or communicate annihilation untrue."

On November 22, 2018, Sandberg acknowledged that work produced past Definers "was incorporated into materials presented to me and I received a small number of emails where Definers was referenced."

On November 25, 2018, the founder of Six4Three, on a business concern trip to London, was compelled past Parliament to hand over documents relating to Facebook. Six4Three obtained these documents during the discovery process relating to an app developed by the startup that used paradigm recognition to identify photos of women in bikinis shared on Facebook users' friends' pages. Reports indicate that Parliament sent an official to the founder's hotel with a warning that noncompliance would consequence in possible fines or imprisonment. Despite the warning, the founder of the startup remained noncompliant, prompting him to be escorted to Parliament, where he turned over the documents.

A study in the New York Times published on Nov 29, 2018, indicates that Sheryl Sandberg personally asked Facebook communications staff in January to "research George Soros's financial interests in the wake of his loftier-profile attacks on tech companies."

On December 5, 2018, documents obtained in the probe of Six4Three were released by Parliament. Damian Collins, the MP who issued the order compelling the handover of the documents in November, highlighted 6 key points from the documents:

  1. Facebook entered into whitelisting agreements with Lyft, Airbnb, Bumble, and Netflix, amidst others, allowing those groups total access to friends data subsequently Graph API v1 was discontinued. Collins indicates "It is not clear that at that place was any user consent for this, nor how Facebook decided which companies should be whitelisted or non."
  2. According to Collins, "increasing revenues from major app developers was one of the cardinal drivers behind the Platform 3.0 changes at Facebook. The idea of linking admission to friends data to the fiscal value of the developers' human relationship with Facebook is a recurring characteristic of the documents."
  3. Information reciprocity between Facebook and app developers was a central focus for the release of Platform v3, with Zuckerberg discussing charging developers for access to API access for friend lists.
  4. Internal discussions of changes to the Facebook Android app acknowledge that requesting permissions to collect calls and texts sent by the user would be controversial, with one project manager stating it was "a pretty loftier-risk affair to do from a PR perspective."
  5. Facebook used data nerveless through Onavo, a VPN service the company acquired in 2013, to survey the use of mobile apps on smartphones. Co-ordinate to Collins, this occurred "obviously without [users'] knowledge," and was used past Facebook to determine "which companies to acquire, and which to care for as a threat."
  6. Collins contends that "the files show evidence of Facebook taking ambitious positions against apps, with the effect that denying them admission to data led to the failure of that business organization." Documents disclosed specifically indicate Facebook revoked API admission to video sharing service Vine.

In a statement, Facebook claimed, "Six4Three… cherrypicked these documents from years ago." Zuckerberg responded separately to the public disclosure on Facebook, acknowledging, "Similar whatsoever organisation, we had a lot of internal give-and-take and people raised dissimilar ideas." He called the Facebook scrutiny "healthy given the vast number of people who use our services," merely said it shouldn't "misrepresent our actions or motives."

On Dec xiv, 2018, a vulnerability was disclosed in the Facebook Photograph API that existed between September thirteen-25, 2018, exposing private photos of 6.8 million users. The Photo API bug affected people who utilize Facebook to log in to third-party services.

On Dec 18, 2018, The New York Times reported on special data sharing agreements that "[exempted] business concern partners from its usual privacy rules, naming Microsoft's Bing search engine, Netflix, Spotify, Amazon, and Yahoo as partners in the report. Partners were capable of accessing data including friend lists and private messages, "despite public statements it had stopped that type of sharing years before." Facebook claimed the data sharing was about "helping people," and that this was not done without user consent.

On Jan 17, 2019, Facebook disclosed that it removed hundreds of pages and accounts controlled by Russian propaganda organization Sputnik, including accounts posing as politicians from primarily Eastern European countries.

On January 29, 2019, a TechCrunch written report uncovered the "Facebook Enquiry" program, which paid users aged xiii to 35 to receive up to $20 per calendar month to install a VPN awarding similar to Onavo that allowed Facebook to gather practically all information about how phones were used. On iOS, this was distributed using Apple's Developer Enterprise Program, for which Apple briefly revoked Facebook's certificate as a effect of the controversy.

Facebook initially indicated that "less than 5% of the people who chose to participate in this market research plan were teens," and on March ane, 2019 amended the statement to "about 18 percent."

On February 7, 2019, the German antitrust office ruled that Facebook must obtain consent before collecting data on non-Facebook members, following a three-year investigation.

On February 20, 2019, Facebook added new location controls to its Android app that allows users to limit background information collection when the app is non in use.

The same day, ZDNet reported that Microsoft's Edge browser contained a underground whitelist allowing Facebook to run Adobe Flash, bypassing the click-to-play policy that other websites are subject to for Wink objects over 398×298 pixels. The whitelist was removed in the February 2019 Patch Tuesday update.

On March 6, 2019, Zuckerberg announced a plan to rebuild services effectually encryption and privacy, "over the next few years." As part of these changes, Facebook will brand messages betwixt Facebook, Instagram, and WhatsApp interoperable. Former Microsoft executive Steven Sinofsky–who was fired afterwards the poor reception of Windows 8–called the move "fantastic," comparing information technology to Microsoft's Trustworthy Computing initiative in 2002.

CNET and CBS News Senior Producer Dan Patterson noted on CBSN that Facebook can benefit from this consolidation past making the messaging platforms cheaper to operate, likewise as profiting from users sending coin through the messaging platform, in a business organisation model like to Venmo.

On March 21, 2019, Facebook disclosed a lapse in security that resulted in hundreds of millions of passwords being stored in evidently text, affecting users of Facebook, Facebook Lite, and Instagram. Facebook claimed that "these passwords were never visible to anyone exterior of Facebook and we have constitute no evidence to engagement that anyone internally driveling or improperly accessed them."

Though Facebook'southward post does not provide specifics, a study by veteran security reporter Brian Krebs claimed "between 200 million and 600 1000000" users were affected, and that "more than 20,000 Facebook employees" would have had admission.

On March 22, 2019, a court filing by the attorney full general of Washington DC alleged that Facebook knew near the Cambridge Analytica scandal months prior to the outset public reports in Dec 2015. Facebook claimed that employees knew of rumors relating to Cambridge Analytica, but the claims relate to a "dissimilar incident" than the main scandal, and insisted that the company did not mislead anyone nigh the timeline of the scandal.

Facebook is seeking to accept the case filed in Washington DC dismissed, likewise as to seal a certificate filed in that example.

On March 31, 2019, The Washington Post published an op-ed by Zuckerberg calling for governments and regulators to take a "more agile part" in regulating the net. Shortly after, Facebook introduced a characteristic that explains why content is shown to users on their news feeds.

On Apr 3, 2019, over 540 1000000 Facebook-related records were constitute on ii improperly protected AWS servers. The data was collected past Cultura Colectiva, a Mexico-based online media platform, using Facebook APIs. Amazon deactivated the associated account at Facebook's request.

On April 15, 2019, it was discovered that Oculus, a company owned by Facebook, shipped VR headsets with internal etchings including text such as "Big Brother is Watching."

On Apr eighteen, 2019, Facebook disclosed the "unintentional" harvesting of e-mail contacts belonging to approximately i.5 one thousand thousand users over the course of 3 years. Affected users were asked to provide email address credentials to verify their identity.

On Apr 30, 2019, at Facebook's F8 programmer conference, the company unveiled plans to overhaul Messenger and re-orient Facebook to prioritize Groups instead of the timeline view, with Zuckerberg declaring "The future is private."

On May 9, 2019, Facebook co-founder Chris Hughes called for Facebook to exist cleaved upwards by government regulators, in an editorial in The New York Times. Hughes, who left the company in 2007, cited concerns that Zuckerberg has surrounded himself with people who do not challenge him. "We are a nation with a tradition of reining in monopolies, no matter how well-intentioned the leaders of these companies may be. Mark'southward power is unprecedented and united nations-American," Hughes said.

Proponents of a Facebook breakdown typically signal to unwinding the social network's buy of Instagram and WhatsApp.

Zuckerberg dismissed Hughes' entreatment for a breakup in comments to French republic 2, stating in part that "If what you intendance about is commonwealth and elections, then you lot want a company similar us to invest billions of dollars a year, like nosotros are, in edifice up really advanced tools to fight election interference."

On May 24, 2019, a report from Motherboard claimed "multiple" staff members of Snapchat used internal tools to spy on users.

On July viii, 2019, Apple tree co-founder Steve Wozniak warned users to get off of Facebook.

On July 18, 2019, lawmakers in a House Committee on Fiscal Services hearing expressed mistrust of Facebook's Libra cryptocurrency programme due to its "pattern of failing to keep consumer data private." Lawmakers had previously issued a letter to Facebook requesting the company suspension evolution of the project.

On July 24, 2019, the FTC announced a $5 billion settlement with Facebook over user privacy violations. Facebook agreed to conduct an overhaul of its consumer privacy practices equally part of the settlement. Access to friend data past Sony and Facebook was "immediately" restricted as part of this settlement, according to CNET. Separately, the FTC settled with Aleksandr Kogan and former Cambridge Analytica CEO Alexander Zero, "restricting how they conduct whatsoever business organization in the future, and requiring them to delete or destroy any personal information they nerveless." The FTC announced a lawsuit against Cambridge Analytica the same day.

Also on July 24, 2019, Netflix released "The Great Hack," a documentary almost the Cambridge Analytica scandal.

In early July, 2020, Facebook admitted to sharing user data with an estimated v,000 third-party developers afterwards information technology admission to that data was supposed to expire.

Zuckerberg testified earlier Congress once more on July 29, 2020, as role of an antitrust hearing that included Amazon'due south Jeff Bezos, Apple's Tim Cook, and Google's Sundar Pichai. The hearing didn't touch on Facebook's information privacy scandal, and was instead focused on Facebook'south purchase of Instagram and WhatsApp, as well as its treatment of other competing services.

Additional resource

  • Facebook knew of illicit user profile harvesting for 2 years, never acted (CBS News)
  • Facebook's FTC consent prescript deal: What you lot need to know (CNET)
  • Australia's Facebook investigation expected to take at to the lowest degree 8 months (ZDNet)
  • Election tech: The truth about Cambridge Analytica's political large data (TechRepublic)
  • Google sued past ACCC for allegedly linking data for ads without consent (ZDNet)
  • Midterm elections, social media and hacking: What you need to know (CNET)
  • Critical flaw revealed in Facebook Fizz TLS projection (ZDNet)
  • CCPA: What California's new privacy law ways for Facebook, Twitter users (CNET)

What are the key companies involved in the Facebook data privacy scandal?

In addition to Facebook, these are the companies continued to this information privacy story.

SCL Group (formerly Strategic Advice Laboratories) is at the center of the privacy scandal, though it has operated primarily through subsidiaries. Nominally, SCL was a behavioral research/strategic advice company based in the UK. The company was dissolved on May one, 2018.

Cambridge Analytica and SCL U.s.a. are offshoots of SCL Group, primarily operating in the United states of america. Registration documentation indicates the pair formally came into existence in 2013. As with SCL Group, the pair were dissolved on May 1, 2018.

Global Science Research was a market place inquiry house based in the UK from 2014 to 2017. It was the originator of the thisisyourdigitiallife app. The personal information derived from the app (if not the app itself) was sold to Cambridge Analytica for use in entrada messaging.

Emerdata is the functional successor to SCL and Cambridge Analytica. Information technology was founded in August 2017, with registration documents listing several people associated with SCL and Cambridge Analytica, likewise as the same address every bit that of SCL Group's London headquarters.

AggregateIQ is a Canadian consulting and engineering science company founded in 2013. The company produced Ripon, the software platform for Cambridge Analytica's political campaign work, which leaked publicly after being discovered in an unprotected GitLab bucket.

Cubeyou is a US-based data analytics firm that likewise operated surveys on Facebook, and worked with Cambridge University from 2013 to 2015. It was suspended from Facebook in April 2018 following a CNBC report.

Six4Three was a US-based startup that created an app that used image recognition to identify photos of women in bikinis shared on Facebook users' friends' pages. The company sued Facebook in April 2015, when the app became inoperable after admission to this data was revoked when the original version of Facebook's Graph API was discontinued.

Onavo is an analytics company that develops mobile apps. They created Onavo Extend and Onavo Protect, which are VPN services for information protection and security, respectively. Facebook purchased the company in October 2013. Data from Onavo is used by Facebook to rail usage of non-Facebook apps on smartphones.

The Internet Enquiry Bureau is a St. Petersburg-based organization with ties to Russian intelligence services. The organisation engages in politically-charged manipulation beyond English-linguistic communication social media, including Facebook.

Boosted resources

  • If your system advertises on Facebook, beware of these new limitations (TechRepublic)
  • Data breach exposes Cambridge Analytica's data mining tools (ZDNet)
  • Was your business organisation'south Twitter feed sold to Cambridge Analytica? (TechRepublic)
  • US special counsel indicts 13 members of Russia's election meddling troll subcontract (ZDNet)

Who are the key people involved in the Facebook data privacy scandal?

Nigel Oakes is the founder of SCL Group, the parent company of Cambridge Analytica. A report from Buzzfeed News unearthed a quote from 1992 in which Oakes stated, "We utilize the aforementioned techniques every bit Aristotle and Hitler. … We appeal to people on an emotional level to get them to agree on a functional level."

Alexander Nix was the CEO of Cambridge Analytica and a director of SCL Group. He was suspended following reports detailing a video in which Nix claimed the visitor "offered bribes to smear opponents every bit corrupt," and that it "campaigned secretly in elections… through front end companies or using subcontractors."

Robert Mercer is a conservative activist, computer scientist, and a co-founder of Cambridge Analytica. A New York Times written report indicates that Mercer invested $xv million in the company. His daughters Jennifer Mercer and Rebekah Anne Mercer serve as directors of Emerdata.

Christopher Wylie is the one-time director of enquiry at Cambridge Analytica. He provided information to The Guardian for its exposé of the Facebook information privacy scandal. He has since testified before committees in the The states and Britain about Cambridge Analytica's involvement in this scandal.

Steve Bannon is a co-founder of Cambridge Analytica, likewise as a founding member and sometime executive chairman of Breitbart News, an alt-right news outlet. Breitbart News has reportedly received funding from the Mercer family as far dorsum as 2010. Bannon left Breitbart in January 2018. According to Christopher Wylie, Bannon is responsible for testing phrases such as "drain the swamp" at Cambridge Analytica, which were used extensively on Breitbart.

Aleksandr Kogan is a Senior Enquiry Associate at Cambridge University and co-founder of Global Scientific discipline Inquiry, which created the information harvesting thisisyourdigitiallife app. He worked as a researcher and consultant for Facebook in 2013 and 2015. Kogan also received Russian regime grants and is an associate professor at St. Petersburg Land University, though he claims this is an honorary role.

Joseph Chancellor was a co-director of Global Scientific discipline Research, which created the information harvesting thisisyourdigitiallife app. Around November 2015, he was hired by Facebook every bit a "quantitative social psychologist." A spokesperson indicated on September 6, 2018, that he was no longer employed by Facebook.

Michal Kosinski, David Stillwell, and Thore Graepel are the researchers who proposed and adult the model to "psychometrically" clarify users based on their Facebook likes. At the fourth dimension this model was published, Kosinski and Stillwell were affiliated with Cambridge University, while Graepel was affiliated with the Cambridge-based Microsoft Research. (None have an association with Cambridge Analytica, according to Cambridge University.)

Mark Zuckerberg is the founder and CEO of Facebook. He founded the website in 2004 from his dorm room at Harvard.

Sheryl Sandberg is the COO of Facebook. She left Google to join the company in March 2008. She became the eighth member of the company's board of directors in 2012 and is the starting time adult female in that part.

Damian Collins is a Conservative Party politician based in the United Kingdom. He currently serves equally the Chair of the House of Eatables Civilization, Media and Sport Select Commission. Collins is responsible for issuing orders to seize documents from the American founder of Six4Three while he was traveling in London, and releasing those documents publicly.

Chris Hughes is one of four Facebook co-founders, who originally took on beta testing and feedback for the website, until leaving in 2007. Hughes is the first to call for Facebook to exist broken upwardly past regulators.

Additional resources

  • Facebook investigates employee's ties to Cambridge Analytica (CBS News)
  • Aleksandr Kogan: The link between Cambridge Analytica and Facebook (CBS News)
  • Video: Cambridge Analytica shuts down post-obit information scandal (CBS News)

How have Facebook and Mark Zuckerberg responded to the data privacy scandal?

Each time Facebook finds itself embroiled in a privacy scandal, the general playbook seems to exist the aforementioned: Mark Zuckerberg delivers an amends, with oft-recycled lines, such every bit "this was a big mistake," or "I know nosotros can do ameliorate." Despite repeated controversies regarding Facebook's handling of personal data, information technology has connected to gain new users. This is by design–founding president Sean Parker indicated at an Axios conference in November 2017 that the first step of building Facebook features was "How do we consume as much of your time and conscious attention every bit possible?" Parker also likened the design of Facebook to "exploiting a vulnerability in human psychology."

On March 16, 2018, Facebook announced that SCL and Cambridge Analytica had been banned from the platform. The announcement indicated, correctly, that "Kogan gained admission to this information in a legitimate style and through the proper channels that governed all developers on Facebook at that time," and passing the information to a third party was against the platform policies.

The following day, the announcement was amended to state:

The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign upwardly to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of data were stolen or hacked.

On March 21, 2018, Mark Zuckerberg posted his showtime public statement about the issue, stating in part that:

"We have a responsibility to protect your information, and if nosotros can't and so we don't deserve to serve you. I've been working to empathise exactly what happened and how to make sure this doesn't happen once again."

On March 26, 2018, Facebook placed total-page ads stating: "This was a breach of trust, and I'm pitiful we didn't practise more at the fourth dimension. Nosotros're now taking steps to ensure this doesn't happen again," in The New York Times, The Washington Post, and The Wall Street Journal, as well equally The Observer, The Sunday Times, Mail on Sunday, Sun Mirror, Dominicus Express, and Lord's day Telegraph in the UK.

In a blog post on April 4, 2018, Facebook announced a serial of changes to data treatment practices and API admission capabilities. Foremost among these include limiting the Events API, which is no longer able to access the guest list or wall posts. Additionally, Facebook removed the power to search for users past phone number or email address and made changes to the account recovery process to fight scraping.

On April ten, 2018, and Apr 11, 2018, Marker Zuckerberg testified earlier Congress. Details nearly his testimony are in the adjacent section of this article.

On April x, 2018, Facebook announced the launch of its data abuse bug compensation program. While Facebook has an existing security bug bounty programme, this is targeted specifically to prevent malicious users from engaging in data harvesting. There is no limit to how much Facebook could potentially pay in a bounty, though to date the highest amount the company has paid is $twoscore,000 for a security problems.

On May xiv, 2018, "around 200" apps were banned from Facebook as part of an investigation into if companies accept abused APIs to harvest personal information. The visitor declined to provide a list of offending apps.

On May 22, 2018, Marking Zuckerberg testified, briefly, before the European Parliament nigh the data privacy scandal and Cambridge Analytica. The format of the testimony has been the subject of derision, as all of the questions were posed to Zuckerberg before he answered. Guy Verhofstadt, an Eu Parliament member representing Belgium, said, "I asked you six 'yes' and 'no' questions, and I got not a single answer."

What did Mark Zuckerberg say in his testimony to Congress?

In his Senate testimony on Apr 10, 2018, Zuckerberg reiterated his amends, stating that "Nosotros didn't accept a broad enough view of our responsibility, and that was a big mistake. And information technology was my mistake. And I'thousand sorry. I started Facebook, I run information technology, and I'thou responsible for what happens hither," adding in a response to Sen. John Thune that "we endeavour not to make the aforementioned fault multiple times.. in general, a lot of the mistakes are around how people connect to each other, just because of the nature of the service."

Sen. Amy Klobuchar asked if Facebook had determined whether Cambridge Analytica and the Internet Research Bureau were targeting the same users. Zuckerberg replied, "We're investigating that now. Nosotros believe that it is entirely possible that there volition exist a connexion in that location." According to NBC News, this was the kickoff suggestion in that location is a link between the activities of Cambridge Analytica and the Russian disinformation campaign.

On June xi, 2018, nearly 500 pages of new testimony from Zuckerberg was released following promises of a follow-upward to questions for which he did not take sufficient information to address during his Congressional testimony. The Washington Post notes that the release, "in some instances sidestepped lawmakers' questions and concerns," but that the questions being asked were not e'er relevant, peculiarly in the example of Sen. Ted Cruz, who attempted to bring attention to Facebook's donations to political organizations, equally well as how Facebook treats criticism of "Taylor Swift's contempo cover of an Globe, Wind and Fire song."

Boosted resources

  • Facebook gave Apple, Samsung access to data about users — and their friends (CNET)
  • Zuckerberg doubles down on Facebook'south fight against faux news, data misuse (CNET)
  • Tech execs react to Mark Zuckerberg's amends: "I remember he's sorry he has to evidence" (CBS News)
  • On Facebook, Zuckerberg gets privacy and you get null (ZDNet)
  • 6 Facebook security mistakes to prepare on Data Privacy Day (CNET)
  • Zuckerberg takes Facebook data amends tour to Washington (CNET)
  • Zuckerberg's Senate hearing highlights in 10 minutes (CNET via YouTube)
  • Russian politicians call on Facebook'south Marking Zuckerberg to testify on privacy (CNET)

What is the 2016 Usa presidential election connectedness to the Facebook data privacy scandal?

In Dec 2015, The Guardian bankrupt the story of Cambridge Analytica being contracted past Ted Cruz's entrada for the Republican Presidential Main. Despite Cambridge Analytica CEO Alexander Nix's merits in an interview with TechRepublic that the company is "fundamentally politically agnostic and an apolitical organization," the primary financier of the Cruz campaign is Cambridge Analytica co-founder Robert Mercer, who donated $11 million to a pro-Cruz Super PAC. Post-obit Cruz's withdrawal from the campaign in May 2016, the Mercer family began supporting Donald Trump.

In Jan 2016, Facebook COO Sheryl Sandberg told investors that the election was "a big deal in terms of advertizing spend," and that through "using Facebook and Instagram ads y'all can target by congressional district, you can target by interest, y'all can target past demographics or whatsoever combination of those."

In October 2017, Facebook appear changes to its advertising platform, requiring identity and location verification and prior authorization in society to run electoral advertising. In the wake of the fallout from the data privacy scandal, farther restrictions were added in Apr 2018, making "effect ads" regarding topics of electric current interest similarly restricted.

In secretly recorded conversations by an undercover squad from Channel iv News, Cambridge Analytica'due south Nix claimed the firm was behind the "defeat kleptomaniacal Hillary" advertisement entrada, calculation, "We only put data into the bloodstream of the cyberspace and then scout information technology grow, give it a lilliputian push button every now and again over time to watch information technology accept shape," and that "this stuff infiltrates the online community, but with no branding, so it's unattributable, untrackable." The same exposé quotes Chief Data Officer Alex Tayler as maxim, "When you think nigh the fact that Donald Trump lost the popular vote by iii one thousand thousand votes just won the balloter higher vote, that's downward to the data and the enquiry."

Additional resources

  • How Cambridge Analytica used your Facebook data to assist elect Trump (ZDNet)
  • Facebook takes down fake accounts operated by 'Roger Stone and his associates' (ZDNet)
  • Facebook, Cambridge Analytica and data mining: What you need to know (CNET)

  • Civil rights auditors slam Facebook stance on Trump, voter suppression (ZDNet)

  • The Trump entrada app is tapping a "gilded mine" of data almost Americans (CBS News)

What is the Brexit tie-in to the Facebook information privacy scandal?

AggregateIQ was retained by Nigel Farage's Vote Leave organization in the Brexit campaign, and both The Guardian and BBC merits that the Canadian company is connected to Cambridge Analytica and its parent organisation SCL Group. UpGuard, the organization that found a public GitLab case with code from AggregateIQ, has extensively detailed its connection to Cambridge Analytica and its involvement in Brexit campaigning.

Additionally, The Guardian quotes Wylie every bit saying the visitor "was set up up every bit a Canadian entity for people who wanted to work on SCL projects who didn't want to motion to London."

Additional resources

  • Brexit: A cheat canvas (TechRepublic)
  • Facebook suspends some other data analytics firm, AggregateIQ (CBS News)
  • Lawmakers grill academic at centre of Facebook scandal (CBS News)

How is Facebook affected past the GDPR?

Like any organization providing services to users in European union countries, Facebook is bound by the Eu General Information Protection Regulation (GDPR). Due to the scrutiny Facebook is already facing regarding the Cambridge Analytica scandal, as well as the full general nature of the social media giant's product existence personal data, its strategy for GDPR compliance is similarly receiving a keen deal of focus from users and other companies looking for a model of compliance.

While in theory the GDPR is only applicable to people residing in the Eu, Facebook will crave users to review their data privacy settings. According to a ZDNet article, Facebook users will exist asked if they want to see advertizement based on partner information–in practice, websites that feature Facebook's "Like" buttons. Users globally volition exist asked if they wish to proceed sharing political, religious, and relationship information, while users in Europe and Canada will exist given the option of switching automated facial recognition on again.

Facebook members outside the United states of america and Canada have heretofore been governed past the company's terms of service in Ireland. This has reportedly been changed prior to the first of GDPR enforcement, equally this would seemingly make Facebook liable for amercement for users internationally, due to Ireland's status as an European union member.

Boosted resources

  • Google, Facebook striking with serious GDPR complaints: Others will exist soon (ZDNet)
  • Facebook rolls out changes to comply with new Eu privacy constabulary (CBS News)
  • European court strikes down Eu-US Privacy Shield user data exchange understanding as invalid (ZDNet)
  • GDPR security pack: Policies to protect data and achieve compliance (TechRepublic Premium)
  • Information technology pro's guide to GDPR compliance (free PDF) (TechRepublic)

What are Facebook "shadow profiles?"

"Shadow profiles" are stores of data that Facebook has obtained about other people–who are non necessarily Facebook users. The beingness of "shadow profiles" was discovered every bit a result of a bug in 2013. When a user downloaded their Facebook history, that user would obtain not just his or her address book, but besides the email addresses and phone numbers of their friends that other people had stored in their address books.

Facebook described the outcome in an electronic mail to the afflicted users. This is an extract of the email, co-ordinate to security site Parcel Storm:

When people upload their contact lists or address books to Facebook, we attempt to match that data with the contact data of other people on Facebook in society to generate friend recommendations. Because of the bug, the email addresses and telephone numbers used to brand friend recommendations and reduce the number of invitations we send were inadvertently stored in their account on Facebook, along with their uploaded contacts. Equally a consequence, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, which included their uploaded contacts, they may have been provided with boosted email addresses or phone numbers.

Because of the fashion that Facebook synthesizes information in club to attribute collected data to existing profiles, information of people who do non take Facebook accounts congeals into dossiers, which are popularly called a "shadow contour." It is unclear what other sources of input are added to said "shadow profiles," a term that Facebook does not use, according to Zuckerberg in his Senate testimony.

Additional resource

  • Shadow profiles: Facebook has data you didn't hand over (CNET)
  • Finally, the globe is getting concerned about data privacy (TechRepublic)
  • Firm: Facebook'southward shadow profiles are 'frightening' dossiers on everyone (ZDNet)

What are the possible implications for enterprises and business users?

Business concern users and business accounts should be aware that they are every bit vulnerable as consumers to data exposure. Considering Facebook harvests and shares metadata–including SMS and voice phone call records–between the company's mobile applications, business users should be enlightened that their run a risk profile is the aforementioned as a consumer's. The stakes for businesses and employees could be higher, given that incidental or adventitious data exposure could expose the visitor to liability, IP theft, extortion attempts, and cybercriminals.

Though deleting or deactivating Facebook applications won't forestall the company from creating so-called advertising "shadow profiles," it will forestall the visitor from capturing geolocation and other sensitive data. For actional best practices, contact your visitor'southward legal counsel.

Additional resources

  • Social media policy (TechRepublic Premium)
  • Want to reach and retain customers? Adopt data privacy policies (TechRepublic)
  • Hiring kit: Digital campaign managing director (TechRepublic Premium)
  • Photos: All the tech celebrities and brands that have deleted Facebook (TechRepublic)

How tin can I alter my Facebook privacy settings?

According to Facebook, in 2014 the company removed the ability for apps that friends utilise to collect information well-nigh an private user. If you wish to disable third-party utilize of Facebook altogether–including Login With Facebook and apps that rely on Facebook profiles such as Tinder–this can be done in the Settings carte under Apps And Websites. The Apps, Websites And Games field has an Edit button–click that, then click Plow Off.

Facebook has been proactively notifying users who had their data collected by Cambridge Analytica, though users tin can manually check to see if their data was shared past going to this Facebook Aid page.

Facebook is also developing a Clear History button, which the company indicates is "their database record of you lot." CNET and CBS News Senior Producer Dan Patterson noted on CBSN that "there aren't a lot of specifics on what that immigration of the database will do, and of class, as soon as you lot log back in and start creating information once again, you lot fix a new cookie and you lot starting time the process again."

To proceeds a ameliorate understanding of how Facebook handles user data, including what options tin and cannot exist modified by end users, it may be helpful to review Facebook's Terms of Service, every bit well as its Information Policy and Cookies Policy.

Additional resources

  • Ultimate guide to Facebook privacy and security (Download.com)
  • Facebook's new privacy tool lets yous manage how you're tracked across the web (CNET)
  • User privacy and data management: Changes to expect in light of the Facebook debacle (TechRepublic)
  • Securing Facebook: Keep your data safe with these privacy settings (ZDNet)
  • How to cheque if Facebook shared your data with Cambridge Analytica (CNET)

Notation: This article was written and reported by James Sanders and Dan Patterson. Information technology was updated by Brandon Vigliarolo.

Facebook CEO Marking Zuckerberg in May 2018 at the F8 developer briefing.
Image: James Martin/CNET