Facebook and the English data analytics firm Cambridge Analytica (CA) are facing intense scrutiny in response to numerous reports about the possible misuse of data of 50 million Facebook accounts. The data was originally collected through a third party personality test app and later reportedly improperly transferred to CA and/or its parent company Strategic Communications Laboratories (SGL) and used to create target voters as part of CA’s political campaign consulting business.

The App: The “thisisyourdigitallife” app was created as a “research tool” by the English company Global Science Research (GSR), whose co-founder is Russian-American Aleksandr Kogan, a social psychologist and University of Cambridge professor. In 2013, GSR used Facebook’s application program interface (API) to offer the app to Facebook users. Some 270,000 users clicked a button to connect to the app and in doing so reportedly gave GSR permission to use their Facebook data for research purposes. The data collected included location information and users’” likes” on stories and posts on the social media network.

Harvesting Friends Data: Additionally, however, the app also “harvested” certain data from the “friends” of each app user, reportedly when the friend’s account profile was set to Facebook’s default privacy settings. Harvested” data is said to have been pulled from some 50 million “friends”. Kogan, GSR and Facebook allegedly maintain that the app accessed the “friends” data legitimately, because at the time, Facebook’s default privacy settings allowed this data to be collected from the “friends” when the “friends” agreed to Facebook’s terms and conditions.

Sharing of Data with Third Parties: Sometime in 2015, Facebook learned GSR had reportedly shared, perhaps sold, both the app user data and the harvested “friends” data with CA and/or SCL, for whom Dr. Kogan was now alleging working. Facebook claims it demanded the data be immediately destroyed by CA, GSR, Kogan and others who had access to it. CA, GSR and Professor Kogan claim they deleted the data, and CA claims it provided FB with a written certification of deletion. It appears Facebook did not audit or otherwise verify the deletion.

On March 16, Facebook abruptly suspended CA from its advertising platform, as multiple newspapers reported that CA not only hadn’t deleted GSR sourced data, but that it also used the data to build voter profiles to predict American voters’ behavior during the Donald Trump 2016 presidential campaign. CA denies knowing CSR sourced data could not be used for other than research purposes, denies using any GSR sourced data in the Trump campaign, and reaffirms GSR sourced data was deleted in 2015. However, recent reporting claims CA paid $800,000 for GSR to develop the “thisisyourdigitallife” app, which calls into question whether CA knew the CRS data was subject to the research use restrictions. One newspaper reported that Kogan also received Russian government funding for his research into the psychology of Facebook users.

Multiple Investigations: As a result of the allegations of misuse of Facebook user data, U.S. and E.U. authorities are investigating Facebook and CA. British and E.U. data protection authorities are investigating the adequacy of Facebook’s “harvesting” of personal data explanations in its privacy settings, as well as the company’s response to learning a third party received data from GSR through its API platform. The Irish data protection commissioner has also questioned Facebook and CA’s actions.

Whether Facebook’s default privacy settings provided enough information for users to consent has not yet been litigated in the United States or in Britain, although one German regional court recently held in the vzbv case that the company’s default privacy settings were inadequate.

In the U.S., the Federal Trade Commission is reviewing whether Facebook violated its 2011 consent decree. The FTC’s 2009 complaint claimed Facebook misrepresented the fact that installed third-party apps could access almost all of a user’s data, by saying the apps would only have access to user information needed to operate to app. Facebook settled the complaint without admitting any misrepresentation, but agreed to clear notices of privacy practices and to obtain express consent before a user’s data was shared beyond the user’s privacy settings. Attorneys General from Massachusetts and Connecticut are in early stages of investigating questions about the sharing and use of this data.

Additionally, Facebook is investigating GSR’s harvesting and reported improper use of user and “friends” data that was shared with, perhaps sold to, CA. In that effort, Facebook seeks to conduct a digital forensics audit of CA’s and SCL’s data and whether the GSR sourced data as promised.

There are several additional interesting aspects of this Facebook and CA developing news that are worth mentioning.

  • Some commentators question whether the Facebook and CA developments might lead to a broader discussion about data-collecting technology platforms and data privacy rights. A former Facebook employee claims she repeatedly expressed concerns to the company about its reportedly lax oversight of data harvested by third parties using the API platform.
  • GSR’s other co-founder Joseph Chancellor, works for Facebook as an in-house psychologist. It is unclear when Chancellor left GSR or started working for Facebook. To date, it is unclear if Facebook warned or took action against Chancellor for the reported improper GSR data sharing with CA and/or SCL.
  • Much of the recent news about FB, CA and the GSR sourced data comes from whistleblowers who were former employees of these companies, as well as a U.K. news station’s undercover investigation against CA. One of the undercover news stories shows CA’s CEO on video reportedly suggesting its political consulting work includes entrapping politicians with bribes and women. In response to the video, English authorities obtained a warrant to conduct an on-site investigation of CA’s offices, which may help determine what happened with GSR sourced data. CA also suspended its CEO indefinitely.
  • A U.S. professor sued CA in the U.K. courts demanding a copy of what personal data CA had collected on him. See more details about this lawsuit here.
  • The “thisisyourdigitallife” app reported collected enough data for CA to create psychographic and political profiles on American voters to assist in targeting messages to them. This news has rattled politicians and governments world-wide, given that CA has been involved in several close and pivotal political campaigns.
  • Facebook users are deactivating and deleting their accounts in response to this news. Additionally ,On March 20, one Facebook user recently sued Facebook and CA on behalf of 50 million Facebook users in federal court in California, alleging that her privacy was violated when her personal data was improperly disclosed to CA. Price’s lawsuit seeks damages for all U.S. Facebook users whose information was harvested without their consent, and it asserts various state law claims A judge will decide whether the lawsuit will be certified as a class action. The complaint can be found here.
  • Facebook has suffered a stock value loss of about $50 billion dollars from this news. Facebook shareholders sued the social media network in San Francisco in a class action, claiming they suffered losses after the disclosure about CA. The case is Yuan v. Facebook Inc., 3:18-cv-01725, U.S. District Court, Northern District of California (San Francisco).
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kathleen Porter Kathleen Porter

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and…

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.