Cambridge Analytica: US Congress probes data firm set up by ex-Cambridge Analytica employee
Congress wants to know whether it's collecting data from apps or using data brokers
US Congress has requested that ex-Cambridge Analytica employee Matt Oczkowski answer questions regarding the use of data by his new company Data Propria.
Oczkowski has been asked to explain whether the data being used by Data Propria was supplied by researcher Aleksandr Kogan, who collected data from millions of Facebook users in 2016, according to a letter sent by Democrats on the House Energy and Commerce Committee last week.
"Given news reports indicating that Data Propria is being led by former Cambridge Analytica employees, including yourself, we believe the American people must be assured that Data Propria is not using consumer data wrongfully obtained by Cambridge Analytica or engaging in other inappropriate practices," the letter said.
Not only does Congress want Oczkowski to spill the beans on whether the data it's using was collected via Facebook, but Democrats including Frank Pallone, Jr., Mike Doyle and Jan Schakowsky also want to understand exactly how Data Propria is getting its data, whether from Facebook, data brokers or other means.
It also requested that Data Propria advise Congress on whether or not it's telling consumers how their data is being used and if it's using the data for consulting purposes. For companies in the US, there's no legal requirement to disclose this information if customers request it, unlike the stringent rules imposed on those in the EU by GDPR.
"You have acknowledged in interviews with press that the work of Data Propria will be very similar to Cambridge Analytica," the group continued in their letter. "The admitted overlap between the personnel and work of Cambridge Analytica and Data Propria raises serious concerns about Data Propria's practices regarding the collection and use of Americans' personal information."
05/06/2018: SCL Elections ignores watchdog order to hand over user's data
Cambridge Analytica has refused to comply with a deadline to hand over the data it holds on a US citizen, throwing a regulatory battle between itself and the Information Commissioner's Office (ICO) into "uncharted waters".
The ICO had given the now-defunct political consultancy firm until Monday to comply with a legal notice after Professor David Carroll filed a Subject Access Request (SAR) under the Data Protection Act 1998 to discover what information the company held on him.
But the organisation's data controller, SCL Elections, failed to respond to the ICO's enforcement order - with the UK data regulator now considering prosecution.
"We are looking at the apparent failure to comply with our Enforcement Notice by SCL Elections Limited and its directors," an ICO spokesperson told IT Pro. "A decision on options for next steps, including any decision on prosecution, will now be taken in line with the prosecutors code."
Despite being a US citizen, Professor Carroll launched a landmark test case in 2017 under UK data protection law, after learning that Cambridge Analytica had processed his personal data in the UK as part of its alleged profiling of US voters for work on the Trump presidential election campaign. His case, separately filed with the High Court, was backed by the ICO, with its outcome bearing implications for millions of Americans whose data had also been harvested by the company.
However, Cambridge Analytica did not recognise his right to submit a SAR as a non-UK citizen, and refused to provide the full extent of the data it held. Consequently the ICO last month issued a legal notice for SCL Elections to comply in full - or face prosecution.
"My story is a peculiar example of how the typically American deference to the tech companies and a reluctance to consider comprehensive privacy rules contrasts with strong data protection regimes, enforced by a muscular regulator equipped with the necessary tools," said Carroll, giving evidence before the European Union's (EU) Civil Liberties, Justice and Home Affairs (LIBE) committee yesterday.
He revealed that Cambridge Analytica administrators had not yet provided the ICO with the login credentials to recover his data from its servers, which the regulator seized earlier this year as it investigates the use of data in political campaigns.
He later tweeted: "The company did not respond to the @ICOnews Enforcement Order due today. We are now in uncharted waters."
Information commissioner Elizabeth Denham, also giving evidence before the LIBE committee, outlined the scale of the ICO's probe into the misuse of data in political campaigning, branding it the "largest investigation ever undertaken by a data protection authority".
Involving 40 full-time ICO staff as well as a further 20 external legal and forensic IT recovery experts, the enquiry is examining more than 30 separate organisations, and the actions of around a dozen individuals.
"We are investigating social media platforms, data brokers, analytics firms, political parties and campaign groups and academic institutions," she told the committee, adding: "We are looking at both regulatory and criminal breaches. We are working with other regulators, EU Data protection authorities and law enforcement in the UK and abroad."
Denham added the ICO has seized dozens of servers containing hundreds of terabytes of data from several searches, and has conducted dozens of interviews.
"We are looking at the complete range of sanctions at our disposal at this time including our new powers under the new UK Data Protection Act for no-notice inspections, quicker warrants, to compel delivery of evidence and to seal digital evidence where it cannot be immediately recovered," she continued.
Cambridge Analytica, which specialised in data analysis and strategic communication, shut down in early May, blaming "a siege of media coverage" that drove away its customers and suppliers, as it commenced parallel bankruptcy proceedings in the US.
"Over the past several months, Cambridge Analytica has been the subject of numerous unfounded accusations," the company said at the time, adding that despite trying to "correct the record" it has been "vilified for activities that are not only legal, but also widely accepted as a standard component of online advertising in both the political and commercial arenas".
The ICO has made clear that companies shutting themselves down must still comply with subject access requests like Professor Carroll's. The regulator will publish a report outlining the wider implications of its ongoing investigations before the end of June, which will include a series of recommendations on regulatory gaps in areas such as data protection.
08/05/2018: ICO orders firm to hand over data to US citizen
The UK's data protection watchdog has served a legal notice to Cambridge Analytica, ordering it to give a US academic all of the personal data it holds on him.
Professor David Carroll, who is based at the Parsons School of Design in New York, had filed a Subject Access Request (SAR) under the terms of the Data Protection Act 1998 to Cambridge Analytica after the scandal broke that the data modelling company had allegedly amassed 240 million Americans' Facebook profile data.
However, he only received information that showed how the company had scored him on certain political categories, such as gun control and national security, leading him to believe the information was incomplete and to launch legal action.
Cambridge Analytica's data controller is UK-based company SCL Elections, and Professor Carroll took his case to England's High Court, and also filed a complaint with the UK Information Commissioner's Office (ICO).
The ICO said that not only does it believe Cambridge Analytica held back information, but pointed out that the firm did not offer an adequate explanation of where it had obtained Professor Carroll's data, or how it would be used.
However, in a statement, information commissioner Elizabeth Denham said that SCL Elections was unwilling to cooperate with its investigation over Professor Carroll's personal data.
"The company has consistently refused to cooperate with our investigation into this case and has refused to answer our specific enquiries in relation to the complainant's personal data - what they had, where they got it from and on what legal basis they held it," she said.
"The right to request personal data that an organisation holds about you is a cornerstone right in data protection law and it is important that Professor Carroll, and other members of the public, understand what personal data Cambridge Analytica held and how they analysed it."
The regulator's decision means potentially millions of US Facebook users whose data was harvested by Cambridge Analytica could make similar demands of the organisation.
Both Cambridge Analytica and SCL Elections have filed for insolvency after the Facebook data harvesting scandal and have questioned the ICO's jurisdiction given the data in question belongs to an American citizen, but the ICO doesn't agree and has warned the companies could face criminal charges for withholding the information.
"We are aware of recent media reports concerning Cambridge Analytica's future but whether or not the people behind the company decide to fold their operation, a continued refusal to engage with the ICO will potentially breach an Enforcement Notice and that then becomes a criminal matter," Denham added.
While Cambridge Analytica is closing, some of the people involved in the firm have started another venture called Emerdata.
19/04/2018: Alexander Nix may face formal summons to Parliament
Alexander Nix, the suspended CEO of Cambridge Analytica, may face an official summons to appear before the Digital, Culture, Media and Sport Committee after refusing to attend voluntarily.
The committee wanted him to address inconsistencies in testimony he gave in February stating that Cambridge Analytica did not have or work with Facebook users' data. Shortly afterwards, The Observer revealed that Cambridge Analytica allegedly had access to tens of millions of Facebook profiles.
Nix's lawyers said on Tuesday, however, that Nix was "not able to give evidence tomorrow as a consequence of him having been served with an information notice and being subject of a criminal investigation by the Information Commissioner's Office".
In response, committee chairman Damian Collins said he may order Nix to give more evidence to the committee.
"It is certainly the intention of the committee to take this further and consider issuing a summons for Mr. Nix to appear on a named day at some point in the near future," said Collins, who warned Nix last month on the severity of giving false statements to a select committee.
Though Nix did not appear, Cambridge Analytica whistleblower Brittany Kaiser delivered written testimony and documents to the committee on Tuesday.
Kaiser wrote that Arron Banks of Leave.EU collected the personal data of people he sold car insurance to through his company GoSkippy, and that this data may have been used to target possible Brexit supporters.
"I do not believe Banks's written evidence to this inquiry is a full account of what happened," said Kaiser, submitting proposals for projects under Banks, along with supporting emails.
Cambridge Analytica also used quizzes to mine data on users, including a "sex compass" quiz, according to Kaiser's testimony.
"I do not know the specifics of these surveys or how the data was acquired or processed," said Kaiser.
She started the #OwnYourData campaign to push Mark Zuckerberg to change Facebook's terms of service so users get more rights over their own data. The campaign, which has 147,000 signatures, asks Zuckerberg to respond by the end of April. Facebook today introduced changes to its terms and conditions that bring them in line with the EU's impending GDPR data protection legislation.
12/04/2018: Zuckerberg claims ignorance about 'shadow profiles'
Facebook founder Mark Zuckerberg was grilled by members of a US congressional committee over the social network's use of so-called "Shadow Profiles".
Shadow Profiles are said to be data collected by Facebook about non-users of the network, such as email addresses, names tagged in photos, or details in a smartphone contact list. This data is hidden from users but used to recommend friends and new connections as well as for social data analysis. It is not normally disclosed to account owners but is used in Facebook's "People You May Know" feature.
The existence of shadow profiles came to light in 2013 when a bug in Facebook showed not just contact details of a user's friends in a download file but also their friends' shadow contact information.
At the hearing of the US House Energy and Commerce Committee, New Mexico Representative Ben Lujan asked Zuckerberg about these profiles.
Zuckerberg replied that "in general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to."
Zuckerberg denied he was familiar with the term "Shadow Profile". Lujan then asked how many data points on average Facebook collects on its users. Zuckerberg replied that he did not know.
Lujan then asked how many data points Facebook collected on non-users. Again, Zuckerberg said he did not know. Lujan then asked how someone who does not have a Facebook account can opt out of Facebook's involuntary data collection.
The Facebook CEO responded that "anyone can turn off and opt out of any data collection for ads, whether they use our services or not." He then suggested that Facebook still needed to collect non-user data for security reasons.
"In order to prevent people from scraping public information [...] we need to know when someone is repeatedly trying to access our services," he told the committee.
Lujan pointed out to Zuckerberg that non-users wanting to request what data it has on them need to go to a Facebook page and sign up for an account to access their data.
11/04/2018: Zuckerberg deflects US regulations in first Senate hearing
Facebook CEO Mark Zuckerberg emerged relatively unscathed from the first of two US Senate hearings, managing to deflect attempts to enforce tougher regulations on the social media platform.
During a grilling by a joint committee of 44 US Senators, the 33-year-old internet mogul took full responsibility for company failings that led to the improper sharing of data on approximately 87 million Facebook users, but made no commitments to supporting any specific reactionary legislation drawn up by Congress.
Zuckerberg began with an opening speech that was released ahead of schedule, followed by a series of questions aimed at probing Facebook's business model and the events leading to the exploitation of the platform by Cambridge Analytica.
He admitted that the company had failed to audit the agreement drawn up with Cambridge Analytica, and said that it had become apparent that the firm had misled Facebook to exploit its algorithms.
He also conceded that following the discovery of the data breach in 2015, failing to notify both the Federal Trade Commission and the public immediately was a mistake, though he believed the case to be "closed" after dealing with the issue internally.
Asked whether he would support the introduction of legislation, Zuckerberg said:
"I'll have my team follow up with you so that way we can have this discussion across the different categories where I think this discussion needs to happen."
Shares in the company fell sharply on the news of the Cambridge Analytica scandal. However, investors were clearly happy with Zuckerberg's performance on Tuesday, as shares saw the single biggest daily jump in almost two years, up by 4.5%.
It could be argued that some Senators' questions failed to probe enough into the failings behind the scandal, as many were targeted at Facebook's business model or the way it currently manages data on the platform.
At one point, it appeared Zuckerberg was answering basic questions on how an internet company operates. Senator Orrin Hatch asked: "How do you sustain a business model in which users don't pay for your service?"
"Senator, we run ads," said Zuckerberg.
This was shortly followed by a question by Senator John Kennedy on whether the company would work on providing better ways for users to delete their data, only for Zuckerberg to highlight that such functions already exist.
It wasn't all smooth sailing for the CEO, however. At around 2 hours into the hearing, Senator Lindsey Graham from South Carolina launched a barrage of questions on the subject of market monopolies and customer choice, frequently interrupting Zuckerberg before he could finish answering.
On the question of what competitors Facebook has, Zuckerberg attempted to offer up rival tech companies such as Google, Apple and Twitter, only for the Senator to dismiss them as he believes Facebook offers a unique service.
Graham: "I'm talking about is there real competition you face. Because car companies face a lot of competition. If they make a defective car, it gets out in the world, people stop buying that car, they buy another one. Is there an alternative to Facebook in the private sector?"
Zuckerberg: "Yes Senator, the average American uses 8 different apps...to communicate with their friends and stay in touch with people, ranging from text to email."
Graham: "OK, which is the same service that you provide."
Zuckerberg: "Well, we provide a number of different services."
Graham: "Is Twitter the same as what you do?"
Zuckerberg: "It overlaps with a portion of what we do."
Graham: "You don't think you have a monopoly?"
Zuckerberg responded with a pause, before adding that "it certainly doesn't feel like that to me!", prompting laughter from the chamber.
While this moment was perhaps the toughest for Zuckerberg, other Senators were clearly displeased with his answers.
Writing on Twitter after the hearing, Senator Kamala Harris said: "Mark Zuckerberg's failure to answer several critical questions during his appearance before the Senate today leaves me concerned about how much Facebook values trust and transparency."
Tuesday's hearing was the first of two for Zuckerberg, who is also due to appear before the House Energy and Commerce Committee on Wednesday.
Speaking on Tuesday, Senator John Thune said a separate hearing would be held specifically on Cambridge Analytica, and other companies that may have been involved with the improper sharing of data on Facebook.
10/04/2018: Zuckerberg apologises for data scandal ahead of Congress hearing
Facebook CEO Mark Zuckerberg has apologised for failings in his company's data protection policies that led to 87 million users having their information improperly shared with third parties, according to documents released yesterday ahead of his Congressional hearing on Tuesday.
Zuckerberg, who is due to appear before Congress to answer questions relating to improper data sharing deals on the social media site, also took responsibility for failing to stop the spread of fake news to influence public opinion.
"Facebook is an idealistic and optimistic company," said Zuckerberg, in a transcript compiled by CNBC. "For most of our existence, we focused on all the good that connecting people can bring.
"But it's clear now that we didn't do enough to prevent these tools from being used for harm as well. That goes for fake news, foreign interference in elections, and hate speech, as well as developers and data privacy."
"We didn't take a broad enough view of our responsibility, and that was a big mistake," he added. "It was my mistake, and I'm sorry. I started Facebook, I run it, and I'm responsible for what happens here."
In the documents released ahead of Tuesday's hearing, Zuckerberg said the company was committed to making changes to policy that would "significantly impact our profitability", but these would take some time to implement.
The scandal surrounding Facebook and its data policies shows no sign of abating. Recent reports from New Zealand suggest that as many as 63,714 users could have had their information exposed to Cambridge Analytica's data harvesting, after only 10 people took part in an online personality quiz.
John Edwards, New Zealand's data protection commissioner, said he was urgently reviewing the case and would seek answers from Facebook on how the data was being used by Cambridge Analytica, according to the Guardian.
Edwards reportedly deleted his Facebook account upon hearing news of the incident and has said that New Zealanders should consider doing the same.
Apple's co-founder, Steve Wozniak, told USA Today that he would also be deleting his Facebook account over concerns that the social media site was becoming increasingly careless with user data.
"Users provide every detail of their life to Facebook and ... Facebook makes a lot of advertising money off this," he said to the newspaper. "The profits are all based on the user's info, but the users get none of the profits back."
Zuckerberg will appear before a joint hearing of the US Senate Judiciary and Commerce committee on Tuesday 10 April at 2:15 pm ET (7.15pm BST), and again before the US House Energy and Commerce Committee on Wednesday at 10 am ET (3 am BST).
06/04/2018: Sheryl Sandberg admits 'mistakes'
Weeks after the Cambridge Analytica scandal first started making headlines, Facebook's chief operating officer (COO), Sheryl Sandberg, has finally broken her silence on the matter.
Speaking to the Financial Times, Sandberg admitted the company had underinvested in safety and security but added that this attitude was changing. Indeed, there has been a flurry of announcements this week from senior figures detailing changes that have been made to the way the company shares data and giving users more granular control over what data Facebook holds on them (read on below).
"We made mistakes and I own them and they are on me," Sandberg told the FT, adding: "There are operational things that we need to change in this company and we are changing them ... We have to learn from our mistakes and we need to take action."
Although Facebook admitted earlier this week that around 87 million of its 2.2 billion users are thought to have had their data scraped by Cambridge Analytica, Sandberg said the company is in the dark as to what exactly was taken, because it can't undertake an internal probe until the one being conducted by the Information Commissioner's Office (ICO) in the UK is completed.
Sandberg also acknowledged that she and CEO Mark Zuckerberg should have spoken out on the matter sooner, but added that they "wanted to make sure [they] knew exactly what happened" before making any public statements.
She also claimed that Russian meddling in the US election in 2016 through disinformation and incendiary posts took the social platform's top executives by surprise.
"Things happened in 2016 which we were too slow to understand. Now we are following and investigating very thoroughly," she said.
Her comments come after Zuckerberg held a press Q&A in which he admitted the company hadn't done enough to ensure third-party apps were using people's data responsibly and in line with Facebook's terms and conditions.
"In retrospect, I think we clearly should have been doing more all along," he said.
Facebook yesterday revealed new measures to bring Facebook's data protection policies in line with the EU's tougher rules coming into force next month, including making the policy easier to understand, and explaining how and why Facebook uses people's information.
05/04/2018: Facebook admits it 'could have done more' to scrutinise third-party apps
Mark Zuckerberg has admitted that Facebook "should have been doing more" to ensure third-party companies were using the social network's data responsibly, as revised figures suggest as many as 87 million users may have been affected by the Cambridge Analytica scandal.
The admission came as Facebook's chief faced a grilling from the press over the company's data protection practices and how much it scrutinised those services accessing social media data.
"In retrospect, I think we clearly should have been doing more all along," said Zuckerberg, speaking at the conference on Wednesday. "I'm not trying to defend this now: I think our view in a number of aspects of our relationship with people is that our job is to give them tools, and that it was largely people's responsibility how they chose to use them.
"I think it was wrong in retrospect to have that limited of a view," he added. "I think we need to take a broader view of our responsibility."
Facebook now believes as many as 87 million users may have had their data improperly shared with Cambridge Analytica as a result of past policies, some 37 million more than previously thought.
"We wanted to take a broad view that is a conservative estimate," said Zuckerberg. "I am quite confident that given our analysis that it is not more than 87 million. It very well could be less, but we wanted to put out the maximum we felt that it could be as that analysis says."
In response to concerns about its data protection policies, Facebook has said it now intends to roll out EU General Data Protection Regulations worldwide, dismissing earlier reports that the measures would be diluted for US users.
Facebook also announced a string of updates to its API that aim to restrict the access third parties have to user data. This includes a new App Controls link at the top of a user's news feed that gives an overview of the data they're sharing with third-party applications. As part of this addition, Facebook will also be telling users if their data had been improperly shared with Cambridge Analytica.
From now on, if a user allows an app to access data on the events they're attending, that app will no longer have free rein to scrape information from the list of users also interested in the event.
Apps will also no longer be able to use the Pages API to access posts or comments on any page by default, and instead only those "providing useful services to our community" will be able to petition Facebook for approval.
The ways in which Facebook groups work are also changing. Instead of a single member being able to give permission for an app to access group content, any third parties using the API will need to be approved by Facebook first.
The ability to search for a person using their phone number or email address has also been scrapped, after it was found that the feature was being abused to harvest profile data, and any application seeking to access a user's feed, including likes, posts and photos, will need to first ask Facebook.
Last week it was revealed that Facebook had been storing user call and text histories as part of an opt-in feature on the Android version of Facebook. Although it appears the company will still maintain this practice, Facebook has said it will review the data it collects to ensure no message content is stored, and that it will delete all logs older than one year. Broader data, such as the time of calls, will now no longer be collected.
Zuckerberg revealed that his company had opened an investigation into the Cambridge Analytica data agreement, as it still doesn't know exactly what information the firm held on its systems. However, this has since been put on hold while the UK's Information Commissioner's Office conducts its own investigation, which includes the examination of files taken during a raid on Cambridge Analytica's London headquarters in March.
Zuckerberg is due to appear before Congress next week to defend company policies, having already refused to testify before a UK parliamentary committee.
26/03/2018: Cambridge Analytica: Watchdog examines 'evidence' after London office raid
The UK's data watchdog raided Cambridge Analytica's London headquarters on Friday evening after finally getting a search warrant approved by a High Court judge.
Twenty officials from the Information Commissioner's Office entered the Oxford Street address at 8pm to look for evidence relating to allegations the analytics firm harvested data from 50 million Facebook users without their consent.
The property search lasted seven hours, and an undisclosed volume of evidence was taken from the property, the ICO said.
"We will now need to assess and consider the evidence before deciding the next steps and coming to any conclusions," an ICO spokesperson said in a statement. "This is one part of a larger investigation by the ICO into the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors."
The ICO announced it was investigating the allegations against Cambridge Analytica on 17 March, and issued a Demand for Access to records two days later. However, the judge adjourned the case from last Wednesday to last Friday, meaning a warrant wasn't granted until late that evening. Media reports showed pictures of boxes being carried out of Cambridge Analytica's shared offices prior to the warrant hearings.
The search forms part of wider public scrutiny into whether Facebook did enough to secure the data it held on its users, as well as whether data was abused to influence elections.
A former Cambridge Analytica director told the Guardian on Friday that the firm's management deliberately misled the British public about its involvement with a pro-Brexit group, Leave.EU, during the referendum campaign period.
In an attempt to mitigate fallout, Facebook took out full-page adverts in both UK and US newspapers over the weekend, in which CEO Mark Zuckerberg said the incident was a "breach of trust" and said he was "sorry we didn't do more at the time".
His comments were later echoed by COO Sheryl Sandberg, who told CNBC on Friday that the case "was a critical moment for our company". "We are going to do everything we can," added Sandberg. "I would definitely have had Mark and myself out speaking earlier, but we were trying to get to the bottom of this."
Friday's raid kicked off a turbulent weekend for the social media company, which saw scathing opinion polls and fresh revelations of data misuse.
A Reuters poll in the US found that less than half of Americans now trust Facebook to adhere to US privacy laws, while 60% of users in Germany believe social networks are negatively impacting the democratic process, according to national newspaper Bild am Sonntag.
There were also multiple reports of users downloading their account files stored on Facebook's website, only to discover that call data from mobile phones was also being logged, including who they called and for how long, seemingly without their knowledge.
Facebook has since refuted the claim that this was done secretly, pointing to a usage agreement as part of its Messenger platform that allows users to opt in to call and text history logging.
Zuckerberg has now been called to appear before a UK parliamentary committee to give evidence on Cambridge Analytica's use of personal data. The committee has demanded a response by the end of today.
22/03/2018: ICO must wait for warrant
UK data watchdog the Information Commissioner's Office (ICO) will not get access to Cambridge Analytica's London offices until Friday at the earliest, after its demand for a warrant to search the premises was adjourned.
In a statement today, an ICO spokesperson said: "A High Court judge has adjourned the ICO's application for a warrant relating to Cambridge Analytica until Friday. The ICO will be in court to continue to pursue the warrant to obtain access to data and information to take forward our investigation."
While IT Pro asked the regulator why it was adjourned, a spokesperson declined to comment further. However, Guardian journalist Carole Cadwalladr reported that the judge granted an extension because Cambridge Analytica's legal counsel was unavailable.
It means the ICO's planned raid of Cambridge Analytica's offices is further delayed, despite reports earlier this week claiming boxes were being removed from the firm's shared premises on Tuesday.
Meanwhile, Facebook CEO Mark Zuckerberg has finally broken his silence over allegations that Cambridge Analytica accessed the data of 50 million Facebook users without their consent, seeking to reassure users that a similar abuse of people's information could never happen again.
The scandal, which broke earlier this week, surrounds the use of a quiz developed for data mining and an analytics firm that harvested the data not just of those who used the app (thisisyourdigitallife), but also of all their Facebook friends.
Several days after the story first broke, Zuckerberg finally issued an official response through Facebook, which includes a timeline of events and an explanation of how an app could have accessed data from individuals who didn't have any direct contact with it.
The Facebook CEO said: "The good news is that the most important actions to prevent this from happening again today we have already taken years ago.
"In 2014, to prevent abusive apps, we announced that we were changing the entire platform to dramatically limit the data apps could access. Most importantly, apps like [thisisyourdigitallife] could no longer ask for data about a person's friends unless their friends had also authorized the app.
"We also required developers to get approval from us before they could request any sensitive data from people. These actions would prevent any app ... from being able to access so much data today."
However, he added that the company is taking further steps to tighten up how it guards user data, including revoking apps' access where users haven't used them for three months, and reducing the data first given to apps on sign in to just the user's name, profile picture and email address.
This is particularly significant as part of the broad range of data collected by Cambridge Analytica included very sensitive data such as sexuality, location, religion and political leanings, and apps could access this data indefinitely.
Zuckerberg also claimed that Cambridge Analytica has once again affirmed that it has deleted all the data linked to this case, something it previously said it had done in 2015, but which an Observer article subsequently contradicted with the account of former employee and whistleblower Christopher Wylie.
Cambridge Analytica has voluntarily agreed to a full forensic audit to ensure this is the case, Zuckerberg added.
Meanwhile, Wylie, the ex-director of research at Cambridge Analytica who blew the whistle on this scandal, took to Twitter to confirm he would be accepting invitations to testify in front of several legislative bodies in the US and UK.
20/03/2018: ICO seeks warrant to raid London offices
The UK's data privacy watchdog is seeking a warrant to raid Cambridge Analytica's London headquarters in order to investigate allegations that the company illegally harvested the information of 50 million Facebook profiles.
The Information Commissioner's Office (ICO) confirmed to IT Pro this morning that it is seeking an urgent warrant following the company's failure to comply with its request on 7 March for access to its databases and records.
"Cambridge Analytica has not responded to the commissioner by the deadline provided; therefore, the information commissioner is seeking a warrant to obtain information and access to systems and evidence related to her investigation," an ICO spokesman said.
The news follows an exposé by the Observer that claimed Cambridge Analytica had used the Facebook data of more than 50 million people in order to build a powerful predictive analytics algorithm that could accurately predict political preferences, sexuality and other personal traits.
It has also emerged that Facebook was in the process of conducting its own internal investigation into Cambridge Analytica's actions separately to the ICO, which it ceased yesterday at the regulator's behest. Damian Collins, chair of the culture select committee, expressed doubt as to Facebook's motives in conducting its own investigation, telling the BBC that "This is a matter for the authorities".
"The concern would have been, were they removing information or evidence which could have been vital to the investigation? It's right they stood down but it's astonishing they were there in the first place."
Facebook is planning an open meeting today, to let staff grill the company's management on the unfolding incident. According to the Verge, the meeting will be led by Facebook deputy general counsel Paul Grewal, who will give staff background information on the case and field questions from staff.
It will mark the first time that staff have had an official opportunity to ask questions of the company's leadership since the scope of Cambridge Analytica's use of Facebook data was publicly revealed - although Facebook has admitted it was aware of the issue in 2015, a year after it happened.
The meeting is planned to last just half an hour, and an employee told the Verge that the move felt like a temporary solution to buy time until Friday's all-hands meeting where founder and CEO Mark Zuckerberg - who has thus far been silent on the issue - is expected to address employees. Collins has called on Zuckerberg or a senior Facebook executive to give evidence to his Parliamentary committee on the scandal.
Facebook maintains that this is not a data breach in the traditional sense, and is instead a misuse of legitimately-obtained data. Security expert Graham Cluley agreed with the assessment, but said it shows fundamental issues with Facebook's design. "From Facebook's point of view, it's not a traditional data breach," he told IT Pro. "That's because this is how Facebook was designed, and many apps over the years have scooped up users' information and (privacy settings permitting) those of their friends as well."
"Hundreds of millions of times every day Facebook hones the content it displays to you based on what it has determined you are interested in, who you are, and what it thinks will be most effective. So, it's not that different from what Cambridge Analytica does with the same access to the data," he added.
"None of this is news. Facebook has been working this way for years. The only way to reduce your exposure is to refuse to play Facebook's game and not be a member of the site. If you can't bring yourself to leave, at the very least lock down your privacy settings and reduce the level of information that you share."
Cambridge Analytica's CEO, Alexander Nix, was also caught in an undercover sting by Channel 4, which recorded Nix seemingly bragging about using ex-intelligence operatives, micro-targeted propaganda and 'honeypot' traps to influence elections and other political proceedings.
"We're used to operating through different vehicles, in the shadows, and I look forward to building a very long-term and secretive relationship with you," Nix told undercover reporters posing as potential clients in an initial phone call.
"We have two projects at the moment, which involve doing deep, deep depth research on the opposition and providing... really damaging source material, that we can decide how to deploy in the course of the campaign," he said as part of a later meeting recorded by Channel 4.
Cambridge Analytica denied that it uses any of the methods alleged by the investigation, and stated that it was simply 'humouring' the potential client.