Wednesday 21 March 2018

The large-scale personal data release Facebook Inc didn't tell the world about



“Back in 2004, when a 19-year-old Zuckerberg had just started building Facebook, he sent his Harvard friends a series of instant messages in which he marvelled at the fact that 4,000 people had volunteered their personal information to his nascent social network. “People just submitted it ... I don’t know why ... They ‘trust me’ ... dumb fucks.”  [The Guardian, 21 March 2018]

“Christopher Wylie, who worked for data firm Cambridge Analytica, reveals how personal information was taken without authorisation in early 2014 to build a system that could profile individual US voters in order to target them with personalised political advertisements. At the time the company was owned by the hedge fund billionaire Robert Mercer, and headed at the time by Donald Trump’s key adviser, Steve Bannon. Its CEO is Alexander Nix”  [The Guardian,18 March 2018]

Alexander James Ashburner Nix is listed by Companies House UK as the sole director and CEO of Cambridge Analytica (UK) Limited (formerly SCL USA Limited incorporated 6 January 2015). The majority of shares in the company are controlled by SCL Elections Limited (incorprated 17 October 2012) whose sole director and shareholder appears to be Alexander Nix. Mr. Nix in his own name is also a shareholder in Cambridge Analytica (UK) Limited.

Companies House lists ten companies with which Mr. Nix is associated.

NOTE: In July 2014 an Alastair Carmichael Macwillson incorporated Cambridge Analytica Limited, a company which is still active. Macwilliam styles himself as a management consultant and cyber security professional.

Nix's Cambridge Analytica was reported as indirectly financed by leading Republican donor Robert Mercer during the 2015 primaries and 2016 US presidential campaign.

On 15 December 2017 The Wall Street Journal reported that:

Special Counsel Robert Mueller has requested that Cambridge Analytica, a data firm that worked for President Donald Trump’s campaign, turn over documents as part of its investigation into Russian interference in the 2016 U.S. election, according to people familiar with the matter.

Concerns about Cambridge Analytica and its relationship with Facebook Inc. resurfaced this month.

The Guardian, 18 March 2018:

The data analytics firm that worked with Donald Trump’s election team and the winning Brexit campaign harvested millions of Facebook profiles of US voters, in one of the tech giant’s biggest ever data breaches, and used them to build a powerful software program to predict and influence choices at the ballot box….

Documents seen by the Observer, and confirmed by a Facebook statement, show that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals.

Recode, 17 March 2018:

Facebook is in another awkward situation. The company claims that it wasn’t breached, and that while it has suspended Cambridge Analytica from its service, the social giant is not at fault. Facebook contends that its technology worked exactly how Facebook built it to work, but that bad actors, like Cambridge Analytica, violated the company’s terms of service.

On the other hand, Facebook has since changed those terms of service to cut down on information third parties can collect, essentially admitting that its prior terms weren’t very good.

So how did Cambridge Analytica get Facebook data on some 50 million people?
Facebook’s Chief Security Officer, Alex Stamos, tweeted a lengthy defense of the company, which also included a helpful explanation for how this came about…..

Facebook offers a number of technology tools for software developers, and one of the most popular is Facebook Login, which lets people simply log in to a website or app using their Facebook account instead of creating new credentials. People use it because it’s easy — usually one or two taps — and eliminates the need for people to remember a bunch of unique username and password combinations.

When people use Facebook Login, though, they grant the app’s developer a range of information from their Facebook profile — things like their name, location, email or friends list. This is what happened in 2015, when a Cambridge University professor named Dr. Aleksandr Kogan created an app called “thisisyourdigitallife” that utilized Facebook’s login feature. Some 270,000 people used Facebook Login to create accounts, and thus opted in to share personal profile data with Kogan.

Back in 2015, though, Facebook also allowed developers to collect some information on the friend networks of people who used Facebook Login. That means that while a single user may have agreed to hand over their data, developers could also access some data about their friends. This was not a secret — Facebook says it was documented in their terms of service — but it has since been updated so that this is no longer possible, at least not at the same level of detail.

Through those 270,000 people who opted in, Kogan was able to get access to data from some 50 million Facebook users, according to the Times. That data trove could have included information about people’s locations and interests, and more granular stuff like photos, status updates and check-ins.

The Times found that Cambridge Analytica’s data for “roughly 30 million [people] contained enough information, including places of residence, that the company could match users to other records and build psychographic profiles.”

This all happened just as Facebook intended for it to happen. All of this data collection followed the company’s rules and guidelines.

Things became problematic when Kogan shared this data with Cambridge Analytica. Facebook contends this is against the company’s terms of service. According to those rules, developers are not allowed to “transfer any data that you receive from us (including anonymous, aggregate, or derived data) to any ad network, data broker or other advertising or monetization-related service.”

As Stamos tweeted out Saturday (before later deleting the tweet): “Kogan did not break into any systems, bypass any technical controls, our use a flaw in our software to gather more data than allowed. He did, however, misuse that data after he gathered it, but that does not retroactively make it a ‘breach.’”….

The problem here is that Facebook gives a lot of trust to the developers who use its software features. The company’s terms of service are an agreement in the same way any user agrees to use Facebook: The rules represent a contract that Facebook can use to punish someone, but not until after that someone has already broken the rules.

CNN tech, 19 March 2018:

Kogan's company provided data on millions of Americans to Cambridge Analytica beginning in 2014. The data was gathered through a personality test Facebook application built by Kogan. When Facebook users took the test they gave Kogan access to their data, including demographic information about them like names, locations, ages and genders, as well as their page "likes," and some of their Facebook friends' data.

There is some evidence that Cambridge Analytica is a bad actor according to a report by 4News on 19 March 2018:

Senior executives at Cambridge Analytica – the data company that credits itself with Donald Trump’s presidential victory – have been secretly filmed saying they could entrap politicians in compromising situations with bribes and Ukrainian sex workers.

In an undercover investigation by Channel 4 News, the company’s chief executive Alexander Nix said the British firm secretly campaigns in elections across the world. This includes operating through a web of shadowy front companies, or by using sub-contractors.

In one exchange, when asked about digging up material on political opponents, Mr Nix said they could “send some girls around to the candidate’s house”, adding that Ukrainian girls “are very beautiful, I find that works very well”.

In another he said: “We’ll offer a large amount of money to the candidate, to finance his campaign in exchange for land for instance, we’ll have the whole thing recorded, we’ll blank out the face of our guy and we post it on the Internet.”

Offering bribes to public officials is an offence under both the UK Bribery Act and the US Foreign Corrupt Practices Act. Cambridge Analytica operates in the UK and is registered in the United States.

The admissions were filmed at a series of meetings at London hotels over four months, between November 2017 and January 2018. An undercover reporter for Channel 4 News posed as a fixer for a wealthy client hoping to get candidates elected in Sri Lanka.

Mr Nix told our reporter: “…we’re used to operating through different vehicles, in the shadows, and I look forward to building a very long-term and secretive relationship with you.”

Along with Mr Nix, the meetings also included Mark Turnbull, the managing director of CA Political Global, and the company’s chief data officer, Dr Alex Tayler.

Mr Turnbull described how, having obtained damaging material on opponents, Cambridge Analytica can discreetly push it onto social media and the internet.

He said: “… we just put information into the bloodstream of the internet, and then, and then watch it grow, give it a little push every now and again… like a remote control. It has to happen without anyone thinking, ‘that’s propaganda’, because the moment you think ‘that’s propaganda’, the next question is, ‘who’s put that out?’.”

It should be noted that Cambridge Analytica has set up shop in Australia and the person named in the filing documents as the only shareholder was Allan Lorraine. Cambridge Analyitica is said to have met with representatives of the Federal Liberal Party in March 2017.

Despite denials to the contrary, It is possible that Cambridge Analytica has been consulted by state and federal Liberals since mid-2015 and, along with i360, was consulted by South Australian Liberals concerning targeted campaigning in relation to their 2018 election strategy.

Once the possibility of Australian connection became known, the Australian Information and Privacy Commissioner made preliminary inquiries.

News.com.au. 20 March 2018:

Facebook could be fined if Australians' personal information was given to controversial researchers Cambridge Analytica, the privacy watchdog says.

Australian Information and Privacy Commissioner Timothy Pilgrim says he is aware profile information was taken and used without authorisation.

"My office is making inquiries with Facebook to ascertain whether any personal information of Australians was involved," Mr Pilgrim said on Tuesday.

"I will consider Facebook's response and whether any further regulatory action is required.".

Cambridge Analytica is facing claims it used data from 50 million Facebook users to develop controversial political campaigns for Donald Trump and others.

The Privacy Act allows the commissioner to apply to the courts for a civil penalty order if it finds serious breaches of the law......

UK Information Commissioner Elizabeth Denham is also investigating the breach, promising it will be "far reaching" and any criminal or civil enforcement actions arising from it would be "pursued vigorously".

Facebook Inc's initial response to this issue was a denial of resonsibility which did not play well in financial markets

The Guardian, 21 March 2018:

It appears that while Facebook had been aware of what the Observer described as “unprecedented data harvesting” for two years, it did not notify the affected users.

What’s more, Facebook has displayed a remarkable lack of contrition in the immediate aftermath of the Observer’s revelations. Instead of accepting responsibility, its top executives argued on Twitter that the social network had done nothing wrong. “This was unequivocally not a data breach,” Facebook vice-president Andrew Bosworth tweeted on Saturday. “People chose to share their data with third party apps and if those third party apps did not follow the data agreements with us/users it is a violation. No systems were infiltrated, no passwords or information were stolen or hacked.”

In a sense, Facebook’s defence to the Cambridge Analytica story was more damning than the story itself. Tracy Chou, a software engineer who has interned at Facebook and worked at a number of prominent Silicon Valley companies, agrees that there wasn’t a hack or breach of Facebook’s security. Rather, she explains, “this is the way that Facebook works”. The company’s business model is to collect, share and exploit as much user data as possible; all without informed consent. Cambridge Analytica may have violated Facebook’s terms of service, but Facebook had no safeguards in place to stop them.

While some Facebook executives were busy defending their honour on Twitter over the weekend, it should be noted that Zuckerberg remained deafeningly silent. On Monday, Facebook’s shares dropped almost 7%, taking $36bn (£25.7bn) off the company’s valuation. Still, Zuckerberg remained silent. If you’re going to build a service that is influential and that a lot of people rely on, then you need to be mature, right? Apparently, silence is Zuck’s way of being mature.

No comments: